Digital signatures – not to be confused with electronic signatures such as scanned-in bitmap images – are being adopted by businesses all over the world, gradually displacing pen and paper processes.
Why? Proponents cite a raft of benefits: security, resistance to fraud, compliance with a wide variety of legislation and standards, less time wasted collating signatures, reduced costs around paper, print and transporting documents for signing, plus integration with workflow, BPM, ECM and document management systems.
Ronan Lavelle, UK Country Manager of ARX, talks us through the facts, the benefits and some implementation advice.
TechRadar Pro: What are digital signatures and how long have they been around?
Ronan Lavelle: Digital signatures make it possible to sign documents while keeping them digital, portable and secure at all times. Once a document has been digitally signed, it becomes tamper-proof so that the signatures are invalidated if it is changed.
They've been around for a few years now and are compliant with a wide variety of international and local legislation and compliance requirements. In fact, just about the only documents you can't sign digitally at the moment in the UK are those related to probate and wills.
TRP: So what are the differences with this and electronic signatures?
RL: The terms "electronic signature" and "digital signature" describe two very different technologies, yet they're often used as interchangeable terms. An electronic signature can be as basic as a typed name or a scanned image of a handwritten signature that is attached to the signed electronic record.
Because they lack measures for preventing forgery and information tampering, electronic signatures are very problematic in terms of maintaining security and integrity.
Electronic signatures can be provided by externally-managed, third-party services using proprietary technology, creating serious security, portability and usability limitations.
A digital signature, also known as an advanced, standard or secure electronic signature, is based on globally accepted Public Key Infrastructure (PKI) standards and provides the highest levels of security and universal acceptance.
Digital signatures are the result of a cryptographic operation that creates a 'fingerprint' unique to both the signer and the content, so that they cannot be copied, forged or tampered with.
This process provides proof of signer identity and data integrity for eliminating the possibility of anyone repudiating the signed documents. All this information can be easily verified using widely available applications such as Microsoft Office and most PDF readers.
TRP: What's wrong with old-fashioned paper-and-ink signatures anyway?
RL: Signatures play a much bigger role in business life than most of us realise. Research by AIIM found that worldwide, around half of organisations surveyed print documents just to get a (valid and legally enforceable) signature, and that number rises to 80 per cent in the UK, according to YouGov (YouGov research, Oct 2013).
All kinds of problems are created as soon as a document is printed out for signing. For a start, this breaks any 'end to end' processes that are in use, which defeats the purpose of automation and the push toward a paperless office.
These breaks easily lead to errors, regardless of whether the final version is kept as paper or is scanned back into the system.
Also, printing and routing documents for signing takes time and costs money: I know of one instance when a 20kg box of documents was couriered to someone in Brazil who had to return them once they were signed, wasting significant amounts of both time and money. In fact, AIIM reckons that collecting 'wet ink' signatures adds on average 3 days to most processes.
Finally, there have been some high-profile instances of fraud which was based on how easy it is to copy pen and paper signatures. Basic electronic signatures are arguably no more fraud-proof than manual signatures, but digital signatures are designed to overcome any security concerns.
TRP: Is this really a market growth area?
RL: The Forrester Wave: e-Signatures Q2 2013 report stated that the momentum is growing in the market and went on to say that "Enterprise architects should include e-signatures as part of an overall ECM and BPM strategy… a foundational technology along with records management, eDiscovery, and other content services."
Both AIIM and Gartner have also predicted increased adoption of signature technology, and the fact that an increasing number of vendors are getting into the marketplace is a clear sign that this is a hot area of technology right now.
Adobe bought EchoSign for their electronic signature solution a couple of years back, and Microsoft recently announced that it is integrating DocuSign's electronic signatures into Office365.
TRP: Can you provide some examples of legislation and regulations that digital signatures are compliant with?
RL: Many people don't realise that there is an EU Directive that governs digital signatures which has been around for over 10 years, though it is likely to be updated soon. Each EU member state has enacted legislation to legalise the use of digital signatures.
In the UK, this is covered under laws such as the Electronic Communications Act 200 and the Electronic Signatures Regulations Act 2002. The equivalent in the US is the ESign Act, which was passed in 2000.
Specific industries have their own regulations. For example, the life sciences market has various regulations including FDA 21 CFR part 11. Even when digital signatures are not specifically mandated, they can help organisations comply with regulations such as Sarbanes-Oxley and Know Your Customer in the financial services market.
TRP: Can you describe the security measures in more detail? How can I verify the validity of the signature itself and the document as a whole?
RL: Digital signatures are the result of a standards-based cryptographic operation that typically takes place on a highly secure hardware appliance. The operation creates a coded message that binds the document and the signer and is unique to both of them.
By providing long-term proof of signer identity and data integrity, digital signatures enable organizations to securely and responsibly automate their signature-dependent processes.
If someone tries to tamper with the document, it is invalidated. And even if someone managed to 'hack' into a signature, it would be a useless set of data that they couldn't do anything with.
Users can easily validate the document and signature independently of the vendor solution by using applications, like Microsoft Office and Adobe Acrobat, which support digital signatures.
TRP: Is this technology really only for big companies and governments or SMEs too? And are digital signatures more widespread in some markets than others?
RL: Companies of any size can use digital signatures. Sure, we have examples like the European Court of Human Rights, which uses our CoSign solution to digitally sign some 500,000 letters a year, but at the other end of the scale, there are some very small organisations using our technology over the cloud.
Digital signatures could apply to any organisation that has a need for secure signatures, but in particular, we've seen strong adoption among life sciences, in-house legal and law firms, public sector, energy, and financial services.
Some other example users include the Royal Navy, GSK, Credit Suisse, EDF, Bayer, Johnson and Johnson, Bechtel, Foster Wheeler, GKN and a whole host of education, healthcare and government organisations.
TRP: The theory makes sense, but how easy are these digital signatures to implement?
RL: Cloud, on-premise and even mobile options are available. Depending on the solution chosen, users can be signing their Word, Excel and PDF documents within a couple of days with minimal training.
Whatever solution is chosen, it should be easy to integrate with existing systems, including office, document management, workflow and collaboration tools. For instance, CoSign integrates with Microsoft Office, SharePoint, Oracle, OpenText, Alfresco, K2, Nintex, AutoCAD, HP Autonomy's WorkSite among others.
TRP: Okay Ronan, so if you've managed to convince our readers, what should they look for when shopping for a digital signature solution?
RL: Like any area of enterprise IT, it's going to depend on the business, but here is my suggested tick list. The system needs to be tamper-proof, so if anyone changes the document, the signature is invalidated. Compliance with regulation and legislation is a must-have.
Clearly, the digital signature system – regardless of what platform it is on – needs to integrate with existing systems. Ideally, it should be easy and simple to install, with minimal on-going maintenance, but support should be available if needed.
For large organisations that have hundreds or thousands of users, it is essential that the digital signature solution be seamlessly integrated with their user management system.
For many companies who have deployed digital signature solutions, they have done so to remove unnecessary paper from key processes and to improve efficiencies.
It is therefore important to many companies that their staff should be able to digitally sign documents in a matter of seconds, whether they are Microsoft Office or PDF documents, or as part of an embedded workflow.
Similarly, it may sound obvious, but digital signatures must be very easy to use. For instance, the signer's signature should be easily viewable so that it is immediately clear if a document is signed or not.
It may also be important to simultaneously add multiple signatures, particularly when different locations or time zones are involved.