Digital signatures: what you need to know
ARX gives a factual lowdown
TRP: Is this really a market growth area?
RL: The Forrester Wave: e-Signatures Q2 2013 report stated that the momentum is growing in the market and went on to say that "Enterprise architects should include e-signatures as part of an overall ECM and BPM strategy… a foundational technology along with records management, eDiscovery, and other content services."
Both AIIM and Gartner have also predicted increased adoption of signature technology and the fact that an increasing number of vendors are getting into the market place is a clear sign that this a hot area of technology right now.
Adobe bought EchoSign for their electronic signature solution a couple of years back, and Microsoft recently announced that it is integrating DocuSign's electronic signatures into Office365.
TRP: Can you provide some examples of legislation and regulations that digital signatures are compliant with?
RL: Many people don't realise that there is EU Directive that governs digital signatures which has been around for over 10 years, though it is likely to be updated soon. Each EU member state has enacted legislation to legalise the use of digital signatures.
In the UK, this is covered under laws such as the Electronic Communications Act 200 and the Electronic Signatures Regulations Act 2002. The equivalent in the US is the ESign Act, which was passed in 2000.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Specific industries have their own regulations. For examples, the life sciences market has various regulations including FDA 21 CFR part 11. Even when digital signatures are not specifically mandated, they can help organisations comply with regulations such as Sarbanes-Oxley and Know Your Customer in the financial services market.
TRP: Can you describe the security measures in more detail? How can I verify the validity of the signature itself and the document as a whole?
RL: Digital signatures are the result of a standards-based cryptographic operation that typically takes place on a highly secure hardware appliance. The operation creates a coded message that binds the document and the signer and is unique to both of them.
By providing long-term proof of signer identity and data integrity, digital signatures enable organizations to securely and responsibly automate their signature-dependent processes.
If someone tries to tamper with the document, it is invalidated. And even if someone managed to 'hack' into a signature, it would be a useless set of data that they couldn't do anything with.
Users can easily validate the document and signature independently of the vendor solution by using applications, like Microsoft Office and Adobe Acrobat, which support digital signatures.
TRP: Is this technology really only for big companies and governments or SMEs too? And are digital signatures more widespread in some markets more than others?
RL: Companies of any size can use digital signatures. Sure, we have examples like the European Court of Human Rights, which uses our CoSign solution to digitally sign some 500,000 letters a year, but at the other end of the scale, there are some very small organisations using our technology over the cloud.
Digital signatures could apply to any organisation that has a need for secure signatures, but in particular, we've seen strong adoption among life sciences, in-house legal and law firms, public sector, energy, and financial services.
Some other example users include the Royal Navy, GSK, Credit Suisse, EDF, Bayer, Johnson and Johnson, Bechtel, Foster Wheeler, GKN and a whole host of education, healthcare and government organisations.
TRP: The theory makes sense, but how easy are these digital signatures to implement?
RL: Cloud, on-premise and even mobile options are available. Depending on the solution chosen, users can be signing their Word, Excel and PDF documents within a couple of days with minimal training.
Whatever solution is chosen, it should be easy to integrate with existing systems, including office, document management, workflow and collaboration tools. For instance, CoSign integrates with Microsoft Office, SharePoint, Oracle, OpenText, Alfresco, K2, Nintex, AutoCAD, HP Autonomy's WorkSite among others.
TRP: Okay Ronan, so if you've managed to convince our readers, what should they look for when shopping for a digital signature solution?
RL: Like any area of enterprise IT, it's going to depend on the business, but here is my suggested tick list. The system needs to be tamper-proof, so if anyone changes the document, the signature is invalidated. Compliance with regulation and legislation is a must have.
Clearly, the digital signature system – regardless of what platform it is on - needs to integrate with existing systems. Ideally, it should be easy and simple to install, with minimal on-going maintenance, but support should be available if needed.
For large organisations that have hundreds or thousands of users, it is essential that the digital signature solution be seamlessly integrated with their user management system.
For many companies who have deployed digital signature solutions, they have done so to remove unnecessary paper from key processes and to improve efficiencies.
It is therefore important to many companies that their staff should be able to digitally sign documents in a matter of seconds, whether they are Microsoft Office or PDF documents, or as part of an embedded workflow.
Similarly, it may sound obvious, but digital signatures must be very easy to use. For instance, the signer's signature should be easily viewable so that it is immediately clear if a document is signed or not.
It may also be important to simultaneously add multiple signatures, particularly when different locations or time zones are involved.
Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website builders and web hosting when DHTML and frames were in vogue and started narrating about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium.