Cloud Digital Signature Services
Back in the last century, many enterprises began a mass switch to electronic document management. Everyone got a computer with office software; documents were typed in Microsoft Word or another editor, exported to PDF and sent by e-mail.
It seemed that once the workflow was electronic, filing cabinets full of paper archives would soon be forgotten and not a single sheet of paper would remain on anyone's desk. If a paper document did arrive by regular mail, it would be scanned at once and converted to digital form. In reality the opposite happened: the more an organization used computers for its workflow, the more documents it printed. Every document still has to be endorsed, and a document without a signature is just a draft or an information note. To obtain a signature, documents are printed, signed, and often scanned back in, with the paper original stored in the archive.
Now it’s clear that truly electronic (paperless) document management cannot be implemented without digital signatures.
Today B2B and B2C companies and government organizations are introducing digital signatures for their clear advantages:
- Paperless workflow. Saves time, money and resources.
- Efficient business processes. Electronic signing makes every transaction smoother.
- Mobility. Interaction within the organization and with customers becomes easier.
Public Key Infrastructure (PKI) ensures the integrity and authorship of each document. Time stamps certify when a document was signed, which is necessary for transactions tied to a specific point in time, for non-repudiation, and for retaining evidence for audit. Of course, the entire document management system with digital signatures must comply with the requirements in force in the country of jurisdiction, as well as in the countries where partners and customers operate.
Common standards for electronic document management and digital signature infrastructure developed gradually. For example, in EU countries the eIDAS regulation (electronic IDentification, Authentication and trust Services) for electronic identification, authentication and trust services has applied since July 1, 2016. In the United States, 21 CFR Part 11 (the FDA rule on electronic records and electronic signatures) has been adopted.
The world's largest trust programs for electronic documents are the Adobe Approved Trust List (AATL) and the Microsoft Trusted Root Program. Certification Authorities included in these programs issue certificate-based digital IDs and time-stamp services that meet regulatory requirements around the world, such as eIDAS. Electronic signatures are already supported in the most popular office document formats; in particular, a document can be signed by several people, each signature carrying its own time stamp.
What is a Digital Signing Service?
A Digital Signing Service (DSS) is a scalable platform with an API for the rapid deployment of digital signatures. It provides:
- Signing of any document hash or digital transaction within a PKI setup
- Issuance of signing certificates
- Support for AATL and the Microsoft Trusted Root Program
- HSM-based private key storage
- Revocation checking (OCSP/CRL) with an audit record
- Advanced electronic seals and, after accreditation, qualified electronic signatures that comply with eIDAS
In theory, you can run a "cloud" service inside your own company on your own servers, exposing the API to your users. For example, the European CEF Digital programme developed the open-source Digital Signature Service (code on GitHub, demo).
For your own DSS you need more than the signing workflow and user management. Signing certificates are also required to verify the identity of the author of each document. This involves cryptographic components such as key management, a FIPS 140-2 Level 2 or higher key store (for example, hardware tokens or an HSM), an OCSP or CRL service, and a time-stamp service. Combining these components, and in particular integrating directly with a hardware security module (HSM), whether cloud-based or on-premises, demands significant effort from the IT and information security departments, solid knowledge of cryptography and the necessary resources.
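To make the division of labour concrete (the PKI guarantees of integrity, authorship and signing time described earlier, and the components a DSS has to tie together: client-side hashing, a key that never leaves the service, a time stamp, and verification), here is a minimal in-process model of a signing service. It is an added example written for this page, not GlobalSign's service or the CEF DSS code. It assumes a single P-256 key generated in memory standing in for the HSM, the service's own clock standing in for an RFC 3161 time-stamp authority, and no certificate, OCSP or CRL handling; the document and signer name are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// SigningService models the server side of a DSS. The private key stays here
// (in production: inside an HSM) and only document *hashes* are sent to it.
type SigningService struct {
	key *ecdsa.PrivateKey
}

// SignedEnvelope is what the signing API returns to the client.
// SignedAt comes from the service clock here; a real DSS would obtain it
// from an RFC 3161 timestamp authority (assumption for this example).
type SignedEnvelope struct {
	DocHash   [32]byte
	Signer    string
	SignedAt  time.Time
	Signature []byte // ASN.1-encoded ECDSA signature
}

// NewSigningService generates a fresh P-256 key; a real service would use a
// certificate-backed key held in the HSM (assumption: in-memory key here).
func NewSigningService() (*SigningService, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningService{key: key}, nil
}

// PublicKey is the verification key; in practice it is carried in the
// signer's certificate issued by the CA.
func (s *SigningService) PublicKey() *ecdsa.PublicKey { return &s.key.PublicKey }

// HashDocument runs on the client: the document itself never leaves it.
func HashDocument(doc []byte) [32]byte { return sha256.Sum256(doc) }

// signedMessage binds document hash, signer identity and signing time into one
// digest, so none of the three can be changed without invalidating the signature.
func signedMessage(docHash [32]byte, signer string, t time.Time) []byte {
	h := sha256.New()
	h.Write(docHash[:])
	h.Write([]byte(signer))
	h.Write([]byte(t.UTC().Format(time.RFC3339)))
	return h.Sum(nil)
}

// Sign is the signing API call. The service only ever sees the hash.
func (s *SigningService) Sign(docHash [32]byte, signer string) (SignedEnvelope, error) {
	signedAt := time.Now().UTC().Truncate(time.Second) // RFC 3339 has second precision
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, signedMessage(docHash, signer, signedAt))
	if err != nil {
		return SignedEnvelope{}, err
	}
	return SignedEnvelope{DocHash: docHash, Signer: signer, SignedAt: signedAt, Signature: sig}, nil
}

// Verify checks integrity (the document we hold hashes to the signed hash) and
// authorship and time (the envelope verifies under the signer's public key).
func Verify(pub *ecdsa.PublicKey, doc []byte, env SignedEnvelope) error {
	if HashDocument(doc) != env.DocHash {
		return errors.New("integrity failure: document differs from what was signed")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(env.DocHash, env.Signer, env.SignedAt), env.Signature) {
		return errors.New("signature invalid: wrong key, or signer/time altered")
	}
	return nil
}

func main() {
	svc, err := NewSigningService()
	if err != nil {
		panic(err)
	}
	doc := []byte("Purchase order 17: 100 units at 5 EUR") // constructed sample document
	env, err := svc.Sign(HashDocument(doc), "John Doe, accounting")
	if err != nil {
		panic(err)
	}
	fmt.Println("original:    ", Verify(svc.PublicKey(), doc, env))
	tampered := []byte("Purchase order 17: 1000 units at 5 EUR")
	fmt.Println("tampered doc:", Verify(svc.PublicKey(), tampered, env))
	env.SignedAt = env.SignedAt.Add(24 * time.Hour) // attempt to re-date the signature
	fmt.Println("time changed:", Verify(svc.PublicKey(), doc, env))
}
```

The point to notice is what crosses the API boundary: the client sends a hash, the service returns a signature over hash + signer + time, and the private key is never exposed. Replacing the in-memory key with an HSM-backed one, and the local clock with a signed time-stamp token, is exactly the integration work the paragraph above says a self-hosted DSS has to absorb.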
It is important to consider these hidden costs and investments, as well as limitations and overheads, when evaluating digital signature solutions.
Separately, if the DSS is critical for the organization, it must run with high uptime and provide sufficient throughput. That is, the solution has to be designed with a degree of redundancy and headroom for the future, on the assumption that the business will grow. The infrastructure must be scalable.
| | Digital signing service | Traditional implementation |
|---|---|---|
| Integration with document signing applications | Through a simple REST API | Requires internal cryptographic expertise to configure and support |
| Cryptographic signature components (certificates, OCSP, CRL, time stamps) | Included in the API; no advanced knowledge of cryptography or development resources required | Delivered separately; require separate calls from applications and internal development resources to configure |
| Scalability | High scalability; no additional configuration or integration required | Additional equipment and configuration may be required |
| High availability and disaster recovery | Delivered through GlobalSign's WebTrust-audited infrastructure with global data centers, redundancy and network security appliances | Requires additional investment in equipment |
| Private key management and storage | Through the REST API; no internal resources or equipment are used | The client is responsible for key management and storage (for example, in a cloud or on-premises HSM) |
| Signing identities | Signatures supported at two levels: departments and employees (for example, John Doe, accounting) | Not all solutions support both types of credentials |
A cloud service greatly simplifies deploying a document management system with digital signature support: all operations go through the API.
Cloud services vary in price and functionality, but they all offer flexibility, scalability and high availability. Although the services are paid, they spare the company from investing in a solution of its own, including the purchase of expensive cryptographic hardware.
Who might need a cloud-based digital signature service? In principle, any organization of any size that develops or commissions custom applications and intends either to integrate digital signatures into them or to use an application that already has them integrated:
- Document or application solution providers who want to integrate digital signatures or seals, or to offer them to their customers as a premium option guaranteeing protection of documents against forgery. A flexible model is supported here: digital signatures can be added as an additional layer or option.
- Companies that want to integrate digital signatures or stamps into their workflow.
- System integrators who implement digital signatures in existing and new workflow systems.
Ultimately, each organization will decide which DSS option is best based on its project requirements, taking into account regulatory requirements, the size of the organization and other factors, which are often unique to each case.