You’re going in the right direction of digitizing your organization processes, including Document Signing; however, when choosing the right signing solution you need to consider:
- Is the identity of the signer assured?
- Is there a way to tamper with the document contents after signing?
- Does the signature have trust and look good in Adobe and Microsoft platforms?
- Is it legally admissible and in compliance with relevant regulations?
Currently most out-of-the-box or off-the-shelf Document Signing options on the market force you to use a single signing application provider and only support unregulated electronic signatures. While the better ones are easy to use and offer good user experiences, the reliance on Electronic versus Digital Signatures has become an adoption roadblock as concerns over legal admissibility of signatures and regulatory compliance continue to grow.
So what can you do if you want an easy-to-use signing solution that also addresses these compliance concerns? Using Digital Signatures, which are based on verified identities and timestamped, helps meet most regulatory requirements but, as mentioned above, they aren’t widely available in most Document Signing workflows on the market today.
Instead, most organizations are left to put together a digital signing solution where they need to separately source everything and integrate. As we’ll outline below, this requires significant hardware and resource investment and can raise concerns about availability and ability to scale.
What Goes into a Digital Signing Service?
To deploy a digital signing service, you need more than just the signing workflow and user management. You will need something that attests to the identity of the signer – the signing certificate. This involves cryptographic elements, such as key management, FIPS level 2 or higher security storage for the credential(s) (e.g. hardware tokens or HSMs), OCSP or CRL service and a timestamping service. Putting together these components, especially integrating with an hardware security module (HSM) directly, be it cloud or on premise, requires a lot of IT or information security personnel bandwidth along with advanced crypto knowledge and development resources on hand.
It’s important to keep these hidden costs and investments, in addition to constraints and overheads, in mind when evaluating Digital Signature solutions.
The Hardware Burden
Managing HSMs on premise, and getting them to work together, requires a high level of overhead for development operations and IT infrastructure teams. This is in addition to professional support from the HSM sourcing companies, which costs up to 25% of the HSMs price annually for maintenance and service.
Not to mention that HSMs, just like any hardware, become outdated in terms of both their hardware capacities and their firmware versions. Your team will have to update and upgrade them as needed. This process will require large effort and overhead, especially from your Infrastructure and DevOps Teams. It will require hardware investment and professional services and will need additional development resources with advanced crypto-expertise to build the necessary integrations.
Availability and Up-Time
Furthermore, if signing is a critical part of your processes and you need high availability and disaster recovery, then you’ll need to double your investments as this requires redundancy in your HSMs and those mostly have to be hosted on premise, even when using cloud-based HSMs from major providers like Amazon.
Flexibility and Future Growth
Finally, let’s say your organization or business grows, or you decide to deploy digital signatures to other processes within your organization with different signer identities. In this case, scaling up or getting flexibility for more signer identities requires another investment in hardware and development or integrations.
The Future of Digital Signatures: The Cloud
Instead of the piecemeal approach outlined above, the new way to think about signing is to source the digital signing service through a seamlessly integrated cloud service. Here's what you should look for in such a service and why these would be beneficial.
- Cloud-based: Having a cloud service means no on-premise hardware to manage, lower overhead and administrator costs, more mobility and greater ability to work across most platforms and endpoints.
- Covers all crypto-components: The service should provide everything you need for digital signing, including certificate issuance, a trusted timestamping service, key management, hash signing and the revocation check you need for long term validation.
- Public trust from a Certificate Authority (CA) with Adobe Approved Trust List (AATL) and Microsoft Root Trust: This ensures that your signature looks good and is automatically trusted in Adobe and Microsoft products, satisfies your compliance requirements and has good legal standing.
- Integration and reliability: Has a simple API integration if you choose to integrate directly with it and provides high availability and disaster recovery at no additional investment.
- Flexibility: Allows you to easily access and use it with document management systems and signing workflows that you like to use and enable you to have multiple use cases through signer identity flexibility for your organization, individual employees, partners and end customers.
So Where Can You Get Such a Solution for Digital Signing?
GlobalSign will be launching our new cloud-based digital signing service that provides the easiest, fastest and most scalable way to deploy Digital Signatures. This service provides all necessary components to put a Digital Signature together with one simple API that you can integrate with if you have your own existing document and signing workflow solution – this means no hardware to manage or internal crypto-expertise needed! We are also working with a growing list of Document Signing applications to directly integrate our digital signing service, providing a complete end-to-end digital signature solution.