Transforming the Document Signing Process

Transcription

1 July 2015 Transforming the Document Signing Process Copyright Ascertia 2015 Sam Crook Key Account Manger

2 Agenda About us Why are digital signatures inevitable? What are digital signatures? What can you trust from a digitally signed document? Which applications are ideal for digital signatures? What are the high-level choices when implementing digital signatures? What helps to make digital signatures legally enforceable? 2

3 Ascertia overview Established in the UK in 2001 with decades of relevant industry and security expertise Key focus on government and financial services organisations Company focus is on real client relationships and secure, high quality products Product focus is on providing advanced digital signature solutions that deliver legal weight, high-trust cryptographic security Core brand message is the most secure way to sign A privately held company that listens to it s customers and partners! 3.

4 Ascertia global customers 4.

5 Why are digital signatures inevitable? 5

6 Remember these 6.

7 Where we are now In today s connected digital world, people want: Access to everything At any time From anywhere 7.

8 Paper presents process issues Substantial impacts: Time wasted Greater costs Inefficient processes Susceptibility to errors Poor data integrity Increase business risk Data leakage Lower level of trust Tracking issues Archive costs Complex paper based signing time: 28 days Complex digital signing time: 28 hours 8

9 Some stats A survey of more than 1,600 small businesses by j2 Global (the biggest electronic fax-service provider) late last year found that 27 percent of respondents would love to ditch their office fax machine in 2014 and invest in a digital option to replace it! 60% of companies admit to printing and signing documents and then scanning them back into their document management systems, according AIIM 2014 Employees who use paper-based processes can spend up to 20% of their workdays searching for information 9.

10 Digital signatures remove paper issues Originality with paper documents Paper copy of the original is needed using e-documents Always available on-line and more than one original can exist Completeness Pages can be missing, lost or damaged Not possible to have missing, lost or damaged pages Authenticity Achieved using inked initials and hand signatures Achieved using advanced digital signatures Non-repudiation Achieved using multi witnessed/notarised copies Achieved using ADS with optional notary Confidentiality Using sealed envelopes and couriers Using encrypted SSL/TLS secure sessions Time notarisation Workflow management Archiving May be unclear exactly when signed Document whereabouts is unclear! Difficult to find and scanned backups are unsuitable for proof On-line timestamp authority provides secure and trusted time of signing action The document status and next user action is always available Multiple copies can be kept at different sites in a secure digital archive format 10

11 Organisations face challenges Meeting customer demands and exceeding expectations Ensuring 24/7 availability and convenient access to services Shifting into a mobile and digital-first world Giving customers a first class experience Understanding the power shift and connecting on multiple channels Increasing efficiencies and delivering revenues Reducing paper use, archive, recovery Streamlining business processes Speeding up the customer acquisition / on-boarding process (KYC) Driving loyalty and repeat business and referrals from customer base Winning more business more frequently Meeting regulations and compliance Delivering strong security and standards compliance Ensuring legally binding documents, providing evidence and audit trails AML measures and reducing susceptibility to fraudulent activity Improving traceability, accountability, internal controls Ensuring validity of documents and files for the long term 20+ years 11

12 The value of digital signatures For the sender: Much less time and effort to manage overall process Easy to track status & easy to search and find documents Less mistakes by signers Reduce signer drop-off rates On average, up to 3 days is added to most processes in order to collect physical signatures. - AIIM For the signer: Simple Quick Can sign anytime, anywhere For the organisation: Happy customers & employees Better productivity & time to focus on core tasks Much higher security than ink-based paper signatures Easy to deploy, manage and control, clear audit trails High availability and back-up of important documents Cost effective 68% of companies using digital signatures have had payback within 12 month budget cycle - AIIM 12.

13 The benefits of digital signatures Identify and sign from any location on any device Enhanced digital workflow minimising errors Speed up internal and external signing processes Easy to use, robust and flexible Fast and secure archive of documents Improve efficiencies & customer experience Clearly identify signers and approvers Guarantee no document changes Provide full audit trail & evidence of actions Long term archiving of documents Legal acceptance compliance Prevent fraud & reduce business risk No paper, printer, postage, handling, storage Reduced carbon footprint and green credentials Fast ROI can be achieved by going digital Maintain integrity and accuracy of data Faster conversion of new business transactions Reduce cost & deliver fast ROI 13

14 What are digital signatures? 14

15 Basic e-signatures Signer makes their mark on the document Properties: No protection of the document itself Signer can claim e-signature was copied from another document Signer can claim document was changed after e-signing Signer can claim that this is not their signature 15.

16 e-signature with User s Digital Signature After e-signing, John digitally signs the whole document using his private signing key Properties: User s identity bound with the document (no one else can sign on behalf of this user) Document can t be changed without detection Signer can t deny having signed the document 16.

17 Registration process New User A new customer, employee, partner or citizen Identity Check Either the organisation performs the necessary background KYC checks and then enrols the user into SigningHub Or SigningHub can register users itself by checking: Access to identified address, or Validate using external identity providers Enroll into SigningHub Once identity verified, as part of the enrolment each user gets a unique digital signature key pair & certificate - referred to as the user s Digital ID. 17.

18 Digital signature process Sign 18 Identify User visits SigningHub, e.g.: By clicking a link in an requesting their signature, or Visiting the site directly, or As a result of interactions with a front-end portal Authenticate SigningHub verifies the user s identity via: Username/password 2-factor authentication Checking with an external Identity Provider (e.g. Oauth, SAMLv2) User reviews and signs the document using their own private signing key: User s identity bound with the document (no one else can sign on behalf of this user) Document cannot be changed without detection Signer can t deny having signed the document Signing key under the control of the signer.

19 Digital Signatures Digital Signatures: Subset of electronic signatures because also in electronic form Cryptographic codes providing much higher security and trust: 19

20 E-Signing (with witness digital signature) Sometimes need a user s signature immediately without registering them Sometimes need a user s signature without authenticating them Sign Unauthenticated user creates their e-signature mark User views the document and e- signs (squiggle mark) on the document Document is then digitally signed automatically using an independent server-held key: User s identity is not bound with the document (since user did not digitally sign with their own key) Document cannot be changed without detection since its crypto-protected by encrypting with the server-held key 20.

21 E-Signatures with Witness Digital Signatures After e-signing, the whole document is digitally signed using a central authority s private signing key Properties: User s identity is not bound with the document (since user did not sign with their own key) Document cannot be changed without detection since its digitally signed by the corporate key 21.

22 The different types of signatures EU Qualified Advanced Electronic Signatures Advanced Electronic Signatures Basic Electronic Signatures 22

23 What can you trust from a digitally signed document? 23

24 Creating an Advanced Electronic Signature Signer authentication proof of who actually signed the document. i.e. digital signatures linking the user s signature to an actual identifiable entity. Data integrity proof that the document has not been changed since signing. The digital signature depends on every binary bit of the document and therefore can t be re-attached to any other document. Non-repudiation i.e. the signer should not be able to falsely deny having signed their signature. That is, it should be possible to prove in a court that the signer in fact created the signature. 24.

25 Meeting the EU definition of advanced digital signatures Advanced digital signatures are: Uniquely linked to the signer Capable of identifying the signer Created using means that the signatory can maintain under their sole control Linked to the data to which it relates in such a manner that any subsequent change of the data is detectable Qualified signatures are also supported Requires a smartcard and reader or USB token plus a Windows or MacOSX appropriate driver software Advanced signatures are more commonly used than Qualified SigningHub delivers this automatically Custom branded corporate signing certificates can be offered Electronic Transactions Act 1999 (Australia) Australia s Electronic Transactions Act provides a regulatory framework that facilitates the use of electronic transactions and ensures that no transaction will be ruled invalid simply because it was completed electronically. This act was most recently amended in 2011 to provide even more protections to Australian consumers and businesses. Department for business innovation & skills guide: 25.

26 Which applications are ideal for digital signatures? 26

27 All kinds of documents need a signature 27.

28 What are the high-level choices when implementing digital signatures? 28

29 Consider carefully Which business process to automate first Use a cloud solution or on premise Standalone interface or integrated within existing web solution e-signatures, digital signatures, EU qualified signatures Single signing key or unique user-based signing keys Use built-in PKI or pre-existing external PKI scheme What level of authentication for users Server-side signing, local signing or mobile signing EU Qualified signatures, Adobe AATL signatures or Enterprise signatures 29.

30 What are the choices? Identify Sign Secure Identity confirmation Username, password (optional OTP) Active directory Two factor authentication Existing KYC data & web applications Trusted identity providers SAML/OAuth Client TLS/SSL authentication Using existing PKI trust schemes External Adobe CDS and AATL CAs EU Qualified CA certificate providers Sign from any location Using any modern browser - Windows / MacOSX / Tablet / Phone - Using specialist mobile apps Within any business web application - SharePoint, Dynamics, Salesforce - via web-portals Authorise signature using OTP Smartcard/USB Tokens Long term signature + timestamp Flexible signature appearance Unique signing certificate Industry standard signatures Securely held signer keys/certs eidas, TS compliance AES 256-bit encryption SHA-256, RSA2048, algorithms ISO PDF ISO PDF/A ETSI PAdES, CAdES, XAdES ETSI Long-term signatures Strong evidence audit logs 30

31 The key features of a trusted signature solution Strong authentication, integrity, non-repudiation and encryption Preventing mistakes when users are signing Supporting current open standard document formats and data types Creating long-term signatures Supporting keys/certs on Windows, MacOSX and mobile devices Providing strong trust using a secure WYSIWYS capability Making the digital signature process easy for non-technical people Quickly enabling applications to easily create digital signatures Allowing corporate re-branding and localisation Leveraging the value of existing trust schemes and KYC processes Supporting a full range of current and future desktops & devices 31.

32 Other important features Displaying an optional signature legal notice before signing Supporting mandatory initials for paragraphs or pages Supporting mandatory form fields to be filled before signing Support for delegated, group and bulk signing Enforce strong Data Loss Prevention features Document access permissions date/time, document locking Who can view and sign each document and in which order Optional document open password authentication can be set per user Control access to download and print features Data privacy for digital signature and also e-signature users 32.

33 What helps to make digital signatures legally enforceable? 33

34 Achieving Legal Certainty on a Global Scale Does the signature identify the signer? Can the user make their signature mark on the document? Can the signer s intention to sign be proven? Can you prove the signer was the only one who could have created the signature? Will any subsequent changes to the document invalidate the signature? Can the signature be verified many years into the future? Can the signature be verified independently of the solution provider? Is there a complete audit trail? 34

35 Achieving Legal Certainty on a Global Scale Click 35

36 Overview 36

37 Workflow for users and business applications E.G. ECM, CRM SharePoint, Dynamics, Salesforce 37

38 SigningHub Standalone Workflow 38

39 SigningHub Integrated Workflow 39

40 Mobile applications for signing Easy to sign on mobiles & tablets! 40

41 Demonstration 41

42 Document workflow (Preparation)

43 Document workflow (waiting for another signer)

44 Document workflow (now waiting for me)

45 Document workflow (open to view and sign)

46 Document workflow (check other signature details)

47 Document workflow (my next action)

48 Document workflow (wilful signing)

49 Document workflow (signatures completed)

50 Signature Verification

51 Document workflow (completed)

52 , Trust Delivered Register for an enterprise trial account today and start signing with advanced digital signatures! Sam Crook Trust Delivered Copyright Ascertia 2015