By Scott Brandt
One of the most basic security tenets of corporate workflow and document management systems is the requirement to keep files within the security of the corporate four walls as much as possible. When files are sent outside the organization, errors or other bad things can happen — certainly, we understand the vulnerability of giving out our personal information even to innocuous providers like Target or Equifax.
There are many instances where the delivery of native files is a necessity, but even then there are methods to control and secure files. Sending out links to files that force users to view, print, and check out files is still the preferred means, and meets security guidelines as issued by NIST.
Often, in workflows, there is a need to assign a formal approval to a document or a group of documents, or completion of a specific step irrespective of related documents. This approval can be represented using several methods, including freeform signatures, electronic and digital signatures, or simple application “I accept” buttons.
Use of freeform signatures was once the rage, but when institutions figured out how easy they were to copy and how drawing them was not the same as using a pen, they moved away from this method. Instead, some systems allow users to type their names using a script font, though these still present the same potential issues of security and uniqueness.
Sending out files for e-signatures
Most e-signature providers are similar in that they provide an independent authentication authority when it comes to the signing of documents. They provide this service by a) being a signature authenticator and b) keeping copies of files to which signatures have been associated. The authenticator asks users to submit files for signature and identifies signature and related fields to be filled out by the file recipient. Files are typically transmitted using SSL or other encryption technologies.
Signatures by the recipient are held by the authenticator as a means of proof of execution. This workflow requires the sender to forward the file to the e-signature organization every time a file needs a recipient’s signature or approval.
Third-party e-signature companies provide some comfort as being external to the organization requesting a signature. But this independence comes at a cost, in terms of both money and security. Using a third party for e-signatures can be expensive, with many charging on a transaction basis or on a per-user basis. This can add up. In addition, files are transmitted to a third party and kept by them. Though e-signature entities provide relatively high levels of security, they are still adding unnecessary transmission vulnerability and storage hacking risk into the equation.
Using digital signatures instead
For many use cases, the signature being applied is simply a designation of approval and is not a legal signature as defined in ESIGN and UETA legislation in the U.S. The signature may be to indicate the finality of a document, an agreement with the changes made to a document, that the file(s) have not been tampered with, or simply a means of moving a workflow ahead, as in “this step is complete.”
So, for the majority of situations in business today, there is no requirement for a legally binding signature, and using third-party e-signatures is not needed and is unnecessarily costly. An alternative is a digital signature, assigned to a file or workflow to indicate the appropriate endorsement. The receiver just needs to know that the document or drawing or step has been approved by an entity with appropriate authority for release and that the file has not been altered or changed since it was issued. Neither of these requirements needs a legally binding signature.
How is a digital signature different?
Digital signatures are very much like e-signatures. The major difference is that files signed with digital signatures don’t need users to access a third party to assign a signature. That is, the company becomes a self-authenticator through the use of a digital certificate, issued either by a certificate authority or by the company itself, attached to the file, similar to the certificate authentication process used in SSL (Secure Sockets Layer) connections.
The certificate is assigned to the file, and any application using the file first verifies that the certificate is valid and thereafter doesn’t allow any changes to the file. For situations where revisions or redlines are needed, the user must first make a copy of the file. Even if the file is renamed with the same name, the new file does not carry the certificate and, as such, is identified as a different file than the original.
Signatures for workflows
Many organizations use a project manager or professional engineer’s signature as a means of approving the completion of a workflow step or task (an engineer’s signature can even be augmented with the engineer’s seal stamp). This is a consistent method of advancing workflows, and while keeping an audit trail of who approved particular steps and when is useful for analysis, it certainly does not need to be authenticated by a third party.
For instance, a simple internal authentication against the organization’s Active Directory is more than sufficient to indicate consent. Using a digital signature rather than a simple “approved” button adds the assurance not only that the signer is who she/he says she/he is but also that the workflow step has not been altered after the fact. This assures all workflow users, including external parties, that there is integrity in the workflow and participant reviews.
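The tamper-evidence described above for signed files and signed workflow steps, as an added example (not code from the article or from any product): verification fails once the file or the approval record is changed. An Ed25519 key pair stands in for the organization's certificate, and the Approval record, its field names and the sample values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Approval is a constructed record format for one signed workflow step.
type Approval struct {
	Step       string `json:"step"`
	Signer     string `json:"signer"`      // e.g. the directory account that approved
	ApprovedAt string `json:"approved_at"` // timestamp kept for the audit trail
	FileSHA256 string `json:"file_sha256"` // binds the approval to the exact file bytes
}

// NewKeyPair stands in for the organization's signing certificate (assumption).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// SignApproval hashes the file, builds the record and signs its JSON encoding.
func SignApproval(priv ed25519.PrivateKey, step, signer, at string, file []byte) (Approval, []byte) {
	a := Approval{Step: step, Signer: signer, ApprovedAt: at, FileSHA256: fmt.Sprintf("%x", sha256.Sum256(file))}
	msg, _ := json.Marshal(a) // struct fields encode in a fixed order
	return a, ed25519.Sign(priv, msg)
}

// VerifyApproval checks the signature over the record, then the file against the record.
func VerifyApproval(pub ed25519.PublicKey, a Approval, sig, file []byte) error {
	msg, _ := json.Marshal(a)
	if !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("approval record altered or not signed by this key")
	}
	if fmt.Sprintf("%x", sha256.Sum256(file)) != a.FileSHA256 {
		return fmt.Errorf("file differs from the approved version")
	}
	return nil
}

func main() {
	pub, priv := NewKeyPair()
	file := []byte("DRAWING A-101 rev C") // constructed sample content
	a, sig := SignApproval(priv, "structural-review", "jdoe@example.com", "2024-01-15T10:00:00Z", file)
	fmt.Println("as issued:  ", VerifyApproval(pub, a, sig, file))
	fmt.Println("edited file:", VerifyApproval(pub, a, sig, []byte("DRAWING A-101 rev D")))
}
```

Verification needs only the public key, so an external party can check an approval without contacting the signer or any third-party service.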
Digital signatures get the job done
So, though e-signatures can be used for workflow management, doing so is often more costly and more than is needed, and makes analysis of audit trails more difficult. Digital signatures can provide the needed consents and the assurance that the workflow steps have not been altered.
Approvals and signatures, though not the same, can be used interchangeably, with a digital signature providing the added assurance that the signer is authentic and the signature has not been tampered with. Moreover, digital signatures done internally by your workflow system don’t require a connection to a third-party authenticator, which makes them more secure and less costly.