Magazine Article | July 10, 2006

Keep Paper At Bay With Digital Signatures

Source: Field Technologies Magazine

While once too expensive and time-consuming to implement, advancements in digital signature solutions are making the technology affordable … even to SMBs.

Integrated Solutions, July 2006

While hordes of businesses have implemented document imaging and ECM (enterprise content management) systems to decrease the paper flow within their organizations, most still find themselves printing countless paper documents on a daily basis. Some of the primary reasons for this counterproductive act are to obtain signatures on documents that require executive approval or to keep a permanent record of document originals. Recent government and industry regulations, such as Sarbanes-Oxley and HIPAA (Health Insurance Portability and Accountability Act), place significance on signer authenticity and data integrity and have only served to promote paper creation for this purpose.

“With all the litigation stressing document integrity, businesses are clamoring for a vehicle that will allow them to provide a measure of security on their scanned images and electronic files,” says Chris Larson, integration manager for the KODAK Capture Division of Eastman Kodak Company. “Organizations are hungry for any technology that can prove that their digital files have not been altered, thus allowing them to be kept in an electronic state.”

Technologies allowing for the authentication of electronic documents have been around for years. However, the business community has largely disregarded these digital signature solutions because of confusion surrounding the technology and the costs historically involved in implementing a proper digital signature infrastructure. This article will attempt to shed some light on the subject by providing you with an outline of digital signature concepts, some trends that are making the technology more affordable and easier to deploy, and some tips on how to select a solution that’s right for your business.

While the terms digital signature and electronic signature sound the same and are sometimes used interchangeably, there is a significant difference between the two. According to Electronic Signature Legislation, by Thomas J. Smedinghoff and Ruth Hill Bro, an electronic signature is a generic, technology-neutral term referring to all of the various methods by which one can sign an electronic record. It can be something as simple as adding text, symbols, or pictures to a document. While they provide a visual representation that a document has been signed, electronic signatures are not designed using industry standards. Therefore, they are susceptible to forgery and not universally verifiable.

A digital signature, on the other hand, is a term for one technology-specific type of electronic signature. It uses an industry standard, known as a PKI (public key infrastructure) to add a digital fingerprint to an electronic file that is unique to both the document and the signer. A PKI enables users of a basically unsecure public network, such as the Internet, to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority.

“Using a digital signature based on the PKI standards is the only mechanism currently available that will provide true signer authenticity and proof of data integrity for your electronic files,” says Gadi Aharoni, CEO of Algorithmic Research (ARX). “Furthermore, the standard is supported by a large selection of popular business applications, such as Microsoft Word, Adobe, and WordPerfect, allowing digital signatures to be universally verified from within these applications themselves. The standards allow a digital signature to become an integral part of these documents and, unlike  electronic signatures, can be verified without a plug-in to special verifying software.”

With such convincing evidence supporting the integrity of digital signatures over electronic signatures, why do some businesses still implement proprietary electronic signature platforms? Why doesn’t everybody opt for a digital signature solution? The reason is that a standard digital signature infrastructure has traditionally been painful and costly to deploy.

“To sign a document using a digital signature, each signer needs to have his own private digital signature key,” says Aharoni. “In order to set up an  infrastructure that provides each user with a signature key, the keys first need to be issued and certified by an element called a Certification Authority [CA]. A business not only needs to set up a CA, it also needs to generate, distribute, and manage these keys. The up-front costs for this process are expensive by themselves, but add the IT time and effort traditionally necessary to manage signature keys and integrate them into the existing IT infrastructure, and the total cost of ownership increases exponentially. This made an average digital signature solution an initiative that cost several hundred thousand dollars for a company to deploy.”

Obviously, few companies can justify an investment of this magnitude on a digital signature solution. In fact, the expense historically made the technology cost-prohibitive for most SMBs. However, advancements in the technology are beginning to make digital signature solutions a realistic option for this business segment.

Digital signature appliance solutions are eliminating many of the complicated issues companies formerly had to deal with in setting up a digital signature infrastructure. These appliance solutions provide businesses with the necessary certificates and signature keys on a single device and allow organizations to manage these signatures centrally. These solutions provide open access to a SAPI (signature application programming interface) that allows digital signatures to be quickly and easily integrated into third party software applications, including many document management and ECM software packages. Using a SAPI, an ECM vendor can create a button on the main user interface screen within its software product and provide end users with a one-click approach to digitally signing their electronic documents. All of the complicated key management issues occur behind the scenes as a function of the device.

“By coupling document management solutions with digital signature technology, digital signature procedures become easier to establish and integrate,” says Greg Schloemer, president of DocuWare. “This trend lowers the total cost of ownership of digital signature technology, making it more appealing to the midmarket.” For example, using this approach, a business can implement a PKI-standard digital signature solution for between $20,000 and $30,000, as opposed to several hundred thousand dollars.

The increased affordability of digital signatures is opening up many more businesses to the benefits of the technology. One of the primary benefits is the impact digital signatures can have on compliance efforts. “A digital signature is an excellent tool and a great asset to senior corporate management and the IT department as a way to meet compliance issues,” says Schloemer. “Once digital signature procedures are in place, these parties will no longer be responsible to identify originators, senders, and recipients of documents to satisfy certain government regulations. Furthermore, a digital signature can prove without question that a document is an unaltered original.”

Digital signatures can also help you improve internal processes and reduce paper production costs. For example, it may take months to collect handwritten signatures on a paper document that requires several levels of approval. However, by switching to digital signatures, all responsible parties can be e-mailed a link to the document in question and digitally sign the file with the touch of a button. This process not only reduces approval turnaround times, it also eliminates the costs involved with printing out documents already in electronic format.

Of course, even if you invest in digital signature technology, none of these benefits will be realized if you can’t convince your employees to use the solution. Therefore, in addition to looking for a digital signature solution that is easy to deploy, manage, and use, you should also look for one that supports graphical signatures. A graphical signature is a digital representation of an individual’s handwritten signature. “Graphical signatures are not necessary to the digital signature process and add nothing to the document from a security standpoint, but they do have a dramatic psychological impact,” says Aharoni. “A graphical signature ensures the signature is visually noticeable and reassures the user that they have actually signed the document and it is now compliant. This simple affirmation can have a dramatic impact on user adoption.”