The Security of Cloud-Based Electronic Signature
5 Nov, 2012
By: Joan Ross
Cloud-based electronic signatures are a powerful way to accomplish business goals with ease
No matter the size of the business and no matter what type of business, the selection of technologies in today’s economy is driven by the dual needs of saving money and increasing revenue. However, there’s little sense in selecting a complex system that will take months for users to learn, and that they may never adopt if it isn’t easy, convenient and secure.
Cloud-based electronic signatures are a powerful way to accomplish these business goals with ease. In fact, every day, all over the world, businesses and individuals are forgoing pen and paper – and all of the hassles associated with printing, faxing, scanning, even overnighting documents for signature – and instead, signing important business and personal documents online. From signing a vendor or dealer contract, to signing a home mortgage, and everything in between, eSignatures are disrupting the way business gets done for the better.
Electronic signatures have been legally binding in the United States since 2000, when Congress passed the ESIGN Act. They became legal in Europe even before that, and over the past 10 years electronic signatures have been embraced throughout the world. Today, eSignatures have gone from a ‘nice to have’ to a ‘must have’ as a business imperative.
With extensive benefits and proven legality, the question of the selection of an electronic signature solution often comes down to security. How secure is electronic signature, especially when compared with the known way of doing business, pen and paper?
The Cloud and Electronic Signature
Imagine if there were a way for a company to transact business faster, cheaper, and in a manner that met all essential legal and security requirements—and was easy to implement and use, creating a better experience for your customers, employees, partners and suppliers. An electronic signature (eSignature) transaction management platform available as a software-as-a-service (SaaS), and globally certified as an information security management system, can be the answer.
Often one experience of being asked to sign a document with electronic signature is enough to ignite interest in learning more about the technology. For others the driver is the frustration of needing to sign a form, not having paper in the printer, not having access to a fax machine—or even the other side of the transaction: waiting around for a signed fax, or driving all over town just to get the signature. Not to mention the expense and waste of paper. How many times have you printed and signed a document then scanned it just so you could attach it to an email to return to the sender? Once that digital copy is saved, the signed piece of paper is just shredded and tossed out.
This experience is common for account executives looking to get the last signed contract to meet quota, or a parent who needs to return a field trip permission slip. It’s universal. The good news is, there’s a simple, fast solution for all: electronic signature.
When considering the reputation and features of a particular electronic signature service, the security of the service is of the utmost importance—but often misunderstood. The following provides an overview of the security considerations for a cloud-based eSignature vendor.
A top concern for anyone considering electronic signature is data ownership. A trustworthy eSignature vendor will enable the customer to determine who is authorized to view and sign their documents. It does so by implementing a certified encryption and key management program, so that no one except the parties the sender authorizes can view their data and ownership of the data remains under the customer’s control.
Robust Security Architecture
Electronic signatures are a mission-critical service to customers, and the underlying architecture must be available to meet global use considerations in an on-demand manner. Not only must the architecture be resilient to handle and scale for peak loads, but security controls must be persistent and tested as effective on a continuous basis. Vendors should be tested and examined in peak load analysis to ensure continuous availability and that no degradation of service or data loss is experienced by customers.
Security Audit Transparency & Certifications
Of paramount importance to chief information security officers are the levels of security audits and the number of certifications achieved by cloud-based vendors. A best practice is to look for a vendor certified under leading international standards, such as the global ISO/IEC 27001:2005 information security standard. Other ways in which a vendor can provide assurance include SSAE 16 examination and testing, compliance with PCI DSS 2.0 as both service provider and as a merchant, TRUSTe certification, and membership in the U.S. Department of Commerce
Information Security Management System (ISMS)
A company using an eSignature solution should demand the confidence of using a transaction management service certified to the highest global standards of information security management systems (ISMS) as defined by ISO 27001 certification. The full scope of enterprise and production services should be certified from security policy through incident response. This includes not only engineering, operations, and quality assurance processes, but also the office, datacenters and even customer service operations. This provides assurance that end-to-end service and security management is in place.
Business Continuity and Disaster Recovery
For maximum confidence, the vendor should have a geo-diverse distributed service, certified and examined in business continuity and disaster recovery to ensure optimum and available transactional service. The vendor should routinely contract to optimum service level agreements, with an annually tested program to ensure that SLA levels can always be met and improved upon through full-scope testing. Advanced replication technology can ensure the most up-to-date customer documents are readily available during any business disruption or disaster scenario. Professional, commercial-grade datacenters should provide strong physical, environmental, and security access controls, and ensure diversity in datacenter vendors.
Minimum Due Diligence
For CISOs responsible for third-party security assessments of cloud-based services, an important minimum due-diligence baseline for offsetting and managing organizational risk is to demand global ISO 27001 certification, an SSAE 16 report covering both the eSignature business and its datacenter, PCI DSS compliance (for assurance of general computing controls at the infrastructure level), and TRUSTe/U.S. Department of Commerce Safe Harbor certification for privacy requirements.
Confidence in the Future of eSignature
Electronic signatures make sense today because so much of individuals’ daily lives—whether it’s personal or business—is now conducted online, and especially on mobile devices. The traditional signature, as the last critical piece of business that’s not digital, causes too much hassle, cost and rework to ignore. Maintaining a pen-and-paper signature process is expensive, with all that paper, faxing, scanning and overnight shipping. Then there’s accuracy—because errors are generated from retyping form information back into a computer after the form is signed—plus wasted time and needless damage to the environment.
This, of course, is where electronic signatures begin to make a lot of sense. And once the question of security is resolved—and it can be through careful selection of the vendor—the decision to make the move to the leading cloud-based electronic signature solution is effortless.