Click here to close now.




















Welcome!

Microservices Expo Authors: VictorOps Blog, Pat Romanski, Elizabeth White, Liz McMillan, Trevor Parsons

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Linux Containers, Cloud Security, @BigDataExpo

@CloudExpo: Article

Four Things to Consider for E-Signature Security in the Cloud

Striking the right balance to manage risk while ensuring maximum adoption

As the number of companies adopting cloud-based solutions continues to increase, security remains top of mind for vendors, companies and their customers. Organizations of all types and sizes are opting for cloud e-signatures for many reasons including speed-to-market, agility and a lower total cost of ownership. What organizations concerned with cloud security may not know is that all e-signature solutions are not created equal; enterprise-class cloud e-signatures enable security that is beyond simply passing a security audit or obtaining certification. There are four areas organizations should keep in mind when considering SaaS e-signatures.

1. Data Protection
Recent large-scale data breaches and general concern over personal privacy in digital spaces have understandably left many wondering if their customer data is secure. E-signature solution vendors have the responsibility to ensure data is safe, which includes protecting against privacy breaches or malware attacks and ensuring that data is encrypted in transit and at rest.

In order to demonstrate that the organization has adequate controls for data protection, including technology and processes, the e-signature service host should meet the strictest certification standards like Service Organization Controls (SOC) 2, which reflects that the organization has adequate controls for data protection, including technology and processes.

The good news is that cloud computing has matured over the years and now offers trustworthy infrastructure solutions with stringent security protocols in place. However, the infrastructure used not only needs to ensure high availability, but also that the data is securely backed up and is protected against unauthorized access. The e-signature provider should be leveraging a mature, trusted and certified cloud infrastructure solution such as Amazon Web Services rather than relying on in-house servers. Finally, when evaluating an e-signature vendor, it's important to ask what security protocols and controls are in place to ensure it is keeping data safe and secure.

2. Strong Identification, Authentication & Attribution
Security and user identification, authentication and attribution are important considerations for organizations wanting to embrace cloud-based technologies. Identification is the progress of verifying someone's identity either in person or remotely, whereas authentication is the process of verifying user credentials (most often user name and password) prior to giving access to a system - in this case, e-signing. Many financial services, insurance, healthcare and government organizations require advanced authentication methods to validate the identity of signers. Examples of identification can include email, SMS text passcode, Q&A and third-party authentication services. The e-signature solution should offer a variety of ways to authenticate signers depending on:

  • The legal and compliance risk
  • The likelihood of fraud
  • The value of the process being automated

3. Tamper-Evident E-Signatures
With tamper-evident controls, all parties involved in a transaction can trust the integrity of a signed document. If the document has been adjusted even slightly, it will invalidate any signatures and alert signers to the fact that it has been tampered with.

In order to ensure these controls are properly in place, digital signature technology should be applied at each signature location, creating a digital fingerprint of the document (called a hash) that can be used at any point to verify the integrity of the electronic record. This verification should take place in the document rather than sending the use to the vendor's website to validate the signature. Since e-signatures are only as good as the security that protects them, it's important that any attempt to tamper with any part of the document, for example adding or deleting words or replacing pages, should be visible. An enterprise-class e-signature solution should demonstrate this tampering by invalidating all the signature areas within the document.

4. Detailed Evidence Through an Embedded Audit Trail
The hashing of information into the document not only secures a document but it also creates a reliable and consistent audit trail of who signed, in what order, at what time and in what locations. Further, using e-signatures built on digital signature technology, the audit trail is securely embedded into the document. That means that all electronic signatures, the time stamping and the audit trails would be embedded directly within the document and not stored separately in the cloud or ‘logically' associated in a vault or proprietary database.

Organizations should have access to this data without having to depend on a vendor or its systems for access. This type of vendor independence is a concern for many organizations looking at cloud applications and gives users peace of mind that their valuable business records will remain in their control for as long as their retention policies require. An embedded audit trail means your e-signed records will work seamlessly with your content management systems or your chosen system of record.

When it comes to electronic signatures, taking a multi-pronged approach will ensure the highest level of security for documents and data that pass through a cloud e-signature solution. At the same time, it's important to choose an enterprise-class e-signature solution that offers additional security measures like embedding all data associated with the transaction into the document, reliably reproducing that data as evidence in the event of a dispute and enabling the reduction of risk around non-compliance. Ultimately, this multilayer approach to cloud e-signature security will foster customer confidence and protect an organization's reputation.

As organizations ponder these security features and requirements, it is highly recommended that they apply a level of controls and safeguards comparable to the paper process. Some organizations have a tendency to believe that putting a process online requires stricter security, however security and usability can at times be opposing forces. Organizations must strike the right balance so to manage risk while ensuring maximum adoption.

More Stories By Tommy Petrogiannis

Tommy Petrogiannis is CEO & Co-Founder of Silanis. As President and CEO, he is responsible for setting the company strategy and vision, building corporate culture and ensuring the entire team is working towards the corporate goal of delivering the ‘best possible customer experience’.

Within Silanis, Tommy has inspired a deeply-rooted culture of charitable giving and community involvement, supporting causes proposed by employees as well as those to which the company has a longstanding commitment. These have included the Royal Victoria Hospital’s Tiny Survivors Program, Canderel Cancer Run, Leukemia & Lymphoma Society, Kids Code Program and others.

Tommy’s two decades of IT experience include positions at Compaq and Matrox Electronics.

He holds a BS in engineering from Concordia University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
Early in my DevOps Journey, I was introduced to a book of great significance circulating within the Web Operations industry titled The Phoenix Project. (You can read our review of Gene’s book, if interested.) Written as a novel and loosely based on many of the same principles explored in The Goal, this book has been read and referenced by many who have adopted DevOps into their continuous improvement and software delivery processes around the world. As I began planning my travel schedule last...
Puppet Labs has announced the next major update to its flagship product: Puppet Enterprise 2015.2. This release includes new features providing DevOps teams with clarity, simplicity and additional management capabilities, including an all-new user interface, an interactive graph for visualizing infrastructure code, a new unified agent and broader infrastructure support.
Akana has announced the availability of the new Akana Healthcare Solution. The API-driven solution helps healthcare organizations accelerate their transition to being secure, digitally interoperable businesses. It leverages the Health Level Seven International Fast Healthcare Interoperability Resources (HL7 FHIR) standard to enable broader business use of medical data. Akana developed the Healthcare Solution in response to healthcare businesses that want to increase electronic, multi-device acce...
Any Ops team trying to support a company in today’s cloud-connected world knows that a new way of thinking is required – one just as dramatic than the shift from Ops to DevOps. The diversity of modern operations requires teams to focus their impact on breadth vs. depth. In his session at DevOps Summit, Adam Serediuk, Director of Operations at xMatters, Inc., will discuss the strategic requirements of evolving from Ops to DevOps, and why modern Operations has begun leveraging the “NoOps” approa...
SYS-CON Events announced today that the "Second Containers & Microservices Expo" will take place November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities.
SYS-CON Events announced today that G2G3 will exhibit at SYS-CON's @DevOpsSummit Silicon Valley, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Based on a collective appreciation for user experience, design, and technology, G2G3 is uniquely qualified and motivated to redefine how organizations and people engage in an increasingly digital world.
SYS-CON Events announced today that DataClear Inc. will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. The DataClear ‘BlackBox’ is the only solution that moves your PC, browsing and data out of the United States and away from prying (and spying) eyes. Its solution automatically builds you a clean, on-demand, virus free, new virtual cloud based PC outside of the United States, and wipes it clean...
It’s been proven time and time again that in tech, diversity drives greater innovation, better team productivity and greater profits and market share. So what can we do in our DevOps teams to embrace diversity and help transform the culture of development and operations into a true “DevOps” team? In her session at DevOps Summit, Stefana Muller, Director, Product Management – Continuous Delivery at CA Technologies, answered that question citing examples, showing how to create opportunities for ...
Microservice architecture is fast becoming a go-to solution for enterprise applications, but it's not always easy to make the transition from an established, monolithic infrastructure. Lightweight and loosely coupled, building a set of microservices is arguably more difficult than building a monolithic application. However, once established, microservices offer a series of advantages over traditional architectures as deployment times become shorter and iterating becomes easier.
In his session at 17th Cloud Expo, Ernest Mueller, Product Manager at Idera, will explain the best practices and lessons learned for tracking and optimizing costs while delivering a cloud-hosted service. He will describe a DevOps approach where the applications and systems work together to track usage, model costs in a granular fashion, and make smart decisions at runtime to minimize costs. The trickier parts covered include triggering off the right metrics; balancing resilience and redundancy ...
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
Whether you like it or not, DevOps is on track for a remarkable alliance with security. The SEC didn’t approve the merger. And your boss hasn’t heard anything about it. Yet, this unruly triumvirate will soon dominate and deliver DevSecOps faster, cheaper, better, and on an unprecedented scale. In his session at DevOps Summit, Frank Bunger, VP of Customer Success at ScriptRock, will discuss how this cathartic moment will propel the DevOps movement from such stuff as dreams are made on to a prac...
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies leverage disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advance...
The pricing of tools or licenses for log aggregation can have a significant effect on organizational culture and the collaboration between Dev and Ops teams. Modern tools for log aggregation (of which Logentries is one example) can be hugely enabling for DevOps approaches to building and operating business-critical software systems. However, the pricing of an aggregated logging solution can affect the adoption of modern logging techniques, as well as organizational capabilities and cross-team ...
Culture is the most important ingredient of DevOps. The challenge for most organizations is defining and communicating a vision of beneficial DevOps culture for their organizations, and then facilitating the changes needed to achieve that. Often this comes down to an ability to provide true leadership. As a CIO, are your direct reports IT managers or are they IT leaders? The hard truth is that many IT managers have risen through the ranks based on their technical skills, not their leadership ab...
In today's digital world, change is the one constant. Disruptive innovations like cloud, mobility, social media, and the Internet of Things have reshaped the market and set new standards in customer expectations. To remain competitive, businesses must tap the potential of emerging technologies and markets through the rapid release of new products and services. However, the rigid and siloed structures of traditional IT platforms and processes are slowing them down – resulting in lengthy delivery ...
Several years ago, I was a developer in a travel reservation aggregator. Our mission was to pull flight and hotel data from a bunch of cryptic reservation platforms, and provide it to other companies via an API library - for a fee. That was before companies like Expedia standardized such things. We started with simple methods like getFlightLeg() or addPassengerName(), each performing a small, well-understood function. But our customers wanted bigger, more encompassing services that would "do ...
Docker containerization is increasingly being used in production environments. How can these environments best be monitored? Monitoring Docker containers as if they are lightweight virtual machines (i.e., monitoring the host from within the container), with all the common metrics that can be captured from an operating system, is an insufficient approach. Docker containers can’t be treated as lightweight virtual machines; they must be treated as what they are: isolated processes running on hosts....
SYS-CON Events announced today the Containers & Microservices Bootcamp, being held November 3-4, 2015, in conjunction with 17th Cloud Expo, @ThingsExpo, and @DevOpsSummit at the Santa Clara Convention Center in Santa Clara, CA. This is your chance to get started with the latest technology in the industry. Combined with real-world scenarios and use cases, the Containers and Microservices Bootcamp, led by Janakiram MSV, a Microsoft Regional Director, will include presentations as well as hands-on...
DevOps has traditionally played important roles in development and IT operations, but the practice is quickly becoming core to other business functions such as customer success, business intelligence, and marketing analytics. Modern marketers today are driven by data and rely on many different analytics tools. They need DevOps engineers in general and server log data specifically to do their jobs well. Here’s why: Server log files contain the only data that is completely full and accurate in th...