No Hiding in the Cloud: The Telltale Signature of Inefficient, Nonsecure Processes
No Hidingin the Cloud:THE TELLTALE As organizations increasingly adopt cloud transforming traditional business pro-SIGNATURE OF technology, the chief information secu- cesses. In CIO magazine’s “2012 State ofINEFFICIENT, rity officer (CISO) role is taking on greater the CIO” survey, the cloud was the factor prominence as broker across corporate divi- cited most often as influencing the role ofNONSECURE sions in order to ensure proper due diligence the CIO in the next three to five years.PROCESSES is performed and strong data protections are in effect. As a result, many are turning a critical eye on one particular business pro- ✔ SECURE BUSINESS ASSETS cess that continues to defy auditing, lacks IN THE CLOUD anti-tampering controls and eschews digital authentication and authorization: the paper- The cloud equation is indeed a strong one. based, “wet-ink” signature. Today, ROI discussions are often centered around what can be more cost-effectively There’s little doubt that cloud technology, deployed, transitioning previously auto- or IT delivered as a service, is dramatically mated functions “into the cloud” to take
2 No Hiding in the Cloud“With the advantage of the cost benefits, flexibility compliance requirements to protect sensi- increasing and scalability derived from software- tive data and intellectual property. demand and as-a-service (SaaS), infrastructure-as-a- expansion of service (IaaS) and platform-as-a-service The forces transforming the delivery of (PaaS)—utilizing technology as a utility. information technology via cloud and to the global role an increasingly diverse array of mobile of security, According to a report earlier this year sur- devices are also transforming the role of the role of a veying 554 IT professionals, six out of 10 the CISO. As Forrester analyst Andrew modern CISO U.S. companies already have at least one Rose noted in a recent blog, “Security is evolving application in the cloud, and 71 percent management now encompasses much from simply expect to increase spending on cloud ser- more than technology; CISOs can build being a tech- vices in the next 12 months.i In addition their reputation and enhance their per- nical officer to business continuity, the top business sonal career prospects by talking ‘ROI’ to a leader drivers for moving to cloud services are rather than ‘IPS’ and influencing their increasing speed of deployment, gaining colleagues at the highest levels of the in business the flexibility to react to market condi- organization.”ii strategy.” tions, and improving customer support. IDC senior market analyst Naveen Hegde, Yet that same survey indicates significant reviewing results of an IBM survey of concerns that putting data in the cloud CISOs, came to a similar conclusion: also carries risks, with 70 percent of the “With the increasing demand and expan- respondents citing security worries as the sion of the global role of security, the role top barrier to their adoption of cloud com- of a modern CISO is evolving from simply puting. Whether implementing services being a technical officer to a leader in via public cloud, private cloud or a hybrid business strategy.”iii of both, organizations are relying on some form of shared access beyond the One of the key factors in this transfor- walls of the data center, often intending mation of the CISO role is the grow- to increase availability of those resources ing requirement for sharing information to mobile users within or outside of the securely outside of the walls of the enter- organization. prise. According to PriceWaterhouseCoo- pers, “Once seen only as the first step in Already concerned about compliance and asset protection, today’s security plays security for more traditional IT resources, a critical role in enabling the exchange CIOs, CISOs and CEOs now have to worry of sensitive information with other about managing risk and building trust organizations.”iv within a new computing paradigm that is i Lauren Brousell, “CIOs Plan evolving rapidly and along different lines to Increase Cloud Spending,” March 28, 2012. CIO magazine. of deployment. Of paramount importance ✔ PAPER, PEN AND INK: THE WEAK ii Andrew Rose, “Go Beyond to these executives advocating a cloud- LINK IN THE SECURITY CHAIN Technology To Build An Effective Security Practice,” based approach is the determination that July 24, 2012. Forrester Research. the cloud provider offers the same—if not One of the most persistent forms of greater—level of information security as exchanging information with other orga- iii Naveen Hegde, “IBM Study: Changing Role of CISO, from the organization itself. Beyond business nizations is the written signature. Used Technical Officers to Business Strategy Leaders,” efficiency qualifications, the very nature of for myriad purposes, from legally binding July 2, 2012. IDC Insights. a CISO’s responsibilities is to ensure any contracts to proposals to finance applica- iv “How to align security with your strategic business objec- selective adoption of cloud service pro- tions and so on, the “wet-ink” signature tives,” 2005, viders meets stringent due diligence and is a fundamental business process that PriceWaterhouseCoopers LLC.
3 No Hiding in the Cloud“ ocuSign’s D many organizations are still struggling to transmission of paper documents lacks eSignature automate. basic security protections that are rou- services not tinely applied to electronic data, such as Considering the time involved, and the encryption and authentication. So, why only allow effort and cost of printing, faxing, scan- has paper-based signing persisted when for secure ning and overnighting documents of all nearly every business process leading business types for signature—not to mention the up to and following the signature has transactions labor-intensive processes of keying and changed? to be com- rekeying data—it is remarkable how many pleted from of today’s highly automated businesses “Signatures remain small, but important, almost still remain tied to eminently manual components of myriad business transac- anywhere, methods. Many make significant invest- tions,” Gartner Inc. analyst Gregg Kreiz- they make our ments in sales and marketing automa- man wrote in a 2012 report.v “Signature tion to accelerate the acquisition of new requirements can be found in internal and sales process customers and revenue, only to leave the external interactions, but are most sought more efficient, most crucial part of the process—actually as formal components in transactions customer- gaining a binding customer agreement— among parties in different organizations.” centric as well completely manual, time-consuming and as credible.” labor-intensive. While other business processes suc- cumbed to automation, adoption of What is more striking, however, is that electronic signatures, or e-signing, lagged “wet-ink” signatures and paper-based behind, for many reasons. Initially, there documents are inherently unsecure. For were legal issues regarding acceptance of the most part, both can be duplicated, digital signatures on filings and contracts, used by unauthorized parties, and even but the European Community in 1999 and stolen without anyone realizing it. the United States in 2000 adopted legisla- tion to ensure legal validity of electronic Marci McCarthy, president and CEO of signatures and electronic documents. T.E.N. and creator of the Information Security Executive® Programs recognizing Also, before the Web and cloud, organiza- the contributions of security profession- tions were only able to take advantage of als within organizations, is a proponent of on-premise server-based systems, which adopting electronic signature for business were complex and lacked standards for efficiencies and transaction management certification, limiting their appeal at many within a secure platform service. “Docu- organizations that were already struggling Sign’s eSignature services not only allow to maintain disparate systems and facing for secure business transactions to be interoperability issues with partners and completed from almost anywhere, they customers. make our sales process more efficient, customer-centric as well as credible,” McCarthy says. “Furthermore, this type of ✔ E-SIGNING COMES OF AGE product provides T.E.N. and our custom- ers with a virtual repository that is acces- Consumer-facing businesses such as lend- sible, auditable and accountable.” ing and insurance have adapted quickly to customers who are increasingly com- An organization’s most valuable asset fortable with and often expect to be ablev Gregg Kreizman, “TheElectronic Signature Market Is outside of its employees is the intellectual to transact all activity electronically fromPoised to Take Off,” May 21, property around the data it transacts, yet their desktops, laptops, mobile phones2012. Gartner Inc
4 No Hiding in the CloudAs companies and tablets. That has dramatically trans- 16 examined and tested, PCI DSS 2.0look for inno- formed acceptance, adoption and use of compliant as both a merchant and level-vative ways e-signing. one service provider, TRUSTe certified and a member of the U.S. Department ofto increase Organizations reliant on customer rela- Commerce Safe Harbor.speed to tionship management (CRM) or salesresults, force automation (SFA) systems havereduce costs come to recognize that e-signing can ✔ WHY E-SIGNING IS A BETTERand enhance accelerate the ROI from these systems by SOLUTIONcustomer shaving days or even weeks of process-engagement, ing time off of orders and contracts that Whether it’s sales teams closing moreelectronic sig- require signatures. deals, banks and credit unions process-nature ing more loans, insurance providers and The cloud has dramatically lowered bar- agents accelerating the speed to cover-has gone riers of acceptance. In 2010, DocuSign age for clients, or healthcare companiesfrom a “nice introduced the Connect API to increase getting patients the care they need moreto have” to a interoperability with key cloud platforms quickly, e-signing is helping companies“must have” like Force.com, Ruby and PHP, allowing transform their processes, automatebusiness developers to easily and securely create workflows and accelerate transactions toimperative. and integrate native applications with do business faster and better —all while the DocuSign electronic signature plat- delighting customers and reducing costs.vi form. In an assessment of DocuSign’s elec- As companies look for innovative ways to tronic signature platform, Nucleus increase speed to results, reduce costs Research identified key benefits of utiliz- and enhance customer engagement, elec- ing DocuSign, including accelerated sales, tronic signature has gone from a “nice to improved data quality, improved audit have” to a “must have” business impera- trail and reduced costs. tive. High-availability cloud-based service makes documents readily available wher- DocuSign can be utilized on a personal ever they need to be accessed from. level, for a workgroup or across a global enterprise. Using DocuSign Ink, users But, even when dealing with electronic can legally send and sign documents with signatures, it’s not enough to proclaim mobile devices while enterprises can accel- trust, reliability and business efficiency. erate compliance and improve business These factors need to be validated continuity and disaster recovery by being through extensive third-party audits and able to access documents any time, from certification of cloud-based vendors. anywhere. To this end, DocuSign strives to ensure that it is the most continually audited and ✔ BEST PRACTICES FOR ELECTRONIC highest certified global eSignature ser- DOCUMENT MANAGEMENT vice in order to provide optimum levels of security assurance. DocuSign is the Because it is so easy to implement cloud- only eSignature service to achieve global based services, the role of the CISO in ISO/IEC 27001:2005 certification as an establishing adoption policies and moni-vi “Assessing the Benefits ofElectronic Signatures: information security management system toring best practices across business unitsDocuSign,” November 2010. (ISMS). DocuSign is also continually SSAE has never been more important.Nucleus Research Inc.
5 No Hiding in the CloudSome To validate the integrity of the docu- n Selectable user authentication methods purported ment, to manage version control of the to be commensurate with the transac-electronic document, and to ensure oversight of the tion’s security requirements.signing process by the document sender, docu- ments should always be accessed securelyapplications during the signing process within their ✔ CISOS STEPPING UP TO THE PLATEsimply “paste” secure repository.an image into Cloud technology has proven ruthless ina PDF and Private and confidential documents should exposing inefficiencies and inconsistentcall it good. be encrypted in storage so that no one business processes. Nowhere is that more can read them except those who are evident than with paper-based signa- authorized. Documents stored with appli- tures, perhaps the last bastion of the cation-level encryption provide confidenti- pre-information systems age. As CISOs ality and assurance. step up to the plate and take charge of encapsulating security at the forefront of Much like paper counterparts, electroni- changing business processes, signatures cally signed documents can become the can no longer stand alone against the tide subject of a dispute. The signature pro- of efficient, secure and reliable manage- cess must provide enough proof to uphold ment systems. E-signing enables depart- the transaction. ments and functions across the enterprise to integrate signatures into the systems Some purported electronic signing appli- and processes required for success in the cations simply “paste” an image into digital age—but only when those signa- a PDF and call it good. This creates a tures are trusted. document that has no real value because it does not produce a file that has any For more information, please visit assurance that a particular person signed DocuSign at http://esignature.docusign. it. It is not linked to any “proof” to make com/learnmore. the signature legally binding. Following such best practices, DocuSign’s comprehensive approach includes: n A digital audit trail that logs associated activities and applies a time/date stamp on all signer actions. n Secure encryption so the document can be read and signed by only designated users. n Unique signatures created by each user, accessible only to that user, and stored securely online. n Signature areas (Stick-eTabs) so signers can initial and sign in specific parts of the document.