Electronic Signatures


Description

A presentation on the real-world experiences of Electronic Signatures. Delivered at the Scientific Archivists Group conference in Nice, 2nd May 2014.

Transcript

  1. http://www.amphora-research.com/ Electronic Signatures: What happens in Practice. Simon Coles, CTO & Co-Founder, Amphora Research Systems
  2. Electronic Signatures
     • Signature Technology
     • Long Term Considerations
     • Robustness
     • Humans
     • Processes
  3. A Little About Me
     • So you can understand my perspective, experience and biases
     • Started working with Electronic Laboratory Notebooks in 1996
     • Active in CENSA at the time
  4. Amphora
     • Solutions which Focus on
     • the Capturing (from busy scientists)
     • and Preserving (in complex environments)
     • of Evidence (for use in court)
     • about Scientific Activity (in Discovery)
     • generally for Patent purposes
     • Note: GxP is not a huge part of this
  5. Representative Customers
  6. Differences are Interesting
     • Diverse Customer Base
     • We have some of the largest “ELN” deployments in the world
     • We have some of the smallest
     • But all have the same problem
     • Same technology
     • Same outcome
     • Very different approach required
  7. Large companies
     • Have in-house records/archive expertise
     • We’re a competent technology partner
     • Often will mediate with IT departments
     • We often help with the long view
     • Large companies are not immune to pain
     • But the incentives are sometimes short term
     • Unusually for a technology supplier we’re taking a decades-long view
  8. Smaller companies
     • No in-house expertise
     • No real appetite or money to do things “Properly” for the sake of it - need to demonstrate fast ROI
     • We embed best practice in a robust offering
     • Buy and do what it tells you
     • Often SaaS
     • Often a limited runway to prove a concept to get more investment gives these companies a very near-term focus
  9. Signature Technology
     • Good systems all use the same technology
     • RSA, DSA, Elliptic Curve, SHA512 hashes etc.
     • The underlying algorithms are well proven, with lots of implementations, and free
     • If anyone claims to have some secret sauce – run away, fast
     • Beware: Some vendors are shockingly bad at this stuff
  10. Signature Technology
     • Not going to go into any more detail on the technology side
     • Would take more time than we have
     • Probably wouldn’t remember it
     • Not all that interesting
     • Wikipedia is excellent!
  11. Long Term Considerations
     • Technology: Violently agree with Peter from Phlexglobal
     • PDF/A, XML, Multiple Copies, Bit-level integrity checking
     • But: Signatures in XML format, nothing proprietary or binary
     • Integrity checking
     • Regular and routine
     • Use a different implementation of signature algorithm
  12. Not just file formats
     • Also need to preserve supporting information
     • Personally identifying information
     • Processes and proof of compliance
     • Need to ensure this all survives departure of
     • The people
     • The project
     • The vendor
     • The company
  13. Nothing is Forever
     • We're doing an awful lot of corporate transition work
     • e.g. splitting of repositories
     • Or complex splitting of businesses
     • Outsourcing of work is huge and interesting
     • A lot of the long term records decisions have helped us out here
  14. Vendors and Longevity
     • Looking back, focused niche companies are more reliable than larger composites
     • You should have everything you need to protect and defend your records without a vendor
     • IMHO this is your primary responsibility when purchasing on behalf of your company
     • This is not in the vendors’ interests!
  15. Long Term Recommendations
     • Make sure your archive is stand alone with no IT or other dependencies
     • Can you identify people after they’ve left your company? Without access to HR records?
     • Can you describe signature intent etc. without access to the specific SOP in place at that time?
  16. Long Term Recommendations
     • Make sure you can access your records on your own
     • e.g. file system
     • You should be able to read with a standard PC & Software
     • No Encryption
     • No Compression except what’s in the PDF standard
  17. Robustness
     • Signature systems run for a long time and their threat model is asymmetric
     • Your system will produce millions of signatures
     • One, at random, will get analysed in huge detail
     • Designing for robustness is essential
  18. Technology is Bad
     • Avoid technology where you can - it goes wrong
     • Avoid two-factor authentication unless you really need it
     • Avoid mixing risks and incentives
     • You should be able to explain it to your Granny
  19. Integration Traps
     • IT seem to have an obsession with integrating systems
     • Vendor push?
     • Need to be seen to be getting value for money?
     • Not always a good thing - adds complexity and risk
     • Integrate for record acquisition/ingestion
     • Make it easy, quick, and reliable
     • Don’t depend on anything else for records preservation and defence
  20. Processes
     • There's often a view that more is better
     • That isn’t always the case
     • Better something straightforward that’s done reliably
     • Things change
     • Simple processes survive the tests of time
  21. Process Example
     • Detailed SOP
     • Lots of information about what to put in a notebook
     • Hence rarely read, seldom followed
     • Setting yourself lots of traps
     • Better
     • “Write up your experiments…”
     • “Sign them…”
  22. CROs and Others
     • This big/small company difference is evident with CROs and other Partners
     • Often there is a culture gap
     • In our “Research Externalisation” work
     • Yes there’s technology
     • But there’s a large portion of cultural brokering
     • Processes that work in big companies are often too heavy for smaller companies
  23. What Electronic Signatures are Really About
  24. People
  25. What People Really Think
     • Signing stuff (especially outside of GxP) is generally perceived to be a pain
     • Make it quick and easy
     • Gentle encouragement
     • Remember you’ll need reporting to spot troubles
  26. People
     • Yes there’s some technology
     • Just as there was with paper
     • Of course
     • Pick your technology and vendor carefully
     • Keep things straightforward and robust
     • But you are designing a system which involves humans
  27. Working with People
     • The technology of Electronic Signatures is relatively easy
     • Most of the hard stuff is about people
     • And we are often working with people on the less articulate spectrum
     • We use something called “Clean Language” which really really helps with this. Especially for highly technical people.
     • Caitlin Walker pioneered this in Business
     • She’s just written a book (I’m in the Chapter 3 case study)
     • There’s a TED talk - YouTube “clean questions ted”
     • Happy to discuss offline - very easy to demonstrate
  28. We’re Dentists!
     • The effort is routine and ongoing
     • The payoff is long term
     • People know they should but… doesn’t always work out like that
     • Our task is often thankless but always essential
  29. Summary
     • Good signature systems are simple
     • Self-contained and depend on very little else to work properly
     • Beware of technology
     • Snake Oil vendors
     • IT value for money complexity
     • Design for Robustness
     • Design for People
     • Go to your dentist :-)
  30. Thank You
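
Slide 11 recommends integrity checking that is regular, routine and done with a different implementation of the algorithm. The following is an added example, not code from the presentation or from Amphora: a fixity check that hashes each archived record with both hashlib's SHA-512 and an independent pure-Python SHA-512, then compares against a stored manifest. It covers the hash step only, not full signature verification; the record names, manifest layout and status labels are assumptions made for illustration.

```python
import hashlib
import math
MASK = (1 << 64) - 1

def _icbrt(n):  # floor of the cube root, exact for big integers
    lo, hi = 0, 1 << (n.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= n else (lo, mid - 1)
    return lo

_P = [n for n in range(2, 500) if all(n % d for d in range(2, n))][:80]  # first 80 primes
_K = [_icbrt(p << 192) & MASK for p in _P]            # FIPS 180-4 round constants
_H0 = [math.isqrt(p << 128) & MASK for p in _P[:8]]   # FIPS 180-4 initial hash state

def _r(x, n):  # 64-bit rotate right
    return ((x >> n) | (x << (64 - n))) & MASK

def sha512_pure(data):
    """Second SHA-512 implementation that shares no code with hashlib/OpenSSL."""
    h = list(_H0)
    msg = data + b"\x80" + bytes((111 - len(data)) % 128) + (8 * len(data)).to_bytes(16, "big")
    for off in range(0, len(msg), 128):
        w = [int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "big") for i in range(16)]
        for i in range(16, 80):
            x, y = w[i - 15], w[i - 2]
            w.append((w[i-16] + (_r(x, 1) ^ _r(x, 8) ^ (x >> 7)) + w[i-7] + (_r(y, 19) ^ _r(y, 61) ^ (y >> 6))) & MASK)
        a, b, c, d, e, f, g, k = h
        for i in range(80):
            t1 = (k + (_r(e, 14) ^ _r(e, 18) ^ _r(e, 41)) + ((e & f) ^ (~e & g)) + _K[i] + w[i]) & MASK
            t2 = ((_r(a, 28) ^ _r(a, 34) ^ _r(a, 39)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
            a, b, c, d, e, f, g, k = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
        h = [(s + v) & MASK for s, v in zip(h, (a, b, c, d, e, f, g, k))]
    return "".join(f"{v:016x}" for v in h)

def fixity_check(records, manifest):
    """Return {name: status} for every manifest entry, using both implementations."""
    report = {}
    for name, expected in manifest.items():
        if name not in records:
            report[name] = "missing"
            continue
        d1, d2 = hashlib.sha512(records[name]).hexdigest(), sha512_pure(records[name])
        report[name] = "implementations disagree" if d1 != d2 else "ok" if d1 == expected else "corrupt"
    return report

# Constructed sample archive (not real records); one record changes after the manifest is taken.
RECORDS = {"exp-001.pdf": b"%PDF-1.4 constructed", "exp-002.xml": b"<sig>constructed</sig>"}
MANIFEST = {n: hashlib.sha512(b).hexdigest() for n, b in RECORDS.items()}
RECORDS["exp-002.xml"] = b"<sig>constructee</sig>"  # single flipped bit
```

A status of "implementations disagree" points at the checking tool rather than the record, which is the reason for running two implementations.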
