Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Electronic Signatures

A presentation on the real-world experiences of Electronic Signatures. Delivered at the Scientific Archivists Group conference in Nice, 2nd May 2014.

  • Be the first to comment

Electronic Signatures

  1. 1. Electronic Signatures What happens in Practice Simon Coles CTO & Co-Founder Amphora Research Systems 1
  2. 2. Electronic Signatures • Signature Technology • Long Term Considerations • Robustness • Humans • Processes 2
  3. 3. A Little About Me • So you can understand my perspective, experience and biases • Started working with Electronic Laboratory Notebooks in 1996 • Active in CENSA at the time 3
  4. 4. Amphora • Solutions which Focus on • the Capturing (from busy scientists) • and Preserving (in complex environments) • of Evidence (for use in court) • about Scientific Activity (in Discovery) • generally for Patent purposes • Note: GxP is not a huge part of this 4
  5. 5. Representative Customers
  6. 6. Differences are Interesting • Diverse Customer Base • We have some of the largest “ELN” deployments in the world • We have some of the smallest • But all have the same problem • Same technology • Same outcome • Very different approach required 6
  7. 7. Large companies • Have in-house records/archive expertise • We’re a competent technology partner • Often will mediate with IT departments • We often help with the long view • Large companies are not immune to pain • But the incentives are sometimes short term • Unusually for a technology supplier we’re taking decades-long view 7
  8. 8. Smaller companies • No in-house expertise • No real appetite or money to do things “Properly” for the sake of it - need to demonstrate fast ROI • We embed best practice in a robust offering • Buy and do what it tells you • Often SaaS • Often a limited runway to prove a concept to get more investment gives these companies a very near-term focus 8
  9. 9. Signature Technology • Good systems all use the same technology • RSA, DSA, Elliptic Curve, SHA512 hashes etc. • The underlying algorithms are well proven, with lots of implementations, and free • If anyone claims to have some secret sauce – run away, fast • Beware: Some vendors are shockingly bad at this stuff 9
  10. 10. Signature Technology • Not going to go into any more detail on the technology side • Would take more time than we have • Probably wouldn’t remember it • Not all that interesting • Wikipedia is excellent! 10
  11. 11. Long Term Considerations • Technology:Violently agree with Peter from Phlexglobal • PDF/A, XML, Multiple Copies, Bit-level integrity checking • But: Signatures in XML format, nothing proprietary or binary • Integrity checking • Regular and routine • Use a different implementation of signature algorithm 11
  12. 12. Not just file formats • Also need to preserve supporting information • Personally identifying information • Processes and proof of compliance • Need to ensure this all survives departure of • The people • The project • The vendor • The company 12
  13. 13. Nothing is Forever • We're doing an awful lot of corporate transition work • e.g. splitting of repositories • Or complex splitting of businesses • Outsourcing of work is huge and interesting • A lot of the long term records decisions have helped us out here 13
  14. 14. Vendors and Longevity • Looking back, focused niche companies are more reliable than larger composites • You should have everything you need to protect and defend your records without a vendor • IMHO this is your primary responsibility when purchasing on behalf of your company • This is not in the vendors’ interests! 14
  15. 15. Long Term Recommendations • Make sure your archive is stand alone with no IT or other dependancies • Can you identify people after they’ve left your company? Without access to HR records? • Can you describe signature intent etc. without access to the specific SOP in place at that time? 15
  16. 16. Long Term Recommendations • Make sure you can access your records on your own • e.g. file system • You should be able to read with a standard PC & Software • No Encryption • No Compression except what’s in the PDF standard 16
  17. 17. Robustness • Signature systems run for a long time and their threat model is asymmetric • Your system will produce millions of signatures • One, at random, will get analysed in huge detail • Designing for robustness is essential 17
  18. 18. Technology is Bad • Avoid technology where you can - it goes wrong • Avoid two-factor authentication unless you really need it • Avoid mixing risks and incentives • You should be able to explain it to your Granny 18
  19. 19. Integration Traps • IT seem to have an obsession with integrating systems • Vendor push? • Need to be seen to getting value for money? • Not always a good thing - adds complexity and risk • Integrate for record acquisition/ingestion • Make it easy, quick, and reliable • Don’t depend on anything else for records preservation and defence 19
  20. 20. Processes • There's often a view that more is better • That isn’t always the case • Better something straightforward that’s done reliably • Things change • Simple processes survive the tests of time 20
  21. 21. Process Example • Detailed SOP • Lots of information about what to put in a notebook • Hence rarely read, seldom followed • Setting yourself lots of traps • Better • “Write up your experiments…” • “Sign them…” 21
  22. 22. CROs and Others • This big/small company difference is evident with CROs and other Partners • Often there is a culture gap • In our “Research Externalisation” work • Yes there’s technology • But there’s a large portion of cultural brokering • Processes that work in big companies are often too heavy for smaller companies 22
  23. 23. What Electronic Signatures are Really About 23
  24. 24. People 24
  25. 25. What People Really Think • Signing stuff (especially outside of GxP) is generally perceived to be a pain • Make it quick and easy • Gentle encouragement • Remember you’ll need reporting to spot troubles 25
  26. 26. People • Yes there’s some technology • Just as there was with paper • Of course • Pick your technology and vendor carefully • Keep things straightforward and robust • But you are designing a system which involves humans 26
  27. 27. Working with People • The technology of Electronic Signatures is relatively easy • Most of the hard stuff is about people • And we are often working with people on the less articulate spectrum • We use something called “Clean Language” which really really helps with this. Especially for highly technical people. • Caitlin Walker pioneered this in Business • She’s just written a book (I’m in the Chapter 3 case study) • There’s a TED talk -YouTube “clean questions ted” • Happy to discuss offline - very easy to demonstrate 27
  28. 28. We’re Dentists! • The effort is routine and ongoing • The payoff is long term • People know they should but… doesn’t always work out like that • Our task is often thankless but always essential 28
  29. 29. Summary • Good signature systems are simple • Self-contained and depend on very little else to work properly • Beware of technology • Snake Oil vendors • IT value for money complexity • Design for Robustness • Design for People • Go to your dentist :-) 29
  30. 30. ThankYou 30