3. http://www.amphora-research.com/
A Little About Me
• So you can understand my perspective,
experience and biases
• Started working with Electronic Laboratory
Notebooks in 1996
• Active in CENSA at the time
4. Amphora
• Solutions which Focus on
• the Capturing (from busy scientists)
• and Preserving (in complex environments)
• of Evidence (for use in court)
• about Scientific Activity (in Discovery)
• generally for Patent purposes
• Note: GxP is not a huge part of this
7. Large companies
• Have in-house records/archive expertise
• We’re a competent technology partner
• Often will mediate with IT departments
• We often help with the long view
• Large companies are not immune to pain
• But the incentives are sometimes short term
• Unusually for a technology supplier, we’re taking
a decades-long view
8. Smaller companies
• No in-house expertise
• No real appetite or money to do things “Properly”
for the sake of it - need to demonstrate fast ROI
• We embed best practice in a robust offering
• Buy and do what it tells you
• Often SaaS
• Often a limited runway to prove a concept to get
more investment gives these companies a very
near-term focus
9. Signature Technology
• Good systems all use the same technology
• RSA, DSA, Elliptic Curve, SHA512 hashes etc.
• The underlying algorithms are well proven,
with lots of implementations, and free
• If anyone claims to have some secret sauce
– run away, fast
• Beware: Some vendors are shockingly bad at
this stuff
10. Signature Technology
• Not going to go into any more detail on
the technology side
• Would take more time than we have
• Probably wouldn’t remember it
• Not all that interesting
• Wikipedia is excellent!
11. Long Term Considerations
• Technology: Violently agree with Peter from Phlexglobal
• PDF/A, XML, Multiple Copies, Bit-level integrity
checking
• But: Signatures in XML format, nothing proprietary
or binary
• Integrity checking
• Regular and routine
• Use a different implementation of signature
algorithm
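An added example, not from the original slides: a routine integrity audit that recomputes each record's SHA-512 digest with two independent implementations, Python's `hashlib` and a pure-Python version built from the FIPS 180-4 definition. It is narrowed to the digest step of signature checking; the record ids, the manifest layout and all function names are assumptions.

```python
import hashlib, math

M = (1 << 64) - 1  # 64-bit word mask

def _icbrt(n):
    """Floor integer cube root (Newton iteration, starting above the root)."""
    x = 1 << -(-n.bit_length() // 3)
    while (y := (2 * x + n // (x * x)) // 3) < x:
        x = y
    return x

# SHA-512 constants rebuilt from the first 80 primes, as FIPS 180-4 defines them
PRIMES = [p for p in range(2, 410) if all(p % q for q in range(2, math.isqrt(p) + 1))]
H0 = [math.isqrt(p << 128) & M for p in PRIMES[:8]]
K = [_icbrt(p << 192) & M for p in PRIMES]

def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & M

def sha512_independent(data):
    """Pure-Python SHA-512: the second implementation used to cross-check hashlib."""
    h = list(H0)
    msg = data + b"\x80" + bytes((111 - len(data)) % 128) + (8 * len(data)).to_bytes(16, "big")
    for i in range(0, len(msg), 128):
        w = [int.from_bytes(msg[i + 8 * j:i + 8 * j + 8], "big") for j in range(16)]
        for t in range(16, 80):
            s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
            s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & M)
        a, b, c, d, e, f, g, hh = h
        for t in range(80):
            t1 = (hh + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41))
                  + ((e & f) ^ (~e & M & g)) + K[t] + w[t]) & M
            t2 = (_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)) + ((a & b) ^ (a & c) ^ (b & c))
            a, b, c, d, e, f, g, hh = (t1 + t2) & M, a, b, c, (d + t1) & M, e, f, g
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return "".join(f"{x:016x}" for x in h)

def check(blob, expected):
    """Status of one archived record against the digest stored in the manifest."""
    if blob is None:
        return "MISSING"
    d1, d2 = hashlib.sha512(blob).hexdigest(), sha512_independent(blob)
    if d1 != d2:
        return "IMPLEMENTATIONS_DISAGREE"  # a library or platform fault, not the record
    return "OK" if d1 == expected else "CORRUPT"

def audit(records, manifest):
    """Routine audit: record id -> status, for every entry in the manifest."""
    return {rid: check(records.get(rid), exp) for rid, exp in manifest.items()}
```

Call `audit` with the bytes read back from each archive copy and the digests recorded at signing time; anything other than `OK` goes into the routine report.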
12. Not just file formats
• Also need to preserve supporting information
• Personally identifying information
• Processes and proof of compliance
• Need to ensure this all survives departure of
• The people
• The project
• The vendor
• The company
13. Nothing is Forever
• We're doing an awful lot of corporate
transition work
• e.g. splitting of repositories
• Or complex splitting of businesses
• Outsourcing of work is huge and interesting
• A lot of the long term records decisions
have helped us out here
14. Vendors and Longevity
• Looking back, focused niche companies are
more reliable than larger composites
• You should have everything you need to
protect and defend your records without a
vendor
• IMHO this is your primary responsibility
when purchasing on behalf of your company
• This is not in the vendors’ interests!
15. Long Term Recommendations
• Make sure your archive is stand-alone with
no IT or other dependencies
• Can you identify people after they’ve left
your company? Without access to HR
records?
• Can you describe signature intent etc.
without access to the specific SOP in
place at that time?
17. Robustness
• Signature systems run for a long time and
their threat model is asymmetric
• Your system will produce millions of
signatures
• One, at random, will get analysed in huge
detail
• Designing for robustness is essential
18. Technology is Bad
• Avoid technology where you can - it goes
wrong
• Avoid two-factor authentication unless
you really need it
• Avoid mixing risks and incentives
• You should be able to explain it to your
Granny
19. Integration Traps
• IT seem to have an obsession with integrating
systems
• Vendor push?
• Need to be seen to be getting value for money?
• Not always a good thing - adds complexity and risk
• Integrate for record acquisition/ingestion
• Make it easy, quick, and reliable
• Don’t depend on anything else for records
preservation and defence
20. Processes
• There's often a view that more is better
• That isn’t always the case
• Better something straightforward that’s
done reliably
• Things change
• Simple processes survive the tests of
time
21. Process Example
• Detailed SOP
• Lots of information about what to put in a
notebook
• Hence rarely read, seldom followed
• Setting yourself lots of traps
• Better
• “Write up your experiments…”
• “Sign them…”
22. CROs and Others
• This big/small company difference is evident with
CROs and other Partners
• Often there is a culture gap
• In our “Research Externalisation” work
• Yes there’s technology
• But there’s a large portion of cultural brokering
• Processes that work in big companies are often
too heavy for smaller companies
25. What People Really Think
• Signing stuff (especially outside of GxP) is
generally perceived to be a pain
• Make it quick and easy
• Gentle encouragement
• Remember you’ll need reporting to spot
troubles
26. People
• Yes there’s some technology
• Just as there was with paper
• Of course
• Pick your technology and vendor carefully
• Keep things straightforward and robust
• But you are designing a system which
involves humans
27. Working with People
• The technology of Electronic Signatures is relatively easy
• Most of the hard stuff is about people
• And we are often working with people on the less
articulate spectrum
• We use something called “Clean Language” which really
really helps with this. Especially for highly technical
people.
• Caitlin Walker pioneered this in Business
• She’s just written a book (I’m in the Chapter 3 case
study)
• There’s a TED talk - YouTube “clean questions ted”
• Happy to discuss offline - very easy to demonstrate
28. We’re Dentists!
• The effort is routine and ongoing
• The payoff is long term
• People know they should but… doesn’t
always work out like that
• Our task is often thankless but always
essential
29. Summary
• Good signature systems are simple
• Self-contained and depend on very little else to work
properly
• Beware of technology
• Snake Oil vendors
• IT value for money complexity
• Design for Robustness
• Design for People
• Go to your dentist :-)