There’s still room for pen and ink solutions in our digitally transformed world
6 January 2018
Do you think we’ve evolved modern business to no longer require paper and wet-ink signatures for protecting critical information? Think again.
A client recently asked me to build her a “new product-approval process.” Nothing terribly complex; we just had to make sure that appropriate security testing got done before the company put potentially dangerous technology into production. They wanted a moment of sombre reflection, documented in a report that key stakeholders had to sign off on. I built exactly what my client wanted, with one key exception: I designed all the approval forms to be hand-signed.
Bear in mind, this was recent – within the last five years. Contemporary enough that digital signatures and electronic routing technologies were practical options. We could have gone entirely paperless – I insisted that we didn’t. The reason why had nothing to do with the availability of key technology, and everything to do with its deployment.
See, I come from the US Department of Defense, where a robust public key infrastructure had been in play for years. Millions of soldiers, sailors and civilians are comfortable using digital signatures and document encryption to protect critical information. This client’s IT department had no such information assurance capability deployed. They could do secure file transfer, but when it came to validating that a document hadn’t been altered… they couldn’t.
Since the primary goal of the new programme was to record that system owners had been warned (prior to implementation) that certain actions had to be executed before management could approve a system’s use, document integrity for the approvals was critical to the programme’s viability. If an authorisation package could be altered after it was signed, the entire programme’s integrity collapsed. Auditors were expected to rely on these approvals to hold system operators accountable – on pain of termination. There couldn’t be room for doubt.
That’s why the solution I designed relied on printed forms and wet-ink signatures for the approvals, with master copies locked in a high-security cabinet. System owners would get photocopies or scans of the approval packages, while the auditors would be able to verify the integrity of each record from the master archive. It was very low-tech, but it met the client’s needs in the time allotted and for the cost allowed.
I would have preferred to implement a DoD-style PKI solution company-wide, and rely on military-grade document hashing, but that additional expense and effort wasn’t realistic. Some day, the client will come around in order to reap the proven benefits of a fully-electronic information assurance capability. Some day. First, though, they’re going to have to convince their owners to invest in a significant amount of design time, configuration effort, new equipment, new support, and extensive employee training in order to make it work. I’ve sworn to my client that it’ll all be worth it in the end, assuming they can endure the pain of getting there.
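For readers wondering what the electronic alternative actually buys an auditor, the following is an added example (not code from the article or from the author's client engagement) of the check a PKI-backed approval process performs: the approver signs a SHA-256 digest of the approval package with an Ed25519 private key, and the auditor later recomputes the digest from the document as presented and verifies the signature against the approver's public key. The approval text, the key pairs and the helper names (`ApprovalPackage`, `Sign`, `Verify`, `Demo`) are all constructed for this illustration; in a real deployment the trusted public key would come from the organisation's PKI rather than from a variable in the same program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ApprovalPackage is a constructed stand-in for one signed approval record:
// the document as stored, the approver's public key, and a signature over
// the SHA-256 digest of the document at the moment it was signed.
type ApprovalPackage struct {
	Document  []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// Sign binds the approver's key to the exact bytes of the document.
// Signing the digest rather than the raw bytes mirrors the "document
// hashing" step the article mentions; Ed25519 could equally sign the
// whole document directly.
func Sign(doc []byte, priv ed25519.PrivateKey) ApprovalPackage {
	digest := sha256.Sum256(doc)
	return ApprovalPackage{
		Document:  doc,
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Verify is the auditor's check. It recomputes the digest from the document
// as presented and verifies the signature against the public key the
// auditor trusts for this approver (not the key carried inside the package,
// which an attacker could replace). Any change to the document after
// signing, or a signature from a different key, fails.
func Verify(pkg ApprovalPackage, trustedSigner ed25519.PublicKey) bool {
	if !trustedSigner.Equal(pkg.Signer) {
		return false
	}
	digest := sha256.Sum256(pkg.Document)
	return ed25519.Verify(trustedSigner, digest[:], pkg.Signature)
}

// Demo runs three scenarios and reports whether each verifies:
// the genuine package, a package altered after signing, and a package
// signed by a key the auditor does not trust.
func Demo() (genuine, tampered, wrongSigner bool) {
	// Constructed approval text; real packages would be the full form.
	doc := []byte("Approval: system OWNER-42 may enter production after penetration test PT-7 is closed.")

	approverPub, approverPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := Sign(doc, approverPriv)
	genuine = Verify(pkg, approverPub)

	// Alteration after signing: someone edits the stored document but
	// keeps the original signature. The recomputed digest no longer matches.
	altered := pkg
	altered.Document = append([]byte(nil), pkg.Document...)
	copy(altered.Document, []byte("Approval: system OWNER-42 may enter production without any penetration test."))
	tampered = Verify(altered, approverPub)

	// A package signed by some other key, presented as if from the approver.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	wrongSigner = Verify(Sign(doc, otherPriv), approverPub)
	return
}

func main() {
	genuine, tampered, wrongSigner := Demo()
	fmt.Println("genuine package verifies:        ", genuine)
	fmt.Println("altered package verifies:        ", tampered)
	fmt.Println("untrusted-signer package verifies:", wrongSigner)
}
```

Note that the auditor verifies against a key obtained out of band, which is exactly the part the article says the client's IT department lacked: without a deployed PKI to vouch for which public key belongs to which approver, the signature proves integrity but not who signed, and the wet-ink master copy in a locked cabinet ends up doing the same job.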
Keil Hubert is a retired US Air Force cyberspace operations officer with over ten years of military command experience. He currently consults on business, security and technology operations issues in Texas.
This article was published in our Business Reporter Online: Digital & Mobile Transformation.