Sing me electronic signature. Cloud digital signature services

July 22, 2014 08:50

Cloud computing continues to transform industry after industry, appearing where it would seem least logical for it to appear. The process to a large extent recalls the birth and triumphant march of computers across the diverse landscape of human activity. Today, few people think about how computers have changed the production of newspapers and magazines, manufacturing, agriculture and especially business in all its manifestations. Now the cloud is changing everything around it in the same way, and some areas are already on their second lap. For example, accounting.

In 1994, the FAPSI Main Security Directorate developed the first electronic signature standard in Russia, but the country was then still in a very troubled time, so people really started talking about an electronic signature only 8 years later, in 2002, when a new standard for cryptographic protection of ES was approved, which actually equates the Russian concept of "electronic signature" with the international one, "digital signature". So although the history of this technology in our country spans twenty years, it has actually been in use for no more than ten.

For most of this decade, the technology worked like this. Special software for working with ES was installed on the organization's computers (as a rule, only in the accounting department), and a USB drive held the personalized keys, stored in a single copy. I must say that security in this case was almost complete. Without taking possession of the very "flash drive" with the keys - the token - it was impossible to sign documents on behalf of the organization. But there were also disadvantages! The token can be stolen, lost, physically destroyed - and then you will have to go through the authorization procedure in the certification center again. And what if you need to sign urgent documents? In a word, cloud technologies were already on the threshold of changing yet another industry forever, and today the electronic document management sector can become the driving force behind their development.

We asked industry specialist Anastasia Shchepina, an analyst at the EDI company Synerdocs, to talk about the benefits of implementation. She believes that the reluctance of businesses to switch from paper to electronic documents, and from an electronic signature on a carrier to a cloud-based electronic signature, is in most cases associated with fears and habits:

“Fears must be dispelled, and established processes should be replaced with new, more efficient ones and new habits should be developed that will allow you to work and make profit faster. Concerns are usually associated with distrust of the servers that store the private keys of electronic signatures. In fact, the servers where the keys are stored are securely protected. I think this is even more reliable than carrying a token or a flash card with you. Of course, this is a matter of trust, but now cloud technologies are only developing, and certification centers are taking this seriously.

Now about habits. Many articles have already been written about the advantages of electronic document management, there is no secret here. A cloud-based electronic signature adds benefits: it allows you to reduce the cost of acquiring electronic signatures and makes it possible to sign documents at any time and in any place where there is an Internet connection. As a result, it turns out that the competitors of a conservative company, who are open to new technologies, make their business more efficient and gain a competitive advantage. This can force the business to start moving first to electronic document management using an electronic signature on a carrier, and later, possibly, to cloud-based electronic signatures.”

What does the usual ES technology look like in the cloud? The certification authority creates your electronic signature and stores it in its own cloud. No tokens are needed in this case: authorization takes place via SMS, via an attached mobile phone. The signature itself is located in the cloud, so you can sign invoices and other documents from any device with Internet access: from an office computer, from a personal laptop, from a tablet or even a smartphone. This approach has obvious advantages. According to Synerdocs analyst Anastasia Shchepina, there are two main advantages of a cloud-based electronic signature.

1. Its cost is lower. Purchasing a cloud-based electronic signature costs less than buying one in the usual way. This is because, in order to work with this signature, it is not necessary to purchase a carrier and a means of cryptographic information protection (hereinafter referred to as CIPF). In the case of a cloud-based digital signature, the CIPF is located only on the server where the private key is stored. All this is formalized by appropriate agreements and powers of attorney.

2. Mobility. Now the Internet is available almost everywhere, which means that you can sign documents with a cloud-based electronic signature from any tablet, smartphone or other device that supports Internet access. Neither paper nor an electronic signature on a carrier gives such an opportunity. CIPF for mobile devices is, of course, being developed now, but it is easier to work without CIPF on your device at all. In addition, you will not have to install the private key of the cloud ES yourself or pay a CA employee to set everything up. There will be no need to train users to work with CIPF and ES certificates.

But, having a lot of positive qualities, the cloud signature also has negative aspects. Despite the fact that more than 100,000 cloud ESs have already been issued through popular accounting services in 2013, the widespread use of signatures is still in question. Anastasia Shchepina believes that the business has not yet fully decided on the technical component of using cloud ES:

If we talk about cloud-based ES in the workflow, it is not yet clear how it will work with several EDI services. Most likely with great difficulty. The private key is stored on the CA server, the EDI service needs to make a request there to generate an electronic signature. At the moment, not all services will easily integrate with the CA's software; this will have to be taken into account when switching to a cloud signature. You may have to buy a separate signature for each service.

The second minus is rather a conceptual one. The essence of an electronic signature implies the replacement of a handwritten one: that is, you personally, with your own hands, sign a document using the confidential part of the key. It should be yours and yours alone. In the cloud version, the private key is not in your hands - but somewhere out there, on the CA server. That is, in fact, you sign not with your own hands, but through an intermediary. Of course, all this will be documented, and the servers themselves will be securely protected, but the security service will not approve this in every organization. If it is important for you that the owners of the private keys themselves sign the documents, then the cloud-based electronic signature will not suit you.

In general, the prospects for cloud ES and electronic document management in our country are encouraging. The State Duma has already approved a plan for the development of e-government until 2018, which includes a number of measures to promote business. For example, "a decrease in the average number of requests from representatives of the business community to a state authority to receive one public service." And although the thesis does not sound very impressive, since the number of applications is planned to be reduced to only two, this is already some progress leading us to the European scenario. That is, such a situation when it will be possible to open a business, pay taxes and sign any documents on the Internet, and often from a smartphone.

June 19, 2014 09:21 am

Recently we have often been talking about electronic signatures (ES) in the cloud. Basically, this topic is discussed by IT specialists. However, with the development of electronic document management services (EDF), subject specialists such as accountants, secretaries, auditors and others began to get involved in the topic of cloud ES.

Let me explain, a cloud-based electronic signature implies that your private ES key is stored on the server of the certification center, and the signing of documents takes place there. This is accompanied by the conclusion of relevant agreements and powers of attorney, and the actual confirmation of the identity of the signatory occurs, as a rule, using SMS authorization.
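The flow just described (key held by the service, signing done there, the signer confirming with a one-time code) is sketched below as an added example; it is not code from the article or from any CA's product. It goes slightly beyond the paragraph by binding one code to a whole batch of documents. Ed25519 stands in for the qualified signature algorithm, and the names `SigningService`, `Request`, `Confirm` and `Verify`, the six-digit code, the two-minute lifetime and the three-attempt limit are assumptions.

```go
package main // added sketch: hypothetical names; Ed25519 stands in for the qualified algorithm

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const codeTTL, maxAttempts = 2 * time.Minute, 3 // constructed policy values

var (
	ErrUnknownOp = errors.New("unknown, used or cancelled operation")
	ErrExpired   = errors.New("confirmation code expired")
	ErrBadCode   = errors.New("wrong confirmation code")
)

type pendingOp struct { // what the key owner confirms: a fixed set of digests
	digests  [][32]byte
	code     string
	expires  time.Time
	attempts int
}

// SigningService models the cloud side; the private key never leaves it.
type SigningService struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	pending map[string]*pendingOp
	seq     int
	Now     func() time.Time // injectable clock so expiry can be exercised
}

func NewSigningService() *SigningService {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SigningService{priv: priv, Pub: pub, pending: map[string]*pendingOp{}, Now: time.Now}
}

// Request registers a batch; the returned code stands in for the SMS delivery.
func (s *SigningService) Request(docs [][]byte) (string, string) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		panic(err)
	}
	op := &pendingOp{code: fmt.Sprintf("%06d", n.Int64()), expires: s.Now().Add(codeTTL)}
	for _, d := range docs {
		op.digests = append(op.digests, sha256.Sum256(d))
	}
	s.seq++
	opID := fmt.Sprintf("op-%d", s.seq)
	s.pending[opID] = op
	return opID, op.code
}

// Confirm signs exactly the digests bound to opID, once, if the code matches.
func (s *SigningService) Confirm(opID, code string) ([][]byte, error) {
	op, ok := s.pending[opID]
	if !ok {
		return nil, ErrUnknownOp
	}
	if s.Now().After(op.expires) {
		delete(s.pending, opID)
		return nil, ErrExpired
	}
	if subtle.ConstantTimeCompare([]byte(code), []byte(op.code)) != 1 {
		if op.attempts++; op.attempts >= maxAttempts {
			delete(s.pending, opID) // cancel: stops online guessing of the code
		}
		return nil, ErrBadCode
	}
	delete(s.pending, opID) // single use: a replayed code finds nothing
	sigs := make([][]byte, len(op.digests))
	for i, d := range op.digests {
		sigs[i] = ed25519.Sign(s.priv, d[:])
	}
	return sigs, nil
}

// Verify is the counterparty's check; it needs only the public key.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	d := sha256.Sum256(doc)
	return ed25519.Verify(pub, d[:], sig)
}

func main() {
	svc := NewSigningService()
	doc := []byte("invoice (constructed sample)")
	opID, code := svc.Request([][]byte{doc})
	sigs, err := svc.Confirm(opID, code)
	fmt.Println(err, len(sigs) == 1 && Verify(svc.Pub, doc, sigs[0]))
}
```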

The need to use cloud ES by an accountant depends on the mode in which he works. If you are often away from the office or, for example, work for a company that provides accounting services (accounting outsourcing), then cloud-based ES will help you sign documents from anywhere. There is no need to install any additional software. However, despite the ease of use, not all companies are ready to use this opportunity.

So that you can choose for yourself whether you need a cloud-based electronic signature or not, we will consider all the pros and cons of using it. And also think about who might really need such a signature. By the way, in this article we will only talk about enhanced qualified electronic signature (hereinafter referred to as ECES).

For

Cloud electronic signature is cheaper than usual. This is mainly due to the fact that you do not need to purchase a cryptographic information protection tool (CIPF) and a token (flash drive with a certificate). As a rule, taking into account their acquisition, the price of a certificate soars by 2-2.5 times.

Convenience and ease of use. To work with a cloud-based electronic signature, you do not need to install either the electronic signature certificate itself or special tools for working with it. This means that you will not waste time figuring out how it all works.

Mobility. At the moment, there are no common and free solutions for using a non-cloud electronic signature on mobile devices. In this regard, a huge advantage of a cloud-based electronic signature is that you can work with it from any computer, tablet, smartphone with Internet access.

Against

You do not physically sign the document. You need to understand that in the case of a cloud-based electronic signature, the private part of the key, which is confidential and should belong only to you, will be located on the server of the certification center. Of course, this will be documented, and the servers themselves are securely protected. But here it all depends on the company's security requirements and on the policy associated with signing documents. If it is important for you that the owners of the private keys themselves sign the documents, then a cloud-based electronic signature will not suit you. In this situation, it is up to you to decide how much you trust the CA and the servers that store the private keys.

You can use cloud-based ES only in those services with which there is integration of the certification center software. This is also due to the fact that in the case of cloud ES, the private key is stored on the CA server. In order for the service you need to be able to use such a private ES key for signing, it needs to be able to send a request for generating an electronic signature to the CA server. It is clear that at the moment there are many services, and all of them will not be able to provide integration with the CA software. It turns out that you will have to use cloud ES only with certain services. To work with other services, you will have to buy another ES certificate, and there are no guarantees that these services will support any cloud-based electronic signature.

And what?

Cloud electronic signature is a convenient, mobile and simple tool, but not the most flexible. And in terms of security, perhaps storing the private key on a secure server would be better than keeping a token in a drawer.

Who really needs an electronic signature? First of all, those who often work outside their office. For example, lawyers and auditors who often visit clients. Or executives and directors for whom it is important to sign documents anywhere. For them, a cloud-based electronic signature will become an indispensable assistant in their work.

Also, a lot depends on the policy of the company. If an organization moves towards cloud technologies, for example, in terms of storing documents, using services for internal and external document management, then electronic signatures will most likely also be cloud-based. Otherwise, accountants, clerks and other employees who usually do not leave their office during work do not need a cloud-based electronic signature. They can purchase an ES private key and an ES certificate in the usual mode, on a carrier that can be used in most services for exchange with counterparties and government agencies.


Well, it's not true. For example, there has been Crypto-Pro for iOS for a long time. EDMS solution providers use it. For the same DIRECTUM, there is also an EDS based on Crypto-Pro for Android.

Physically, any electronic document is not signed by you. The software does it.

More precisely, not on the CA server, but in a specialized hardware server for storing keys of the electronic signature service that interacts with the information system (electronic document management).

In this case, indeed, the user does not need to install anything on himself, but the entire security of using the key does not depend on the user, but on the reliability of the authentication of the key owner by the electronic signature service and the information system.

Well, the key can be used only in those information systems that are "connected" to the electronic signature service that stores and applies the owner's key. I.e., the key will be "not fully functional" (for example, it cannot protect the connection to servers with cryptography, operating system, email and files, provide authorization for the STATE SERVICES and many other places), but only for a specific task in a specific system. It's like comparing a bus and a tram, everywhere there is +/-.

There are solutions, but they are not common due to their relative insecurity. Free unknown. And will they show up...

I have a slightly different point of view: if the primary one is not a cloud certificate, but a cloud service. Yes, a single cloud certificate can not be used for all services. But the value, in my opinion, is not in the certificate, but in the services. And there is nothing wrong with the fact that each service uses its own cloud key. Unlike "on premise" certificates (on tokens, smart cards, or in the registry of your personal device), you don't have to carry token beads or copy certificates to registries on all devices. Just sms will come from different numbers. Moreover, a cloud certificate is usually cheaper on premise, and no software (cryptoprovider) purchase is required. Well, from a security point of view, such a scheme a priori looks more reliable, since when one key is compromised, others can remain working (uncompromised).

There is nothing shameful, but the cost is more than using one full-function key (not beads) in many systems. In the threat model of using the "cloud ES key", the risk of security breaches in the authentication channel is added. In addition, OTPviaSMS is not safe to use everywhere. And psychologically, most people feel more confident when storing their key in their safe than with a virtual key in a virtual storage with a conditionally secure channel for managing its use.

Of course, this is true as long as the signing is initiated by one device, and the SMS with the signing confirmation code arrives on another device. And as soon as the mobile client is left alone, such a scheme is no longer a priori more reliable. Only user convenience remains, but not reliability.

The user can win, get some advantage over competitors using paper with ink or physical tokens with OneTimePassword hardware support, due to faster response, greater mobility. But he also takes big risks. Service unavailability risk. The risk of compromise of the mobile device. Risks are justified when it comes to small amounts of money. I would trust a deal for a million to the good old paper, signed in silence, without prying eyes, without intermediaries and without haste.

If you need to sign a package of 30 documents. And the service does not support batch signing. Then you will have to receive 30 SMS (or one with 30 confirmation codes) and enter confirmation codes 30 times. This is the time, and the reaction is no longer faster.

But if each service has its own service for setting up an ES, then the integration of services should be very close. And batch signing will be included there. For example, one logical SMS will come: "Code 0xs3cr3t for operation #22_1806. Dear Konstantin Vasilievich. To confirm receipt of incoming documents for the period 06/01/2014-06/18/2014 (20 invoices, 7 acts of work performed and 3 waybills ), namely, the signing of 30 official documents confirming receipt, enter the specified code".

There are solutions. But, as far as I know, CryptoPro for iOS and Android is not distributed for free.

Agree. In general, this is what is meant. In this regard, using a cloud certificate is not very convenient.

In general, if you need to work with several services, then buying several cloud ES can be even more expensive than buying one qualified certificate, CIPF and token.

As for reliability, it is a question of trust in the security of the place where the keys will be stored, in the technologies with which the signing will be carried out. I think that while the technology is not very well tested, there will not be much trust. But, you see, using a cloud signature is still quite convenient in some cases. To understand which signature is suitable in a particular case, you need to look at the processes, study the needs, evaluate the pros and cons of both options, and then make a decision. Therefore, we try to show both sides of the same coin of cloud ES.

And for which platforms is CryptoPro free?

I think the technology solves little - the only question is trust in the solution provider to whom you entrust your certificate.

Therefore, when they talk about such technologies in the context of intra-corporate use, I also understand that it can "take off". As soon as we talk about trusting a certificate to a third party, I don't see any chance.

As far as I remember, Crypto-Pro for iOS and Android is not sold to end users. Therefore, everything goes at the discretion of the application software vendor. If he wants to give it to you for free, he will. If he doesn't want to, he won't. Or it can give in addition to the functionality for which you bought the solution.

Is this a guess (as in the original article) or can you back it up with real numbers?

As well as Microsoft, Facebook, Twitter and hundreds of other providers of federated authentication, and each resource chooses which provider to integrate with. Do you suggest doing the same with the storage of certificates?

And do I understand correctly that you equate federated authentication, in which no user data, with the exception of a very limited set transmitted with an authentication token, leaves the service perimeter and the EDS service through which all your signed data will have to pass?

It may not be. A cloud key does not require a token or software. The service may, for example, include the cost of issuing a cloud token in the subscription fee and provide cloud certificates "for free". In any case, this is a matter of marketing, not technology.

You can also sign a package of 30 documents. This is how the service itself is configured, whether it supports batch signing. And where does the key come from (from the cloud or from the registry / token) - this is already an orthogonal question. Thank you, you further developed this idea in a comment. This often happens on paper as well. The big boss can only sign the register of payments with his own hand, and the payments are then signed by authorized persons.

Glory to the point! :) While the cloud signature is used in cloud accounting and reporting.

Misha, already working :)

Eugene, I applaud your comment while standing :)

Misha, let's wait for Evgeny's answer, but I understood this as an example. A new, more convenient and, possibly, less safe solution, due to its convenience, is accepted by consumers over time, since the resulting comfort outweighed possible risks. Perhaps before the first disaster. It is possible that consumers will continue to use this solution after the negative event.

Cloud signature now seems more convenient, but a priori less secure. But some users will be seduced by the convenience and assess the security risks as acceptable. And will use the cloud signature.

Cloud signature is already working in the "low-cost" segment. It would be interesting to try it in the "enterprise" segment. Perhaps the words "CryptoPro HSM" or something else will calm the business. We must think, offer and try.

Well, remove the "mobility" argument from the "for" section in the article.

Why is it there?

Do I understand correctly that cloud accounting is a service on which records are kept and from which reports are then sent? Why in this case isn't it enough just to authorize the user on the service? Why else EDS - to meet the requirements of the regulator?

Where exactly? Within one service or services of one supplier? Ok, accepted.

Only now do I need to get a certificate from each supplier? So?

What exactly is it comfortable for?

I see a plus in only one thing - if you use a web service, then organizing a signature from a local client can be problematic.

In my opinion, at the mention of CryptoPro (as well as everything related to our strange "Russian qualified signature"), normal business already starts to develop an idiosyncrasy.

Yes, that's right, but it can be different services. Not everyone needs accounting and reporting. Many people prefer to keep accounting on premise, and then submit reports through the service. CEP is needed to comply with legal requirements.

Yes, it works inside the services of one provider. In theory, you could learn how to provide a cloud certificate to other vendors if it makes economic sense. But the value, in my opinion, is provided precisely by the services and environments where ES can be used, the mere possession of a cloud or regular certificate does not make economic sense.

In the case of a cloud certificate, the user does not need to install software on his device and think about copying certificates to each device or always carry a key carrier with him. Owning a cloud certificate is less of a hassle, so I wouldn't be so intimidated by getting a bunch of certificates from different providers. And the cost of the necessary software and key carrier (in the case of on premise certificates) will be noticeably less than subscription payments, so the use of a single universal certificate is a matter of convenience rather than economic benefit.

Read about HSM - an interesting thing. Foreign competitors have similar solutions, and for a long time. So here CryptoPro uses the universal world experience.

I'm glad that this topic piques interest. I will try to develop the above concept of a cloud service, taking into account the comments.

1. Cloud service as the development of information systems is already a fait accompli, which means that software manufacturers are being brought up to this standard. In terms of cost reduction - previously you had to buy 2-3 software products that meet your needs, now it's 1, and 30-40% lower in total cost.

2. What is a digital signature and who needs it in the first place? The digital signature is your identifier in IT systems, allowing you to say "I am I" to make decisions at any level of financial responsibility with a guaranteed level of protection against hacking or misuse. In any case, the appearance of the digital signature is the evolution of a "live" signature in order to accelerate the implementation of the company's business processes. I.e., if earlier a paper document was processed slowly, now one click is enough to make decisions.

3. Nobody says that there are ideal solutions and means. Indeed, CryptoPro has set the teeth on edge when using it. Recently I reinstalled the system for accountants using 1C, VLSI and 2 bank accounts through the web interface (using CryptoPro) - I cursed everything until I added all the necessary certificates and key support.


Michael, not exactly an equals sign. Rather, the identity sign, because FA allows you to implement a single window mechanism for users of different domains, i.e. acts as an identification guarantor for the authorization participant. The EDS service itself has authorization tools and solves its own specific tasks. In this case, a clear example is the website of public services and satellite services (for example, ROI). The public services website is a FA that guarantees user identification for other services.

Sergey, I absolutely agree with you. A cloud signature can and should act as a single identification service accepted by other participants in business processes. Now, it's all too fragmented and there are many intermediaries in the way of document movement.

Where does this conclusion come from?

Maybe you don't know how to use it? Installing certificates is a very trivial task and no one raises questions. Moreover, technologically it is no different from installing certificates on other crypto providers.

Use CONVENIENT applications that work with CIPF and you will be happy.

What is now sold under the name "cloud signature" cannot in any way perform the functions of an identification service, because it itself depends entirely on authentication. The cloud signature does not have an identification task; it is required to transfer the signature generation process from the workplace to the cloud, but only for the reason that the user's workplace is not so safe for working with CIPF.

What is fragmented? What are the intermediaries? If you mean the CA, it is needed for producing qualified certificates. If you mean the operator, how do you imagine it without one? You need an electricity operator, a network access operator, a cloud signature service operator, an information system operator, etc. This is a specialized activity. We do not have subsistence farming.

No matter how I said it :) I completely admit the use of cloud signatures for individual services, okay, let the services be from one operator. But for the time being, I would hesitate to use it as a single identification service.

Yeah, lately one often hears how EDF operators are compared to air sellers. I’ll probably write a big article about what the operator does, in addition to ensuring legal significance, for now I’ll limit myself to theses:

1. Creation of ED. In the service interface, as a rule, you can create the most common EDs (ESF, TORG-12, acts, etc.).

2. Storage of ED. I can’t speak for all services, but Diadoc keeps your documents until you delete them yourself. Even if you are no longer paying a subscription fee.

3. Single legal space. Try to conclude agreements with all your counterparties, if you are, say, a telecom operator or an energy sales company!

4. Transport. Ok, will you be able to organize the transportation of electronic documents through communication channels and control the signing for all your 10,000 counterparties? Oh well...

5. Integration. I'll tell you a little story. One transnational corporation decided to send ESF and TORG-12 through the operator. The trouble was that the ERP could only export PDF, and in a special perverted format at that. The corporation's IT was somewhere in Latin America and was taking development orders for next year. This is not counting the red tape with formulating the TOR and coordinating it across several continents. Who was able to quickly establish integration? That's right, the operator.

Sergey, i.e. can you summarize the failure of the IT infrastructure to ensure the required quality of ED within the existing ERP? Based on what you have said, ED is still in its infancy and cannot fully meet the needs of end users.

Then it turns out that paper manufacturers sell processed pulp.. :) EDF operators provide services that are in demand by the market (although some manage to sell canned air of the Alps)

Why so? Electronic document management is not an end in itself, it is a tool. It develops, and the requirements grow the same. Somewhere the requirements are higher, somewhere the ED itself forms the needs. In general, I believe that the state of EDI in Russia is more or less adequate to the requirements of the market.

Sergey, making such a conclusion, I am based on what you wrote above. After all, you are raising the question of the effectiveness of IT tools for the implementation of ED. In addition, the cloud service, as a service sector, is developing quite dynamically and the chances of an electronic signature appearing are a matter of time.


Back in the last century, many enterprises began to massively switch to electronic document management. Everyone has computers with office programs. Documents were often typed into Microsoft Word or other text editors, exported to PDF, sent by e-mail.

It seemed that if the workflow was electronic, we would soon forget about cabinets with paper archives, and not a single sheet of paper would remain on desks. If a paper document suddenly arrived at the organization by regular mail, the artifact would be immediately scanned and digitized. In reality, it turned out quite the opposite. It turned out that the more an organization uses computers for digital workflow, the more documents it prints. After all, every document needs to be endorsed. A document without a signature is just a draft or information note. To get a signature, documents are printed out and then often scanned back, keeping the originals in the archive.

It is now clear that a truly electronic (paperless) workflow cannot be implemented without digital signatures.

Today B2B and B2C companies and state organizations are moving to introduce digital signatures because of their undeniable advantages:

  • Paperless workflow. Saving time, money and resources.
  • Effective business processes. Signing in electronic format makes every transaction a smoother process.
  • Mobile capabilities. Communication within the organization and with customers becomes easier.

Public Key Infrastructure (PKI) provides integrity and confirms the authorship of each document. Timestamps certify the time a document was signed, which is necessary for time-bound transactions, non-repudiation, and data retention for auditing. Of course, the entire document management system with digital signatures must comply with the requirements in force in the country of jurisdiction, as well as in countries where partners and clients work.

Uniform standards for electronic document management and digital signature infrastructure are gradually being developed. For example, in the EU countries, the eIDAS (electronic IDentification, Authentication and trust Services) standard for electronic identification, authentication and trust services has been in force since July 1, 2016. In the US, the 21 CFR 11 standard has been adopted.

The world's largest trusted services for electronic documents are the Adobe Approved Trust List (AATL) and the Microsoft Trusted Root Program. The CAs included in these lists issue certificate-based digital identifiers and provide timestamp services that comply with global regulations, such as the eIDAS standard. Electronic digital signatures are already supported for the most popular office document formats, including signing of a document by several persons, with timestamps.

What is Digital Signing Service (Cloud service of digital signatures)?

Digital Signing Service (DSS) is a scalable API-enabled platform for rapidly deploying digital signatures that provides:

For your own DSS service, you need to set up more than just a signing workflow and user management. Signing certificates are also required to verify the identity of the author of each document. This involves cryptographic components such as key management, a FIPS level 2 or higher key storage system (such as hardware tokens or an HSM), an OCSP or CRL service, and a timestamp service. Combining these components, especially integrating directly with a Hardware Security Module (HSM), whether in the cloud or on-premises, requires significant effort on the part of the IT and information security departments, along with good knowledge of cryptography and the availability of the necessary resources.
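How a verifier combines the signing certificate, the OCSP/CRL answer and the timestamp, as an added Go sketch that is not taken from any DSS product: Ed25519 stands in for the certificate's real algorithm, and `CertInfo`, `tsInput` and `Validate` are hypothetical names used with constructed dates. It shows why the timestamp matters for non-repudiation: a signature stamped before the certificate was revoked stays valid, one stamped afterwards is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"time"
)

// CertInfo: facts taken from the signer's certificate and the OCSP/CRL service (RevokedAt zero = not revoked).
type CertInfo struct {
	Pub                 ed25519.PublicKey
	NotBefore, NotAfter time.Time
	RevokedAt           time.Time
}

// tsInput is what the timestamp authority (TSA) signs: hash of the signature plus the time.
func tsInput(sig []byte, at time.Time) []byte {
	h := sha256.Sum256(sig)
	return append(h[:], at.UTC().Format(time.RFC3339)...)
}

// Validate decides whether sig over doc counts, judged at the attested signing time.
func Validate(doc, sig []byte, c CertInfo, at time.Time, token []byte, tsaPub ed25519.PublicKey) error {
	switch {
	case !ed25519.Verify(c.Pub, doc, sig):
		return fmt.Errorf("document altered or wrong signer")
	case !ed25519.Verify(tsaPub, tsInput(sig, at), token):
		return fmt.Errorf("timestamp token invalid")
	case at.Before(c.NotBefore) || at.After(c.NotAfter):
		return fmt.Errorf("signed outside certificate validity")
	case !c.RevokedAt.IsZero() && !at.Before(c.RevokedAt):
		return fmt.Errorf("signed after revocation")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	tsaPub, tsaPriv, _ := ed25519.GenerateKey(nil)
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	doc, at := []byte("contract (constructed sample)"), t0.AddDate(0, 6, 0)
	sig := ed25519.Sign(priv, doc)
	token := ed25519.Sign(tsaPriv, tsInput(sig, at)) // TSA side
	c := CertInfo{pub, t0, t0.AddDate(1, 0, 0), t0.AddDate(0, 9, 0)} // revoked after signing
	fmt.Println(Validate(doc, sig, c, at, token, tsaPub))
}
```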

It is important to consider these hidden costs and investments, as well as limitations and overheads, when evaluating digital signature solutions.

Separately, it is worth mentioning that if the DSS service is critical to the organization, then it should work with a high level of uptime and provide high throughput. That is, you need to design your solution with a certain amount of redundancy - with a margin for the future. And it should be assumed that business is characterized by growth. The infrastructure must be scalable.

| | Digital Signing Service | Traditional implementation |
|---|---|---|
| Integration with document signing applications | Through a simple REST API | Requires internal cryptographic expertise for configuration and support |
| Cryptographic signature components (certificates, OCSP, CRL, timestamps) | Included in the API, do not require advanced cryptography knowledge or development resources | Provided separately, require separate calls from applications and internal development resources to configure |
| Scalability | Highly scalable - no additional configuration or integration required | Additional equipment purchase and configuration may be required |
| High availability and disaster recovery | Delivered via WebTrust-verified GlobalSign infrastructure with global data centers, redundancy and the best equipment for network protection | Requires additional investment in equipment |
| Secret key management and storage | Via REST API, no internal resources or hardware are used | The client is responsible for key management and storage (for example, in the cloud or on-premises HSM) |
| Signing identities | Support for signatures of two levels: departments and employees (for example, John Doe, accounting) | Not all solutions support both types of identities |

The cloud service greatly simplifies the deployment of a document management system with support for digital signatures. All operations simply go through the API.

Cloud services differ in price and functionality. But they all guarantee flexibility, scalability and high availability. Although the services are paid, they relieve companies of the need to invest in the development of their own solutions, including the purchase of expensive cryptographic equipment.

Who might need a cloud-based digital signature service? In theory, these are any organizations of any size that develop or put into operation specially developed applications and intend to either integrate digital signatures there, or use an already integrated application.

  • Providers of document management solutions or applications that wish to integrate digital signatures or seals. Another option is to offer them to customers as a premium feature that guarantees document protection against forgery. A flexible model is supported here: digital signatures can be added as an additional layer or option.
  • Businesses that want to integrate digital signatures or seals into their workflow.
  • System integrators who implement digital signatures in existing and new document management systems.

Ultimately, it is up to each organization to determine which DSS option is best suited to its project requirements. This takes into account the requirements of regulatory bodies, the size of the organization, and other factors, often unique in each case.

Recently, electronic signatures (ES) in the cloud have been discussed often. The topic is mostly discussed by IT specialists. However, with the development of electronic document management services (EDF), subject specialists - accountants, secretaries, auditors and others - have also become involved in the topic of cloud ES.

A cloud electronic signature means that your private ES key is stored on the server of the certification center, and documents are signed there. This is accompanied by the conclusion of the relevant contracts and powers of attorney. The signer's identity is confirmed, as a rule, by SMS authorization.

Whether an accountant needs a cloud ES depends on the mode in which he works.

If you are often out of the office, or, for example, work for a company that provides accounting services (accounting outsourcing), then cloud-based ES will help you sign documents from anywhere.

There is no need to install any additional software. However, despite the ease of use, not all companies are ready to use this opportunity.

So that you can decide for yourself whether you need a cloud-based electronic signature, we will consider all the pros and cons of using it, and also think about who might really need such a tool. By the way, in this article we will only talk about the enhanced qualified electronic signature (hereinafter - UKES).

A cloud-based electronic signature is cheaper than a conventional one. This is mainly because you do not need to purchase a cryptographic information protection tool (CIPF) and a token (flash drive with a certificate). As a rule, once their purchase is included, the price of a certificate rises 2-2.5 times.

Convenience and ease of use. To work with a cloud-based electronic signature, you do not need to install either the electronic signature certificate itself or special tools for working with it. This means that you will not waste time figuring out how it all works.

Mobility. At the moment, there are no common and free solutions for using a non-cloud electronic signature on mobile devices. In this regard, a huge advantage of a cloud-based electronic signature is that you can work with it from any computer, tablet, smartphone with Internet access.

Against

You do not physically sign the document. You need to understand that in the case of a cloud-based electronic signature, the private part of the key, which is confidential and should belong only to you, will be located on the server of the certification center. Of course, this will be documented, and the servers themselves are securely protected. But here it all depends on the company's security requirements and on the policy associated with signing documents. If it is important for you that the owners of the private keys themselves sign the documents, then a cloud-based electronic signature will not suit you. In this situation, it is up to you to decide how much you trust the CA and the servers that store the private keys.

You can use a cloud-based ES only in services that are integrated with the certification center's software. This also follows from the fact that, with a cloud ES, the private key is stored on the CA server. For the service you need to be able to use such a private ES key for signing, it must be able to send a request for generating an electronic signature to the CA server. Clearly, there are many services today, and not all of them will be able to provide integration with the CA software. It turns out that you will have to use a cloud ES only with certain services. To work with other services, you will have to buy another ES certificate, and there are no guarantees that these services will support any cloud-based electronic signature.
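The flow described above (private key held by the certification center, a service sending it a signing request, the signer confirming by SMS code), as an added Go sketch that is not code from any certification center: Ed25519 stands in for the real signature algorithm, and `CloudSigner`, `Request` and `Confirm` are hypothetical names. The one-time code is bound to the document hash, is single-use and expires, so a code issued for one document cannot authorize another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"math/big"
	"time"
)

// pending is one signing request waiting for the user's SMS code.
type pending struct {
	code    string
	expires time.Time
}

// CloudSigner models the CA-side service: the private key never leaves it.
type CloudSigner struct {
	priv ed25519.PrivateKey
	reqs map[[32]byte]pending // keyed by document hash: a code authorizes one document only
}

// Request registers a hash and returns the code (in production it goes out by SMS, not to the caller).
func (s *CloudSigner) Request(h [32]byte, now time.Time) string {
	n, _ := rand.Int(rand.Reader, big.NewInt(1000000))
	code := fmt.Sprintf("%06d", n.Int64())
	s.reqs[h] = pending{code, now.Add(2 * time.Minute)}
	return code
}

// Confirm signs h only if the code matches the request made for exactly this hash.
func (s *CloudSigner) Confirm(h [32]byte, code string, now time.Time) ([]byte, error) {
	p, ok := s.reqs[h]
	delete(s.reqs, h) // single use: any attempt for this hash, right or wrong, burns the code
	if !ok || now.After(p.expires) || subtle.ConstantTimeCompare([]byte(code), []byte(p.code)) != 1 {
		return nil, fmt.Errorf("authorization failed")
	}
	return ed25519.Sign(s.priv, h[:]), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	ca := &CloudSigner{priv: priv, reqs: map[[32]byte]pending{}}
	h := sha256.Sum256([]byte("invoice (constructed sample)")) // only the hash leaves the client
	sig, err := ca.Confirm(h, ca.Request(h, time.Now()), time.Now())
	fmt.Println(err == nil && ed25519.Verify(pub, h[:], sig))
}
```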

And what?

Cloud electronic signature is a convenient, mobile and simple tool, but not the most flexible. And in terms of security, perhaps storing the private key on a secure server would be better than keeping a token in a drawer.

Who really needs an electronic signature?

First of all, those who often work outside their office. For example, lawyers and auditors who often visit clients. Or executives and directors for whom it is important to sign documents anywhere. For them, a cloud-based electronic signature will become an indispensable assistant in their work.

Also, a lot depends on the policy of the company. If an organization moves towards cloud technologies, for example, in terms of storing documents, using services for internal and external document management, then electronic signatures will most likely also be cloud-based. Otherwise, accountants, clerks and other employees who usually do not leave their office during work do not need a cloud-based electronic signature. They can purchase an ES private key and an ES certificate in the usual mode, on a carrier that can be used in most services for exchange with counterparties and government agencies.