Skip to main content

Digital signatures: the unsung hero of the post-Covid era

Trust
(Image credit: Image Credit: Shutterstock/xtock)

When all communications became digital overnight, businesses wondered how to continue establishing trust, and digital signatures rose as the answer.

While this technology already played a vital (if not too often discussed) part in modern-day business operations well before 2020, the need for an advanced technology to secure digital interactions and communications has been accelerated and intensified.

Changing tech for changing businesses

A digital signature is a type of electronic seal that leverages public key infrastructure (PKI) to authenticate the identity of the signer. The signature is created by generating a hash, which is encrypted using a sender’s private key. Like a virtual ID card, the signature is then attached to the data, which will confirm to any system that inquires that the data was submitted by the sender.

The signature is uniquely linked to the signer and cannot be recreated or duplicated. Any tampering with the data while it is in transit will be detected, ensuring the message’s integrity, and an audit log is also kept detailing the signing process. Taken together, these factors mean that an author cannot dispute the data’s authorship or validity. This is of critical importance to the smooth and uninterrupted running of the business, wherever it may be conducted from.

Although there are many use cases for digital signatures, three of the most common are document, email, and code signing. Securing these three processes is more important than ever in the era of remote working. With employees working from home, paper-based document signing is no longer viable and instead must be handled virtually. Similarly, staff who used to exchange confidential information in person have transferred these communications to email, with such unprotected messages posing one of the greatest risks for businesses today.

A cheap and easy to scam money via email

Cybercriminals have seen the opportunity in email becoming the main mode of communication in the business world when everyone works remotely. They are sending emails pretending to be a legitimate third party requesting payment or information, a practice known as BEC (Business Email Compromise). They are turning to spear-phishing, which means specifically targeting high-level executives to get them to authorize transfers of huge sums or to reveal industry secrets. Or they might plainly deploy mass phishing attacks in the hopes that some employees will click the wrong link and grant them access to the system where they will implant foot-in-the-door malware.

All of these would have been prevented if the fraudulent email was marked as “not what it seems”. It is no surprise, therefore, that the digital signatures market is forecasted to reach $14.1 billion in value by 2026, as companies seek to bolster their security against these attack modes.

Every single email sent and received internally or externally needs to be trustworthy, and the only way to establish that is by digital signature affirming its provenance and guaranteeing it has not been tampered with from malicious actors.  When seeking a digital certificate solution for emails, there are several things businesses should consider. End-to-end encryption, full certificate lifestyle management and multi-device compatibility are a good place to start, but businesses must also seek elements such as crypto agility and centralized encryption key storage capabilities.

When even malware looks trustworthy

Aside from the traditional social engineering methods that hackers rely on to prey on well-meaning employees, a more sophisticated method is trying to make the malware itself look legitimate, so even those more security-conscious will fall for prey to malicious intrusions. It involves the use of code-signing certificates (the certificates placing a “seal of approval” on pieces of code”) to make malware appear trusted. This is achieved through compromising the victim’s private key and certificate. It is therefore vital for users to sign their code using a highly secure certificate.

When shopping around, prospective customers should seek EV code signing for high assurance, timestamping to ensure signature validity after certificate expiration, compatibility in the cloud and on premise and certificate management workflow, to ensure that no malicious code is making its way into the internal system undetected.

Signed and sealed: how to trust a document

Digital signatures are similar to physical signatures in the sense that both are unique to the signer, except that in the case of digitally signed documents, a digital signature offers far more security and the assurance of the document’s origin, identity, and integrity. This is because a physical signature could be easily copied and pasted from a PDF or other document without the owner’s consent. The key difference between both is that digital signatures for document signing are based on Private Key Infrastructure (PKI), and therefore cannot be tampered with.

Key features of document signing that businesses need to look for include compatibility across document types and integration with relevant workflows, being trusted by Adobe Approved Trusted List (AATL) as well as EU-qualified certificate issuance. On top of this, businesses need key issuance for portable, cloud or on premise hardware security modules (HSMs), timestamping, data protection and residency compliance. With all these elements in place, the sender knows that the document will reach the receiver without being altered or manipulated in transit, securing the integrity of their communication.

Digital certificates are the gold standard for ensuring identity

There is no doubt that the conditions that make digital signatures an essential of modern business will remain long after the pandemic, as location becomes less important and the world gets used to remote working by default.

More than ever, IT teams understand how digital identities fit into their secure, geographically dispersed architecture. Automating the discovery, issuance, and renewal of public certificates saves time for security and operations personnel and reduces enterprise risk.

Digital signatures are a complex world, and it is important to have the right solution in place to protect the organization from every type of digital fraud. In preparation of this, CTOs will take a fresh look into how digital signatures bolster their security posture holistically, and demand for this technology will continue to rise.

Jason Soroko, CTO, Sectigo

Jason Soroko, CTO at Sectigo.