Over the past two months we’ve been discussing the security of the SIGNiX digital signature solution in celebration of October’s National Cyber Security Awareness Month. Superstorm Sandy threw us off a bit on timing, but I’m glad to be back to discuss a rather important element of our e-signature product that doesn’t often get the limelight…our secure architecture.
SIGNiX products like MyDoX™ operate entirely via a Software-as-a-Service (SaaS) model, meaning that customers need not worry about installing software or managing hardware or servers—SIGNiX manages that over the internet in coordination with our hosting partner. For a long time, moving to a cloud service was viewed somewhat skeptically: why should I move my data somewhere else when it’s just fine right here within my firewall? Certainly, consumers have moved to cloud-based services in droves: witness the success of services like Gmail, Spotify and Facebook. But it was only in the past few years that enterprises have truly embraced the cloud due to the cost savings, incredible scalability, and improved security that have been implemented.
For SIGNiX, whose entire service is based on making the application of standards-based electronic signatures (digital signatures) as simple and easy as a click on a web page, SaaS is the best option. That way, we can manage the keys, cryptography and security of our service without customers having to worry about implementation or management of the solution. That’s where choosing a good hosting provider comes into play.
SIGNiX’s hosting provider meets the highly secure requirements of SSAE 16, the follow-on to the popular SAS 70 audit, which features a complex reporting matrix of physical, logical, and personnel controls designed to protect the confidentiality and integrity of the information contained within the datacenter.
Within the datacenter, SIGNiX uses FIPS (Federal Information Protection Standard) 140-rated hardware security modules (HSMs), whose sole purpose is to keep cryptographic material such as signing credentials secure and protected. These devices are equipped with systems right out of a Bond film that cause the information within them to be erased if the device is tampered with rather than have that information leaked.
But SIGNiX doesn’t stop there:
- All of our XML-based audit log and event history information (which was detailed in this blog entry) is digitally signed to create a tamper-evident seal.
- All communication with the SIGNiX service is handled via secure communication (secure sockets layer - SSL), which effectively uses the same technology as our digital signatures, but within the browser, encrypting communication between sender and receiver.
- Documents can be shredded electronically according to DOD standard 5220.22-M.
As you can see, we take the security of our service—and our customers’ documents—very seriously. To find out more about our security and technology, check out our Technology FAQ here.
You can also watch a video about our digital signature service by clicking the button below.