A presentation on the real-world experiences of Electronic Signatures. Delivered at the Scientific Archivists Group conference in Nice, 2nd May 2014.
http://www.amphora-research.com/
Electronic Signatures: What happens in Practice
Simon Coles CTO & Co-Founder
Amphora Research Systems
Electronic Signatures
• Signature Technology
• Long Term Considerations
• Robustness
• Humans
• Processes
A Little About Me
• So you can understand my perspective, experience and biases
• Started working with Electronic Laboratory Notebooks in 1996
• Active in CENSA at the time
Amphora
• Solutions which Focus on
• the Capturing (from busy scientists)
• and Preserving (in complex environments)
• of Evidence (for use in court)
• about Scientific Activity (in Discovery)
• generally for Patent purposes
• Note: GxP is not a huge part of this
Representative Customers
Differences are Interesting
• Diverse Customer Base
• We have some of the largest “ELN” deployments in the world
• We have some of the smallest
• But all have the same problem
• Same technology
• Same outcome
• Very different approach required
Large companies
• Have in-house records/archive expertise
• We’re a competent technology partner
• Often will mediate with IT departments
• We often help with the long view
• Large companies are not immune to pain
• But the incentives are sometimes short term
• Unusually for a technology supplier, we’re taking a decades-long view
Smaller companies
• No in-house expertise
• No real appetite or money to do things “Properly” for the sake of it - need to demonstrate fast ROI
• We embed best practice in a robust offering
• Buy and do what it tells you
• Often SaaS
• Often a limited runway to prove a concept to get more investment gives these companies a very near-term focus
Signature Technology
• Good systems all use the same technology
• RSA, DSA, Elliptic Curve, SHA512 hashes etc.
• The underlying algorithms are well proven, with lots of implementations, and free
• If anyone claims to have some secret sauce – run away, fast
• Beware: Some vendors are shockingly bad at this stuff
Signature Technology
• Not going to go into any more detail on the technology side
• Would take more time than we have
• Probably wouldn’t remember it
• Not all that interesting
• Wikipedia is excellent!
Long Term Considerations
• Technology: Violently agree with Peter from Phlexglobal
• PDF/A, XML, Multiple Copies, Bit-level integrity checking
• But: Signatures in XML format, nothing proprietary or binary
• Integrity checking
• Regular and routine
• Use a different implementation of signature algorithm
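One way to act on the "different implementation" bullet: a second verifier written directly from RFC 8017, run routinely over stored signatures. This is an added example, not from the presentation or any Amphora product; it assumes RSA PKCS#1 v1.5 signatures over SHA-512 held as raw bytes, and the demo key, `demo_sign` and `audit` are constructed for illustration.

```python
import hashlib

# DER DigestInfo prefix for SHA-512 (RFC 8017, section 9.2).
SHA512_PREFIX = bytes.fromhex("3051300d060960864801650304020305000440")

def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """Expected encoded message: 00 01 FF..FF 00 DigestInfo(SHA-512)."""
    t = SHA512_PREFIX + hashlib.sha512(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for SHA-512")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def verify(message: bytes, signature: bytes, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5 verification using only integer arithmetic."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # Compare with a freshly built encoding instead of parsing the padding.
    return em == emsa_pkcs1_v15(message, k)

def audit(records: dict, n: int, e: int) -> list:
    """Routine check: ids of records whose signature no longer verifies."""
    return [rid for rid, (msg, sig) in records.items()
            if not verify(msg, sig, n, e)]

# Constructed demo key built from two Mersenne primes: insecure, example only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def demo_sign(message: bytes) -> bytes:
    """Stand-in for the primary signing system (hypothetical helper)."""
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(message, k), "big")
    return pow(m, D, N).to_bytes(k, "big")
```

A disagreement between this check and the primary system's own verifier is itself a finding worth investigating, whichever side is wrong.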
Not just file formats
• Also need to preserve supporting information
• Personally identifying information
• Processes and proof of compliance
• Need to ensure this all survives departure of
• The people
• The project
• The vendor
• The company
Nothing is Forever
• We're doing an awful lot of corporate transition work
• e.g. splitting of repositories
• Or complex splitting of businesses
• Outsourcing of work is huge and interesting
• A lot of the long term records decisions have helped us out here
Vendors and Longevity
• Looking back, focused niche companies are more reliable than larger composites
• You should have everything you need to protect and defend your records without a vendor
• IMHO this is your primary responsibility when purchasing on behalf of your company
• This is not in the vendors’ interests!
Long Term Recommendations
• Make sure your archive is standalone, with no IT or other dependencies
• Can you identify people after they’ve left your company? Without access to HR records?
• Can you describe signature intent etc. without access to the specific SOP in place at that time?
Long Term Recommendations
• Make sure you can access your records on your own
• e.g. file system
• You should be able to read with a standard PC & Software
• No Encryption
• No Compression except what’s in the PDF standard
Robustness
• Signature systems run for a long time and their threat model is asymmetric
• Your system will produce millions of signatures
• One, at random, will get analysed in huge detail
• Designing for robustness is essential
Technology is Bad
• Avoid technology where you can - it goes wrong
• Avoid two-factor authentication unless you really need it
• Avoid mixing risks and incentives
• You should be able to explain it to your Granny
Integration Traps
• IT seem to have an obsession with integrating systems
• Vendor push?
• Need to be seen to be getting value for money?
• Not always a good thing - adds complexity and risk
• Integrate for record acquisition/ingestion
• Make it easy, quick, and reliable
• Don’t depend on anything else for records preservation and defence
Processes
• There's often a view that more is better
• That isn’t always the case
• Better something straightforward that’s done reliably
• Things change
• Simple processes survive the tests of time
Process Example
• Detailed SOP
• Lots of information about what to put in a notebook
• Hence rarely read, seldom followed
• Setting yourself lots of traps
• Better
• “Write up your experiments…”
• “Sign them…”
CROs and Others
• This big/small company difference is evident with CROs and other Partners
• Often there is a culture gap
• In our “Research Externalisation” work
• Yes there’s technology
• But there’s a large portion of cultural brokering
• Processes that work in big companies are often too heavy for smaller companies
What Electronic Signatures are Really About
People
What People Really Think
• Signing stuff (especially outside of GxP) is generally perceived to be a pain
• Make it quick and easy
• Gentle encouragement
• Remember you’ll need reporting to spot troubles
People
• Yes there’s some technology
• Just as there was with paper
• Of course
• Pick your technology and vendor carefully
• Keep things straightforward and robust
• But you are designing a system which involves humans
Working with People
• The technology of Electronic Signatures is relatively easy
• Most of the hard stuff is about people
• And we are often working with people on the less articulate spectrum
• We use something called “Clean Language” which really really helps with this. Especially for highly technical people.
• Caitlin Walker pioneered this in Business
• She’s just written a book (I’m in the Chapter 3 case study)
• There’s a TED talk - YouTube “clean questions ted”
• Happy to discuss offline - very easy to demonstrate
We’re Dentists!
• The effort is routine and ongoing
• The payoff is long term
• People know they should but… doesn’t always work out like that
• Our task is often thankless but always essential
Summary
• Good signature systems are simple
• Self-contained and depend on very little else to work properly
• Beware of technology
• Snake Oil vendors
• IT value for money complexity
• Design for Robustness
• Design for People
• Go to your dentist :-)
Thank You