Let’s talk about digital identity with Robin von Post, Head of IAM Solutions at Cybercom.
In episode 10, Oscar talks to Robin about digital signatures – what are they, what challenges do they solve/pose, and why businesses should be taking advantage of their benefits now. They also talk about the issue of trust between organisations and internationally – particularly from Swedish (where Robin is based) and pan-European perspectives.
“Digital identities and digital signatures are one of the basic building blocks of making the transition to pure digital.”
Robin has deep interest and experience in the IT-security domain. For the last 20 years he has been involved in the development and deployment of high assurance encryption systems for European government and defence customers, with the last years’ focus on securing national civilian critical infrastructure.
Last year, Robin took on a role at Cybercom Secure as the Head of IAM Solutions, including advanced electronic signature services, directory administration and governance, and other IAM and security related services.
On a private note, he weekly curates a newsletter – ‘The von Post’ – covering IT-security related events. He supports the Swedish “Säkerhetspodcasten” as a freelance reporter. He is also a private pilot & passionate photographer.
Cybercom is an innovative consulting firm that enables leading companies and organisations to benefit from the opportunities of digitalisation. It provides innovative, secure and sustainable solutions in IT and communications technology by combining technical edge and strong business insight. This applies whether the issue is transforming products into services, developing new business models or helping the public sector get closer to citizens.
It is a highly diverse company, with a large age range, 45 nationalities and assignments in 20 countries. Cybercom’s domestic markets are the Nordic region and Poland, and in addition the company offers global delivery capacity for local and international business. Find out more at cybercom.com.
Read about Ubisecure and Cybercom’s recent partnership announcement at ubisecure.com/news-events/cybercom-partnership.
Listen to episode 21 with Robin’s colleague, Bengt Berg – Head of Compliance Management Services at Cybercom, here: www.ubisecure.com/podcast/bengt-berg-cybercom-iam-compliance/
Let’s talk about digital identity. The podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thanks for joining today. Today we’re going to discuss a situation in which many people who have to sign documents and are given a digital way of signing might be wondering: is this really safer, more secure than the old way? Or, if you are one of these persons who are signing documents not occasionally but many times per day, you think there must be a more modern way to do this. So we’re going to talk about digital signatures. And for that we have our guest today.
Let me introduce you to Robin von Post. He has deep interest and experience in the IT-security domain. For the last 20 years he has been involved in the development and deployment of high assurance encryption systems for European government and defence customers, with the last years’ focus on securing national civilian critical infrastructure.
Last year, Robin took on a role at Cybercom Secure as the Head of IAM Solutions, including advanced electronic signature services, directory administration and governance, and other IAM and security related services.
On a private note, he weekly curates a newsletter called The von Post covering IT-security related events. He is also a private pilot and a passionate photographer.
Robin von Post: Hello Oscar. Nice to be online talking to you here on this podcast.
Oscar: Great talking with you, Robin. Welcome. Please tell us what was your journey to this world of digital identity.
Robin: Yeah. The digital identities and the digital signatures, I think they’re one of the most basic platforms or building blocks that you need to have in order to make a good transition into pure digital. I mean there are a lot of systems where you just add up services and so on, but the problem is always how can you prove that you have the right person in front of the computer, or that you have received the correct information from the right person. And that’s where– my experience tells me that we need to solve this in a good way.
And we have been doing this now for quite some time. As you mentioned in my bio there, I have only been here for almost two years now, but we have been doing this for almost 10 years at Cybercom and we have good experience in solving these kinds of problems. And I think that a lot of the time there will be gaps in the digital flows. There’ll be gaps where you need to print out stuff, sign it by hand, put it in an envelope, go to the post office and send it. Someone needs to receive it. It needs to be scanned and it needs to be archived. So these non-digital gaps that we see in a lot of the digital solutions today, I think there is a strong need to get rid of those. So that’s why I’m so interested in, yes, the digital signatures and the electronic identities that we see today.
Oscar: Sure. And what other challenges do you see today in digital identity?
Robin: Well, the challenge is of course also how to trust between organisations or between nations. There are a lot of issues where you have one solution on one side, and another solution on another side. And the problem is that since this is a quite new field, to trust digital signatures and identities, there are a lot of different solutions. They are trying to enforce standards, and I mean the European Union has set this eIDAS standard and enforced that in several steps. And that’s a really good thing.
I mean they have the greatest ambitions of bringing the EU together on this on a standard note, and also on the interoperability between countries and how that should work both in– I mean in all the digital services that we see coming in the– yeah, coming 10 to 20 years for the European departments and countries and organisations that are involved. Because I mean if you get a document from Finland that has been digitally signed by you, and send it over to me, I need a way to trust: how is this keeping together? Can I trust that it’s from you? Can I trust that it has not been altered in some way?
And the big advantage I would say of a good electronic signature then is that you can actually trust the data that you get. You could actually start working on the data with a computer, not with the person that needs to scroll through and check that it’s reasonable stuff. You can say, “OK Oscar, here, you actually signed this. You signed this information that I get. So I can trust that it’s you that’s behind this information.” And that’s something that will really expedite or make digital flows more efficient.
And we see a lot of the challenges today that we have both in companies and in the public sector and other governmental institutions, that we have inefficient ways of working because some of these basic ‘puzzle pieces’, so to speak, are not there yet. But it’s getting there, and I see that in a lot of our customers that we have now delivered this to, they are actually making great progress in tying things together.
I mean we’re working with you at Ubisecure with external customer identities and bringing together not only the external identities and signatures but also the internal identities and signatures. So it’s both the internal core administration flows that need to go digital and the external ones, and tying these together, because it shouldn’t be hard. And it’s not really that hard if you go for a solution that’s trusted and where you keep to the standards that there are. So that’s also a big advantage I would say.
Oscar: Sure. Sure. There are many– what you have said shows many scenarios in which digital signatures can be used. If we go a little bit back to the basics for people who are not familiar with what a digital signature is, how would you define what a digital signature is? And also, some misconceptions that you usually hear about that.
Robin: Yeah, that’s a really good question I would say, because there are a lot of things that people consider a good signature or not a good signature and so on. And I think that there is a good definition of course. And it also depends on the use case where you need it. Some things that you sign should be valid for maybe 50 years; some things are just something that you sign because you buy something, and then it’s over in like half a year, it’s not relevant. So we’re talking a lot about the level of assurance that you have. And in some electronic way, you need to tie this assured identity with the right level to the document or the information part that you want to sign. And we are working both with PDF versions of information and XML versions. So there are some standards for that, of course. Not going into much of the technical details, but I mean we need to tie this information to you.
So, if I get a good view that I’m talking with Oscar here, you have made that probable on some level, maybe I called you up at the correct number and you gave me the secret password or something, and then I know, “OK, Oscar is on the other side”. And then we can tie this information to you. You will actually– like when you do the hand-written signature on the paper, you will also tie in, in a technical way, a hash or a fingerprint of the document that we enclose with your signature.
And I think that’s one common misconception: we see several solutions today where some company has a stamp and they make you go into their website and you log in to that website, and you load your document there. Then they put a digital stamp on it. So let’s say that the name of the company is Signatures Inc., maybe there is one with that name. Yes. Pretend that it was made up.
So Signature Inc. sets its stamp on the digital document and also, as information in the document, says Oscar was actually logged into our system and said that he wanted to sign this document. But then the document is actually not signed by you. It’s signed by Signature Inc. And they need to be there to prove that you actually signed the document. And what happens in 20 years when they’re not there anymore? How about the logs? How about the traceability? How about the accountability? Can you say, “No, I didn’t sign that”? How can they track the assurance of your identity to that document? Can you go to the other party where they say, “Oh, Oscar, you signed this?” And you say, “No, I didn’t sign that.” So you will be in a legal process, right? To try to convince them that you didn’t. Then you need to also involve Signature Inc. because they put a stamp on this.
But I think that there is a good level in the standardisation that’s going on in the EU today, which is actually the good advanced electronic signature where you are the one signing the document. So Oscar signed the document. We create an individual certificate that proves that you are logged in and then we embed that into the document itself. And then you can email this, you can send it up to some file share, you can do anything with it and you will actually be liable for what you signed. So that’s one important part.
Another – misconception is not the right term, but the – challenge is of course how do we prove in the future that you signed this? 50 years from now there are new algorithms, there are new policies for how to create signatures and so on, so there needs to be some way in this process to re-evaluate the signature to address the new policies that might be enforced in like five years. So you take your signed document and then you have to seal it in the best practice way that will hold in 2025, so to speak. So it also needs to be a futureproof solution in that sense, to follow along the lines of the standardisation that will actually go on.
Oscar: So, one question that came to mind is that you said that I should be the one signing the document instead of the provider, but what does it mean that I sign it? Is the cryptographic signature done on my side, on my device, or what exactly does it mean that I sign it?
Robin: Yeah. That’s a really good question. I think that the cryptographic signature that you create should be unique for your signature and for that document. It should not be a signature that’s made just by Signature Inc. on that document. It should be also tied to you in some way. And, yeah, that’s where the difference will happen.
Oscar: Right. Exactly that’s the difference. OK. What would you say are the top reasons why people and organisations should move to signing documents digitally already today? So why now?
Robin: Yeah, coming back to that I think that it’s actually available now. There are standards. There are ways of doing it. And there are proven ways of how it works. So there’s no reason to wait.
There is also, as I said, the wave of digitalisation that you have now in this era of going digital; there are a lot of possible places where you will actually put a digital signature in the flow. It could be internal, it could be external or it could be a mix. Someone internally makes a document, signs it and provides this document to an external party where they want to sign as well. And that shouldn’t be two different systems. It shouldn’t be two different ways of signing this. It should be according to how the best of brand electronic signatures are done today, I think. So, there’s no reason to wait because it’s there. And there’s no reason to wait because it’s one of the foundations that you’re putting in– in order to enable efficient digital processes.
Oscar: Mm-hmm. And there is no excuse that it’s difficult.
Robin: No, actually I would say that creating the signature and handling the security around it, the processes et cetera and all these, that’s something that is quite advanced. But from a customer perspective, it’s simple. And I would say from an end user perspective also it’s simple. But the rest we will take care of at Cybercom.
Oscar: Yeah, absolutely. Yeah, that was my question from the end user perspective. Now, some people might still feel or have this conception that it’s difficult. But I believe too that at this point in time when there are great tools, like SignPort by Cybercom, that are doing things right and make it easy for customers.
So another thing that people usually discuss about digital signatures is the types, the types that refer to the levels. Some are more strict; it depends also on what’s required on a legal basis. Could you tell us about these types of digital signatures?
Robin: Yeah, I mean there are some levels. I mean on the basic level it’s just an email that you sent to someone which says, “Hey, I’m Oscar… sell me stuff”. That’s one kind of a signature, right? That assurance is really basic and almost zero. It is easy to spoof. Then you have the next level where you can create your own account on some Facebook or Google and you could actually involve that in the signature.
The next level is of course that you have some kind of electronic ID that some system will hold together – that you actually went to the bank or to some kind of a person to actually prove, together with some identity papers or identity proof, that you are you. And then they will tie that electronic identity to you. So like in Sweden we have BankID or Freja eID. I know in Finland you have some other ways of doing it. And there’s a system that will actually catch if there’s someone trying to defraud or fool the systems, and that’s of course the level of assurance you will actually get on the signature as well then with that kind of identity.
Then on the highest level, you will actually, as you mentioned, make the signature in your own physical device, on your phone or on your smart card or whatever. That’s something that would be the highest level. Then, of course, you always have the problem of visibility, I mean if you get a document, how do you know that it’s actually that document that you send down to the smart card and tie that to the signature? So you always have the problem of availability and ease of use. And the level described as the advanced electronic signature is actually the one that is spreading across borders now in Europe, I would say, because it’s a good mix and level of assurance for those signatures.
Oscar: Good. And what about the business benefits? Because we talk about digital identity in this podcast, but we focus also on what is the– what are the business opportunities about digital signatures. What would you say are these business opportunities, and can you mention some use cases to illustrate that?
Robin: Well, I see it from several angle points, so to speak, several angles. From the public perspective, it’s a way of the accountability that you will get as a citizen in a country. I think that – given the standardisation that’s going on – we also have a possibility that I will come to Finland and my electronic signature holds.
So I mean if you’re starting your business, or I mean yeah from a legal perspective, you’re obliged to accept eIDAS signatures today in the public sector in Sweden and in the whole of Europe actually. But I’m not sure how they do it in all countries yet. I haven’t seen the widespread deployment. And I know that in some countries digital identities are not really widespread, so that will of course limit the use of electronic signatures as well. But I mean if you look specifically at the Nordics, and some like Estonia or Spain and Portugal, it’s widely deployed there.
So I think from a market perspective, you have those markets to address. But if you have a good electronic identity system, and acceptance maybe from citizens and acceptance from people working in the organisations for electronic IDs, then you’ll also have a good business case for electronic signatures. Because I think from a business perspective there are a lot of processes that would actually benefit from – what you do is actually that you take the data and you stamp it with a quality mark. You will say that this information here holds quality. You can trust it, right. And a lot of business is actually based upon trust on a lot of levels. And given the threat level of stuff happening from people spoofing phone calls et cetera, people spoofing emails targeting CEOs to make money transfers to strange addresses et cetera, I think that we need to strengthen the trust in the information we have both internally and externally.
Oscar: Mm-hmm. Yeah, that’s definitely an excellent point you made and you have convinced me. I hope you convinced others too that yeah, digital signatures today are ready, there are good solutions and we should embrace them.
Oscar: How do you foresee the future? How do you think this is going to evolve?
Robin: I think we actually are only in the beginning right now. As I see it both from a national and a European perspective, not all countries or not all organisations have actually adopted the electronic ID, electronic signature. So the organisations and the departments that have actually gone into this now are the ones going first. And I think there are a lot more to follow.
And I think that’s when the interesting part starts to happen. Because you and I, if we are only sending documents back and forth to each other, that’s of course easy to solve. But the more parties we involve in this, the more benefit, because if you send information or documents to 5 or 10 different organisations, you as an organisation, if one of them can’t really accept or handle a digitally signed document or information parts, that will of course be a problem today because there are a lot of organisations that can’t handle it. So you always need to have a fallback for all situations.
But if we get adoption throughout organisations where you can actually send the documents from one department to another or from one company to another and there is not a problem– So I think actually we see the start now, the early adopters are there and doing it. And actually when the early majority follow on these early adopters to actually go into embracing, “we trust information that has been signed according to this way”, I think we will see it will be like a tornado effect. And we can save so much time. Time is the only thing that we have that’s equal for every citizen in Europe, right? There are 24 hours a day and we can’t make up more time, so we have to take care of the time we have, not printing stuff, sending it, archiving.
Robin: I see a lot of possibilities for people working in organisations that could actually work with things that humans are fit for, instead of systems or computers. And one key to that is adopting, trusting and involving digital IDs and digital signatures.
Oscar: Mm-hmm. Yeah, excellent. So, yeah, we are – we are still in the beginning, so there is still a lot more to come.
Robin: Yeah, that’s cool. Let’s have a talk again in like 5, 10 years and see where we are then.
Oscar: Well, sounds good so we can absolutely compare that and actually be…
Robin: Yeah, let’s book that in our electronic calendars. I can sign a document where I will promise that I will make the next interview with you.
Oscar: Let’s sign a promise digitally.
Robin: No problem.
Oscar: That sounds pretty cool, huh.
Robin: Let’s do it.
Oscar: Now, please, well, it’s almost the end. I would like you to leave us with a practical tip that anybody, not only experts, can do right away or start doing to improve or protect their digital identities.
Robin: In Sweden, there are a lot of people that have digital identities. If you have it and you use it every day, start requiring that you could also sign documents with your digital ID, because there are a lot of places where you can actually go to a website, you can fill out the form and the PDF, and in the end, why can’t you sign the document with your digital identity? And just start to question that, because that’s not the way it should be. So, for everyone, I would urge everyone to start requiring the possibility to digitally sign information that they enter, not being forced to print and sign by hand. That I would suggest to everyone listening to this podcast.
Oscar: Mm-hmm. And should we demand that from the services?
Robin: I think there is no reason for people – for systems not to introduce this possibility. I think actually we tell everyone that’s listening to require that and we should also tell all the service providers that they should start implementing a possibility to have a digital signature in their solutions.
Oscar: OK. Let’s do that. It is very important. Yes. Well, thanks a lot Robin. It was great talking with you. Please let us know how we can find you on the net.
Robin: OK, no problem. I’m on Twitter with the @rvonpost handle. I’m on LinkedIn, just search for Robin von Post, or you can actually also subscribe to that weekly newsletter that I curate every Friday morning – the latest IT-security news. It’s like a one-pager just to keep everyone updated on whether there have been any things they shouldn’t miss in this domain. So, please feel free to sign up for that one.
Oscar: Yeah, it’s very nice that you have this newsletter, I have to follow it. Thanks for sharing that. That’s going to be in the show notes of this episode. And again, it’s been a pleasure talking with you Robin, and all the best!
Robin: Thank you for having me Oscar and big hands to Ubisecure for providing this excellent podcast to your listeners. Thank you.
Thanks for listening. Let’s Talk About Digital Identity is produced by Ubisecure. Be sure to subscribe and visit ubisecure.com/podcast to join the conversation and access the show notes. You can also follow us on Twitter @ubisecure or find us on LinkedIn. Until next time.
[End of transcript]