Document security is a concern for most applications that center around the delivery, routing, storing and viewing of documents, whether they are forms, legal documents, specifications or other. Generally, system designers want to be able to restrict access to documents, identify users viewing or completing documents, ensure the secrecy of documents and ensure that documents are not tampered with. These general concerns can be addressed by considering document security as a function of four different aspects: authentication, authorization, confidentiality and integrity.
Authentication
Authentication is the process of verifying that a user is who they claim to be. For document access this is typically performed at the system level rather than the document level, but there is more than one point at which a user's identity is critical: when users access documents, and when the digital signatures contained in documents are verified. At both points it is critical that the user is positively identified.
Approaches to Authentication
System authentication is normally handled by standard web or network-based authentication protocols (for example, mutual SSL/TLS authentication or Windows network authentication). Once a user has been authenticated in this way, the system can make authorization decisions for that user.
Document-level authentication can also be useful, when the document format permits. Certain types of documents, like IBM ® Lotus Forms™, have the capacity to embed decision logic that can detect and respond to an authenticated user via a digital signature or information passed into the document from server-side processes.
A digital signature is created by the document Viewer using the private key that belongs to a digital certificate issued by a third party, such as a certificate authority. The certificate must be issued to the user in a way that gives adequate assurance of the user's actual identity: many organizations store the signing key and certificate on company-issued cards, or have security policies in place governing the issuance of purely electronic certificates. Biometric methods (electronically captured handwritten signatures, thumbprints, etc.) can also be captured and bound into the signature, bearing in mind that they identify the signer only as reliably as the capture process does.
Information from either the certificate or the server-side authentication can be used by logic built into the document to restrict access to parts of the document, determine which portions are visible, and block write access to portions as required if a user is not properly authenticated. Because this logic runs in the Viewer on the user's machine, it is a usability and error-prevention measure; enforcement against a user who is willing to bypass the Viewer must still happen on the server or through encryption.
Authentication that will be used for multiple levels of access should carry some notion of access level or role. This information can be embedded within the user's digital certificate or stored on a central server and linked to the user's ID. Embedding roles in the certificate is simple to consume, but a role change then requires the certificate to be revoked and reissued; a central store is easier to update and to check for revocation.
Authorization
Authorization is closely linked to authentication, and encompasses the process by which a user or user level is permitted access to different levels or parts of an application. Authorization decisions are only as trustworthy as the authentication they rest on; a solid, secure authentication process allows users to be authorized automatically for a variety of purposes.
The degree of authorization complexity and security will depend on the application. Typically, applications that define a hierarchical role structure require more complex authorization procedures, in which not only is the user identified, but the user's entitlement to the access level currently being requested is checked as well.
Approaches to Authorization
Authorization can also occur at various logical places in an application. Most applications require authorization for user login, document access, document submission, data queries, and so on. With the exception of the login itself, most of these checks are transparent to the user (single sign-on). This is normally achieved by retaining session information, such as a session identifier or token that the server validates on each request. The mechanism should be appropriate for the technologies involved and for the levels of security and privacy required by the application and its users, and the session token must be protected in transit and in storage as carefully as the credentials it stands in for.
Single sign-on systems can be extended to use within the context of the document itself. Document formats that support internal logic, like Lotus Forms, can make decisions regarding which sections of a document are available to the user. This is typically accomplished by server-side insertion of session sign-on information into the document, or by embedding the document in HTML for portal use.
The advantages of in-document authorization lie mainly in usability and error reduction.
For example, sections of a form that are to be filled in by someone with manager credentials can be made read-only or invisible to someone without those credentials. Likewise, when a manager views the form later, information previously entered by a subordinate can be "rolled up" so that only summaries are shown. This makes multi-stage documents significantly less error-prone, as well as easier for all users.
In-document authorization can also allow sensitive information to be contained in a document without being available to every user of that document. This approach is less common and requires the additional use of encryption and, in the context of Lotus Forms, document handling extensions. Visibility logic alone is not sufficient here: it runs in the Viewer on the user's machine, so anyone who has the file and a different tool can read a hidden section unless that section is actually encrypted.
Confidentiality
Confidentiality refers to the ability of the system or document to restrict the viewing of data to authorized users. The data may take the form of documents, HTTP-based streams, or both.
Confidentiality assures that no one can read or copy the data without the knowledge and permission of the system.
Approaches to Confidentiality
Confidentiality is typically provided by encrypting the document or data, and is employed throughout a system. The majority of applications implement confidentiality in transit by using SSL/TLS to encrypt all user-to-server and web services communications.
As an added layer of confidentiality, it is possible to encrypt the document itself. This is used when a form is stored on a local or shared machine: a public/private key scheme ensures that only the holder of the private key can decrypt the document (in practice the document body is encrypted under a random symmetric key, and that key is in turn encrypted to the recipient's public key). If the document format supports it (as Lotus Forms documents do), information about who is permitted access can be stored within the document itself, and a custom-built application extension can then control whether the document is viewable by a given person or application. Such an access list only provides real protection when it is tied to the encryption, that is, when each permitted party holds a key that can unwrap the content; a list that is merely consulted by the Viewer can be bypassed by opening the file with something else.
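The following Go program is an added example, not code from this article and not the Lotus Forms document format or API, showing one way to implement the document-level encryption just described with a permitted-reader list that is enforced cryptographically rather than by a Viewer-side check. It assumes a hypothetical container, SealedDocument, in which the form body is encrypted once under a random AES-256-GCM content key and that key is wrapped with RSA-OAEP for each permitted reader; the reader identifiers, the 2048-bit keys and the sample form body are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedDocument is a constructed container, not a Lotus Forms format: the form body
// encrypted once under a random AES-256-GCM content key, plus that key wrapped with
// RSA-OAEP for every permitted reader. The access list is the set of WrappedKey entries.
type SealedDocument struct {
	Nonce      []byte
	Ciphertext []byte            // AES-GCM output; includes the authentication tag
	WrappedKey map[string][]byte // reader ID -> content key encrypted to that reader
}

// ErrNotPermitted is returned when a reader has no wrapped key in the document.
var ErrNotPermitted = errors.New("reader is not on the document's access list")

// readerID derives a stable identifier from a public key. In a real system this
// would be the certificate's subject or subject key identifier.
func readerID(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(pub.N.Bytes())
	return fmt.Sprintf("%x", sum[:8])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body so that only the listed readers can recover it.
func Seal(body []byte, readers []*rsa.PublicKey) (*SealedDocument, error) {
	key := make([]byte, 32) // fresh content key per document
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	doc := &SealedDocument{Nonce: nonce, WrappedKey: map[string][]byte{}}
	doc.Ciphertext = gcm.Seal(nil, nonce, body, nil)
	for _, pub := range readers {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		doc.WrappedKey[readerID(pub)] = wrapped
	}
	return doc, nil
}

// Open recovers the body for one reader. A reader who is not on the list has no
// wrapped key; a modified ciphertext fails GCM authentication and is rejected.
func Open(doc *SealedDocument, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := doc.WrappedKey[readerID(&priv.PublicKey)]
	if !ok {
		return nil, ErrNotPermitted
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, doc.Nonce, doc.Ciphertext, nil)
}

// NewReader generates a key pair for one reader; in practice the private key
// would live on the user's card or key store rather than in memory.
func NewReader() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	owner, auditor, outsider := NewReader(), NewReader(), NewReader()
	doc, err := Seal([]byte("<form>salary=120000</form>"), []*rsa.PublicKey{&owner.PublicKey, &auditor.PublicKey})
	if err != nil {
		panic(err)
	}
	got, _ := Open(doc, auditor)
	fmt.Printf("auditor reads: %s\n", got)
	_, err = Open(doc, outsider)
	fmt.Println("outsider:", err) // reader is not on the document's access list
}
```

A reader who is not on the list simply has no wrapped key, so the check cannot be defeated by patching the Viewer or opening the file elsewhere; and because GCM authenticates the ciphertext, a document altered while stored fails to open rather than decrypting to garbage. Adding or removing a permitted reader means re-wrapping the content key, which is cheap, whereas the body itself need not be re-encrypted.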
Integrity
Document integrity refers to the assurance that the document being viewed is exactly the same as the document a user filled out. This is extremely important in documents that are legally binding, such as contracts and account applications.
Document integrity is implemented at the document level but can be checked at various points throughout the system.
Approaches to Integrity
Document integrity is typically implemented with a digital signature: a hash of the signed content is computed and then signed with the signer's private key, and the signer's digital certificate, which carries the matching public key, allows anyone to verify the result. Biometric data, such as a captured handwritten signature, can also be included in the signed content.
Many document formats provide only full-document signing capabilities; that is, the user can sign the whole document at once, typically when it has been completed. This type of document integrity is best for single-user documents, since signatures can only be applied to the whole document.
Lotus Forms supports multi-stage and overlapping signatures (as well as whole-document signing). A user may fill out part of a form, sign that part, then send the form to another user who can fill out and sign another part of it. The second user's signature can also cover the first user's signature, which prevents the first user from subsequently altering anything without breaking the second signature. This flexibility most closely matches the way most forms-based processes naturally proceed. It also provides step-by-step document integrity, rather than only end-product integrity.
With respect to Lotus Forms, digital signatures ensure the integrity of the document by locking all items covered by the signature. Accidental changes are prevented by the form Viewer, which refuses edits to fields or other input items once a signature has been applied. Other properties of the signed items (data, positioning, formatting, visibility, overlap with other elements, etc.) cannot be changed without invalidating that signature. The Viewer re-evaluates the signature on form open and on save or submit, so changes made between signing and any operation that could affect the overall system are detected. The Lotus Forms API also provides programmatic methods to check and validate signatures, which allows the same check to be repeated on the server rather than trusting the client's verdict.
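To make the mechanics of hash-plus-private-key signing and of overlapping, multi-stage signatures concrete, here is an added Go example. It is not the Lotus Forms API or file format: it models a form as a map of named fields, uses an Ed25519 key in place of a certificate-backed key, and assumes a hypothetical canonical encoding of the items a signature covers. The field names, the clerk/manager scenario and the keys are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Form is an illustrative stand-in for a multi-stage form, not the Lotus Forms model.
type Form struct {
	Fields     map[string]string
	Signatures []Signature
}

type Signature struct {
	Fields    []string          // covered field names
	CoverSigs []int             // indexes of earlier signatures this one also covers
	PublicKey ed25519.PublicKey // verification key, as carried in a signer's certificate
	Sig       []byte            // Ed25519 signature over digest(Fields, CoverSigs)
}

// NewSigner generates a fresh Ed25519 key for one participant.
func NewSigner() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// digest hashes a canonical, length-prefixed encoding of the covered items:
// sorted field name/value pairs, then the bytes of each covered signature.
func (f *Form) digest(fields []string, coverSigs []int) ([]byte, error) {
	names := append([]string(nil), fields...)
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		v, ok := f.Fields[n]
		if !ok {
			return nil, fmt.Errorf("field %q not present", n)
		}
		fmt.Fprintf(h, "F%d:%s=%d:%s;", len(n), n, len(v), v)
	}
	for _, i := range coverSigs {
		if i < 0 || i >= len(f.Signatures) {
			return nil, fmt.Errorf("signature index %d out of range", i)
		}
		fmt.Fprintf(h, "S%d:%x;", i, f.Signatures[i].Sig)
	}
	return h.Sum(nil), nil
}

// Sign appends a signature over the named fields and the listed earlier signatures.
func (f *Form) Sign(priv ed25519.PrivateKey, fields []string, coverSigs []int) error {
	d, err := f.digest(fields, coverSigs)
	if err != nil {
		return err
	}
	f.Signatures = append(f.Signatures, Signature{Fields: fields, CoverSigs: coverSigs,
		PublicKey: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, d)})
	return nil
}

// Resign recomputes signature i over the same items (a first signer "repairing" a
// signature after altering a covered field); any later signature covering i then fails.
func (f *Form) Resign(i int, priv ed25519.PrivateKey) error {
	s := &f.Signatures[i]
	d, err := f.digest(s.Fields, s.CoverSigs)
	if err != nil {
		return err
	}
	s.Sig = ed25519.Sign(priv, d)
	return nil
}

// Verify re-evaluates every signature against the current contents, as the Viewer does on open and save.
func (f *Form) Verify() []bool {
	out := make([]bool, len(f.Signatures))
	for i, s := range f.Signatures {
		d, err := f.digest(s.Fields, s.CoverSigs)
		out[i] = err == nil && ed25519.Verify(s.PublicKey, d, s.Sig)
	}
	return out
}

func main() {
	f := &Form{Fields: map[string]string{"employee": "A. Clerk", "amount": "120.00"}}
	clerk, manager := NewSigner(), NewSigner()
	f.Sign(clerk, []string{"employee", "amount"}, nil)
	f.Fields["approved"] = "yes"
	f.Sign(manager, []string{"approved"}, []int{0}) // also covers the clerk's signature
	fmt.Println("after approval:", f.Verify())      // [true true]
	f.Fields["amount"] = "1200.00"                  // altered outside the Viewer
	fmt.Println("after tampering:", f.Verify())     // [false true]
	f.Resign(0, clerk)                              // clerk re-signs to hide the change
	fmt.Println("after re-signing:", f.Verify())    // [true false]
}
```

The two properties in the text fall out of the construction: a field changed after signing by any route that bypasses the Viewer makes the signature over it fail, and because the manager's signature covers the bytes of the clerk's signature, the clerk cannot quietly alter a covered field and re-sign, since that breaks the manager's signature instead. Canonicalization is the part that is easy to get wrong in a real format: the hashed bytes must be derived deterministically from the signed items, and everything the signature is meant to lock (values, formatting, visibility) has to be part of them.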
As well as supporting document integrity after it has been filled, Lotus Forms offer the ability to sign the presentation of the form with a separate signature at design time. This prevents anyone from tampering with the layout, logic or other context of the form as it was intended to be, before the user fills in the form.
Once the form has been signed by a user, it can also be notarized by an automatic server-side process (a countersignature applied with the server's own key over the user-signed content), which adds assurance that the document the server received is the one the user signed.