Volume No. 3,   Issue No. 11,   April 2005

Digital Signature is Different from a Digitized One

by Shri Rakesh M. Goyal, Mumbai, India

Rakesh M. Goyal's Digital Signature, from the National Center for Research in Computer Crimes (www.sysman.org), is a booklet with essential information on an important component of EDI and e-commerce, helpfully written in simple English. Thus, digital signature is explained as a unique set of digital characters that are computer-readable. To explain digital signature, Goyal exposes you first to digital identification - as an "electronic equivalent to ID card, driver licence, passport, and so on."

Digital IDs are the means to prove one's identity in electronic transactions. Licensed certifying authorities (CAs) create such IDs, and issue digital certificates containing information such as serial number, signature algorithm, name of issuer, validity period, subscriber's name and digital ID, and public key. Armed with such a certificate, you can create the 'unique scrambled coded message' or 'digital signature.'

If, like many, you always thought you could create a digital signature by scanning your signature and storing it as an image file, the author clarifies that such a signature can at best be called a 'digitised signature'. Another common misconception is that your digital signature will be the same for all the documents you send out, just as in the case of a normal signature. "No," points out Goyal. The signature is "for a specific combination of private key and document." Thus, "another document with the same private key will generate a different digital signature," and so too the same document with a different private key.

To explain how digital signature is used for authentication, the book sketches the sequence graphically: Create the message; apply the encryption algorithm to create message digest or 'digital fingerprint' which would vary even if you were to change the original message by adding a comma or space there; encrypt the message digest using private key to create digital signature; and so forth.
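The sequence above, and the point that a signature belongs to one combination of private key and document, can be traced in a few lines. This is an added example, not code from the booklet or the review: it uses SHA-256 for the digest step and textbook RSA without padding, and the key pairs KEY_A and KEY_B are constructed toy keys built from well-known Mersenne primes, so they show the steps but protect nothing.

```python
import hashlib

# Constructed toy key pairs (assumption for illustration): Mersenne primes are
# public knowledge, so these keys are trivially factorable and never for real use.
def make_key(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": e, "d": d}

KEY_A = make_key(2**521 - 1, 2**607 - 1)
KEY_B = make_key(2**607 - 1, 2**1279 - 1)

def digest(message: bytes) -> int:
    """The message digest ('digital fingerprint') as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, key) -> int:
    """Transform the digest with the private key (textbook RSA, no padding)."""
    return pow(digest(message), key["d"], key["n"])

def verify(message: bytes, signature: int, key) -> bool:
    """Receiver side: recover the digest with the public key, compare to a fresh one."""
    return pow(signature, key["e"], key["n"]) == digest(message)

def demo() -> dict:
    doc1 = b"Pay Rs. 1000 to Asha"   # constructed sample document
    doc2 = b"Pay Rs. 1000 to Asha "  # same text with one trailing space
    sig1 = sign(doc1, KEY_A)
    return {
        "digest_changes_with_space": digest(doc1) != digest(doc2),
        "same_key_other_document": sign(doc2, KEY_A) != sig1,
        "same_document_other_key": sign(doc1, KEY_B) != sig1,
        "verifies": verify(doc1, sig1, KEY_A),
        "tampered_rejected": not verify(doc2, sig1, KEY_A),
        "wrong_key_rejected": not verify(doc1, sig1, KEY_B),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Real deployments use a vetted library with a padded scheme and keys issued under a CA certificate; the toy arithmetic here only makes the digest and private-key steps visible.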

Where to store the private key? You can store it in your computer hard disk, or keep it on smart cards or hardware tokens such as floppy disks or pen drives. Whatever the medium, ensure it is not accessible to others. "The smart card and hardware tokens must be protected like money, jewellery and important documents."

One last question: What is the legal status of digital signature? For an answer, the author draws you to Section 5 of the Information Technology Act, 2000, where the law confers validity on digital signatures, except in the case of certain documents such as power-of-attorney, will, contract for sale of immovable property, and so on. In India, the Act provides for a cross-border certificate to be valid only if there is an agreement between the outside CA (not chartered accountant but certifying authority) and a licensed CA in India.

Useful read to prepare you for secure digital transactions.

Tailpiece

User: "Hello, I want to know if I clicked right!"

System support: "Did you click the right button or the left?"

User: "No, I'm wearing a pullover today. No buttons."

books2byte@thehindu.co.in


Data Recovery Following A Disaster

by Ms. Ira Gupta, New Delhi, India

There really isn't any better advice for today's highly technology-dependent businesses, where, leaving aside a breakdown, even smaller disruptions such as a disturbance in the electric supply may render highly sophisticated machinery and IT systems ineffective.

Therefore, if you don't have any disruption tolerant solutions, data backups, or any disaster recovery plan in place today, there isn't much you can do after disaster strikes (except pray hard and long that disaster gives you a miss). In fact, Gartner estimates that two out of five enterprises that experience a disaster go out of business within five years.

Business continuity and disaster recovery plans assist in ensuring the ongoing viability of a business. However, merely having plans in place is not enough; the real challenge and test lies in ensuring the effective execution of plans following a disaster.

Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP), which consider various disaster/disruption scenarios and provide proactive recovery strategies based on the criticality of information systems and data, as well as the organisation's risk acceptance capability, form the backbone of any data recovery exercise to be undertaken following a disaster.

Importance of Data Recovery
Data recovery (preceded only by human/personnel safety) forms one of the most important aspects of any business continuity and disaster recovery strategy. The data backup strategy selected and implemented by an organisation has a direct impact on its data recovery strategy and capabilities. The management should finalise an appropriate data backup strategy based on the criticality of the IT systems for the continued working of the business process and the cost of each possible data recovery strategy. Thus, an effective Business Impact Analysis (how long can business operations continue without the supporting IT systems and underlying data) and a Cost-Benefit Analysis (speedier recovery solutions may cost more than the cost of business process unavailability) need to be undertaken.

The two key parameters to be considered carefully while designing a suitable data backup (recovery) strategy are Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

  • Recovery Time Objective (RTO) attempts to determine - How long can the business afford to be without a particular IT system? and

  • Recovery Point Objective (RPO) indicates - When the systems and data are being recovered, how much data can the business afford to lose or recreate after recovering from the backups?

A shorter RTO and RPO will require developing a faster responding plan and more frequent data backups, thereby attracting higher investments; and vice versa. Therefore, an appropriate determination of these parameters can significantly impact the organization's capability to recover data in a faster and effective manner, while optimizing the investment in data backup solutions.

Data Recovery Options
The recoverability of a business, or the data recovery process followed by a business after a disaster, would depend upon the data backup mechanism implemented by the business. The following describes the data recovery mechanisms, ordered from the least time to recovery and in decreasing cost of adoption (as adapted from the Disaster Recovery Journal).

  • Hot Site - This may be described as an alternate/ mirrored business facility, which may be maintained either by the organisation itself or by agreement with a vendor, which is fully equipped with the resources required to recover business functions affected by the occurrence of a disaster. Hot sites may vary in type of facilities offered (such as data processing, communication, or any other critical business functions needing duplication). Location and size of the hot site is proportional to the equipment and resources needed for ensuring complete business recovery. Such a facility may generally enable an organization to 'go live' or resume business process almost immediately following a disaster.

  • Warm Site - An alternate processing site which is only partially equipped (as compared to a hot site, which is fully equipped) with resources such as hardware, communications interfaces, electricity and environmental conditioning capable of providing backup operating support for critical business operations in the event of an unexpected disruption. Such a facility may generally enable an organization to resume business operations within six to twelve hours following the disaster.

  • Cold Site - An alternate business facility that offers only the environmental conditions such as air-conditioning and raised flooring for conducting business operations in the event of an unexpected disruption. Such a facility may either be maintained by the organisation itself or by agreement with a vendor. The equipment and resources required for resuming critical operations must be set up after a disaster has occurred. This option may generally enable an organization to be operational within two to four days following a disaster.

There are various other options available such as a Co-location Site or a Co-operative Site, where more than one organisation may depend upon the data recovery facilities offered by a vendor. However, one of the most critical aspects to be considered when outsourcing data recovery is the disaster recovery/business continuity capabilities of the vendor.

Best practices
There is no silver bullet when it comes to data recovery. Your data recovery strategy and its success largely depend on your prior planning. Here are some of the DOs and DON'Ts while recovering data following a disaster:

| DOs | DON'Ts |
|---|---|
| Always BACKUP your data. | Don't assume that the backups will always work for you. Be prepared for the worst. |
| When it comes to sophisticated technology, always involve an expert at an early stage. | In the event of disaster (data corruption), don't panic; analyze and think through the problem before attempting to quickly fix it. |
| Prioritize your data recovery efforts. | Don't try to recover everything; you have limited time. |
| In most cases, the data is intact and just the master index gets corrupted; follow a methodical approach. | Don't give up before trying every option. It is highly likely that you will recover the data as long as the media is available. |
| Perform a cost-benefit analysis - the cost of recovering all data may exceed the value. | Don't focus just on data; look at the business value of data. |
| Remain informed of the storage solution vendor's business and keep updated drivers and utilities. | When you are in a hole, don't dig deeper. Consult the vendor. |

So, is data backup the solution for data recovery?
Don't be too sure! Gone are the days when manufacturers of data storage media wrote 'Life Time Warranty'. Today, 'just like the Rolls Royce which never broke down, only failed to proceed at times', virtually nothing is guaranteed to work when required.

So, does that mean that having a mirrored hot site does not really guarantee data recovery? Well! Yes, if you think of it as a one-time effort and expenditure. The golden rule is to ensure that backup data is up-to-date and the backup media is periodically tested to ensure data recovery when required. Never under-estimate the power of a backup media device; it may fail to function or have a sector go bad just when you need it, and you could have a bigger disaster at hand.
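One way to run the periodic test described above is to record a checksum manifest when the backup is taken, then check a trial restore against it and against the RPO. This is an added example, not part of the original article; the file names, timestamps and 24-hour RPO are constructed sample values.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map each file's relative path to its SHA-256, recorded at backup time."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_restore(expected: dict, restored_root: Path, backup_time: float,
                  rpo_seconds: float, now: float) -> list:
    """Return findings for a trial restore; an empty list means the test passed."""
    findings = []
    age = now - backup_time
    if age > rpo_seconds:  # restoring this backup would lose more data than the RPO allows
        findings.append(f"stale: backup is {age:.0f}s old, RPO is {rpo_seconds:.0f}s")
    actual = manifest(restored_root)
    for name, digest in expected.items():
        if name not in actual:
            findings.append(f"missing: {name}")
        elif actual[name] != digest:  # e.g. a bad sector on the backup media
            findings.append(f"corrupt: {name}")
    return findings

def demo() -> tuple:
    """Build a constructed source tree and restore, then test a good and a bad case."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "src"), Path(tmp, "restored")
        src.mkdir()
        restored.mkdir()
        files = {"ledger.csv": b"id,amount\n1,100\n", "index.db": b"master index"}
        for name, data in files.items():
            (src / name).write_bytes(data)
            (restored / name).write_bytes(data)
        expected = manifest(src)
        taken, rpo = 1_000_000.0, 86_400.0  # constructed backup time, 24-hour RPO
        good = check_restore(expected, restored, taken, rpo, taken + 3_600)
        (restored / "index.db").write_bytes(b"master inde\x00")  # simulated bad sector
        (restored / "ledger.csv").unlink()                       # simulated lost file
        bad = check_restore(expected, restored, taken, rpo, taken + 90_000)
        return good, bad

if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```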
