Not all digital identity solutions on the market offer the same level of security and legal protection, according to Pere Barba, Chief Technology Officer at Víntegris.
With the digital transformation in full swing and all the new cybersecurity tools available on the market, it is strange how signing paper documents is still a thing. Not only is it time-consuming, but there is also always the risk of losing the documents, or, even worse, them falling into the wrong hands. But what if you could sign critical papers simply by using your phone?
To discuss how digital identity can enhance our future, we invited Pere Barba, CTO at Víntegris – a company specializing in authentication and the legal validity of digital processes.
Tell us about your journey over the last two decades. How did Víntegris go from an idea to a business?
We started as a system integrator reselling and maintaining cybersecurity solutions. Soon, we started developing software to create additional functionalities that helped our clients to integrate these solutions with other internal applications and tools. As the years went by, these small developments evolved into fully autonomous products and became a major part of our portfolio. In recent years, due mainly to market tendencies and regulatory requirements, we have become a service provider fully dedicated to qualified electronic services with our own platform in the cloud, switching to a SaaS business model.
Can you tell us a little bit about what you do? What are the main challenges you help overcome?
As a Qualified Trust Service Provider, Víntegris offers products and services to ensure the legal validity of digital processes and digital identities. This is mainly achieved by promoting the use of digital certificates and electronic signatures by companies, organizations, and users, guaranteeing their safety and usability. These processes play a major role in most digital transformation processes that are helping companies and organizations modernize their infrastructures and the way they communicate with their employees and customers. This transformation requires the development of products and infrastructures that comply with all the regulations and legal requirements applicable to what are called Qualified Electronic Services. It also requires a strong understanding of how they can help our customers to be more efficient while minimizing the legal and economic risks that come from data loss or digital process repudiation. In this complex landscape, Víntegris not only acts as a technology provider but also as a qualified trust provider and a legal and regulatory consultant.
What are some of the lesser-known risks a company can be exposed to if it doesn’t have proper authentication methods in place?
The legal validity of any digital identity used to create evidence of the relation between a person and a digital process, including electronic signatures, is as good as the authentication method used to grant access to the application or service that protects it. This has two direct consequences, the first being that the implementation of soft authentication mechanisms to protect such critical digital assets represents an important security breach risk for companies and users and facilitates the supplantation of identities and the loss of trust in the whole company’s digital ecosystem. The second is that details of the authentication method are part of the legal evidence that must be presented in any process in which electronic signatures or other digital processes are being challenged, thus increasing the risk of repudiation if a strong authentication method has not been used.
Have you noticed any new cyber threats arise as a result of the pandemic?
Yes, especially due to the increasing number of companies that are implementing remote work policies with their employees, which creates different and sometimes more vulnerable communication channels between the internal and private data repositories and external applications. Eventually, this makes it easier for attackers to perform ransomware attacks, intercept sensitive information or steal access credentials.
Also, the number of document and data repositories being digitalized is growing by the day, increasing the number of possible vulnerabilities and threats if security policies, as is often the case, are not updated to protect each new scenario accordingly.
While the digital signature is becoming a widespread practice, there are still some myths surrounding it. Which misconceptions do you run into most often?
There are two main aspects of digital signatures that a lot of companies and people still misunderstand. The first is that when it comes to critical documents and processes, it is still better to use handwritten signatures on printed paper. That is completely false and unnecessary, and the law is very clear about digital signatures having the same or even more legal validity than classical handwritten versions. The second is that it is hard and complicated to use. This comes from many manufacturers which have typically been developing solutions oriented to IT-literate end users, but this can easily be overcome if the solution design process focuses on usability and interoperability, as social media or retail applications have already been doing for quite some time.
What are your thoughts on identity-first security being named one of the top security trends of 2021? Do you think it’s going to stay that way throughout the upcoming years?
Yes, absolutely. We are now starting to see the real impact of the 2016 EU regulation on digital identity and trust services, and how companies and public administrations are radically changing and improving their digital identity management tools and processes. With the current development of the second version of the eIDAS Regulation and the introduction of a regulatory framework that will govern new concepts such as sovereign identity, digital identity data protection, or electronic archiving, I foresee that this trend not only will stay this way, but it will keep growing significantly.
In your opinion, which industries should be especially concerned about implementing quality identification measures?
Basically, any industry with the need to legally protect the relationship between two parties. That includes the relationship between a company and its clients, between companies and public administrations and citizens. Good identification methods allow for the creation of trustworthy digital identities that play a major role in many processes such as the signature of contracts, acceptance of terms and conditions, authorization of bank transactions, service onboarding, or essentially any digital process for which a company would like to minimize or even eliminate the risk of repudiation and its economic consequences.
What security issues will come up in the near future as digital identity becomes embedded in our lives?
One of the main security issues will come from using technologies and solutions to create and use our digital identities that do not comply with the minimum security requirements necessary to ensure proper access and protection mechanisms. It is important to understand that not all available solutions on the market offer the same level of security and legal protection, and only those coming from qualified trust service providers guarantee that sensitive data is secured and used according to its rightful owner’s will.
Share with us, what’s next for Víntegris?
In terms of technology and software development, we will keep investing a lot of effort into making sure our products and infrastructures keep up with all the regulatory and interoperability requirements, especially with the development of the new eIDAS 2 Regulation, to ensure our solutions are trustworthy while keeping a very high standard of quality in terms of usability and reliability, which have always been a Víntegris hallmark.
In terms of vision, we see ourselves playing an important role in helping companies and organizations understand the technological changes all these new regulations and regulatory standards bring, and how they can digitally transform their daily processes and operations to be more efficient, have fewer and smaller risks and improve the safety of their digital assets.