How Yousign enhanced their Forest Admin setup with their own security layer

Looking to expand on Forest Admin’s security features? Read on to learn about how Yousign created an additional layer of access verification on top of our architecture.

This piece is based on a French article written by Yousign. If you're interested in more posts by them, don't forget to visit their engineering and product blog.

Yousign, one of the world’s leading eSignature solutions and another member of eFounders, has been using Forest Admin as their web application's admin panel for 2 years. The company’s goal is to provide a platform that streamlines your approval workflows, secures your agreements, and enables you to offer a top-notch signature experience — all of which are heavily reliant on the proper security and data protection measures.

Yousign’s choice of Forest Admin as an internal tool was with this in mind, as well: however, given just how crucial it is for them to protect client data at all times, they have not only leveraged Forest Admin’s robust security system to the fullest, but have also built an additional layer of access verification upon it.

The Forest Admin architecture

To begin to understand all the layers of Yousign’s security measures, the first step is to take a look at the software architecture of Forest Admin. By default, our setup is composed of two main parts:

• The API called "Admin Backend", which is hosted on our clients’ side and connects to various application databases, allowing for advanced actions via development done by the clients
• The web user interface and its management API, hosted by Forest Admin and its teams

If you’re curious to learn more about how an internal tool like Forest Admin works, check out our deep-dive article on our software architecture.

All about admin panel security

In order to provide a high level of security out of the box, Forest Admin uses various methods and solutions to secure the exchanges between our and our clients’ sides at all times.

The most important aspect of our architecture is that our clients' data never passes through our servers. Your data goes through the admin API hosted on your servers, right into your end-user browser interface. It remains completely invisible to us, so it can never be accessed or stored by anyone other than you.

In addition to this, our security is carried by the JWT standard, with the communications between the backend and the Forest Admin servers being protected by two different JWTs, signed with two different keys. We also have several other security options available for your admin panel in our paid plans, including IP whitelisting, auto-disconnect, and two-factor authentication.

An additional layer of safety

Handling delicate data every second, Yousign is vigilant about maintaining the highest security levels possible. But even with a carefully planned-out architecture and protection mechanisms, there is always more that can be done — hence why they decided to add an additional layer of security to their Forest Admin setup, fully adhering to their idea of “Zero trust”.

At first, Yousign considered focusing on protecting the access to their backend through the use of a VPN. By installing an encrypted virtual tunnel connected to their server hosting the API, calls made by users’ web interfaces would have been completely secure, however, this would have introduced a need to install the software on all their users’ setups, so they decided to go another route.

For years, Yousign has been using Kong as an API gateway, and Okta as an IAM, so that their partners could securely access their enterprise tools. This is where their final idea came from: to place the backend API behind their API gateway, and benefit from all the power that a gateway like Kong brings. With an OIDC plugin configured on their OKTA IDP, they have managed to create a protection for their backend API routes through a homemade mechanism, without any specific development needed on the backend side.

Taking this idea to the table, Yousign has been able to set up a custom system with the help of our engineers, and create a non-intrusive additional layer that is virtually transparent. Running through their connection on Okta, they are now able to fully customize their interface true to their “Zero trust” policy, and guarantee that their clients’ data is protected by the highest level of security measures.

Reinforcing their security with this solution has also resulted in Yousign’s tech, operations, and security teams to have even greater confidence in Forest Admin than ever before, providing them with the peace of mind to treat the solution as if it was a completely internal information system of their own that they can use and expand on at all times.

Looking to take a closer look at all the security features of Forest Admin? Check out our Security and Privacy page, or get in touch with us if you have any questions — or a setup of your own in mind.

If you’d like to read more about how Yousign is helping businesses all around the world power their legal agreements, check out their website, as well as their current list of open positions.