Communications of the ACM

In response to a growing body of electronic records legislation, the storage community has enhanced data stores to include privacy, auditability, and a "chain-of-custody" for data. There are currently over 4,000 federal, state, and local regulations that govern the storage, management, and retrieval of electronic records. Most notably, the Sarbanes-Oxley Act of 2002, which regulates corporate financial records. Storage vendors provide "compliance" platforms that store and manage data in accordance with regulations, which aids customers in meeting compliance guidelines. Examples include: EMC Centera Compliance Edition,™ NetApp SnapLock,™ and IBM Tivoli Security Compliance Manage.™

Many of these platforms add storage management policy to existing systems. Vendors start with systems that manage versions of files or volumes. They add immutability to past versions by preventing writes by policy. They also enforce data retention guidelines by not allowing the deletion of protected files. Enhanced metadata allows users and auditors to examine the store at any point-in-time and investigate the manner in which data have changed throughout their history.

While these features aid organizations in complying with regulations, they do not provide strong evidence of compliance. By following storage management policies, data are versioned and retained for mandated periods. However, there are many opportunities and motivations to subvert such storage policies. In fact, the file system owner represents the most likely attacker. For example, a corporation might alter or destroy data after the corporation comes under suspicion of malfeasance. The shredding of Enron audit documents at Arthur Anderson in 2001 provides a notable paper analog. Similarly, a hospital or private medical practice might attempt to amend or delete a patient's medical records to hide evidence of malpractice. In policy-based storage systems, past data may be altered or destroyed by reverse engineering file system formats and editing the file data on disk--a common and well understood data forensics task.

We assert that these features need to be cryptographically strong, providing irrefutable evidence of compliance with regulations. This can be achieved for data retention and chain of custody. A storage system commits to a version history so that, at a later time, an auditor may access past data and gain conclusive evidence that the data have been retained and are unmodified. Further, all data should be bound to the users that modify, create, or delete that data. Such constructs improve the evidentiary value of electronic records within the courts, increase an auditor's confidence in the veracity of the information on which they report (and for which they are responsible), and enhance an organization's quality of data management.

To these ends, we review three security constructs for versioning file systems. Digital audit trails allow a file system to prove to an independent auditor that it stored data in conformance with regulated retention guidelines. Fine-grained, secure deletion allows a system to efficiently delete individual versions of files to meet confidentiality requirements, limit liability, and allow data to be redacted. Per-block authenticated encryption adds authenticity guarantees to the confidentiality provided by encryption. We also include a distillation of requirements based on a review of relevant legislation and a brief characterization of the performance impact of these techniques based on their implementation within the ext3cow file system.