Many regulatory authorities and enterprise internal policies require the retention of certain data for a specified period (the “retention period”). As the data required to be retained in this manner is generally intended to provide a reliable record of contemporaneous events (such as stock exchange transactions), the data held in retention is required to be protected against change, at least to some degree.
Much of the data subject to a data retention regime will be in electronic form. Write-once-read-many, WORM, storage systems are well suited for retaining electronic data in immutable form. In a WORM storage system, data to be retained is stored in WORM files and the system provides protection mechanisms preventing changes to the file and at least some of its metadata. Generally, a WORM storage system is not limited to the storage of WORM files and may store non-WORM files as well; as a consequence, the protection provided to WORM files includes protection of the designation of a file as a WORM file, whatever form this designation may take.
In the context of data retention, the “write once” in relation to a WORM file refers to the form of the file data at the point the file is designated a WORM file (it being understood that the file may have undergone many re-writes before this point). From the point of view of resource efficiency, a WORM file created to comply with a particular data retention regime should only be maintained as such for as long as needed to comply with the retention period specified. Therefore, a retention end date (herein “retention date”) is generally stored as metadata along with the WORM file, the retention date having been determined at the time the WORM file is created on the basis of the retention period (or the longest such period) applicable to data in the file.
Upon expiry of the retention period associated with a WORM file (as judged by comparing the retention date held in the file's metadata with the current time, inclusive of date, provided by a reference time source), the WORM storage system is generally arranged to permit the file's WORM designation to be rescinded. Changes can thereafter be made to the file, subject to normal access permissions. This gives rise to a potential way of illicitly changing file data during its retention period; more particularly, if either the stored retention date can be rolled back to the present or the reference time source rolled forward to the stored retention date, the WORM storage system can be tricked into believing that the retention period for a particular WORM file has expired, and allow the WORM designation of the file to be rescinded and data in the file changed. By restoring WORM designation to the changed file and resetting the stored retention date or reference time source (whichever was changed), the fact that the file data has been altered can be hidden. For this reason, the protection of the metadata storing the retention date, and the trustworthiness of the current time source, are pertinent considerations in any WORM storage system used for implementing a data retention regime.