An increasing number of government regulations are defining strict rules for the management of electronic records. Some regulations, such as Securities Exchange Commission rule 17a-4, require that data be stored in “non-erasable” and “non-rewritable” format.
Conventional WORM (Write Once, Read Many) media, such as optical disks and WORM tapes, have been used to satisfy long-term data retention requirements. These conventional WORM media can store unalterable data for decades. However, current performance and capacity requirements for reference data storage are exceeding the capabilities of conventional WORM storage. Consequently, “WORM disk” storage solutions are being proposed in which inexpensive hard drives are used as the underlying storage media.
The write-once property of WORM storage prevents the data from being modified or erased. However, WORM storage, regardless of whether its WORM property is enforced electronically or through physical material, can only guarantee that data remain intact on the WORM storage where the data was originally placed. If the data is migrated or replicated to another trusted storage device, the trust is lost, as the data is at risk of modification during the transfer. Data migration and replication can occur during operations such as system upgrade or disaster recovery, and are often of critical importance in the storage strategy of an organization. Therefore, even though data is stored in trusted WORM storage, the trustworthiness of the data is placed at risk whenever data migration is needed, for example, when a system upgrade or disaster recovery is performed.
Unlike optical disks and WORM tapes that can store data for decades, the typical life span for hard disks is significantly shorter. Consequently, data migration or replication is likely to happen more frequently for compliance systems based on WORM storage using hard disks. Therefore, data stored on such systems is at a higher level of risk for losing its trustworthiness.
Due to the exposure of data to a risk of modification during data migration or replication, existing data retention solutions based on WORM storage are not sufficient to guarantee compliance with regulations such as Securities Exchange Commission rule 17a-4. In the context of data retention, the primary mission of an adversary is to hide or modify specific records that may be incriminating. Often, this adversary is an insider to a company and may be the owner or manager of the data. The adversary in this case often has the highest (executive) level of support and insider access, privilege, and knowledge. This “insider adversary” can be considered a super system administrator with physical access to the computer systems and the privilege to issue arbitrary commands to the systems.
In the case of maintaining data in a trustworthy fashion to satisfy federal regulations, a basic data objective of record keeping is not to prevent the writing of history, but to prevent the changing of history, i.e. changing records after they have been created. It is assumed that the process of creating records is trusted, because generally it is easier for an adversary with insider privilege to alter a data record before it is stored on WORM storage than afterwards. The adversary cannot destroy records in a blatant fashion (for example, by physically destroying the storage devices), because such destruction is easy to detect and could lead to severe penalties and a presumption of guilt. However, when an adversary or company comes under investigation, the adversary may initiate a spurious migration of records and attempt to modify selected records during the migration process.
A trusted data storage system is then required to secure data integrity and data completeness during data migration or replication. Securing data integrity ensures that data objects are not modified during the migration process. Securing data completeness prevents a removal of existing data objects or an insertion of new data objects during the migration process.
Both data integrity and data completeness have been widely studied in the area of computer security. For example, cryptographic algorithms such as encryption and secure signatures are often used to ensure data integrity for data transferred over insecure communication channels. However, such approaches are inadequate given an insider adversary primarily due to the scope of trust. For traditional secure storage systems, the owner of the data is typically trusted. In the case of ensuring data integrity to meet data retention requirements, the owners of the data and the system are often the same group of people who may benefit from tampering with the data. Consequently, it is very important to minimize the scope of trust in such a system.
In general, given a regulatory compliance system based on WORM storage, one may only trust data that is directly retrieved from the WORM storage. This limited scope of trust indicates that when cryptographic methods are applied, the owner of data cannot be trusted with the keys used to encrypt or sign the data.
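The two properties defined above, integrity (no object is modified in transit) and completeness (no object is removed or inserted in transit), can be checked without trusting the data owner with any key, provided the reference manifest is itself read back from the WORM source. The following is an added example, not part of the original document: it builds a per-object digest manifest on the source, commits to the whole set with an order-independent root, and then classifies every discrepancy found on the target after migration. The record identifiers, payloads and the tampered copy are constructed sample data; the assumption is that SOURCE_MANIFEST and its root were written to the WORM source at record-creation time (the trusted phase) and are retrieved from there at verification time.

```python
from __future__ import annotations
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 of one stored object, as a hex string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(objects: dict) -> dict:
    """Map each record identifier to the digest of its payload.

    On the source this is computed when records are created, i.e. before
    they land on WORM storage, and stored alongside them.
    """
    return {oid: digest(blob) for oid, blob in objects.items()}


def manifest_root(manifest: dict) -> str:
    """Order-independent commitment over the whole set of (id, digest) pairs.

    Sorting by identifier makes the root independent of the order in which
    objects were enumerated; the NUL/newline separators keep the encoding
    unambiguous so that no two different manifests share a serialisation.
    """
    h = hashlib.sha256()
    for oid in sorted(manifest):
        h.update(oid.encode("utf-8"))
        h.update(b"\x00")
        h.update(manifest[oid].encode("ascii"))
        h.update(b"\n")
    return h.hexdigest()


def verify_migration(source_manifest: dict, target_objects: dict) -> dict:
    """Compare the trusted source manifest against what the target holds.

    integrity_ok   : no object present on both sides has a different digest
    completeness_ok: no source object is missing and no extra object appeared
    """
    target_manifest = build_manifest(target_objects)
    modified = sorted(
        oid for oid in source_manifest
        if oid in target_manifest and target_manifest[oid] != source_manifest[oid]
    )
    missing = sorted(set(source_manifest) - set(target_manifest))
    inserted = sorted(set(target_manifest) - set(source_manifest))
    return {
        "integrity_ok": not modified,
        "completeness_ok": not (missing or inserted),
        "modified": modified,
        "missing": missing,
        "inserted": inserted,
        "root_match": manifest_root(source_manifest) == manifest_root(target_manifest),
    }


# --- constructed sample data (hypothetical records, not from any real system) ---
SOURCE_OBJECTS = {
    "rec-001": b"2004-03-01 BUY  100 XYZ @ 10.00",
    "rec-002": b"2004-03-01 SELL  50 XYZ @ 10.25",
    "rec-003": b"2004-03-02 BUY   10 ABC @ 42.00",
}
# Manifest and root as they would be read back from the WORM source.
SOURCE_MANIFEST = build_manifest(SOURCE_OBJECTS)
SOURCE_ROOT = manifest_root(SOURCE_MANIFEST)

# A faithful migration: byte-identical copies of every record.
FAITHFUL_COPY = dict(SOURCE_OBJECTS)

# A tampered migration: one record altered, one dropped, one never-existing record added.
TAMPERED_COPY = {
    "rec-001": SOURCE_OBJECTS["rec-001"],
    "rec-002": b"2004-03-01 SELL   5 XYZ @ 10.25",   # modified in transit
    "rec-004": b"2004-03-03 BUY    1 ABC @ 41.00",   # inserted in transit
}                                                     # rec-003 removed in transit


if __name__ == "__main__":
    for name, copy in (("faithful", FAITHFUL_COPY), ("tampered", TAMPERED_COPY)):
        print(name, verify_migration(SOURCE_MANIFEST, copy))
```

The check never needs a signing key held by the data owner: the only trusted input is the manifest (or just its root) retrieved from the WORM source, so a party who controls the migration process cannot make a modified, truncated or padded copy verify. The root alone is enough to detect that something changed; the full manifest is what allows the verifier to name which records were affected.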
There have been approaches proposed to address similar issues with a limited scope of trust, such as the electronic postmark. Although this technology has proven to be useful, it would be desirable to present additional improvements. Such approaches normally require the existence of some trusted third party. Given the amount of liability such trusted third parties carry, the trusted third party is required to be both highly reliable and extremely secure. As a result, few such services have gained wide deployment.
What is therefore needed is a system, a computer program product, and an associated method for performing a trust-preserving migration of data objects from a source to a target. The need for such a solution has heretofore remained unsatisfied.