Electronic records can be modified relatively easily and without leaving much of a trace. As organizations increasingly rely on electronic records, it is important to protect these records from both accidental and intentional modification.
Several systems for storing electronic records have been introduced over the last few years. These include the EMC Centera, IBM Data Retention 550, and Network Appliance SnapLock. These systems allow records to be committed to be immutable (WORM) for some specified retention period or indefinitely. A record that has been committed to be immutable is protected by the systems from deletion or modification for the specified retention period or indefinitely. The systems typically maintain a clock against which the current time is compared to determine whether the specified retention period has expired.
These systems essentially offer two extremes in protecting records from deletion or modification. In the first extreme, the systems do not trust anybody, including the system administrator. Such systems ensure that the immutability protection, that is the protection of records from deletion or modification, cannot be overcome or circumvented by anybody, including the system administrator. This, however, creates difficulties in managing the system. For example, if an honest mistake is made in configuring the system or in committing records to be immutable, the mistake cannot be undone. Legitimate system management operations such as migrating the records or adjusting the clock used to determine whether the retention period has expired are also disallowed because they could be attempts to overcome the immutability protection.
In the second extreme, the systems trust the system administrator to not intentionally overcome the immutability protection. For example, the systems may allow the administrator to delete a volume that contains records committed to be immutable even if the records should still be protected from deletion or modification. The administrator may also be allowed to adjust the clock forward even though the adjustment could cause the premature expiration of records that should still be protected from deletion or modification. While this approach solves many of the difficulties in managing such systems, an honest mistake or a rogue administrator could cause the records to be compromised.