Efficient access to data. Authorized requests for access to records must be serviced in a timely manner.

Data confidentiality. Only authorized parties can access confidential records.

Data integrity. Records can only enter the system through authorized means. Further, there must be procedures in place for correcting errors in the data, once detected.
Guaranteed deletion. Some laws require enterprises to properly dispose of records after a certain point in time (e.g., [24, 3]). In other situations, deletion may not be required by regulation, but still may be highly desirable from the organization's point of view, as the records may represent a liability. Once records are deleted, ideally it should be impossible to reconstruct any information about their contents, either directly or through metadata-based inference. We use the term trustworthy deletion to describe this combination of features.

Litigation holds. Electronic information may be used in litigation [18]. If a litigation hold is placed on a record, it must remain accessible until the hold is lifted, even if it reaches the end of its mandated lifespan.
Insider adversaries. Much recent high-profile corporate malfeasance has been at the behest of chief executive officers and chief financial officers who have the power to order the destruction or alteration of incriminating records. Thus many compliance regulations target powerful insiders as the primary adversaries. In effect, these adversaries have superuser powers coupled with full access to the storage system hardware.

Auditing. The organization is subject to periodic audits of its records retention practices.

High penalties for non-compliance. Non-compliance with the regulations can bring stiff financial and criminal penalties [32]. For example, a chief financial officer can receive a prison sentence for publishing an incorrect financial report, even if the false information was included without his or her knowledge.
Compliance regulations do not specify how these assurances are to be provided, i.e., what technology should be used to attain compliance. Thus we expect that the legal interpretation of whether an organization is in compliance will evolve over time, with more stringent measures being required once the technology is available to support them. This assumption drives much of the current research on trustworthy records retention, which focuses on cost-effective means of providing a higher degree of assurance than is available from current compliance products.
3 Usage Scenario and Threat Model
A records retention system faces all the attacks that any computer system is
vulnerable to (e.g., physical destruction, denial-of-service attacks), plus addi-