tional dangers that are unique to the compliance arena. In this section, we
describe those latter dangers. For information on other kinds of threats and
their countermeasures, we refer the reader to the other chapters in this volume
and to any textbook on computer security.
The main focus in trustworthy records retention is on preventing malicious
insiders from tampering with or destroying records. Further, the traditional
notion of an insider attack is refined to assume a very powerful insider who
is capable of gaining physical, root-level access to the storage media. While
outside adversaries may also pose threats, measures that are effective against
superuser insiders will also stymie external attackers.
A second key factor in the threat model for trustworthy records retention
is that the visible alteration or destruction of records is tantamount to an
admission of guilt, in the context of litigation. Thus a successful adversary
must perform their misdeeds undetectably.
The target usage scenario for trustworthy records retention is as follows.
First, a legitimate user Alice creates and stores a record R that is subject to
compliance regulations. Later, a user Mallory starts to regret R's existence
and will do everything he can to prevent a subsequent user Bob from accessing
R or inferring its existence. For example, Bob may be a regulatory authority
looking for evidence of malfeasance, while Mallory may be the superuser CEO
or Alice herself. The primary goal of trustworthy records retention is to ensure
that Bob can still find and read R until the end of R's mandated lifespan,
no matter what Mallory does. For some applications, undetectable post hoc
insertion of records is also considered a threat and must be addressed.
Once R reaches the end of its mandated lifespan and is deleted, then
Mallory may wish to determine whether R ever existed or infer information
about the contents of R, based on any traces of information about R that
may remain in the system. A second goal of trustworthy records retention is
to ensure that Mallory cannot make these inferences.
To illustrate some of the implications of the threat model, consider the
following hypothetical scenarios:
Trustworthy retention. Mallory can employ his superuser powers to
attempt to modify or delete R, or to hide R by modifying indexes so that
they no longer lead to R . Mallory can also swap out the disks in the storage
server, replacing them with disks that do not contain any trace of R . We must
make sure that Bob can detect Mallory's attacks and, where feasible, we must
prevent them.
Trustworthy access and migration. Suppose that Alice's organization
needs to migrate its compliance records to a new compliance storage server.
Mallory is effectively in charge of the migration, and he wants to omit incriminating
record R during the transfer. For trustworthy record retention, Bob
must be able to detect whether any such modifications or omissions occurred
during migration.
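One way to make Bob's migration check concrete, as an added illustration and not a mechanism from this chapter: a hash chain over the records whose head digest is committed at write time to a store Mallory's root access cannot reach (WORM media, a regulator, a time-stamping service). The records, the chain layout and the out-of-band store are all constructed assumptions for the example.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed sample records written by Alice; the memo is the record R
# that Mallory later wants to omit from the migration.
RECORDS = [
    b"2023-01-05 invoice 1001 approved",
    b"2023-01-06 memo: defer recognition of Q4 revenue",  # R
    b"2023-01-07 invoice 1002 approved",
]

def chain_digests(records: List[bytes]) -> List[bytes]:
    """Hash chain: each link commits to its record and to the previous link,
    so altering, dropping or inserting any record changes every later link."""
    links = []
    prev = b"\x00" * 32  # fixed genesis value
    for rec in records:
        link = hashlib.sha256(prev + hashlib.sha256(rec).digest()).digest()
        links.append(link)
        prev = link
    return links

def commit_head(records: List[bytes]) -> bytes:
    """Head digest that Alice's organisation deposits, at write time, in a
    store Mallory cannot rewrite (assumed to exist; not modelled here)."""
    return chain_digests(records)[-1]

def verify_migration(migrated: List[bytes], committed_head: bytes,
                     committed_links: Optional[List[bytes]] = None
                     ) -> Tuple[bool, Optional[int]]:
    """Bob's check on the migrated copy: (ok, index of first bad link).
    With only the head committed, tampering is detectable but not localised;
    with the full link list committed too, the first divergence is found."""
    links = chain_digests(migrated)
    if links and links[-1] == committed_head:
        return True, None
    if committed_links is None:
        return False, None
    for i, (got, want) in enumerate(zip(links, committed_links)):
        if got != want:
            return False, i
    return False, min(len(links), len(committed_links))  # truncated/extended

HEAD = commit_head(RECORDS)          # stored out of Mallory's reach
LINKS = chain_digests(RECORDS)       # optionally stored alongside HEAD

def faithful_migration():            # every record copied -> (True, None)
    return verify_migration(list(RECORDS), HEAD, LINKS)

def migration_omitting_r():          # Mallory drops R -> (False, 1)
    return verify_migration([RECORDS[0], RECORDS[2]], HEAD, LINKS)

def migration_altering_r():          # Mallory rewrites R -> (False, 1)
    altered = b"2023-01-06 memo: recognise Q4 revenue as usual"
    return verify_migration([RECORDS[0], altered, RECORDS[2]], HEAD, LINKS)
```

The check only detects omission if the committed head lives where the superuser insider cannot rewrite it along with the records; it addresses the retention and migration goals, not the second goal of preventing inferences from traces left after deletion.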
Trustworthy deletion. When its mandatory retention period is over
and any litigation holds on R have been lifted, Alice's organization removes