Databases Reference
pliance solutions for unstructured data”. This approach has the same vulner-
abilities as do the EMC products.
IBM System Storage Archive Manager. The IBM Tivoli Storage Manager
[17] is part of the IBM TotalStorage Software [16] and “makes the deletion
of data before its scheduled expiration extremely difficult. Short of physical
destruction to storage media or server, or deliberate corruption of data or
deletion of the Archive Manager database, Archive Manager will not allow
data [...] to be deleted before its scheduled expiration date.” From a security
point of view, it is not desirable for the regulatory compliance mechanism to
depend on the correct behavior of the main system. After all, the compliance
mechanism's main role is to guarantee exactly such faultless behavior. The
main adversary of concern in regulatory settings is exactly one with incentives
for data corruption and physical attacks.
Network Appliance Snaplock Compliance/Enterprise Software. The Net-
App SnapLock software suite [23] is designed to work on top of NetApp Near-
Store and FAS storage systems. It provides soft-WORM assurances, “prevent-
ing critical files from being altered or deleted until a specified retention date”.
Unlike several other vendors, NetApp SnapLock supports open industry stan-
dard protocols such as NFS and CIFS.
Sun StorageTek Compliance Archiving Software. Sun also offers soft-
WORM assurances through its StorageTek Compliance Archiving Software
[44]. The software runs on top of the Sun StorageTek 5320 NAS Appliance
[45] to “provide compliance-enabling features for authenticity, integrity, ready
access, and security”.
Strong WORM. Today's compliance storage products do not really
satisfy the criteria for trustworthy record retention. They are fundamentally
vulnerable to faulty behavior or malicious adversaries with incentives to alter
stored data, as they rely on enforcement primitives—such as software and/or
simple hardware device-hosted on/off switches—ill-suited to their target ad-
versarial setting. For sound designs, we believe the following properties are
required:
• To prevent physical attacks such as disk replacement, strong tamper-
  resistant and reactive hardware is required to ensure data integrity. As
  discussed later, a determined adversary can circumvent today's physical
  protection.
• The requirement for efficient access to compliance records, coupled with
  the large volume of such records, indicates that the records will need to
  be searched using indexes. These indexes cannot be kept on traditional
  storage, as a superuser could hide a record by removing its index entries.
  Even with indexes designed to be kept on optical media [1, 6, 19, 35],
  an adversary can compromise the search results—even for an approach
  as simple as binary search. The design of trustworthy indexes is an open
  research area.
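The index-hiding problem in the second property, as an added example that is not part of the original text: a record stays intact on the store but disappears from index-based search once its index entries are removed, and an audit that reconciles the index against a full scan detects the gap. The record contents and all function names are constructed for illustration; the audit needs a full scan, which is the cost that indexes exist to avoid.

```python
# Added illustration: records, names and the inverted-index layout are assumptions.
from collections import defaultdict

def tokenize(text):
    return {w.strip(".,:").lower() for w in text.split() if w.strip(".,:")}

def build_index(records):
    """Inverted index (term -> record ids), kept on ordinary rewritable storage."""
    index = defaultdict(set)
    for rid, text in records.items():
        for term in tokenize(text):
            index[term].add(rid)
    return index

def search(index, term):
    """Index-based lookup: the efficient path compliance search relies on."""
    return set(index.get(term.lower(), set()))

def full_scan(records, term):
    """Ground truth: read every record on the store, independent of the index."""
    return {rid for rid, text in records.items() if term.lower() in tokenize(text)}

def audit_index(records, index):
    """Return {record id: missing terms} for records the index no longer covers."""
    missing = {}
    for rid, text in records.items():
        gone = sorted(t for t in tokenize(text) if rid not in index.get(t, set()))
        if gone:
            missing[rid] = gone
    return missing

# Constructed sample records standing in for immutable WORM contents.
RECORDS = {
    "r1": "Quarterly revenue report approved",
    "r2": "Email: delay disclosure of audit findings",
    "r3": "Meeting notes on audit schedule",
}

def demo():
    index = build_index(RECORDS)
    before = search(index, "audit")
    # Simulated index tampering: the record is untouched, only its entries go.
    for postings in index.values():
        postings.discard("r2")
    after = search(index, "audit")
    return before, after, full_scan(RECORDS, "audit"), audit_index(RECORDS, index)

if __name__ == "__main__":
    print(demo())
```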