Towards Regulatory Compliant Storage Systems

Legislators and the courts have begun to recognize the importance of how electronically stored data should be maintained and secured, and how electronic data should be differentiated from their paper analogs. Examples of some of the sweeping pieces of electronic record management legislation include the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Gramm-Leach-Bliley Act (GLBA) of 1999, and the more recent Federal Information Security Management Act (FISMA) and Sarbanes-Oxley Act (SOX) of 2002. Altogether, there exist over 4,000 acts and regulations that govern digital storage, all with a varying range of requirements for maintaining electronic records. Storage systems vendors have quickly identified the large market opportunity and have modified existing systems and marketed them as compliance products. Sarbanes-Oxley compliance alone represents a market of over $5 billion [22]. Mostly, vendors add policy enhancements to existing storage platforms that aid in the maintenance and retention of data, such as forbidding data deletion. Current product offerings include EMC Centera Compliance Edition, HP Reference Information Storage Systems, and IBM Tivoli Security Compliance Manager. Many of these products fail to meet the new demands legislation places on storage systems. Systems must now provide confidentiality through encrypted storage and data transmission. Some legislation requires an auditable trail of changes made to electronic records that are accessible in real-time. This implies versioning files and providing a means of quickly retrieving versions from any point in time. Other legislation sets limits on the amount of time an organization may be liable for maintaining their electronic data, but for those data that go out of scope, permanently deleting data from magnetic media can be challenging. Because electronic data is dynamic, and therefore easily malleable on disk, new methods for authentication and non-repudiation need to be developed to ensure a binding of an individual to an auditable trail of data changes. Further, these systems must be robust against both external and internal attacks. A data loss or compromise due to negligence may result in an organization falling out of compliance and susceptible to litigation. In this proposal we introduce some completed technical contributions to the field of regulatory compliant storage, and propose a set of goals pursuant to completing a Ph.D. We begin with a treatment of the ext3cow file system; an open-source versioning file system designed to be a platform for developing regulatory compliant storage technologies.