Limiting Liability in a Federally Compliant File System

msra(2004)

Cited by 26 | Views 35

Abstract
1 Policy and Problem Statement

Congress has begun to explicitly address the importance of maintaining and securing electronic information, be it personal health information, top-secret defense data, or the accounting information of a publicly traded company. There exist over 4,000 local, state and federal acts and regulations with regard to storage, all with a varying range of requirements for securely maintaining electronic records. Examples include the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Gramm-Leach-Bliley Act (GLBA) of 1999, and the more recent Federal Information Security Management Act (FISMA) and Sarbanes-Oxley Act (SOX) of 2002. Some acts and regulations require the use of strong encryption for privacy, confidentiality and non-repudiation, as well as a means for securely transmitting data. Some legislation requires an auditable trail of changes made to electronic records that is accessible in real time. This involves versioning files over time and providing a means of quickly retrieving versions from a particular point in time.

The ability to securely delete electronic records is as important as the act of securely maintaining them. Users must be confident that deleted records will never be recovered, whether under a subpoena or by some more devious method. Some legislation specifies a period of time for which a company or agency is explicitly liable for its electronic records. For records that fall out of scope, there may be a desire to reduce liability by removing them forever. Further, destroying private information, such as personal health or financial statements, with per-version granularity may also be desirable. While methods for securely deleting data from magnetic storage exist, all fail to meet the combined requirements put forth by legislators.

Secure overwriting [4] is a method by which data blocks are overwritten many times with alternating patterns of 1s and 0s in order to degauss the magnetic media, making the data safe from magnetic force microscopy. This process is often lengthy and can exhibit poor performance on systems with noncontiguous block allocation (a common side effect of file versioning). It is possible to securely delete data that have been strongly encrypted by simply "throwing away" the key used for encryption [2]; without the key, the data can never be decrypted and read again. This method works well in a system that employs one key per file, but becomes unusable in a block-versioning file system, because data blocks may be shared between file versions. Lastly, there exist user-space tools for secure deletion. However, these tools are inappropriate for the regulatory environment. User-space tools leak information because they are unable to delete metadata managed by the file system. Further, they cannot be interposed between file operations, may leak actual data on truncates, and are difficult to use synchronously.
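As an added illustration (not code from the paper), a toy Python model of the block-versioning case the abstract describes: unchanged blocks are shared by reference between versions, so discarding the key of one version also makes the blocks that later versions share with it unreadable. The store, the HMAC-based keystream and the sample record are constructed for this demonstration and are not production cryptography.

```python
import hashlib
import hmac
import os

BLOCK = 16  # toy block size in bytes


def keystream_xor(key: bytes, block_id: int, data: bytes) -> bytes:
    """Demonstration-only keystream: XOR with HMAC-SHA256(key, block_id)."""
    ks = hmac.new(key, block_id.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(d ^ k for d, k in zip(data, ks))


class VersioningStore:
    """Toy block-versioning store; a version is a list of (block_id, key_id).
    A block unchanged since the previous version is shared, not rewritten."""

    def __init__(self):
        self.blocks = {}    # block_id -> ciphertext
        self.keys = {}      # key_id -> key; deleting an entry "throws the key away"
        self.versions = []  # version number -> block layout
        self.next_id = 0

    def write_version(self, data: bytes, key_id: str) -> int:
        self.keys.setdefault(key_id, os.urandom(32))
        prev = self.versions[-1] if self.versions else []
        layout = []
        for i, chunk in enumerate(data[j:j + BLOCK] for j in range(0, len(data), BLOCK)):
            if i < len(prev) and self._read_block(*prev[i]) == chunk:
                layout.append(prev[i])  # share the unchanged block (old key!)
            else:
                bid, self.next_id = self.next_id, self.next_id + 1
                self.blocks[bid] = keystream_xor(self.keys[key_id], bid, chunk)
                layout.append((bid, key_id))
        self.versions.append(layout)
        return len(self.versions) - 1

    def _read_block(self, bid: int, key_id: str):
        if key_id not in self.keys:
            return None  # key discarded: block is unrecoverable
        return keystream_xor(self.keys[key_id], bid, self.blocks[bid])

    def read_version(self, v: int):
        parts = [self._read_block(bid, kid) for bid, kid in self.versions[v]]
        return None if any(p is None for p in parts) else b"".join(parts)


def demo():
    s = VersioningStore()  # constructed sample: a two-block record, edited once
    v0 = s.write_version(b"RECORD-HEADER---patient: Alice  ", "k-v0")
    v1 = s.write_version(b"RECORD-HEADER---patient: Alicia ", "k-v1")
    shared = len(s.blocks)  # 3 stored blocks: the header block is shared
    before = (s.read_version(v0), s.read_version(v1))
    del s.keys["k-v0"]      # try to securely delete only version 0 by key disposal
    after = (s.read_version(v0), s.read_version(v1))  # version 1 is lost too
    return shared, before, after
```

Per-version key disposal therefore cannot give the per-version deletion granularity the abstract asks for once blocks are shared.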