• DocumentCode
    1908108
  • Title

    Trustworthy Migration and Retrieval of Regulatory Compliant Records

  • Author

    Mitra, Soumyadeb ; Winslett, Marianne ; Hsu, Windsor H. ; Ma, Xiaonan

  • Author_Institution
    Univ. of Illinois, Urbana
  • fYear
    2007
  • fDate
    24-27 Sept. 2007
  • Firstpage
    100
  • Lastpage
    113
  • Abstract
    Compliance storage servers are designed to meet organizational needs for trustworthy records retention, largely mandated by recent legislation such as HIPAA, SEC Rule 17a, and the Sarbanes-Oxley Act. These devices export a file-system-level interface, and enforce write-once read-many (WORM) semantics for file access. Compliance storage protects records from alteration, as long as they remain on the same storage server. However, the decades-long records retention requirements of recent legislation mean that a compliance storage server will often be obsolete long before the documents it contains can be destroyed. Unfortunately, records will be vulnerable to change during migration to a new server. Records are also vulnerable during retrieval, when they are taken off the server and "migrated" to the person or organization who needs them. In this paper, we propose techniques for trustworthy document migration and retrieval, by enhancing the storage servers with the capability to sign their files and directories. The proposed techniques can be used to verify that a migration was carried out properly, even across multiple migrations, deletions of expired documents, and changes in the content and structure of migrated directories. In our approach, file writers incur no performance penalty, which is important since compliance workloads are write-intensive. Migration incurs a reasonable 5-10% space overhead and requires 24 msec processing time per file. The result of the migration can be verified at a rate of 24 msec per file by a trustworthy auditor (or ordinary user), who can then generate a certificate attesting to the correctness of the migration.
  • Keywords
    document handling; file organisation; information retrieval; compliance storage servers; file-system-level interface; regulatory compliant records retrieval; trustworthy document migration; write-once read-many semantics; Biomedical imaging; Drugs; File servers; Legislation; Medical tests; Occupational safety; Protection; Quality assurance; Secure storage; US Government
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Mass Storage Systems and Technologies, 2007. MSST 2007. 24th IEEE Conference on
  • Conference_Location
    San Diego, CA
  • Print_ISBN
    978-0-7695-3025-3
  • Type

    conf

  • DOI
    10.1109/MSST.2007.4367967
  • Filename
    4367967