1 / 26

Limiting Liability in a Federally Compliant File System

Learn how to securely delete data in a regulatory environment with fast and efficient methods, limiting liability and complying with federal requirements.

mairab
Download Presentation

Limiting Liability in a Federally Compliant File System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Limiting Liability in a Federally Compliant File System Zachary N. J. Peterson Randal Burns Adam Stubblefield

  2. Overview • Recent legislation makes new requirements with respect to the management of electronic records • How does one electronically “leave the past behind?” • Data managers may wish to limit their liability • Patients/account holders may wish for their data to expire • We have developed a method for securely deleting data in a regulatory environment • Fast & efficient • No additional key overhead

  3. A Paperless World • Information records are becoming entirely electronic • Financial records, medical records, federal data • 300 million computers storing 150,000 terabytes of data • Eases use, sharing, and indexing • Allows for undetectable modification, eaves-dropping, and other more devious things • Congress and others have begun to address the importance of managing and securing electronic records • Over 4,000 federal, state and local laws and regulations with regard to electronic record management

  4. Health Insurance Portability and Accountability Act (HIPAA) (1996) Government Information Security Reform Act (GISRA) Federal Information Security Management Act (FISMA) (2002) E-SIGN (2000) Sarbanes-Oxley (2002) Gramm-Leach-Bliley (2002) USA-PATRIOT Act Federal Records Act DoD Directive 5015.2 And on and on… The Law and Storage

  5. Distilling Regulatory Requirements • Authentication and Authorization • Audit Trail • Files should be versioned over time • Secure block sharing between versions • Secure Storage and Transmission The use of cryptography for: • Privacy and confidentiality • Non-repudiation

  6. Secure Deletion in the Regulatory Environment • Organizations must take steps to protect privacy • Desire to limit liability • Records that go out of audit scope should do so forever • Patients may wish to redact portions of their medial record • When a disk is subpoenaed, old and irrelevant data should be inaccessible • Simply “emptying the trash” isn’t good enough • Only frees the blocks for future allocations • Even after reuse, overwritten data may be reconstructed using magnetic force microscopy

  7. Existing Techniques • Secure Overwrite [Gutmann 96] • Data blocks are overwritten many times with alternating patterns of 1s and 0s • Magnetic media is degaussed and safe from MFM • Key Disposal [Boneh & Lipton 96] • Data encrypted with a key • Key is securely deleted, eliminating meaningful data access • User Space Tools • CyberScrub • Overwrite • Wipe

  8. Technical Problems • Secure overwriting of noncontiguous data blocks is slow and inefficient • When versions share blocks, data to be overwritten may be noncontiguous • Cannot dispose file keys in a versioning file system • Blocks encrypted with a particular key need to be available in future versions • User space tools are categorically inadequate • Can’t delete metadata • Can’t be interposed between file operations • Truncate may leak data • Synchronicity is difficult and inconvenient

  9. The Big Idea • A keyed all-or-nothing transform takes a key, a data block, and a nonce • Encryption creates an encrypted block and a stub • When the key is private, data is secure and authenticated • Securely deleting stub, securely deletes block, even if the key is later exposed

  10. All-or-nothing (AON) Encryption[Boyko 99] [Rivest 96] • A mode for block ciphers that requires all cipher blocks to be decrypted before the message block is recovered • Increases the searchable key space for brute-force attacks • Attacker slowed down by a factor equal to the number of blocks in the cipher text • By definition, destroying any cipher block destroys the entire message block • Our work is the first practical application of AON

  11. Features of our System • Stub length is a security parameter • In practice, the stub might be 128 bits • Stubs are stored with metadata and are not secret • When deleting a version, metadata and stubs are securely overwritten • this securely removes all data for that version • Stubs of the shared blocks are replicated to new versions • Shared data are preserved when previous versions are deleted

  12. Example File Metadata 11 s0 s1 s2 … Disk C0 C1 C2

  13. 17 s0 s1 s1’ s2 … C1’ Example Receive a write to block #2 at time 17 File Metadata 11 s0 s1 s2 … Disk C0 C1 C2

  14. Example Delete file at time 11 File Metadata 11 s0 s1 s2 17 s0 s1’ s2 … … Disk C0 C1 C2 C1’

  15. Example Delete file at time 11 Block C1 is deleted permanently File Metadata 11 s0 s1 s2 17 s0 s1’ s2 … … Disk C0 C1 C2 C1’

  16. More Features • No extra key overhead added to the system when compared with other secure systems • Versions of a file may use the same key for encryption • AON encryption allows the deletion of any 128 bits • Instead of removing the stub, 128 bits of the block may be securely overwritten instead • More efficient when removing data from all versions of a file

  17. Example File Metadata 11 s0 s1 s2 … 17 s0 s1 s2 … … Disk C0 C1 C2

  18. Example File Metadata 11 s0 s1 s2 … 17 s0 s1 s2 … … Disk C0 C1 C2

  19. Availability • Implementing this secure deletion scheme in ext3cow • A fully working snapshot file system for the Linux 2.4 kernel • Web site: www.ext3cow.com • Download the patch • Read the technical report • Join the mailing list • Email: zachary@jhu.edu

  20. HIPAA (1996) Technical security mechanisms Physical safeguards E-SIGN (2000) Digital contracts are as legitimate as paper contracts FISMA (2002) Framework for ensuring security controls for storage Security of system must be commensurate with security of data Sarbanes-Oxley (2002) CEO, CFO responsible for accurate financial reports Management assessment of internal controls Real time disclosure Criminal penalties for altering documents Gramm-Leach-Bliley (2002) Consumer records kept confidential Protect against threats and unauthorized access Electronic Record Legislation

  21. Health Insurance Portability and Accountability Act (HIPAA) Government Information Security Reform Act (GISRA) Federal Information Security Management Act (FISMA) Sarbanes-Oxley (SOX) Gramm-Leach-Bliley (GLB) PATRIOT Act Federal Records Act DoD Directive 5015.2 4,000+ State and Federal Laws and Regulations with regard to storage The Law and Storage

  22. Authorization Access controls (role-based authorizations) Encryption (confidentiality) Digital signatures (non-repudiation) Authentication Audit Trail Record of all changes Secure Storage and Transmission More encryption? Integrity & Reliability Unaltered records. Trusted content. What are the requirements?

  23. Introducing Ext3cow • A file system based on ext3 that supports file system snapshot with a time-shifting interface. • Creates immutable views of a file system as it appeared at a specific point in time. • Versions of a file are created with copy-on-write (cow) of blocks. • Snapshots are addressed with an epoch number that corresponds to a system time (gettimeofday).

  24. Securing our COW file system • Challenges • How to encrypt files that share blocks between versions. • How to change permissions such that a user who had access to a file in the past is not able to access current versions. • Securely deleting files such that they are no longer able to be subpoenaed.

  25. Conclusions • New legislation requires versioning, security and privacy • Versioning must be fast? • AON encryption allows for secure deletion with minimal secure overwriting • More efficient than securely overwriting noncontiguous data blocks • Does not increase key overhead

More Related