Fossilization: A Process for Establishing Truly Trustworthy Records

LIMITED DISTRIBUTION NOTICE: This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g. , payment of royalties). Copies may be requested from IBM T. J. Executive Summary Trustworthy records are vital to an organization. These records help to improve an organization's operations and aid in reducing its liability and costs. The fundamental purpose of record keeping is to establish solid proof and details of events that have occurred. A trustworthy record management system is, therefore, one that can be relied upon to provide irrefutable evidence of all of the events that have been logged. In other words, trustworthiness has to be established on an end-to-end perspective, from the proper preservation of all of the records to the subsequent delivery of the relevant records to an agent seeking the proof. In this white paper, we show that the current limited focus on storing electronic records in Write-Once-Read-Many (WORM) storage is not adequate to ensure that such records are trustworthy. What is really needed is a process we call fossilization-a holistic approach to storing and managing records that ensures that they are trustworthy. Fossilization is composed of three parts. The first, fossilization of storage, guarantees that all records and their associated metadata are reliably stored and securely protected from any modification. The second, fossilization of discovery, ensures that all preserved records pertinent to an enquiry can be quickly discovered and retrieved. The third, fossilization of delivery, warrants that the exact pertinent records are delivered to the agent and that the records are delivered in an intact form. Because of the extremely high stakes involved in tampering with the records, fossilization must be realized very securely. The essential principles for securely implementing fossilization include 1) raising the barrier to any attack; 2) focusing on end-to-end trust; 3) limiting what has to be trusted; 4) using a simple, well-defined interface between trusted and untrusted components; and 5) verifying all operations.