Safeguarding Data with WORM :
Recording Technology vs. Process Control
Revision 1.3
January, 1995
THE ILLUSION OF SECURITY
When most of us think about safeguarding computer-generated data, we
think in terms of technology. Which technology will best protect our
data? Which technology will prevent accidental loss and intentional
tampering? Which technology can assure that our data will be accessible
and readable whenever it's needed?
Based on those questions, a great number of companies worldwide have
settled on optical Write-Once-Read-Many (WORM) technology as the
ideal storage solution. WORM addresses their needs perfectly from a
technological point of view. Yet unless those same companies ask a few
more questions, they have achieved only the illusion of data security.
They should also be asking: What really keeps data safe? Is it recording
technology, or the way that technology is implemented? Is it the
recording medium? The method of recording data? The way data is
handled after it's recorded?
According to U.S. courts and the National Institute of Standards and
Technology (NIST), it's all of the above.
Consider that, in a U.S. court of law, evidence is considered admissible
or inadmissible based on how it is handled, not on the medium or
technology that stores the evidence. Paper, audio tape, videotape,
photographs, even hand-written records have been accepted into
evidence, even though these media can be altered, some very easily. The
reason is simple. If courts could accept only evidence that is recorded on
"inviolate" media, they would have literally no hard evidence at all since
every storage medium in existence can be altered. Optical storage and
other computer-based technologies are no exception.
Recognizing that fact, and concerned by the explosive growth of
computer-based information systems, the NIST published a two-part
guide, the Computer User's/Manager's Guide to the Protection of
Information Resources, a comprehensive checklist for safeguarding data.
The guide says, in part, that data security is largely a matter of common
sense: Information carelessly left on top of desks and in unlocked storage
can be casually observed, or deliberately stolen. Every employee who
works with sensitive information should have lockable space available for
storage when information is not in use.
While the NIST goes on to provide basic guidelines for protecting data,
the courts through their rulings have provided legal precedents. In
general, U.S. courts agree that if evidence is "handled well"--in other
words, if it is handled consistently, securely, and with common sense as
outlined by the NIST--then it is admissible as evidence. This rule applies
without regard to media, recording processes, or physical formats.
The key, then, is more about process (the way we handle data) and less
about technology (the way we record data). True, technology is critical
to data security, and some technologies are inherently more stable than
others. For example, a WORM disk is much harder to alter than a
signature. But, in fact, both are vulnerable to someone with sufficient
access, the right tools, and adequate knowledge. As we'll show in the
following pages, technology is just part of the answer. If your in-house
process controls break down, no technology in the world can protect
your data.
*******************************************************
"Technology is just part of the answer. If
your in-house process controls break
down, no technology in the world can
protect your data."
*******************************************************
PROCESS CONTROLS
In managing and safeguarding computer-based information,
companies worldwide should address the following areas of
concern as outlined in the NIST guide:
Environmental Conditions
Control of Media
Control of Physical Hazards
Contingency Planning
Configuration Management
Maintaining Accurate Records
Complying with Terms of Software Licenses
Protecting Against Malicious Software and Hardware
Data Security
Monitoring and Review
A good storage strategy always begins with these issues. But to
realistically guarantee the security of data, a WORM-based storage
solution must also address three additional areas of in-house process
control:
1. Access to optical disks must be restricted. Ideally the disks should
be stored in a secure place, preferably under lock and key.
2. Access to the operating system and optical drivers must be limited
to a trusted system administrator.
3. Sufficient system security controls must be in place so that users
cannot easily circumvent the built-in safeguards of the technology. The
ideal in-house process includes additional safeguards to deter,
prevent, or detect unauthorized modification of data.
With these controls in place, data on WORM media is permanent,
secure, and invulnerable to accidental or intentional tampering. But if any
one of these in-house process controls is missing, your data is at risk
regardless of the technology you prefer. Here's why...
TODAY'S WORM TECHNOLOGIES
Even with minimal process controls, WORM offers a secure, long-term
storage strategy that virtually eliminates accidental erasure of data. To
understand just how stable the technology is, consider these descriptions
of today's most common WORM recording formats:
Ablative WORM uses a laser to burn pits in the recording surface of an
optical disk.
Continuous Composite Write-once (CCW WORM) uses a laser and
magnet to alter magnetic flux directions in the recording surface of an
optical disk.
Bubble-forming and Dye-polymer WORM use a laser to form small
bubbles on the recording surface of an optical disk.
Phase-change WORM uses a laser to change the molecular structure of
a disk's recording surface from an amorphous to crystalline state.
Alloy-forming WORM uses a laser to form a metal alloy on the disk
itself.
In all cases, the write process depends on the extreme heat of a laser to
momentarily raise the temperature of a disk's recording surface by
hundreds of degrees centigrade. In the case of ablative WORM, the heat
of the laser actually removes a small amount of material from the disk's
recording surface. In the case of CCW WORM, the heat of the laser
allows a magnet to change magnetic flux directions on the disk. With all
WORM products, the disk is changed in some way during writes; during
reads, a laser detects those changes in the form of reflected signals that
bounce off the disk surface.
Due to these similar recording processes and the attributes of optical
disks, all types of WORM are inherently stable. Only the power of a
laser can perform writes. Once recorded, data does not change and the
disks do not degrade like other recording media. But as important as
lasers and disks are to optical recording and long-term security, the real
protection of data comes from the WORM drives themselves, all of
which provide the following safeguards:
Disk identification. Optical drives are programmed to identify
disks and treat them appropriately. The drives look for codes
which are physically stamped into disks at production. These
identification codes provide key information to the drive, telling it
to enable only WORM commands and specifying the amplitude of
laser power required for reads and writes. This is especially
important in the multifunction context, where one optical drive may
be used for both write-once and rewritable functions.
Blank sector detection. Write-once optical drives perform a read
pass prior to writing data. When the drives see a sector with
previously written data, writing is disallowed to prevent data from
being overwritten and corrupted. Blank sector detection and
overwrite prevention are central to the operation of all WORM
drives.
Defect management. Like other data storage devices, optical
drives perform defect management: if a drive discovers a corrupt
data sector on an optical disk, the drive can automatically "spare out"
the bad sector, flag it as corrupt, and disallow future writes and
reads to that sector. The data is then remapped to a clean,
unwritten sector in the "spare" area of the disk.
With these safeguards, WORM drives provide virtually fail-safe protection
against accidental erasure of data. However, no optical technology is safe
against malicious tampering, since even the best security measures of
optical drives can be defeated.
DEFEATING THE SAFEGUARDS
How hard is it to compromise data on optical disks? If your in-house
process controls break down, it's difficult at best, but still possible if the
following conditions are met:
1. Malicious intent plus in-depth technical knowledge. A technical
specialist must have a deep understanding of the inner workings of
optical technology, operating systems, and optical drive firmware.
2. Access to the operating system and/or device drivers. Assuming a
high degree of technical knowledge, a specialist who has
unrestricted access to the deepest levels of the operating system
and optical drivers can cause a lot of damage, though not without
detection.
3. Access to optical disks and drive firmware. A technical guru with
unrestricted access to optical disks and drive firmware can alter
data on optical disks, and do it without detection using selective
manipulation of individual data sectors. The technician would need
to disable the drive's built-in overwrite prevention capabilities to
accomplish the task in the following way: First, the drive's
firmware would need to be altered to allow overwrites of a
previously written sector. With the disk inserted in the drive, the
technician could then overwrite a chosen data sector to corrupt the
existing data, making the sector unreadable. The logical block
address corresponding to this "bad" sector could then be
remapped to a spare sector, and fraudulent data could be placed
in the new sector to quietly replace the original data.
The entire procedure would look like normal defect management. There
would be no evidence whatsoever that the remapping was intentional and
malicious. When the disk is replaced in operation, users would see only
the altered data. Unless an anomaly was noticed in the data itself, users
would not realize the data had been altered.
This scenario is possible--though extremely difficult to implement--in all
optical drives due to the way common disk defects are "spared out" and
remapped to new locations. Defect management is a key function of the
drive firmware, and unavoidable due to the imperfect nature of any
recording medium. On one hand, it assures that data written to optical
disks is as perfect and accurate as the media allows, a considerable
benefit. Unfortunately, the same defect management scheme opens the
door to malicious tampering--but not without extreme effort, a deep
understanding of the technology, and unrestricted access to optical disks
and drive firmware.
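To make the two drive safeguards and the remap scenario above concrete, here is a toy Python model added for this edition (not HP's firmware and not code from the paper): blank-sector detection refuses a direct overwrite, defect management moves a logical block to a spare sector, and an off-disk SHA-256 manifest, one instance of the "additional safeguards to detect unauthorized modification" that the process-control section calls for, is what exposes a content change the drive itself records as routine sparing. The sector counts, record contents and manifest scheme are constructed assumptions.

```python
import hashlib

class WormDrive:
    """Toy model (assumption, not real firmware) of the two safeguards the
    paper describes: blank-sector detection and defect-management remapping."""

    def __init__(self, sectors=8, spares=2):
        self.media = [None] * (sectors + spares)  # physical sectors, None = blank
        self.lba_map = list(range(sectors))       # logical block -> physical sector
        self.next_spare = sectors                 # first unused spare sector
        self.flagged = set()                      # physical sectors marked bad

    def write(self, lba, data):
        phys = self.lba_map[lba]
        if self.media[phys] is not None:          # read pass before write
            raise PermissionError(f"LBA {lba}: sector already written")
        self.media[phys] = data

    def read(self, lba):
        return self.media[self.lba_map[lba]]

    def spare_out(self, lba, data):
        """Flag the LBA's sector as bad, remap the LBA to a spare, store data.
        The drive cannot tell a genuine defect from a deliberate one."""
        if self.next_spare >= len(self.media):
            raise RuntimeError("no spare sectors left")
        self.flagged.add(self.lba_map[lba])
        self.lba_map[lba] = self.next_spare
        self.next_spare += 1
        self.media[self.lba_map[lba]] = data

def make_manifest(drive, lbas):
    """Per-LBA SHA-256 digests, to be stored off the disk under separate control."""
    return {lba: hashlib.sha256(drive.read(lba)).hexdigest() for lba in lbas}

def verify_manifest(drive, manifest):
    """Return the LBAs whose current content no longer matches the manifest."""
    return [lba for lba, digest in manifest.items()
            if hashlib.sha256(drive.read(lba)).hexdigest() != digest]

def demo():
    drive = WormDrive()
    records = [b"rec 1001: BUY 100 XYZ", b"rec 1002: SELL 50 ABC"]  # constructed
    for lba, rec in enumerate(records):
        drive.write(lba, rec)
    try:                                   # a plain overwrite is refused by the drive
        drive.write(0, b"rec 1001: BUY 900 XYZ")
        overwrite_blocked = False
    except PermissionError:
        overwrite_blocked = True
    manifest = make_manifest(drive, range(len(records)))
    drive.spare_out(1, records[1])         # genuine defect: same content moves
    after_genuine = verify_manifest(drive, manifest)
    drive.spare_out(0, b"rec 1001: BUY 900 XYZ")  # substitution via the same path
    after_substitution = verify_manifest(drive, manifest)
    return overwrite_blocked, after_genuine, after_substitution
```

The manifest only helps if it is written once, at recording time, and kept where the disk-and-firmware access described above does not reach it; a manifest stored on the same disk could be re-spared along with the data.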
LEGAL PRECEDENTS
Due to the effort required to compromise WORM data and the
inherent stability of optical disks, the Commodity Futures Trading
Commission of the United States announced in 1993 that optical
disks were an acceptable storage medium for the Commission's
required computer-generated records. The changes to Rule 1.31
were published on May 10, 1993 in the Commission's Federal
Register, which stated specifically that the use of multifunctional
CCW WORM drives is acceptable for Commission records. The
Commission further clarified its ruling the following year by stating
that CCW WORM media, as approved in the ISO standard, is a
form of WORM media and is therefore acceptable under Rule
1.31.
In June 1993, the U.S. Securities and Exchange Commission
(SEC) proposed that broker-dealers be allowed to preserve
records using optical storage technology as long as the technology:
a. preserves records in a non-rewritable, non-erasable format;
b. verifies automatically the quality and accuracy of the optical
storage recording process;
c. duplicates in a separate optical disk all information originally
preserved and maintained by means of optical storage
technology;
d. serializes original and duplicate optical disks containing
records, and time-dates permanently the information placed
on such optical disks; and
e. has the capacity to download indexes and records
preserved on optical disks into paper, microfilm or
microfiche.
All WORM types satisfy these requirements. In the same
proposal, the SEC went on to cite the economic benefits of optical
storage for broker-dealers:
"According to the SIA (Securities Industry Association, Inc.),
optical storage technology will provide economic as well as
time-saving advantages for broker-dealers. For example, the SIA
estimates that savings for space, equipment and material expenses,
resulting from a change to optical disk from microfilm, range from
$250,000 a year for a medium-sized firm to more than $1.6
million a year for a large firm."
In general, a U.S. court of law will accept as evidence any type of
medium if it is handled securely and consistently, and if it is
considered a normal part of business practices. The rule applies
regardless of the technical attributes of the medium: if paper files or
audio tape--two media which are easily altered--are well
protected and used as primary business tools, they are normally
admissible as evidence. Similarly, if WORM disks are
incorporated as part of normal business practices, they can be
entered into evidence to provide an electronic "paper trail."
THE ISSUE OF INDUSTRY STANDARDS
Technological considerations being equal, any evaluation of a WORM
solution must consider industry standards. This is a critical consideration,
not just for cost per megabyte but also for accessibility of data over the
long-term, which is the most compelling reason for adopting optical
technology.
Of all WORM types, only CCW WORM has been standardized by
ANSI, ISO and ECMA. Today, multiple suppliers are selling CCW
WORM drives and media, whereas other types of WORM products are
generally single-sourced and proprietary. Due to free-market competitive
pressures, CCW WORM continues to increase in functionality and
capacity (from 0.65 MB to 1.3 GB to 2.6 GB as of this writing) even as
storage cost per megabyte has fallen.
That trend should continue as long as multiple vendors serve the CCW
WORM market. Also, since CCW WORM development is controlled
by industry standards, all CCW WORM products are
backward-compatible--the earliest 1X CCW WORM disks and drives
are fully compatible with the 2X disks and drives being manufactured
today and the 6X drives currently under development.
*******************************************************
"Long-term accessibility, not just cost per
megabyte, is the most compelling reason
for adopting standards-based optical
technology."
*******************************************************
FREQUENTLY ASKED QUESTIONS
Q: Is it possible to alter a CCW WORM disk using a big magnet?
A: A CCW WORM disk requires both a magnet and a precise laser to
write data. The laser momentarily heats a tiny portion of the disk's
recording surface to 150 degrees C (the recording material's Curie
point). At that temperature the disk can be altered (i.e., written) using
the targeted magnet that is part of the drive. At room temperature,
however, the disk cannot be altered or erased by magnets found in a
typical business or industrial setting. For example, it would take a
superconducting magnetic field, the kind of force used in a linear
accelerator, to destroy data on a CCW WORM disk at room
temperature.
Q: Is there really any difference between types of optical disks? Why
do some have a longer archival life than others?
A: Each WORM technology uses a different type of write-once disk
based on the technology used to record data. Ablative disks use a
sputtered thin film in the disk's recording layer; bubble-forming disks use
a heat-absorbing film; phase-change disks use a metal film that changes
from amorphous to crystalline state. Some disks must be vented to the
atmosphere and are therefore susceptible to corrosion, while others are
completely enclosed. Some disks are limited to a certain number of read
and write passes. Due to these many differences, it's hard to make an
apples-to-apples comparison. Yet one thing holds true: all WORM disks
offer a minimum offline archival life of at least 25 years, and most are
expected to last much longer than that. Projections are based on
accelerated-life wear testing, and all tests show that optical disks are
extremely stable for most long-term storage purposes.
Q: Does any one WORM technology provide a better trail to detect
malicious tampering?
A: No. Despite some claims, all WORM technologies can be maliciously
altered without a trace. Using the defect management scheme outlined
earlier in this document, any WORM technology, whether ablative,
phase-change, dye-polymer, bubble-forming, alloy-forming, or CCW
WORM, can be altered by someone with malicious intent and sufficient
access. An investigator looking at an altered disk under a microscope
would not be able to determine conclusively whether the disk had been
maliciously altered or had merely undergone a normal defect
management procedure.
CONCLUSIONS
No technology or storage medium is tamper-proof, whether
optical, tape, magnetic disk, paper or film.
Data security depends as much on processes as technology. When
security is paramount, data must be protected by in-house process
controls including restricted, offline storage of critical disks.
All WORM technologies are equally reliable and inherently safe.
All WORM technologies provide overwrite prevention and blank
checking functions that prevent accidental erasure of data.
Once written, WORM disks are extremely difficult to alter without
being detected.
WORM disks are stable, offering an archival life of at least 25
years.
WORM technologies are accepted by the SEC.
CCW WORM is the only write-once technology governed by
industry standards and served by multiple vendors who compete
equally in the marketplace.
FOOTNOTES
* Computer User's Guide to the Protection of Information Resources,
developed by the National Institute of Standards and Technology
(NIST), Computer Security Program Office, A-216 Technology,
Gaithersburg, MD 20899, (301) 975-5200. NIST is responsible for
developing standards, providing technical assistance, and conducting
research for computers and related systems. These activities provide
technical support to government and industry in the effective, safe, and
economical use of computers. With the passage of the Computer
Security Act of 1987 (P.L. 100-235), NIST's activities also include the
development of standards and guidelines needed to assure the
cost-effective security and privacy of sensitive information in Federal
computer systems.
This guide is just one of three brochures designed for a specific audience.
The "Executive Guide to the Protection of Information Resources," and
the "Managers Guide to the Protection of Information Resources"
complete the series. This guide was written by Cheryl Helsing of Deloitte,
Haskins & Sells in conjunction with Marianne Swanson and Mary Anne
Todd, National Institute of Standards and Technology.
* United States Securities and Exchange Commission Report, June 18,
1993, regarding optical storage technology and preservation requirements
under rules 17a-3 and 17a-4.
Technical information in this document subject to change without notice.
(C) 1995 Hewlett-Packard Company