Long-term Trusted Preservation of Electronic Documents

White paper: Fujitsu SecDocs powered by OpenLimit® (ts.fujitsu.com/secdocs)

Description

An increasing number of business processes are presented in electronic form as this lowers costs and expedites administration in a lasting manner. Accordingly, an increasing number of electronic documents are replacing the handling of expensive paper receipts. The challenge: Electronic documents must have the same permanent evidential value and must be trustworthy in order to legally safeguard business processes. Fujitsu SecDocs supports these endeavours with the first certified evidence-preserving long-term archive as an integrated solution on the basis of open standards.


Table of contents

Management summary (page 3)
Fundamental aspects (page 4)
• Paper-bound and electronic documents in long-term preservation (page 4)
• Long-term trusted preservation (page 4)
• Cryptographic processes as a means for evidence preservation (page 4)
• Types of signature (page 5)
• Advantages and legal effects of the Qualified Electronic Signature (QES) (page 6)
• Signature renewal for evidence preservation (page 6)
• Requirements in regard to storage systems for long-term preservation (page 7)
• Technical directive 03125 and protection profile ACM_PP of the BSI (page 7)
Fujitsu SecDocs (page 8)
• Architecture (page 8)
• Basic functions (page 10)
• Metadata and document types (page 12)
• Multitenancy (page 13)
• Structure of the document storage (page 13)
• Storage systems (page 14)
• Permissions concept (page 15)
• Extended functions (page 15)
• Administration (page 16)
• Tenant administration (page 17)
• Logging of the archive operations (page 17)
Operator models (page 18)
• License (page 18)
• Preservation as a service (page 18)

Revision

Version 1.0 / 28.10.2009, authors: Herbert Sattler, Peter Falk, Dr. Jürgen Neises, team TSP ES
Version 1.1 / 26.02.2010, author: Peter Falk; changes: detail changes
Version 2.0 / 01.11.2010, authors: Herbert Sattler, Peter Falk, Alexander Dörner, Holger Ebel, Tobias Gondrom; changes: comprehensive changes due to technical advancements and new legal conditions
Version 2.1 / 28.10.2011, author: Alexander Dörner; changes: detail changes


Management summary

An increasing number of business processes are presented in electronic form as this lowers costs and expedites administration in a lasting manner. Accordingly, an increasing number of electronic documents are replacing the handling of expensive paper receipts. The challenge: Electronic documents must have the same permanent evidential value and must be trustworthy in order to legally safeguard business processes. Additionally, it must be possible to provide proof of integrity and authenticity at all times, in some cases for a period of over 100 years.

As an evidence-preserving long-term archive, Fujitsu SecDocs offers the permanent protection of electronic documents with the utilisation of certified security components. Fujitsu SecDocs uses the tried and tested evidence preservation in accordance with ArchiSig and an improved concept for the standardised coupling of the evidence values to the document.

The benefit: The evidence-preserving long-term archive creates trust in electronic business. The archive solution is easy to use, cost-efficient and, as a web service, can be quickly integrated in heterogeneous IT infrastructures. The evidence preservation is performed in an automated manner, thereby removing the need for specialised signature knowledge or proprietary evidence preservation systems. In total, Fujitsu SecDocs leads to a lasting reduction of the complexity of long-term preservation and enables an easy and quick data migration.

Due to increased legal security and standardisation in evidence preservation, the transformation process to electronic documents is accelerated further. Fujitsu SecDocs supports these endeavours with the first certified evidence-preserving long-term archive as an integrated solution on the basis of open standards.

Fundamental aspects

Paper-bound and electronic documents in long-term preservation

The properties of paper-bound and electronic documents differ considerably from each other. While a paper document can be read at any time, software tools are required in order to open and read electronic documents. Without specific measures it is not possible to see whether electronic documents have remained unaltered since their creation and whether they actually have been produced by the creator specified in the document. Without additional processing, the integrity and authenticity of electronic documents cannot be ensured.

Additionally, paper documents differ from electronic documents in their permanent presentability. While paper can be read even after a long time, electronic files often can no longer be opened after the first technological migration. Therefore, corresponding technical and organisational measures must ensure that electronic documents both remain verifiably unchanged for at least the duration of the required preservation period and can be presented true to the original.

A guarantee of the unchanged presentation in its original form is currently only warranted for the PDF/A and TIFF formats. For the evidence of the integrity and authenticity of electronic documents, electronic signatures have proven to be cost-efficient as well as contractually capable. For this reason, both aspects are especially taken into consideration for (evidence-preserving) long-term preservation.

Long-term trusted preservation

The goal of trusted preservation of electronic data for very long periods of time is the verifiably authentic, i.e. attributable and intact, storage, conservation and availability of this data for at least the period of time specified by the legally demanded preservation periods. The safeguarding of the availability of electronic documents also includes ensuring, in the long term, the marketability of the data and its connection with the business cases on which it is based on the corresponding current IT systems.

Fujitsu SecDocs is an evidence-preserving long-term archive on the basis of the “Technische Richtlinie” (technical directive) 03125 of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnologie) (BSI) and fully supports this directive.

Cryptographic processes as a means for evidence preservation

Fundamental requirements in regard to the preservation of electronic documents for evidence-preserving purposes are the availability, confidentiality, verifiability of authenticity (origin, genuineness) and integrity of the archived information for the entire duration of the storage period.

Additional technical measures are required in order to ensure the authenticity and integrity over the entire lifetime of the electronic document in the archive. According to the current state of the art, electronic signatures and time stamps are the most effective and cost-efficient measures to ensure their protection. Fujitsu SecDocs relies on these technologies for evidence preservation.

Types of signature

The EU directive 1999/93/EC defines EU-wide general conditions for electronic signatures. In the implementation of this directive in national German legislation by means of the Signaturgesetz (SigG) (“signature law”), German legislators have defined different types of signatures in §2 SigG that feature different security levels, which also build on top of each other.

• Electronic signatures are “[…] Daten in elektronischer Form, die anderen elektronischen Daten beigefügt oder logisch mit ihnen verknüpft sind und die zur Authentifizierung dienen” (§ 2 No. 1 SigG) ([...] data in electronic form, which is added to other electronic data or is logically connected to this data and used for authentication).

• Advanced electronic signatures are “[…] elektronische Signaturen […], die […] ausschließlich dem Signaturschlüssel-Inhaber zugeordnet sind [und] die Identifizierung des Signaturschlüssel-Inhabers ermöglichen [sowie] mit Mitteln erzeugt werden, die der Signaturschlüssel-Inhaber unter seiner alleinigen Kontrolle halten kann, und [die] mit den Daten, auf die sie sich beziehen, so verknüpft sind, daß eine nachträgliche Veränderung der Daten erkannt werden kann.” ([...] electronic signatures [...] which [...] are individually assigned to the signature key owner [and] enable the identification of the signature key owner [as well as] are generated with means that are under the sole control of the signature key owner and are connected with the data, to which they refer, in such a manner that any later changes of the data can be recognised) (§ 2 No. 2 SigG).

• Qualified electronic signatures (QES) are advanced electronic signatures, which “[…] auf einem zum Zeitpunkt ihrer Erzeugung gültigen qualifizierten Zertifikat beruhen und […] mit einer sicheren Signaturerstellungseinheit erzeugt werden.” ([...] are based on a valid qualified certificate at the time of their creation and [...] are generated with a secure signature creation unit) (§ 2 No. 3 SigG).

The qualified certificate, on which the qualified electronic signature (QES) is based, is issued by a certification authority (CA) in accordance with § 5 and § 7 SigG. In order to receive such a signature, the user must identify himself at a certification authority. The certificate, which is signed with the secret key of the CA, contains a public key for the validation of the signature of the owner. The accompanying private key for the signing of documents (signature key) is confidentially protected in the signature creation unit (e.g. a chip card).

Another type of Qualified Electronic Signature, not further specified in SigG, is the Qualified Time Stamp. This is a Qualified Electronic Signature created by the Time Stamping Authority (TSA) of the certification authority and is a confirmation that a specific content was present at a specific point in time. The Qualified Electronic Signature, on the other hand, registers who signed the document and thereby proves, in addition to its integrity, the authenticity of the author.

Advantages and legal effects of the Qualified Electronic Signature (QES)

Only the QES may replace the legally prescribed written form (§§ 126, 126a, 127 BGB) and is accepted as prima facie evidence for private electronic documents and a binding declaration in lawsuits (§§ 371a, 416 ZPO). In the case of public, qualified signed documents, the full proof of the certified content is provided (§§ 371a, 417 ZPO).

Due to these reasons, Fujitsu SecDocs recommends the use of QES and the Qualified Time Stamp for securing the evidence values of electronic documents. The evidence value of an electronically signed document is determined by means of a signature verification, which must meet the requirements set by the Signaturgesetz (signature law, SigG) and the Signaturverordnung (signature regulation, SigV).

Signature renewal for evidence preservation

The strength of the algorithms (respectively their parameters) and of the processes, on which the digital signature is based, can decrease due to technological progress and new scientific insight in cryptanalysis. This means that certain algorithms or their parameters or processes are no longer applicable for electronic signatures. The German “Bundesnetzagentur” (Federal Network Agency, BNetzA) is the responsible authority as stipulated by SigG and, in cooperation with the German Federal Office for Information Security (BSI), annually publishes an overview of the suitable algorithms in accordance with Annex 1, Section 2, SigV.

If electronic documents attached with a Qualified Electronic Signature (QES) are to be archived for the long term in an evidence-preserving manner beyond the period of suitability of the utilised algorithm, appropriate measures must be implemented in the archiving system. In accordance with § 17 SigV, the qualified signed data must be updated with a new qualified electronic signature (signature renewal) before expiration of the suitability of the utilised algorithm. This signature renewal is performed by means of a qualified time stamp and must include the respective data, the old signatures as well as the time stamp, and must be based on suitable algorithms respectively parameters.

According to experience, the parameters respectively algorithms of a digital signature will no longer provide sufficient security after around 5 to 6 years and therefore will require a signature renewal. It is not necessary to renew each individual document with its own time stamp. In correspondence with the ArchiSig concept, several documents can be grouped and fitted with a joint time stamp. In order to provide an attestation for the integrity of a document stored in a long-term archive, the archive system must generate an evidence record for the document (in accordance with IETF RFC 4998), which must contain a seamless chain of valid time stamps, reaching back to the point in time at which the document entered the archive system.

This procedure is utilised in an automated manner in Fujitsu SecDocs.
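To make the renewal rule concrete, here is an added Python model (not code from this paper or from Fujitsu SecDocs) of a per-document chain of time stamps: the first stamp covers the document hash, each renewal stamps the document together with all older stamps using a stronger hash algorithm (a simplified form of the RFC 4998 hash tree renewal), and verification rejects a chain whose renewal was made after the previous algorithm's suitability had ended. The TSA, its token format and the suitability dates are constructed stand-ins, not the official BNetzA figures.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeStamp:
    alg: str        # hash algorithm the stamp was requested with
    digest: bytes   # hash value presented to the TSA
    time: str       # time asserted by the TSA (YYYY-MM-DD, so strings compare chronologically)
    token: bytes    # stand-in for the TSA's signature over (digest, time)


def digest(data: bytes, alg: str) -> bytes:
    return hashlib.new(alg, data).digest()


def tsa_stamp(d: bytes, alg: str, time: str) -> TimeStamp:
    # Constructed stand-in for a qualified TSA: a real one returns a token signed with its private key
    return TimeStamp(alg, d, time, digest(b"TSA" + d + time.encode(), alg))


def tsa_verify(ts: TimeStamp) -> bool:
    return ts.token == digest(b"TSA" + ts.digest + ts.time.encode(), ts.alg)


def encode(chain: list) -> bytes:
    # canonical serialisation of the existing stamps, so that a renewal stamp covers every older one
    return b"|".join(f"{t.alg}:{t.digest.hex()}:{t.time}:{t.token.hex()}".encode() for t in chain)


def renewal_digest(doc: bytes, older: list, alg: str) -> bytes:
    # simplified RFC 4998 hash tree renewal: hash_new(document) || hash_new(all older stamps), hashed again
    return digest(digest(doc, alg) + digest(encode(older), alg), alg)


def initial_record(doc: bytes, alg: str, time: str) -> list:
    """Evidence record at archive entry: one stamp over the document hash."""
    return [tsa_stamp(digest(doc, alg), alg, time)]


def renew(doc: bytes, chain: list, new_alg: str, time: str) -> list:
    """Append a renewal stamp; it must be made while the previous algorithm is still suitable (verify() checks)."""
    return chain + [tsa_stamp(renewal_digest(doc, chain, new_alg), new_alg, time)]


def verify(doc: bytes, chain: list, suitable_until: dict, today: str) -> bool:
    """suitable_until maps algorithm -> last day of suitability (constructed here; BNetzA publishes the real list)."""
    for i, ts in enumerate(chain):
        if not tsa_verify(ts):
            return False
        expected = digest(doc, ts.alg) if i == 0 else renewal_digest(doc, chain[:i], ts.alg)
        if expected != ts.digest:
            return False
        # seamless chain: each renewal must have been stamped before its predecessor's algorithm expired
        if i > 0 and ts.time > suitable_until.get(chain[i - 1].alg, ""):
            return False
    # the newest stamp must still rest on an algorithm that is suitable today
    return today <= suitable_until.get(chain[-1].alg, "")


if __name__ == "__main__":
    # constructed sample values; the dates are illustrative only
    SUITABLE = {"sha1": "2015-12-31", "sha256": "2030-12-31"}
    doc = b"<sdo>constructed invoice 4711</sdo>"
    chain = initial_record(doc, "sha1", "2009-10-28")
    chain = renew(doc, chain, "sha256", "2015-06-01")
    print(verify(doc, chain, SUITABLE, "2020-01-01"))  # True
```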

“By using the global ERS standard, Fujitsu SecDocs ensures the optimal evidence value of the archived data and the efficient and economic renewal of stored signatures.” (Tobias Gondrom, chairman of the IETF Working Group LTANS (Long-term archiving and notary services))

Image: Chain of time stamps for evidence preservation

Requirements in regard to storage systems for long-term preservation

Storage systems for electronic long-term preservation must meet specific technical requirements.

• Simple migration of the data to/from the storage system

The preservation time of electronic documents in archives is usually longer than the economic and technical operating time of a storage system. Therefore this inevitably results in the migration of data from a storage system to a newer storage system. The simplicity of data migration from the view of storage systems is achieved by usage of common access protocols such as CIFS or NFS.

• Independence of the storage system from the archive application

Due to the expected migrations, the electronic documents must be accessible on the storage systems even without access to the archive application. A proprietary connection between the archive application and the storage system, during which the access to electronic documents occurs only by means of information from the archive application, complicates the migration and is not desired.

• Technical protection against data loss by means of redundant data storage

In order to protect documents against loss that occurs due to technical malfunctions of the storage systems or due to physical destruction such as by fire, water or theft, the electronic documents must be replicated at offsite storage systems. The replication should be performed automatically on a storage system level and be completely transparent to the archive application.

• Protection against data loss due to unauthorised manipulation or destruction

In order to protect electronic documents against physical loss or manipulation, archives should be protected by means of a WORM functionality (Write Once, Read Many). In this manner, it is safeguarded that neither an administrator of the archive system nor the leading application can manipulate or delete data.

The combination of the complementary disciplines currently forms the safest protection for long-term trusted preservation:

The usage of cryptographic procedures proves the integrity and authenticity, the utilisation of WORM mechanisms in the storage system ensures the physical protection against deletion and manipulation.

Technical directive 03125 and protection profile ACM_PP of the BSI

In 2008 the BSI published the protection profile with the title ‘Protection Profile for an ArchiSafe Compliant Middleware for Enabling the Long-Term Preservation of Electronic Documents (ACM_PP)’, which is used as the basis for a Common Criteria security certification of products for the evidence-preserving electronic long-term archive.

Components of the Fujitsu SecDocs product are currently in the certification process in accordance with ACM_PP. Following the successful ACM_PP certification, evaluated by independent inspection authorities and certified by the BSI, a trustworthy component will be available, which offers “certified security”.

This “ArchiSafe Compliant Middleware”, which is integrated in Fujitsu SecDocs in accordance with ACM_PP, is a core component of an evidence-preserving electronic long-term archive that meets the specifications of the technical directive 03125 (TR-VELS/TR-ESOR). The current version of directive TR-03125 (TR-VELS, ‘Vertrauenswürdige elektronische Langzeitspeicherung’, trustworthy electronic long-term storage) is currently being revised in regard to wording and technology and will result in an updated version of the directive TR-03125 (TR-ESOR, ‘Beweiswerterhaltung kryptographisch signierter Dokumente’, evidence preservation of cryptographically signed documents). As soon as the updated certification process of the new version has been defined, an overall certification of the Fujitsu SecDocs product in accordance with directive TR-03125 will be strived for.

Fujitsu SecDocs powered by OpenLimit®

Fujitsu SecDocs was developed on the basis of open standards in cooperation with OpenLimit SignCubes AG, an internationally leading provider of certified software for electronic signatures and identities. The solution is constructed in a modular manner, is multi-client suitable and features an integrated ArchiSig security module that has been certified in accordance with CC EAL 4+ by the BSI. A unique selling point is the simplicity of use by means of the evidence values safeguarded by Qualified Electronic Signatures (QES) as well as the automated signature renewal for the permanent and cost-efficient evidence preservation.

Architecture

Fujitsu SecDocs is a solution for the long-term trusted preservation of electronic documents.

The object to be archived is submitted to Fujitsu SecDocs by the business application (client application) via a web service interface. SecDocs then takes the object to be archived and ensures in a guaranteed and verifiable manner its integrity for long periods of time and, if the object to be archived is protected by electronic signatures, also ensures its authenticity and non-repudiation. Fujitsu SecDocs will generate and store a standardised evidence record for each archived object as proof of its integrity and authenticity. This evidence record can be verified by third parties at any time.

A hash value, which is generated by means of a suitable hash algorithm, is utilised for the correlation between the document and the evidence record. In correspondence with the ArchiSig concept, this hash value is combined with hash values of other archived objects and sent to a certified time stamping authority, which complements the objects with the current time stamp, encrypted with the private key of the time stamping authority, and returns it to Fujitsu SecDocs together with the certificate of the time stamping authority. With this, Fujitsu SecDocs generates the evidence record for the corresponding archive object in accordance with a standardised procedure.

Subsequently, Fujitsu SecDocs hands over the document with the corresponding evidence record together with additional administrative information to a storage system for long-term preservation. The user respectively the operator of Fujitsu SecDocs is free in his choice of storage solution and in this manner can use the specific properties and functions that are available on the market.

In its main features, the architecture of Fujitsu SecDocs corresponds with the reference model specified in directive TR 03125, in particular in regard to the core components defined in the directive, which are used for evidence preservation and are of relevance for certification. Fujitsu SecDocs offers the basic functions demanded in the technical directive, which however have been expanded and complemented in regard to function in order to enable a wide field of use, also outside of the public sector.

The archive system itself is primarily responsible for the permanent evidence preservation, while the storage of the documents to be archived relies on state-of-the-art storage systems.

Fujitsu SecDocs is comprised of the following functional areas or core components:

Certified Security Components: These contain the software components developed by OpenLimit SignCubes AG, which are of relevance for evidence preservation and cover the following function areas:

• Validation of electronic signatures, which are possibly contained in documents that are transferred to Fujitsu SecDocs for preservation, as well as the corresponding generation of the validation reports, which also contain the OCSP responses.

• Hash value generation and hash value validation for the corresponding relevant algorithms and parameters

• Combining hash values of multiple archive objects in a single joint hash value in correspondence with the ArchiSig concept.

• Obtaining of time stamps from suitable time stamping authorities

• Generation of evidence records for the individual archive objects

• Validation of evidence records and generation of reproducible validation reports

• Renewal of hash values and time stamps and generation of correspondingly extended evidence records

Archiving functions: With basic functions that are demanded by directive TR 03125 as well as extended archive functions.

Storage plug-ins: For the connection to different storage systems and their specific properties. The first version of Fujitsu SecDocs is delivered with a storage plug-in for NetApp. Additional plug-ins will follow depending on customer requirements.

Application interface: As a web service interface for the connection of client software such as DMS, ERP or BPM systems as well as proprietary customer-specific applications.

Administration interface: As a web service interface for the connection of administration clients. Fujitsu SecDocs will make a web-based standard client software available on the basis of this web service interface. Additionally, the administration interface can be used to utilise certain functions from existing management or monitoring systems.

Image: Components in Fujitsu SecDocs

Basic functions

The basic services provided by Fujitsu SecDocs are oriented on the functions for the evidence-preserving storage of electronic documents as stipulated by the technical directive 03125 of the German BSI and the protection profile ACM_PP. In addition to the actual documents (the content data), the data objects that are to be archived (Submission Data Objects, SDO) and are exchanged between the client software and the archive system also contain metadata, which contains information on the content of the object in a structured form. Both parts, content data and metadata, are packaged by the client software in an XML data structure, which is defined by the user, and handed over to the archive system for archiving. Exactly these data (content data and metadata) are returned when reading the archived data objects. According to directive TR 03125, the archived objects are addressed by their so-called Archive Object ID (AOID).

Image: Basic functions in Fujitsu SecDocs

The following basic functions (web service operations) are offered:

submitSDO: Transfer of Submission Data Objects (SDO) to Fujitsu SecDocs under a specified globally unique AOID. Before calling submitSDO, the client application must request and reserve an AOID from Fujitsu SecDocs under which the SDO shall be stored.

retrieveSDO: Retrieve an archive object archived under the specified AOID assigned to the document.

deleteSDO: Delete the archive object with the specified AOID from the archive system.

requestForEvidence: Read the evidence record for the archive object with the specified AOID.

verifyER: Verification of the integrity of an archive object, specified by its AOID, by means of the corresponding evidence record (ER) stored in the storage system. The validation report is returned to the client application.

The following actions are performed during the archiving of documents (submitSDO) by Fujitsu SecDocs:

• XML schema validation of the submitted SDOs

• If the SDO contains signatures, these are verified and the corresponding validation reports are generated. SDO and validation reports are stored in the storage system in accordance with the storage structure specified by the user.

• Setting of the storage period during which the SDO may not be deleted. If the storage system offers functions for the prevention of premature deletion, these can also be used by Fujitsu SecDocs (such as NetApp SnapLock).

• Calculation of the hash value of a document and the addition to a hash tree in accordance with the ArchiSig concept.

• Compilation of the storage object (Archive Data Object, ADO) and transfer to the storage system by means of the storage plug-in for the storage in the document memory.

Fujitsu SecDocs does not request a dedicated qualified time stamp as proof of integrity for each individual SDO. Due to the fact that time stamping authorities usually charge for qualified time stamps, in correspondence with the ArchiSig concept a time stamp is only requested for a definable number of SDOs. After a configurable number of SDOs or following a definable time span, hash values are calculated for the cached SDOs and entered in a Merkle hash tree in accordance with the ArchiSig concept. The resulting root hash value is then transferred to the time stamping authority for ‘time stamping’. Subsequently, the corresponding evidence record with its reduced hash tree is derived from the hash tree for each SDO represented in it and stored in the storage system together with the SDO. Then the original hash tree is no longer required.

If the algorithms or their parameters, which are used for securing the documents, are declared as no longer suitable by the German Federal Network Agency, Fujitsu SecDocs then, initiated by the administrator, automatically performs a renewal of all the affected signatures in accordance with the ArchiSig concept in order to ensure evidence preservation.

Image: Evidence preservation in accordance with the ArchiSig concept in Fujitsu SecDocs

Fujitsu SecDocs performs this renewal of hash values, signatures and time stamps in agreement with the signature law (Signaturgesetz) and the signature regulation (Signaturverordnung) in an automated manner and, even in the case of larger data volumes, quickly and cost-efficiently. In a corresponding manner, Fujitsu SecDocs reduces the complexity of evidence preservation in accordance with the ArchiSig concept in such a manner that users and administrators of the system do not require any knowledge of signature technologies.

Unconditional deletion of SDOs (deleteSDO) is only possible, when their preservation period has expired. If the connected storage system enables it, the archive objects are not only deleted logically (deletion from directories and the release of the storage areas), but also physically (e.g. overwriting of the data areas occupied by the SDO with random numbers before their deletion).

In the case that the archived documents are to be deleted for specific reasons before expiration of the preservation period, the specification of a reason is mandatory when calling deleteSDO in accordance with the technical directive and protection profile. Fujitsu SecDocs will then only delete the data object after confirmation by an authorised party. In any case, Fujitsu SecDocs will perform a logical deletion and, if the storage system allows, also a deletion in the storage areas.

The deletion of individual documents does not limit the proof of integrity of the remaining documents in any manner, as the reduced hash trees for each document can be verified in an independent manner.
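The grouping into a Merkle hash tree described above and the deletion independence stated here, as an added Python illustration (not Fujitsu SecDocs code): one time stamp covers a whole batch of SDOs, each AOID receives its own evidence record holding only its reduced hash tree and the shared stamp, and a record verifies with nothing but its own SDO, so deleting a neighbour changes nothing. The TSA and the sample SDOs are constructed stand-ins; the sibling-sorting rule follows the RFC 4998 hash list convention.

```python
import hashlib

ALG = "sha256"


def h(data: bytes) -> bytes:
    return hashlib.new(ALG, data).digest()


def combine(a: bytes, b: bytes) -> bytes:
    # RFC 4998 hash list: sort the two digests in binary order, concatenate, hash. The order is
    # therefore canonical and a reduced hash tree needs no left/right position information.
    return h(b"".join(sorted((a, b))))


def build_tree(leaves: list) -> list:
    """Levels of the Merkle tree, level 0 = leaves; an unpaired node is carried up unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            nxt.append(combine(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels


def reduced_hash_tree(levels: list, index: int) -> list:
    """Sibling digests needed to recompute the root from leaf `index` (None where the node was unpaired)."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append(level[sib] if sib < len(level) else None)
        index //= 2
    return path


def root_from(leaf: bytes, path: list) -> bytes:
    for sib in path:
        leaf = leaf if sib is None else combine(leaf, sib)
    return leaf


def tsa_stamp(digest: bytes, time: str) -> dict:
    # Constructed stand-in for a qualified time stamp; a real TSA signs (digest, time) with its private key
    return {"alg": ALG, "digest": digest, "time": time, "token": h(b"TSA" + digest + time.encode())}


def tsa_verify(ts: dict) -> bool:
    return ts["token"] == h(b"TSA" + ts["digest"] + ts["time"].encode())


def archive_batch(sdos: dict, time: str) -> dict:
    """Group cached SDOs {aoid: bytes}, request ONE stamp for the root, derive one evidence record per AOID."""
    aoids = sorted(sdos)
    levels = build_tree([h(sdos[a]) for a in aoids])
    ts = tsa_stamp(levels[-1][0], time)
    # after this the full hash tree can be discarded; each record carries only its own path
    return {a: {"reduced_hash_tree": reduced_hash_tree(levels, i), "time_stamp": ts}
            for i, a in enumerate(aoids)}


def verify_er(sdo: bytes, er: dict) -> bool:
    """Stand-alone check of one SDO against its evidence record; needs no other SDO and no original tree."""
    ts = er["time_stamp"]
    return tsa_verify(ts) and root_from(h(sdo), er["reduced_hash_tree"]) == ts["digest"]


if __name__ == "__main__":
    # constructed sample: three SDOs archived in one batch, then one of them deleted
    batch = {"AOID-1": b"<sdo>invoice 1</sdo>", "AOID-2": b"<sdo>invoice 2</sdo>", "AOID-3": b"<sdo>invoice 3</sdo>"}
    records = archive_batch(batch, "2011-10-28T12:00:00Z")
    del batch["AOID-2"]  # deleteSDO: the remaining records still verify on their own
    print(all(verify_er(batch[a], records[a]) for a in batch))  # True
```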

The retrieval of functions by the client software is always performed via web service interfaces (SOAP via HTTPS). Due to the fact that most client applications can utilise external services in the form of web services, the technical integration of Fujitsu SecDocs is usually possible without difficulty.

Because SOAP via HTTPS does not offer transactional semantics, the update operations of the Fujitsu SecDocs archive system are designed in an idempotent manner, i.e. the repetition of a service operation does not lead to ‘SDO orphans’ (garbage), which could permanently remain in the storage system. Particularly in critical use cases, a complete deletion of documents must be guaranteed for reasons of information protection, such as the complete deletion of a record.

Metadata and document types

Depending on the business domain, documents of different types are archived, e.g. invoices, deeds, contracts, patents, last wills and testaments, etc. The metadata for the individual document types describe very different circumstances and therefore must be specifically designed in regard to their structure and content by the user. From a technical point of view, document types are defined as XML schemas and registered in Fujitsu SecDocs. In this manner, Fujitsu SecDocs is able to validate SDOs that are submitted by the client software for archiving (submitSDO).

Fujitsu SecDocs requires specific information from the metadata of the SDOs for the storage and administration of the archived material, e.g. embedded content data such as PDF/A or TIFF files, corresponding electronic signatures or the preservation time of the SDOs. In order to retrieve this type of data items from the SDOs, Fujitsu SecDocs requires information for each document type (SDO type) where these items are located. For this, a filter must be defined for each SDO type (XML schema) and registered in Fujitsu SecDocs with the respective SDO type.

Additionally, parameters for the SDO type can be stored in the filter definitions, which then apply for all SDOs of this type, e.g.

• The preservation period (e.g. 10 years for invoices), which then does not have to be specified in the metadata of the documents of this type

• The format of the documents for this document type, e.g. PDF/A with or without embedded signature

• The definition of the logical directory structure (e.g. record/process/document or year/month/day) by using elements from the metadata

• The selection of elements from the metadata, which should be included for auditing the archive operations

• Metadata elements, which should be used for indexing and retrieval

The user therefore has a wide range of usage possibilities and specific methods of usage at his disposal.

Multitenancy

Fujitsu SecDocs administers documents from various customers, clients or organisational units strictly separated from each other. In this manner, a tenant can never access documents or parameters that belong to a different tenant.

Tenant-specific settings concern, for instance:

• Physically separated document storage in tenant-specific volumes respectively volume sets and/or logically separated document storage in a tenant-specific directory

• Providing of a directory structure for documents within the tenant-specific volume sets or directories

• Separation of documents of different organisational units of the client (e.g. resorts) in order to prevent cross-resort access

• Database tables for the administrative data of the archive

• Roles and access authorisation

• Access permissions for roles

• Selection of the time stamping authorities that require payment

In Fujitsu SecDocs the tenant-specific attributes are defined by an administrator of the tenant and not by the administrator of the archive system (see administration).

Structure of the document storage

Fujitsu SecDocs offers the user the highest possible degree of flexibility in regard to the selection of the storage structure in the storage system. Usually, documents that belong together in regard to their specific field are also filed in the storage system in a specific directory structure (e.g. record, process, document), defined by the business solution and its document structure. A tree-like directory structure (analogous to file directories) is used as the storage structure for electronic documents. Ultimately, a document is a leaf of the directory tree and is always addressed via its access path, which contains and specifies all nodes above the document – including the volume designator as the root node.


An archived document in the storage structure (leaf node) contains the Archive Data Object (ADO), which contains, among other things, the SDO, the validation reports and the evidence records.

The structure of the ADO has already been designed for future extension, e.g. the storage of large data objects such as audio or video data.

Storage systems

The physical storage of archived documents is not performed by Fujitsu SecDocs itself, but instead is carried out by storage systems that are established on the market. The connection is performed by means of storage plug-ins in Fujitsu SecDocs, which have been developed for the respective storage systems and are made available. The list of plug-ins can be expanded as required without necessitating fundamental changes of Fujitsu SecDocs.

The following characteristics are preferred for evidence-preserving long-term trusted preservation; they are implemented depending on the respective storage system:

• Permanent write-protection (with True WORM systems, i.e. storage on WORM media)
• Write-protection within the storage period (with Soft WORM systems such as NetApp SnapLock)
• Relocation of data that is not accessed for a longer time onto magnetic tape
• Support of standardised protocols, e.g. CIFS and NFS, for the easy migration of data
• Optional encryption of archived documents
• Data backup
• Data replication
• High availability

The extent to which these functions are supported depends to a great degree on the storage system that the customer selects for use with SecDocs.

The concrete storage structure can be specified by the user (client). The overall directory structure is logically divided into three substructure areas: tenants, organisations and documents. The structure for the tenant (root node of the tenant) is determined by the archive administrator during the setting-up of the tenant. The substructure of the tenant is determined by the respective tenant administrator. It describes the specific directory structure for the organisations (e.g. resorts) of the tenant. Each organisational unit is assigned a root node within the storage structure of the tenant. Below the root node of the organisational unit, the documents are placed in a document substructure, which can be specified for each document type. The designation of the nodes for the document directory structure can be taken from the metadata of the documents.

The clear storage structure in the document storage for tenants, organisational units and documents offers a number of decisive advantages, such as

• The possibility of navigating the archive of the tenant or organisation along the directory structure
• The guarantee of the completeness of the data volume, e.g. for export or deletion operations on a logical set of documents (e.g. a folder).

Image: storage structure (tenant, organisational structure, document structure)


Permissions concept

Because the archiving of documents is initiated by means of upstream systems (client applications), Fujitsu SecDocs is a backend system. If requests for the archiving of documents are initiated by end users, these are performed by so-called leading applications, e.g. DMS or ERP systems or web applications. The end user is authenticated and authorised by these client systems, which then perform the archiving of documents acting for the end user. User management and administration is handled by the leading application and not by Fujitsu SecDocs. As a user of Fujitsu SecDocs, the client system must authenticate itself on behalf of the end user at the archive system and is then authorised by Fujitsu SecDocs.

Because the client application assigns different permissions depending on the role of the user, it is useful and necessary that role-based authentication and authorisation is possible towards the archive system. This means that the client application logs on to the archive system with a specific role and may then use the functions that are assigned to this role. The role-based authentication is performed at Fujitsu SecDocs by means of the specification of tenant, organisational unit and role. Access is protected, as selected, either by a password-based or a key/certificate-based authentication mechanism.

Following successful authentication, the root node for the document storage is determined from the tenant (client) and the organisational unit. New documents that are to be archived will be stored under this node. Operations on already archived documents are only possible when these were stored below the root node of the organisational unit.

Extended functions

Image: extended functions in Fujitsu SecDocs

The above-mentioned elementary basic functions, which are oriented on directive TR 03125, address the archived data objects by means of unique identifiers (AOIDs), i.e. a document is archived under an AOID. The client software must specify the AOID of the desired data object. This means that the client software must administer the AOIDs of all of its archived documents without loss for the duration of the storage period. The loss of an AOID would be equivalent to the loss of the corresponding archived document.

If the user wants to process a greater number of logically connected documents (e.g. deletion of all documents in a record), then he must assemble the set of AOIDs and process one document after the other. This can become difficult when individual documents of a set of specific contiguous documents (e.g. all documents of a construction permit) have been archived by using more than one client software instance (e.g. by a DMS, a web application, a SOA-based business process or a scan process). If each of these client software instances administers the AOIDs of its archived documents in an autonomous manner, then all relevant AOIDs from the different client systems must be retrieved. However, this is not necessary if the archiving – or at least the registration – of the AOIDs was performed by a joint leading application. This leading application must have the same properties in regard to lifetime, data security and availability as the evidence-preserving long-term archive itself. In this manner, it realises the fundamental archive functions such as searching for documents depending on the client and role, while the archive system merely acts as the evidence-preserving storage system.

To avoid dependence on a leading application that must synchronise with the archive system, Fujitsu SecDocs will be extended with a number of functions, such as:

• Navigation along the document tree, beginning with the root node of the organisational unit
• Searching for documents by means of search criteria that are determined for the individual document types
• Export and deletion of documents of a node including all sub-nodes in a storage structure (e.g. all documents of a client, of an organisational unit, a record, a construction permit etc.)
• Import of documents and storage under the corresponding node (parametrisable) in the storage structure
• Segregation of documents after the end of the storage period (unconditional deletion, transfer to an archive, e.g. the German federal archive, or following the decision on the further treatment by an authorised party)
• Reading of the SDO schema that was used during archiving
• Archiving of large data objects (e.g. audio, video)

Not all of these functions are already contained in the first version.
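The storage structure (tenant root, organisational unit root, document substructure), the role-based logon with tenant, organisational unit and role, the restriction of operations to documents below the unit's root node, and the subtree listing on which export or deletion of a whole record builds, as one added example covering the "Structure of the document storage", "Permissions concept" and "Extended functions" sections (not Fujitsu SecDocs code). Tenant names, volume names, roles, passwords and the PBKDF2 password storage are constructed assumptions; the product's own password and key/certificate mechanisms are not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, Iterable, List, Optional, Tuple


def safe_relative(relative: str) -> PurePosixPath:
    """Accept only a plain relative path: no absolute paths, no '.' or '..' steps."""
    path = PurePosixPath(relative)
    if path.is_absolute() or any(part in (".", "..") for part in path.parts):
        raise PermissionError(f"invalid relative path {relative!r}")
    return path


@dataclass(frozen=True)
class Session:
    """Result of a successful role-based logon: tenant, unit, role, rights and the unit's root node."""
    tenant: str
    org: str
    role: str
    operations: frozenset
    root: PurePosixPath


class ArchiveStore:
    def __init__(self) -> None:
        self.tenant_roots: Dict[str, PurePosixPath] = {}          # set by the archive administrator
        self.org_roots: Dict[Tuple[str, str], PurePosixPath] = {}  # set by the tenant administrator
        self.roles: Dict[Tuple[str, str, str], Tuple[frozenset, bytes, bytes]] = {}
        self.documents: Dict[str, dict] = {}                      # access path -> ADO (a dict here)

    # archive administrator: root node of the tenant (volume plus tenant directory)
    def create_tenant(self, tenant: str, volume: str) -> None:
        self.tenant_roots[tenant] = PurePosixPath("/") / volume / tenant

    # tenant administrator: root node of an organisational unit below the tenant root
    def create_org(self, tenant: str, org: str, subdir: str) -> None:
        self.org_roots[(tenant, org)] = self.tenant_roots[tenant] / safe_relative(subdir)

    # tenant administrator: a role with its permitted operations (assumed: PBKDF2 password storage)
    def define_role(self, tenant: str, org: str, role: str,
                    operations: Iterable[str], password: str) -> None:
        if (tenant, org) not in self.org_roots:
            raise KeyError(f"organisational unit {org!r} of tenant {tenant!r} does not exist")
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.roles[(tenant, org, role)] = (frozenset(operations), salt, digest)

    # client application logs on with tenant, organisational unit and role
    def login(self, tenant: str, org: str, role: str, password: str) -> Optional[Session]:
        entry = self.roles.get((tenant, org, role))
        if entry is None:
            return None
        operations, salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        return Session(tenant, org, role, operations, self.org_roots[(tenant, org)])

    def archive(self, session: Session, doc_path: str, ado: dict) -> str:
        """Store a new document below the unit's root node; returns its access path."""
        self._require(session, "archive")
        access_path = session.root / safe_relative(doc_path)
        self.documents[str(access_path)] = ado
        return str(access_path)

    def retrieve(self, session: Session, access_path: str) -> dict:
        """Operations on archived documents are only possible below the unit's root node."""
        self._require(session, "retrieve")
        return self.documents[str(self._inside_root(session, access_path))]

    def list_node(self, session: Session, node_path: str) -> List[str]:
        """Access paths of all documents below a node (basis for exporting or deleting a record)."""
        self._require(session, "retrieve")
        node = self._inside_root(session, node_path)
        return sorted(p for p in self.documents if node in PurePosixPath(p).parents)

    @staticmethod
    def _inside_root(session: Session, access_path: str) -> PurePosixPath:
        path = PurePosixPath(access_path)
        if any(part in (".", "..") for part in path.parts):
            raise PermissionError(f"invalid access path {access_path!r}")
        if path != session.root and session.root not in path.parents:
            raise PermissionError("access path lies outside the organisational unit's root node")
        return path

    @staticmethod
    def _require(session: Session, operation: str) -> None:
        if operation not in session.operations:
            raise PermissionError(f"role {session.role!r} is not authorised for {operation!r}")
```

The permission check runs before the path is resolved, so a client with the wrong role learns nothing about whether a document exists, and the root-node check is done on the full access path rather than on a string prefix, which is what keeps a tenant from reaching another tenant's volume.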

Administration

Fujitsu SecDocs offers a hierarchical administrator concept for administration. A distinction is made between the system administrator, the archive system administrator and the respective administrators of the tenants.

System administrator

The system administrator is responsible for the setting-up and administration of the operating system, the database system, the application server, the connectivity, the storage system and the archiving software (including the setting-up of the archive administrator). Additionally, he is responsible for the data backup of the storage and archive system. He utilises standard mechanisms of the underlying system components for his tasks.

Archive administrator

The archive administrator supervises and administers the evidence-preserving long-term archive. His tasks are, among others:

• Setting-up of additional archive administrators (if required)
• Setting-up, administering and deletion of clients and client administrators
• Reading out and evaluating the system log
• Setting-up of the timestamping authority (TSA) that is to be used

During the setting-up of a tenant, the archive administrator determines the volume set or the directory node under which the documents of the client are to be stored, as well as the prefix for the database tables of the client. This ensures that the data of the client is stored and administered separately.

The archive administrator does not gain access to the functional and organisational details of the individual tenants.

All operations that are performed by the archive administrator are logged in audit records.


Tenant administration

The client administrator is responsible for the tenant-specific settings of the archive system, i.e. each client has its own administrator; this role is comparable with that of an archivist in a traditional paper archive. The client administrator has access to functional details of his organisation, but not to that of other tenants.

Essential tasks of the client administrator are the following:

• Setting-up the root node for the storage of documents in the organisational units
• Definition of roles and rights and their access permissions
• Registration of document types (XML schemas) and filter definitions for the organisational units
• Selection of the timestamping authority that is to be used (selection from the list of possible TSAs, which is to be set up by the archive administrator)
• Initiating the timestamp renewal, if the utilised algorithms or parameters are classified as unreliable

All operations that are performed by the client administrator are logged in an audit.

Logging of the archive operations

In order to be able to retrace the archive operations, the technical directive TR 03125 requires the comprehensive logging of all activities which are initiated by the client software and the administrators. This covers not only the logging of changes, but also of document access. Because log information can contain relevant functional information, these logs must also be protected against unauthorised access.

For this reason, Fujitsu SecDocs makes a distinction between logging and audit data.

Logging

Logging is viewed by Fujitsu SecDocs as the recording of activities in the form of data sets, which are primarily used for the analysis of malfunctions or abnormal system behaviour even at a later stage in order to deduce suitable measures. Potential users of the logging data are the system administrator, the archive administrator or the service technician of the manufacturer. Records in log files do not contain any information with content of archived documents.

Audit

An audit is viewed by Fujitsu SecDocs as the recording of activities in the form of data sets, in order to prove when certain operations were performed in the archive. Contrary to logging, audits primarily contain functional data and not technical data. The audits are performed in a tenant-specific manner, i.e. a tenant does not gain access to the audits of other tenants. The same applies to system and archive administrators.

The user (client) can determine which information from the metadata of the SDOs for individual document types is included in the audit data sets.
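The separation of logging from audit data, as an added example (not Fujitsu SecDocs code): audit records are kept per tenant, carry only the metadata elements selected for the document type, and are readable by that tenant only; log records carry technical identifiers but no document metadata and are readable by administrators or the service technician. The requester kinds, field names and the sample metadata are constructed assumptions.

```python
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, List, Mapping


class ArchiveJournal:
    """Keeps technical log records apart from tenant-specific audit records."""

    LOG_READERS = ("system-admin", "archive-admin", "service-technician")  # assumed requester kinds

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        self._clock = clock                        # injectable so records are reproducible
        self._log: List[dict] = []                 # technical records: never document content
        self._audit: Dict[str, List[dict]] = {}    # tenant -> functional records

    def log(self, component: str, level: str, message: str, **identifiers: str) -> dict:
        """Record for malfunction analysis; carries technical identifiers, no metadata values."""
        record = {"time": self._clock().isoformat(), "component": component,
                  "level": level, "message": message, **identifiers}
        self._log.append(record)
        return record

    def audit(self, tenant: str, org: str, role: str, operation: str, aoid: str,
              metadata: Mapping[str, str], audit_elements: Iterable[str]) -> dict:
        """Functional record proving when an operation took place; keeps only the configured elements."""
        selected = {name: metadata[name] for name in audit_elements if name in metadata}
        record = {"time": self._clock().isoformat(), "tenant": tenant, "org": org, "role": role,
                  "operation": operation, "aoid": aoid, "metadata": selected}
        self._audit.setdefault(tenant, []).append(record)
        return record

    def read_log(self, requester_kind: str) -> List[dict]:
        """Log data serves administrators and the manufacturer's service technician."""
        if requester_kind not in self.LOG_READERS:
            raise PermissionError(f"{requester_kind!r} may not read the system log")
        return list(self._log)

    def read_audit(self, requester_kind: str, requester_tenant: str) -> List[dict]:
        """Audits are tenant-specific: neither other tenants nor administrators see them."""
        if requester_kind != "tenant":
            raise PermissionError("audit records are only accessible to the tenant they belong to")
        return list(self._audit.get(requester_tenant, []))
```

Keeping the two record types in separate stores, rather than filtering one store at read time, is what makes the access rule easy to verify: a log reader can never be handed a record that contains functional data, because none is ever written there.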


Operator models

Fujitsu offers the user differentiated models for the operation of long-term trusted preservation.

Fujitsu SecDocs can be employed in a flexible manner in regard to operation location, price model and operational services and can be operated as a license or lease model, locally or in one of the Fujitsu highly secure computer centres, under the responsibility of the customer or as a 'Managed Service by Fujitsu'.

The services extend along the entire Fujitsu service portfolio and run from process consulting through provision of Secure Dynamic Infrastructures up to the operation of long-term trusted preservation. Hybrid types are possible and in this manner can be ideally matched to specific cycles, business requirements and (ASP) operator models. The advantage: highest possible flexibility in operation under consideration of cost and quality.

License

The operator has the choice whether to run Fujitsu SecDocs under a license or in a software leasing model (SaaS). Own licenses can be operated both under own responsibility or in accordance with service level agreements by Managed Services by Fujitsu. Application service providers can offer their own instances.

Preservation as a service

Managed infrastructure

Fujitsu will offer the long-term trusted preservation services, which ensure the standardised operation of the solution and infrastructure in a cost-efficient and reliable manner. In this manner, experienced specialists with archiving and technology knowledge can administrate even the largest IT environments quickly and cost-efficiently and lower operational costs due to greater capacity utilisation of their IT resources.

Infrastructure-as-a-Service

Fujitsu will offer the long-term trusted preservation as a secure, highly available service for jointly used infrastructure. Invoicing is usually performed on the basis of usage based on predefined characteristic values. The responsibility for the operation and legal conformity lies fully with Fujitsu and relieves the user from the provision of own resources.


All rights reserved, in particular commercial intellectual property rights. Subject to change of technical specifications as well as availability. No liability or guarantee for completeness, up-to-dateness and correctness of the specified data and images is granted. Designations used can possibly be brands and/or copyrighted material, the use of which for own purposes may infringe the rights of the respective owners. Additional details can be found at: http://ts.fujitsu.com/terms_of_use.html

Published by: Fujitsu Technology Solutions GmbH; de.ts.fujitsu.com © 2010, 2011

Contact: Fujitsu Technology Solutions GmbH, Mies-van-der-Rohe-Str. 8, 80807 Munich, Germany. E-mail: [email protected]; ts.fujitsu.com/secdocs