Long-term Trusted Preservation of Electronic Documents


An increasing number of business processes are presented in
electronic form as this lowers costs and expedites administration
in a lasting manner. Accordingly, an increasing number of electronic
documents are replacing the handling of expensive paper receipts.
The challenge: Electronic documents must have the same permanent
evidential value and must be trustworthy in order to legally safeguard
business processes. Fujitsu SecDocs supports these endeavours
with the first certified evidence-preserving long-term archive as
an integrated solution on the basis of open standards.

Published in: Technology


Page 1 of 20, ts.fujitsu.com/secdocs
White paper: Fujitsu SecDocs powered by OpenLimit®
Long-term Trusted Preservation of Electronic Documents
Table of contents

Management summary 3
Fundamental aspects 4
  Paper-bound and electronic documents in long-term preservation 4
  Long-term trusted preservation 4
  Cryptographic processes as a means for evidence preservation 4
  Types of signature 5
  Advantages and legal effects of the Qualified Electronic Signature (QES) 6
  Signature renewal for evidence preservation 6
  Requirements in regard to storage systems for long-term preservation 7
  Technical directive 03125 and protection profile ACM_PP of the BSI 7
Fujitsu SecDocs 8
  Architecture 8
  Basic functions 10
  Metadata and document types 12
  Multitenancy 13
  Structure of the document storage 13
  Storage systems 14
  Permissions concept 15
  Extended functions 15
  Administration 16
  Tenant administration 17
  Logging of the archive operations 17
Operator models 18
  License 18
  Preservation as a service 18

Revision

Version 1.0 / 28.10.2009, authors: Herbert Sattler, Peter Falk, Dr. Jürgen Neises, Team TSP ES
Version 1.1 / 26.02.2010, author: Peter Falk; changes: detail changes
Version 2.0 / 01.11.2010, authors: Herbert Sattler, Peter Falk, Alexander Dörner, Holger Ebel, Tobias Gondrom; changes: comprehensive changes due to technical advancements and new legal conditions
Version 2.1 / 28.10.2011, author: Alexander Dörner; changes: detail changes
Management summary

An increasing number of business processes are presented in electronic form as this lowers costs and expedites administration in a lasting manner. Accordingly, an increasing number of electronic documents are replacing the handling of expensive paper receipts. The challenge: Electronic documents must have the same permanent evidential value and must be trustworthy in order to legally safeguard business processes. Additionally, it must be possible to provide proof of integrity and authenticity at all times, in some cases for a period of over 100 years.

As an evidence-preserving long-term archive, Fujitsu SecDocs offers the permanent protection of electronic documents with the utilisation of certified security components. Fujitsu SecDocs uses the tried and tested evidence preservation in accordance with ArchiSig and an improved concept for the standardised coupling of the evidence values to the document.

The benefit: The evidence-preserving long-term archive creates trust in electronic business. The archive solution is easy to use, cost-efficient and, as a web service, can be quickly integrated in heterogeneous IT infrastructures. The evidence preservation is performed in an automated manner, thereby removing the need for specialised signature knowledge or proprietary evidence preservation systems. In total, Fujitsu SecDocs leads to a lasting reduction of the complexity of long-term preservation and enables easy and quick data migration. Due to increased legal security and standardisation in evidence preservation, the transformation process to electronic documents is accelerated further.

Fujitsu SecDocs supports these endeavours with the first certified evidence-preserving long-term archive as an integrated solution on the basis of open standards.
Fundamental aspects

Paper-bound and electronic documents in long-term preservation

The properties of paper-bound and electronic documents differ considerably. While a paper document can be read at any time, software tools are required in order to open and read electronic documents. Without specific measures it is not possible to see whether electronic documents have remained unaltered since their creation and whether they were actually produced by the creator specified in the document. Without additional processing, the integrity and authenticity of electronic documents cannot be ensured.

Additionally, paper documents differ from electronic documents in their permanent presentability. While paper can be read even after a long time, electronic files often can no longer be opened after the first technological migration. Therefore, corresponding technical and organisational measures must ensure that electronic documents remain verifiably unchanged for at least the duration of the required preservation period and can be presented true to the original. A guarantee of unchanged presentation in the original form is currently only warranted for the PDF/A and TIFF formats.

For proving the integrity and authenticity of electronic documents, electronic signatures have proven to be both cost-efficient and contractually capable. For this reason, both aspects are especially taken into consideration for (evidence-preserving) long-term preservation.

Long-term trusted preservation

The goal of trusted preservation of electronic data for very long periods of time is the verifiably authentic, i.e. attributable and intact, storage, conservation and availability of this data, for at least the period of time specified by the legally demanded preservation periods. Safeguarding the availability of electronic documents also includes ensuring, in the long term, the usability (marketability) of the data and its connection with the business cases on which it is based on the corresponding current IT systems. Fujitsu SecDocs is an evidence-preserving long-term archive on the basis of the "Technische Richtlinie" (technical directive) 03125 of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and fully supports this directive.

Cryptographic processes as a means for evidence preservation

Fundamental requirements in regard to the preservation of electronic documents for evidence-preserving purposes are the availability, confidentiality, verifiability of authenticity (origin, genuineness) and integrity of the archived information for the entire duration of the storage period. Additional technical measures are required in order to ensure the authenticity and integrity over the entire lifetime of the electronic document in the archive. According to the current state of the art, electronic signatures and time stamps are the most effective and cost-efficient measures to ensure this protection. Fujitsu SecDocs relies on these technologies for evidence preservation.
Types of signature

The EU directive 1999/93/EC defines EU-wide general conditions for electronic signatures. In the implementation of this directive in national German legislation by means of the Signaturgesetz (SigG, "signature law"), German legislators have defined different types of signatures in §2 SigG that feature different security levels and build on top of each other.

• Electronic signatures are "[…] Daten in elektronischer Form, die anderen elektronischen Daten beigefügt oder logisch mit ihnen verknüpft sind und die zur Authentifizierung dienen" (§2 No. 1 SigG) ([…] data in electronic form, which is attached to other electronic data or logically connected to this data and serves for authentication).

• Advanced electronic signatures are "[…] elektronische Signaturen […], die […] ausschließlich dem Signaturschlüssel-Inhaber zugeordnet sind [und] die Identifizierung des Signaturschlüssel-Inhabers ermöglichen [sowie] mit Mitteln erzeugt werden, die der Signaturschlüssel-Inhaber unter seiner alleinigen Kontrolle halten kann, und [die] mit den Daten, auf die sie sich beziehen, so verknüpft sind, daß eine nachträgliche Veränderung der Daten erkannt werden kann." (§2 No. 2 SigG) ([…] electronic signatures […] which […] are exclusively assigned to the signature key owner [and] enable the identification of the signature key owner [as well as] are generated with means that the signature key owner can keep under his sole control, and are connected with the data to which they refer in such a manner that any later change of the data can be recognised).

• Qualified electronic signatures (QES) are advanced electronic signatures, which "[…] auf einem zum Zeitpunkt ihrer Erzeugung gültigen qualifizierten Zertifikat beruhen und […] mit einer sicheren Signaturerstellungseinheit erzeugt werden." (§2 No. 3 SigG) ([…] are based on a qualified certificate that is valid at the time of their creation and […] are generated with a secure signature creation unit).

The qualified certificate on which the qualified electronic signature (QES) is based is issued by a certification authority (CA) in accordance with §5 and §7 SigG. In order to receive such a signature, the user must identify himself at a certification authority. The certificate, which is signed with the secret key of the CA, contains a public key for the validation of the owner's signature. The accompanying private key for the signing of documents (signature key) is confidentially protected in the signature creation unit (e.g. a chip card).

Another type of qualified electronic signature, not further specified in SigG, is the qualified time stamp. This is a qualified electronic signature created by the Time Stamping Authority (TSA) of the certification authority and is a confirmation that a specific content was present at a specific point in time. The qualified electronic signature, on the other hand, registers who signed the document and thereby proves the authenticity of the author in addition to the integrity of the document.
Advantages and legal effects of the Qualified Electronic Signature (QES)

Only the QES may replace the legally prescribed written form (§§ 126, 126a, 127 BGB) and is accepted as prima facie evidence for private electronic documents and a binding declaration in lawsuits (§§ 371a, 416 ZPO). In the case of public documents signed with a qualified signature, full proof of the certified content is provided (§§ 371a, 417 ZPO). For these reasons, Fujitsu SecDocs recommends the use of the QES and the qualified time stamp for securing the evidence values of electronic documents. The evidence value of an electronically signed document is determined by means of a signature verification, which must meet the requirements set by the Signaturgesetz (signature law, SigG) and the Signaturverordnung (signature regulation, SigV).

Signature renewal for evidence preservation

The strength of the algorithms (respectively their parameters) and of the processes on which the digital signature is based can decrease due to technological progress and new scientific insight in cryptanalysis. This means that certain algorithms, their parameters or processes are no longer applicable for electronic signatures. The German "Bundesnetzagentur" (Federal Network Agency, BNetzA) is the responsible authority as stipulated by SigG and, in cooperation with the German Federal Office for Information Security (BSI), annually publishes an overview of the suitable algorithms in accordance with Annex 1, Section 2, SigV. If electronic documents carrying a Qualified Electronic Signature (QES) are to be archived in an evidence-preserving manner beyond the period of suitability of the utilised algorithm, appropriate measures must be implemented in the archiving system.

In accordance with § 17 SigV, the qualified signed data must be updated with a new qualified electronic signature (signature renewal) before the suitability of the utilised algorithm expires. This signature renewal is performed by means of a qualified time stamp, must include the respective data, the old signatures and the time stamp, and must be based on suitable algorithms and parameters. Experience shows that the parameters and algorithms of a digital signature no longer provide sufficient security after around 5 to 6 years and therefore require a signature renewal. It is not necessary to renew each individual document with its own time stamp. In correspondence with the ArchiSig concept, several documents can be grouped and fitted with a joint time stamp. In order to attest the integrity of a document stored in a long-term archive, the archive system must generate an evidence record for the document (in accordance with IETF RFC 4998), which must contain a seamless chain of valid time stamps reaching back to the point in time at which the document entered the archive system. This procedure is applied in an automated manner in Fujitsu SecDocs.

"By using the global ERS standard, Fujitsu SecDocs ensures the optimal evidence value of the archived data and the efficient and economic renewal of stored signatures." (Tobias Gondrom, chairman of the IETF Working Group LTANS (Long-term Archiving and Notary Services))

Image: Chain of time stamps for evidence preservation
Requirements in regard to storage systems for long-term preservation

Storage systems for electronic long-term preservation must meet specific technical requirements.

• Simple migration of the data to/from the storage system. The preservation time of electronic documents in archives is usually longer than the economic and technical operating time of a storage system. Therefore, the migration of data from one storage system to a newer storage system is inevitable. From the view of the storage system, simplicity of data migration is achieved by using common access protocols such as CIFS or NFS.

• Independence of the storage system from the archive application. Due to the expected migrations, the electronic documents must be accessible on the storage systems even without access to the archive application. A proprietary connection between the archive application and the storage system, in which access to electronic documents is only possible by means of information from the archive application, complicates the migration and is not desired.

• Technical protection against data loss by means of redundant data storage. In order to protect documents against loss due to technical malfunctions of the storage systems or due to physical destruction such as by fire, water or theft, the electronic documents must be replicated at offsite storage systems. The replication should be performed automatically on the storage system level and be completely transparent to the archive application.

• Protection against data loss due to unauthorised manipulation or destruction. In order to protect electronic documents against physical loss or manipulation, archives should be protected by means of WORM functionality (Write Once, Read Many). In this manner, it is safeguarded that neither an administrator of the archive system nor the leading application can manipulate or delete data.

The combination of these complementary disciplines currently forms the safest protection for long-term trusted preservation: the usage of cryptographic procedures proves integrity and authenticity, while WORM mechanisms in the storage system ensure physical protection against deletion and manipulation.

Technical directive 03125 and protection profile ACM_PP of the BSI

In 2008 the BSI published the protection profile titled "Protection Profile for an ArchiSafe Compliant Middleware for Enabling the Long-Term Preservation of Electronic Documents (ACM_PP)", which is used as the basis for a Common Criteria security certification of products for the evidence-preserving electronic long-term archive. Components of the Fujitsu SecDocs product are currently in the certification process in accordance with ACM_PP. Following the successful ACM_PP certification, evaluated by independent inspection authorities and certified by the BSI, a trustworthy component will be available which offers "certified security". This "ArchiSafe Compliant Middleware", which is integrated in Fujitsu SecDocs in accordance with ACM_PP, is a core component of an evidence-preserving electronic long-term archive that meets the specifications of the technical directive 03125 (TR-VELS/TR-ESOR). The current version of directive TR-03125 (TR-VELS, "Vertrauenswürdige elektronische Langzeitspeicherung", trustworthy electronic long-term storage) is being revised in regard to wording and technology and will result in an updated version of the directive TR-03125 (TR-ESOR, "Beweiswerterhaltung kryptographisch signierter Dokumente", evidence preservation of cryptographically signed documents). As soon as the certification process for the new version has been defined, an overall certification of the Fujitsu SecDocs product in accordance with directive TR-03125 will be sought.
Fujitsu SecDocs powered by OpenLimit®

Fujitsu SecDocs was developed on the basis of open standards in cooperation with OpenLimit SignCubes AG, an internationally leading provider of certified software for electronic signatures and identities. The solution is constructed in a modular manner, is suitable for multiple clients and features an integrated ArchiSig security module that has been certified in accordance with CC EAL 4+ by the BSI. A unique selling point is the simplicity of use by means of the evidence values safeguarded by Qualified Electronic Signatures (QES) as well as the automated signature renewal for permanent and cost-efficient evidence preservation.

Architecture

Fujitsu SecDocs is a solution for the long-term trusted preservation of electronic documents. The object to be archived is submitted to Fujitsu SecDocs by the business application (client application) via a web service interface. SecDocs then takes the object to be archived and ensures its integrity for long periods of time in a guaranteed and verifiable manner and, if the object to be archived is protected by electronic signatures, also ensures its authenticity and non-repudiation. Fujitsu SecDocs generates and stores a standardised evidence record for each archived object as proof of its integrity and authenticity. This evidence record can be verified by third parties at any time.

A hash value, generated by means of a suitable hash algorithm, is utilised for the correlation between the document and the evidence record. In correspondence with the ArchiSig concept, this hash value is combined with the hash values of other archived objects and sent to a certified time stamping authority, which complements the objects with the current time stamp, encrypted with the private key of the time stamping authority; the result is returned to Fujitsu SecDocs together with the certificate of the time stamping authority. With this, Fujitsu SecDocs generates the evidence record for the corresponding archive object in accordance with a standardised procedure.

Subsequently, Fujitsu SecDocs hands over the document with the corresponding evidence record, together with additional administrative information, to a storage system for long-term preservation. The user or the operator of Fujitsu SecDocs is free in the choice of storage solution and can in this manner use the specific properties and functions that are available on the market.

In its main features, the architecture of Fujitsu SecDocs corresponds with the reference model specified in directive TR 03125, in particular in regard to the core components defined in the directive, which are used for evidence preservation and are of relevance for certification. Fujitsu SecDocs offers the basic functions demanded in the technical directive, which however have been expanded and complemented in regard to function in order to enable a wide field of use, also outside the public sector. The archive system is primarily responsible for permanent evidence preservation, while the storage of the documents to be archived relies on state-of-the-art storage systems.

Fujitsu SecDocs is comprised of the following functional areas or core components:

Certified security components. These contain the software components developed by OpenLimit SignCubes AG, which are of relevance for evidence preservation and cover the following function areas:
• Validation of electronic signatures that may be contained in documents transferred to Fujitsu SecDocs for preservation, as well as the corresponding generation of the validation reports, which also contain the OCSP responses
• Hash value generation and hash value validation for the corresponding relevant algorithms and parameters
• Combining hash values of multiple archive objects in a single joint hash value in correspondence with the ArchiSig concept
• Obtaining time stamps from suitable time stamping authorities
• Generation of evidence records for the individual archive objects
• Validation of evidence records and generation of reproducible validation reports
• Renewal of hash values and time stamps and generation of correspondingly extended evidence records

Archiving functions. With basic functions demanded by directive TR 03125 as well as extended archive functions.

Storage plug-ins. For the connection to different storage systems and their specific properties. The first version of Fujitsu SecDocs is delivered with a storage plug-in for NetApp. Additional plug-ins will follow depending on customer requirements.

Application interface. A web service interface for the connection of client software such as DMS, ERP or BPM systems as well as proprietary customer-specific applications.

Administration interface. A web service interface for the connection of administration clients. Fujitsu SecDocs will make a web-based standard client software available on the basis of this web service interface. Additionally, the administration interface can be used to utilise certain functions from existing management or monitoring systems.

Image: Components in Fujitsu SecDocs
Basic functions

The basic services provided by Fujitsu SecDocs are oriented on the functions for the evidence-preserving storage of electronic documents as stipulated by the technical directive 03125 of the German BSI and the protection profile ACM_PP. In addition to the actual documents (the content data), the data objects to be archived (Submission Data Objects, SDO), which are exchanged between the client software and the archive system, also contain metadata, which describes the content of the object in a structured form. Both parts, content data and metadata, are packaged by the client software in an XML data structure defined by the user and handed over to the archive system for archiving. Exactly these data (content data and metadata) are returned when reading the archived data objects. According to directive TR 03125, the archived objects are addressed by their so-called Archive Object ID (AOID).

The following basic functions (web service operations) are offered:

submitSDO: Transfer of a Submission Data Object (SDO) to Fujitsu SecDocs under its specified globally unique AOID. Before calling submitSDO, the client application must request and reserve an AOID from Fujitsu SecDocs under which the SDO shall be stored.

retrieveSDO: Retrieve the archive object archived under the specified AOID.

deleteSDO: Delete the archive object with the specified AOID in the archive system.

requestForEvidence: Read the evidence record for the archive object with the specified AOID.

verifyER: Verification of the integrity of an archive object, specified by its AOID, by means of the corresponding evidence record (ER) stored in the storage system. The validation report is returned to the client application.

Image: Basic functions in Fujitsu SecDocs

The following actions are performed by Fujitsu SecDocs during the archiving of documents (submitSDO):

• XML schema validation of the submitted SDO
• If the SDO contains signatures, these are verified and the corresponding validation reports are generated. SDO and validation reports are stored in the storage system in accordance with the storage structure specified by the user.
• Setting of the storage period during which the SDO may not be deleted. If the storage system offers functions for the prevention of premature deletion, these can also be used by Fujitsu SecDocs (such as NetApp SnapLock).
• Calculation of the hash value of the document and its addition to a hash tree in accordance with the ArchiSig concept.
• Compilation of the storage object (Archive Data Object, ADO) and transfer to the storage system by means of the storage plug-in for storage in the document memory.

Fujitsu SecDocs does not request a dedicated qualified time stamp as proof of integrity for each individual SDO. Because time stamping authorities usually charge for qualified time stamps, in correspondence with the ArchiSig concept a time stamp is only requested for a definable number of SDOs. After a configurable number of SDOs or after a definable time span, hash values are calculated for the cached SDOs and entered in a Merkle hash tree in accordance with the ArchiSig concept. The resulting root hash value is then transferred to the time stamping authority for time stamping. Subsequently, the corresponding evidence record with its reduced hash tree is derived from the hash tree for each SDO represented in it and stored in the storage system together with the SDO. The original hash tree is then no longer required.

If the algorithms or their parameters used for securing the documents are declared no longer suitable by the German Federal Network Agency, Fujitsu SecDocs, initiated by the administrator, automatically performs a renewal of all affected signatures in accordance with the ArchiSig concept in order to ensure evidence preservation.

Image: Evidence preservation in accordance with the ArchiSig concept in Fujitsu SecDocs
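The batching, reduced hash trees and time stamp renewal described in the basic-functions and signature-renewal sections, as an added example that is not Fujitsu's or OpenLimit's code: it builds an ArchiSig-style Merkle tree over a batch of SDO hashes, time-stamps only the root, derives one reduced hash tree per SDO, verifies each SDO against nothing but its own evidence record, and renews the evidence under a stronger hash algorithm in the RFC 4998 style. The time stamping authority is simulated with an HMAC under a constructed key, and the SDO contents are constructed.

```python
import hashlib
import hmac

# Constructed TSA secret: stands in for the TSA's private signing key. A real
# qualified time stamp would be an RFC 3161 token signed by the TSA.
TSA_KEY = b"constructed-tsa-key-not-a-real-secret"


def digest(algo, data):
    return hashlib.new(algo, data).digest()


def combine(algo, a, b):
    # RFC 4998 sorts the hash values of a group in binary ascending order before
    # concatenating, so a sibling's left/right position need not be recorded.
    return digest(algo, b"".join(sorted([a, b])))


def timestamp(algo, root, t):
    """Simulated qualified time stamp over the root hash of one hash tree."""
    msg = algo.encode() + root + str(t).encode()
    return {"algo": algo, "root": root, "time": t,
            "sig": hmac.new(TSA_KEY, msg, "sha256").digest()}


def check_timestamp(ts):
    msg = ts["algo"].encode() + ts["root"] + str(ts["time"]).encode()
    return hmac.compare_digest(hmac.new(TSA_KEY, msg, "sha256").digest(), ts["sig"])


def build_tree(algo, leaves):
    """Merkle hash tree as a list of levels; level 0 = leaves, last = [root]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            # an unpaired node at the end of a level is carried up unchanged
            nxt.append(combine(algo, cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels


def reduced_tree(levels, idx):
    """Sibling hashes from leaf idx up to the root: the SDO's reduced hash tree."""
    path = []
    for level in levels[:-1]:
        sib = idx ^ 1
        path.append(level[sib] if sib < len(level) else None)  # None: carried up
        idx //= 2
    return path


def root_from_path(algo, leaf, path):
    h = leaf
    for sib in path:
        if sib is not None:
            h = combine(algo, h, sib)
    return h


def chain_bytes(chain):
    # Canonical serialisation of one archive time stamp chain for re-hashing
    parts = [chain["algo"].encode()] + [p or b"-" for p in chain["path"]] + [chain["ts"]["sig"]]
    return b"".join(parts)


def renewal_leaf(algo, sdo, prev_chains):
    # Hash tree renewal (RFC 4998): the new leaf covers the document and all
    # previous evidence, so time stamps made with a retired algorithm stay secured
    prev = b"".join(chain_bytes(c) for c in prev_chains)
    return digest(algo, digest(algo, sdo) + digest(algo, prev))


def archive_batch(algo, sdos, t):
    """One qualified time stamp for a whole batch of SDOs; one ER per SDO."""
    levels = build_tree(algo, [digest(algo, s) for s in sdos])
    ts = timestamp(algo, levels[-1][0], t)
    return [{"chains": [{"algo": algo, "path": reduced_tree(levels, i), "ts": ts}]}
            for i in range(len(sdos))]


def renew_batch(new_algo, sdos, ers, t):
    """Append a new chain to every ER once the old algorithm is no longer suitable."""
    leaves = [renewal_leaf(new_algo, s, er["chains"]) for s, er in zip(sdos, ers)]
    levels = build_tree(new_algo, leaves)
    ts = timestamp(new_algo, levels[-1][0], t)
    for i, er in enumerate(ers):
        er["chains"].append({"algo": new_algo, "path": reduced_tree(levels, i), "ts": ts})
    return ers


def verify_er(sdo, er):
    """Verify one SDO against its own ER only; no other SDO of the batch is needed."""
    prev_time = None
    for i, chain in enumerate(er["chains"]):
        algo, ts = chain["algo"], chain["ts"]
        leaf = digest(algo, sdo) if i == 0 else renewal_leaf(algo, sdo, er["chains"][:i])
        if ts["algo"] != algo or not check_timestamp(ts):
            return False
        if prev_time is not None and ts["time"] <= prev_time:
            return False  # a renewal must be time-stamped after the evidence it covers
        if root_from_path(algo, leaf, chain["path"]) != ts["root"]:
            return False
        prev_time = ts["time"]
    return True
```

Running `archive_batch("sha1", docs, t)` followed by `renew_batch("sha256", docs, ers, t_later)` mirrors the situation the text describes: a batch secured while SHA-1 was still suitable, then renewed under SHA-256 without contacting the TSA once per document.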
  12. 12. white paper Secdocs Page 12 of 20 Fujitsu SecDocs performs this renewal of hash values, signatures and time stamps in agreement with the signature law (Signaturgesetz) and the signature regulation (Signaturverordnung) in an automated manner and even in the case of larger data volumes, quickly and cost-efficiently. In a corresponding manner, Fujitsu SecDocs reduces the complexity of evidence preservation in accordance with the ArchiSig concept in such a manner that users and administrators of the system do not need to require any knowledge of signature technologies. Unconditional deletion of SDOs (deleteSDO) is only possible, when their preservation period has expired. If the connected storage system enables it, the archive objects are not only deleted logically (deletion from directories and the release of the storage areas), but also physically (e.g. overwriting of the data areas occupied by the SDO with random numbers before their deletion). In the case that the archived documents are to be deleted for specific reasons before expiration of the preservation period, the specifica- tion of a reason is mandatory when retrieving deleteSDO in accord- ance with the technical directive and protection profile. Fujitsu SecDocs will then only delete the data object after confirmation by an authorised party. In any case, Fujitsu SecDocs will perform a logical deletion and if the storage system allows, also a deletion in the storage areas. The deletion of individual documents does not limit the proof of integrity of the remaining documents in any manner, as the reduced hash trees for each document can be verified in an independent manner. The retrieval of functions by the client software is always performed via web service interfaces (SOAP via HTTPS). Due to the fact that most client applications can utilise external services in the form of web services, the technical integration of Fujitsu SecDocs is usually possible without difficulty. 
Because SOAP over HTTPS offers no transactional semantics, the update operations of the Fujitsu SecDocs archive system are designed to be idempotent: repeating a service operation (for example after a timeout or a lost response) does not create 'SDO orphans', i.e. garbage objects that would otherwise remain permanently in the storage system. This matters especially in critical use cases in which the complete deletion of documents must be guaranteed for reasons of information protection, such as the complete deletion of a record.

Metadata and document types

Depending on the business domain, documents of different types are archived, e.g. invoices, deeds, contracts, patents, last wills and testaments. The metadata of the individual document types describe very different circumstances and must therefore be designed by the user specifically in regard to their structure and content. From a technical point of view, document types are defined as XML schemas and registered in Fujitsu SecDocs. This allows Fujitsu SecDocs to validate the SDOs that the client software submits for archiving (submitSDO).

Fujitsu SecDocs requires specific items from the metadata of the SDOs for the storage and administration of the archived material, e.g. the embedded content data such as PDF/A or TIFF files, the corresponding electronic signatures, or the preservation time of the SDOs. In order to retrieve these items from the SDOs, Fujitsu SecDocs needs to know, for each document type (SDO type), where they are located. For this, a filter must be defined for each SDO type (XML schema) and registered in Fujitsu SecDocs together with the respective SDO type. Additionally, parameters for the SDO type can be stored in the filter definition; these then apply to all SDOs of this type, e.g.
• the preservation period (e.g. 10 years for invoices), which then does not have to be specified in the metadata of each document of this type
• the format of the documents of this document type, e.g. PDF/A with or without embedded signature
• the definition of the logical directory structure (e.g. record/process/document or year/month/day) using elements from the metadata
• the selection of metadata elements that are to be included in the audit of the archive operations
• the metadata elements that are to be used for indexing and retrieval
The user therefore has a wide range of usage possibilities and type-specific processing at his disposal.

Multitenancy

Fujitsu SecDocs administers documents of different customers, clients or organisational units strictly separated from each other, so that a tenant can never access documents or parameters that belong to a different tenant. Tenant-specific settings include, for instance:
• physically separated document storage in tenant-specific volumes or volume sets, and/or logically separated document storage in a tenant-specific directory
• provision of a directory structure for documents within the tenant-specific volume sets or directories
• separation of the documents of different organisational units of the tenant (e.g. departments) in order to prevent cross-departmental access
• database tables for the administrative data of the archive
• roles and access authorisations
• access permissions for roles
• selection of the time stamping authorities that are subject to charges
In Fujitsu SecDocs, the tenant-specific attributes are defined by an administrator of the tenant and not by the administrator of the archive system (see Administration).

Structure of the document storage

Fujitsu SecDocs offers the user the highest possible degree of flexibility in regard to the selection of the storage structure in the storage system. Usually, documents that belong together in their subject area are also filed in the storage system in a specific directory structure (e.g. record, process, document) that is defined by the business solution and its document structure. A tree-like directory structure (analogous to file system directories) is used as the storage structure for electronic documents. A document is a leaf of the directory tree and is always addressed via its access path, which contains and specifies all nodes above the document, including the volume designator as the root node.
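The following added example (illustrative code, not Fujitsu SecDocs) shows the two mechanisms described above working together: a filter definition registered for one SDO type supplies the type-level parameters (where the content sits, the default preservation period, which metadata elements name the directory nodes and which are indexed), and submitSDO validates each SDO against it. It also shows why idempotent update operations matter: the AOID is derived from the submitted bytes, so a client that repeats submitSDO after a lost response gets the same AOID back instead of leaving an orphaned second copy, and a repeated deleteSDO is a harmless no-op. The XML layout, the element names, the use of a content hash as AOID and the sample invoice are all assumptions made for this example.

```python
"""Added example: registering an SDO type with a filter definition and submitting SDOs
idempotently. Illustrative code, not Fujitsu SecDocs; the XML layout, element names and
the content-hash AOID are assumptions made for the example."""
import hashlib
import xml.etree.ElementTree as ET  # for untrusted SDOs use a hardened parser (e.g. defusedxml)
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class FilterDefinition:
    """Type-level parameters that apply to every SDO of one registered document type."""
    sdo_type: str             # root element name; stands in for the registered XML schema
    required: tuple           # metadata elements every SDO of this type must carry
    content_path: str         # where the embedded content data (e.g. PDF/A) is located
    preservation_years: int   # type default, so it need not be repeated in each SDO
    path_template: tuple      # metadata elements that name the directory nodes
    index_fields: tuple       # metadata elements used for indexing and retrieval


class Archive:
    """Minimal archive model: registered types plus a path-addressed object store."""

    def __init__(self):
        self.filters = {}
        self.objects = {}     # aoid -> archived record
        self.index = {}       # (element path, value) -> set of aoids

    def register_type(self, flt):
        self.filters[flt.sdo_type] = flt

    def submit_sdo(self, org_root, xml_bytes, submission_date):
        """Validate the SDO against its registered type and file it; returns (aoid, created)."""
        root = ET.fromstring(xml_bytes)
        flt = self.filters.get(root.tag)
        if flt is None:
            raise ValueError(f"unregistered SDO type {root.tag!r}")
        needed = (*flt.required, flt.content_path, *flt.path_template, *flt.index_fields)
        missing = sorted({p for p in needed if not (root.findtext(p) or "").strip()})
        if missing:
            raise ValueError(f"{root.tag}: missing metadata elements {missing}")
        # Idempotency: the AOID is derived from the submitted bytes (an assumption of this
        # example; a real archive would canonicalise first). Repeating submitSDO after a lost
        # response yields the same AOID and writes no second copy, i.e. no 'SDO orphan'.
        aoid = hashlib.sha256(xml_bytes).hexdigest()[:32]
        if aoid in self.objects:
            return aoid, False
        nodes = [root.findtext(p).strip() for p in flt.path_template]
        start = date.fromisoformat(submission_date)
        self.objects[aoid] = {
            "path": "/".join([org_root, *nodes, aoid]),
            "sdo": xml_bytes,
            "retain_until": start.replace(year=start.year + flt.preservation_years).isoformat(),
        }
        for fld in flt.index_fields:
            self.index.setdefault((fld, root.findtext(fld).strip()), set()).add(aoid)
        return aoid, True

    def delete_sdo(self, aoid):
        """Idempotent delete: a repeat is a no-op, and a successful delete removes the object
        together with every index entry that pointed at it (nothing is left behind)."""
        if self.objects.pop(aoid, None) is None:
            return False
        for key in [k for k, v in self.index.items() if aoid in v]:
            self.index[key].discard(aoid)
            if not self.index[key]:
                del self.index[key]
        return True

    def search(self, element_path, value):
        return sorted(self.index.get((element_path, value), ()))


# Constructed filter definition for the document type "Invoice".
INVOICE_FILTER = FilterDefinition(
    sdo_type="Invoice",
    required=("Metadata/InvoiceNumber",),
    content_path="Content",
    preservation_years=10,
    path_template=("Metadata/Year", "Metadata/Month"),
    index_fields=("Metadata/InvoiceNumber", "Metadata/Customer"),
)

# Constructed sample SDO; the Content element holds a placeholder for base64 PDF/A data.
SAMPLE_INVOICE = b"""<Invoice>
  <Metadata>
    <InvoiceNumber>INV-2011-0042</InvoiceNumber>
    <Customer>Example GmbH</Customer>
    <Year>2011</Year>
    <Month>10</Month>
  </Metadata>
  <Content mimeType="application/pdf">JVBERi0xLjQK</Content>
</Invoice>
"""


def demo():
    """Submit the same SDO twice: one object, one AOID, no orphan."""
    archive = Archive()
    archive.register_type(INVOICE_FILTER)
    first = archive.submit_sdo("/vol1/tenantA/finance", SAMPLE_INVOICE, "2011-10-28")
    second = archive.submit_sdo("/vol1/tenantA/finance", SAMPLE_INVOICE, "2011-10-28")
    return archive, first, second


if __name__ == "__main__":
    archive, (aoid, created), (again, created_again) = demo()
    print(aoid, created, again == aoid, created_again, archive.objects[aoid]["path"])
```

The directory path of the stored object is built from the metadata elements named in the filter (here year/month), so the filter definition, not the individual SDO, decides where documents of a type land and how long they are retained.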
An archived document in the storage structure (leaf node) contains the Archive Data Object (ADO), which among other things contains the SDO, the validation reports and the evidence records. The structure of the ADO has already been designed for future extensions, e.g. the storage of large data objects such as audio or video data.

Storage systems

The physical storage of archived documents is not performed by Fujitsu SecDocs itself but by storage systems that are established on the market. The connection is made by means of storage plug-ins in Fujitsu SecDocs, which are developed and made available for the respective storage systems. The list of plug-ins can be expanded as required without fundamental changes to Fujitsu SecDocs. The following characteristics are preferred for evidence-preserving long-term trusted preservation; how they are implemented depends on the respective storage system:
• permanent write protection (with TrueWORM systems, i.e. storage on WORM media)
• write protection for the duration of the storage period (with SoftWORM systems such as NetApp SnapLock)
• relocation of data that has not been accessed for a longer time onto magnetic tape
• support of standardised protocols, e.g. CIFS and NFS, for easy migration of data
• optional encryption of archived documents
• data backup
• data replication
• high availability
The extent to which these functions are supported depends to a great degree on the storage system that the customer selects for use with SecDocs.

The concrete storage structure can be specified by the user (tenant). The overall directory structure is logically divided into three substructure areas: tenants, organisations and documents. The structure for a tenant (root node of the tenant) is determined by the archive administrator when the tenant is set up. The substructure of the tenant is determined by the respective tenant administrator. It describes the specific directory structure for the organisations (e.g. departments) of the tenant; each organisational unit is assigned a root node within the storage structure of the tenant. Below the root node of the organisational unit, the documents are filed in a document substructure that can be specified for each document type. The names of the nodes of the document directory structure can be taken from the metadata of the documents.

The clear storage structure in the document storage for tenants, organisational units and documents offers a number of decisive advantages, such as
• the possibility of navigating the archive of a tenant or organisation along the directory structure
• the guarantee of completeness of the data volume, e.g. for export or deletion operations on a logical set of documents (e.g. a folder)

Image: Storage structure (tenant, organisational structure, document structure)
Permissions concept

Because the archiving of documents is initiated by upstream systems (client applications), Fujitsu SecDocs is a backend system. If end users initiate requests for the archiving of documents, these are performed by so-called leading applications, e.g. DMS or ERP systems or web applications. The end user is authenticated and authorised by these client systems, which then archive the documents on behalf of the end user. User management and administration are handled by the leading application and not by Fujitsu SecDocs. As a user of Fujitsu SecDocs, the client system must authenticate itself on behalf of the end user at the archive system and is then authorised by Fujitsu SecDocs.

Because the client application assigns different permissions depending on the role of the user, it is useful and necessary that role-based authentication and authorisation are possible towards the archive system. This means that the client application logs on to the archive system with a specific role and may then use only the functions assigned to this role. Role-based authentication is performed at Fujitsu SecDocs by specifying the tenant, the organisational unit and the role. Access is protected, as configured, either by a password-based or by a key/certificate-based authentication mechanism. Following successful authentication, the root node for the document storage is determined from the tenant and the organisational unit. New documents to be archived are stored under this node. Operations on already archived documents are only possible if these were stored below the root node of the organisational unit.
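The added example below (illustrative code, not Fujitsu SecDocs) models the permissions concept just described together with the storage structure from the previous section: a client application logs on with tenant, organisational unit, role and a credential; the root node of the organisational unit is fixed at login; every operation is checked against the role's permissions and is confined to that root node. The confinement check is where a practitioner should look closely, because a path-addressed archive must reject `..` segments, relative paths and prefix tricks such as `/vol1/tenantA/financeX`, not merely compare string prefixes. The export of a node also shows how the tree structure yields a complete set of documents for export or deletion. Tenant names, roles, permission names, credentials and the password-based login are constructed assumptions.

```python
"""Added example: role-based login of a client application and confinement of all operations
to the root node of its organisational unit. Illustrative code, not Fujitsu SecDocs;
tenants, roles, permission names and credentials are constructed for the example."""
import hashlib
import hmac
import posixpath
from dataclasses import dataclass


class AccessDenied(Exception):
    """Authentication or authorisation failure towards the archive."""


def _credential(salt, secret):
    """Salted hash of a password-based client credential (constructed for the example)."""
    return salt, hashlib.sha256(salt + secret).hexdigest()


# Constructed tenant configuration. In the real system the archive administrator fixes the
# tenant root and the tenant administrator defines org units, roles and permissions.
TENANTS = {
    "tenantA": {
        "root": "/vol1/tenantA",
        "org_units": {"finance": "finance", "hr": "hr"},   # org unit -> node under tenant root
        "roles": {
            "archiver": {"submitSDO", "retrieveSDO"},
            "reader": {"retrieveSDO", "verifySDO"},
            "archivist": {"submitSDO", "retrieveSDO", "verifySDO", "deleteSDO", "exportNode"},
        },
        "credentials": {   # (org unit, role) -> credential of the client application
            ("finance", "archiver"): _credential(b"salt-1", b"dms-finance-secret"),
            ("finance", "archivist"): _credential(b"salt-2", b"archivist-finance-secret"),
            ("hr", "reader"): _credential(b"salt-3", b"hr-portal-secret"),
        },
    },
}


@dataclass(frozen=True)
class Session:
    tenant: str
    org_unit: str
    role: str
    root: str   # root node of the organisational unit, fixed at login


def login(tenant, org_unit, role, secret):
    """Role-based authentication: tenant, organisational unit, role and credential."""
    cfg = TENANTS.get(tenant)
    if cfg is None or org_unit not in cfg["org_units"] or role not in cfg["roles"]:
        raise AccessDenied("unknown tenant, organisational unit or role")
    cred = cfg["credentials"].get((org_unit, role))
    if cred is None:
        raise AccessDenied("role not granted to this organisational unit")
    salt, digest = cred
    if not hmac.compare_digest(digest, hashlib.sha256(salt + secret).hexdigest()):
        raise AccessDenied("bad credential")
    return Session(tenant, org_unit, role, posixpath.join(cfg["root"], cfg["org_units"][org_unit]))


def within_root(root, path):
    """True if the normalised absolute path is the root or lies below it. Rejects '..'
    escapes, relative paths and prefix tricks such as /vol1/tenantA/financeX."""
    if not posixpath.isabs(path):
        return False
    return posixpath.commonpath([root, posixpath.normpath(path)]) == root


def authorize(session, operation, path):
    """Check the role's permission and the confinement to the org unit; return the clean path."""
    if operation not in TENANTS[session.tenant]["roles"][session.role]:
        raise AccessDenied(f"role {session.role!r} may not {operation}")
    if not within_root(session.root, path):
        raise AccessDenied(f"{path!r} is outside the organisational unit root {session.root!r}")
    return posixpath.normpath(path)


def denied(fn, *args):
    """Helper: True if the call is refused with AccessDenied."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


class DocumentStore:
    """Path-addressed store standing in for the storage system."""

    def __init__(self):
        self.paths = set()

    def submit(self, session, path):
        self.paths.add(authorize(session, "submitSDO", path))

    def delete(self, session, path):
        self.paths.discard(authorize(session, "deleteSDO", path))

    def export_node(self, session, node):
        """All documents at or below a node: the tree structure makes the set complete."""
        node = authorize(session, "exportNode", node)
        return sorted(p for p in self.paths if p == node or p.startswith(node + "/"))
```

Note that the role check and the path confinement are independent: an archivist of the finance unit has the deleteSDO permission but is still refused on a path under the hr unit, and even on the tenant root itself.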
Extended functions

Image: Extended functions in Fujitsu SecDocs

The elementary basic functions described above, which are oriented on directive TR 03125, address the archived data objects by means of unique identifiers (AOIDs): a document is archived under an AOID, and the client software must specify the AOID of the desired data object in every request. This means that the client software must manage the AOIDs of all of its archived documents without loss for the duration of the storage period; the loss of an AOID is equivalent to the loss of the corresponding archived document. If the user wants to process a larger number of logically connected documents (e.g. delete all documents of a record), he must assemble the set of AOIDs and process one document after the other. This becomes difficult when the individual documents of a logically contiguous set (e.g. all documents of a construction permit) have been archived by more than one client software instance (e.g. a DMS, a web application, an SOA-based business process or a scan process). If each of these client instances manages the AOIDs of its archived documents autonomously, all relevant AOIDs must be collected from the different client systems. This is not necessary if the archiving, or at least the registration of the AOIDs, was performed by a joint leading application. Such a leading application must, however, have the same properties in regard to lifetime, data security and availability as the evidence-preserving long-term archive itself, since it then realises fundamental archive functions such as searching for documents depending on tenant and role, while the archive system merely acts as the evidence-preserving storage system.

In order to avoid depending on a leading application that must be kept synchronised with the archive system, Fujitsu SecDocs will be extended with a number of functions, such as:
• navigation along the document tree, beginning at the root node of the organisational unit
• searching for documents by means of search criteria that are defined for the individual document types
• export and deletion of the documents of a node including all sub-nodes of the storage structure (e.g. all documents of a tenant, of an organisational unit, of a record, of a construction permit, etc.)
• import of documents and storage under the corresponding (parametrisable) node of the storage structure
• segregation of documents after the end of the storage period (unconditional deletion, transfer to an archive, e.g. the German Federal Archives, or following a decision on the further treatment by an authorised party)
• reading the SDO schema that was used during archiving
• archiving of large data objects (e.g. audio, video)
Not all of these functions are contained in the first version.

Administration

Fujitsu SecDocs offers a hierarchical administrator concept. A distinction is made between the system administrator, the archive administrator and the respective administrators of the tenants.

System administrator

The system administrator is responsible for setting up and administering the operating system, the database system, the application server, the connectivity, the storage system and the archiving software (including setting up the archive administrator). Additionally, he is responsible for the data backup of the storage and archive system.
He utilises the standard mechanisms of the underlying system components for his tasks.

Archive administrator

The archive administrator supervises and administers the evidence-preserving long-term archive. His tasks include:
• setting up additional archive administrators (if required)
• setting up, administering and deleting tenants and tenant administrators
• reading out and evaluating the system log
• setting up the time stamping authorities (TSAs) that may be used
When setting up a tenant, the archive administrator determines the volume set or directory node under which the documents of the tenant are to be stored, as well as the prefix for the database tables of the tenant. This ensures that the data of the tenant is stored and administered separately. The archive administrator does not gain access to the functional and organisational details of the individual tenants. All operations performed by the archive administrator are logged in audit records.
Tenant administration

The tenant administrator is responsible for the tenant-specific settings of the archive system, i.e. each tenant has its own administrator; this role is comparable to that of an archivist in a traditional paper archive. The tenant administrator has access to the functional details of his own organisation, but not to those of other tenants. Essential tasks of the tenant administrator are:
• setting up the root nodes for the storage of documents in the organisational units
• definition of roles and rights and their access permissions
• registration of document types (XML schemas) and filter definitions for the organisational units
• selection of the time stamping authority to be used (from the list of possible TSAs set up by the archive administrator)
• initiating the time stamp renewal if the utilised algorithms or parameters are classified as unreliable
All operations performed by the tenant administrator are logged in audit records.

Logging of the archive operations

In order to be able to retrace the archive operations, technical directive TR 03125 requires the comprehensive logging of all activities initiated by the client software and by the administrators. This covers not only changes but also document access. Because log information can contain functionally relevant information, these logs must themselves be protected against unauthorised access. For this reason, Fujitsu SecDocs distinguishes between logging and audit data.

Logging

Fujitsu SecDocs understands logging as the recording of activities in the form of data sets that are primarily used for the analysis of malfunctions or abnormal system behaviour, also at a later stage, in order to derive suitable measures. Potential users of the logging data are the system administrator, the archive administrator or the manufacturer's service technician. Records in log files do not contain any content of archived documents.

Audit

Fujitsu SecDocs understands an audit as the recording of activities in the form of data sets in order to prove when certain operations were performed in the archive. Contrary to logging, audit records primarily contain functional data rather than technical data. Audits are kept in a tenant-specific manner, i.e. a tenant does not gain access to the audits of other tenants; the same applies to system and archive administrators. The user (tenant) can determine which information from the metadata of the SDOs of individual document types is included in the audit data sets.
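The time stamp renewal that the tenant administrator initiates when a hash algorithm is classified as unreliable (see Tenant administration above) is the operation that keeps the evidence records in the ADO probative. The added example below (illustrative code, not Fujitsu SecDocs) shows the principle in the style of the Evidence Record Syntax hash-tree renewal (RFC 4998): a group of documents is first covered by one time-stamped hash tree, and before the old algorithm becomes weak every document is re-hashed with the new algorithm together with a hash of the complete previous chain, and the new root is time-stamped again. The old links stay in the chain and are still checked, so a later verifier sees an unbroken sequence from the original stamp to the current one. The MAC-based stand-in for the TSA (a real token is a signed RFC 3161 TimeStampToken), the JSON chain layout and the sample documents are constructed for this example; SHA-1 plays the role of the algorithm classified as unreliable.

```python
"""Added example: hash-tree time stamp renewal in the style of RFC 4998 (Evidence Record
Syntax). Illustrative code, not Fujitsu SecDocs: the MAC-based stand-in TSA, the JSON
chain layout and the sample documents are constructed for this example."""
import hashlib
import hmac
import json


class StandInTSA:
    """Stand-in for a time stamping authority: a MAC with a constructed key replaces the TSA
    signature so the example runs offline. A real token is a signed RFC 3161 TimeStampToken."""

    def __init__(self, key):
        self.key = key

    def stamp(self, alg, root_hex, time):
        token = {"alg": alg, "root": root_hex, "time": time}
        body = json.dumps(token, sort_keys=True).encode()
        token["mac"] = hmac.new(self.key, body, "sha256").hexdigest()
        return token

    def check(self, token):
        body = json.dumps({k: v for k, v in token.items() if k != "mac"}, sort_keys=True).encode()
        return hmac.compare_digest(token["mac"], hmac.new(self.key, body, "sha256").hexdigest())


def digest(alg, data):
    return hashlib.new(alg, data).digest()


def tree_root(alg, leaves):
    """Root of a hash tree: at every level the nodes are sorted, paired, concatenated and
    hashed (an unpaired last node is hashed on its own)."""
    level = sorted(leaves)
    while len(level) > 1:
        level = sorted(digest(alg, b"".join(level[i:i + 2])) for i in range(0, len(level), 2))
    return level[0]


def initial_chain(alg, docs, tsa, time):
    """First archive time stamp: one hash tree over the documents of the group."""
    leaves = [digest(alg, d) for d in docs]
    token = tsa.stamp(alg, tree_root(alg, leaves).hex(), time)
    return [{"alg": alg, "leaves": [leaf.hex() for leaf in leaves], "token": token}]


def _renewal_leaf(alg, doc, previous_links):
    """New leaf: hash of the document and hash of the complete previous chain, sorted,
    concatenated and hashed with the new algorithm."""
    prev = digest(alg, json.dumps(previous_links, sort_keys=True).encode())
    return digest(alg, b"".join(sorted([digest(alg, doc), prev])))


def renew(chain, docs, new_alg, tsa, time):
    """Hash-tree renewal before the old algorithm becomes unreliable: every document is
    re-hashed with the new algorithm together with the old evidence, and the new root is
    time-stamped again. The old links stay in the chain and remain verifiable."""
    leaves = [_renewal_leaf(new_alg, d, chain) for d in docs]
    token = tsa.stamp(new_alg, tree_root(new_alg, leaves).hex(), time)
    return chain + [{"alg": new_alg, "leaves": [leaf.hex() for leaf in leaves], "token": token}]


def verify(chain, doc, tsa):
    """A document is covered only if every link reproduces from the document (and, from the
    second link on, from the previous links) and every time stamp token checks out."""
    for i, link in enumerate(chain):
        alg = link["alg"]
        leaf = digest(alg, doc) if i == 0 else _renewal_leaf(alg, doc, chain[:i])
        leaves = [bytes.fromhex(x) for x in link["leaves"]]
        if leaf not in leaves:
            return False
        if tree_root(alg, leaves).hex() != link["token"]["root"] or not tsa.check(link["token"]):
            return False
    return True


# Constructed sample: three archived documents stamped with SHA-1, later renewed with SHA-256.
TSA = StandInTSA(b"constructed-tsa-key")
DOCS = [b"invoice INV-2011-0042", b"contract C-7", b"deed D-3"]


def demo():
    chain = initial_chain("sha1", DOCS, TSA, "2011-10-28T10:00:00Z")
    renewed = renew(chain, DOCS, "sha256", TSA, "2016-12-01T09:00:00Z")
    return chain, renewed


if __name__ == "__main__":
    chain, renewed = demo()
    print(len(renewed), [link["alg"] for link in renewed], all(verify(renewed, d, TSA) for d in DOCS))
```

The renewal has to happen while the old algorithm is still trustworthy: the new link binds each document under the new algorithm to the old evidence, so the old time stamp continues to prove the earlier point in time even after its algorithm is no longer considered collision-resistant. Renewing a single document out of a group is not possible here; the whole group is re-stamped, which is why the tenant administrator triggers the renewal rather than individual clients.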
Operator Models

Fujitsu offers the user differentiated models for the operation of long-term trusted preservation. Fujitsu SecDocs can be employed flexibly in regard to operating location, price model and operational services: it can be operated under a license or lease model, locally or in one of Fujitsu's highly secure data centres, under the responsibility of the customer or as a 'Managed Service by Fujitsu'. The services span the entire Fujitsu service portfolio, from process consulting through the provision of Secure Dynamic Infrastructures up to the operation of long-term trusted preservation. Hybrid forms are possible and can thus be matched to specific cycles, business requirements and (ASP) operator models. The advantage: the highest possible flexibility in operation, taking cost and quality into account.

License

The operator has the choice of running Fujitsu SecDocs under a license or in a software leasing model (SaaS). Own licenses can be operated either under own responsibility or, in accordance with service level agreements, by Managed Services by Fujitsu. Application service providers can offer their own instances.

Preservation as a service

Managed infrastructure
Fujitsu will offer long-term trusted preservation services that ensure the standardised operation of the solution and infrastructure in a cost-efficient and reliable manner. In this way, experienced specialists with archiving and technology knowledge can administer even the largest IT environments quickly and cost-efficiently and lower operational costs through better utilisation of IT resources.

Infrastructure-as-a-Service
Fujitsu will offer long-term trusted preservation as a secure, highly available service on jointly used infrastructure. Invoicing is usually performed on the basis of usage, according to predefined characteristic values. The responsibility for operation and legal conformity lies fully with Fujitsu, which relieves the user from providing own resources.
All rights reserved, in particular commercial intellectual property rights. Subject to change of technical specifications as well as availability. No liability or guarantee for completeness, up-to-dateness and correctness of the specified data and images is granted. Designations used may be brands and/or copyrighted material, the use of which for own purposes may infringe the rights of the respective owners. Additional details can be found at: http://ts.fujitsu.com/terms_of_use.html

Published by: Fujitsu Technology Solutions GmbH; de.ts.fujitsu.com © 2010, 2011

Contact
FUJITSU TECHNOLOGY SOLUTIONS GMBH
Address: Mies-van-der-Rohe-Str. 8, 80807 Munich, Germany
E-mail: secdocs@ts.fujitsu.com
Website: ts.fujitsu.com/secdocs