"A risk assessment of the Piql Services" by FFI

Once the processing is done, the prepared file in Piql format is stored on a hard disk shared between the Piql computer and the Piql I/O computer. The shared hard disk uses a Network File System (NFS), a distributed file system that allows several servers access to the same files. This is how the prepared file is transferred between the Piql computer and the Piql I/O computer, shown in figure 5.3 where the black line passes between the computers via the NFS. The physical interconnection is through 10G Ethernet cables, i.e. there is no air gap between the computers.¹³

The file with the processed client data is then written onto the piqlFilm. After the film is developed and processed, it is read back on the piqlReader to verify its contents against the checksum generated for the client data when it was first uploaded to the Piql system. As the client data is now converted into its physical form, the digital client data is no longer needed. It is deleted from all computers in the Piql IT system, and only the metadata collected earlier in the process remains connected to external networks. Additionally, a unique film reel ID is generated once the piqlFilm is printed. Figure 5.3 depicts this newly created information in blue. The unique reel ID is stored in a shared catalogue with the database in the Element Logic Warehouse Management System (EWMS), the control system of the piqlVault system, while the finished piqlFilm is labelled, packed and transported to the storage facility.

Separate from the specific processes and steps of the production, but equally important to consider when designing the security infrastructure of an IT system, are the measures put in place to mitigate the threat of the insider, i.e. operators of the Piql computers and components or other personnel who can, for whatever reason, cause damage to the client data.
The complete Piql IT system is designed so that regular operators have no access to client content: only administrative users have this access. This is enforced by the design of the operator interface controlling the workflows. The machine design is another measure. For example, the cover of the piqlReader must be down during the scanning of data so that the operator cannot see what is being scanned [33]. Piql does not offer its clients protection in the form of encryption of the data. The information on the piqlFilm must remain readable without a separate decryption key, as piqlFilms are meant to be self-contained: they may be found in 500 years, and all the instructions needed to read the information again are stored right there on the first few frames of the piqlFilm. The client, or user of the Piql Preservation Service, does of course have the option to encrypt the data themselves before transferring the files to the Piql partner. Yet this is not part of the Piql partner’s service: the users do this at their own cost and risk, and they are themselves responsible for managing the personal key.
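The checksum round trip described above (a digest recorded when the client data is first uploaded, verified after the film has been written and read back on the piqlReader, and the digital copy released for deletion only once verification passes) as an added worked example. This is illustrative code written for this page, not Piql's own software; the function names, the simulated frame size, the catalogue layout and the reel ID are assumptions, and the client data is a constructed sample.

```python
# Added example (not Piql's code): checksum at ingest, verification after the
# film round trip, and the delete/retain decision that depends on it.
# Chunk size, frame size, catalogue layout and reel ID are assumptions.
import hashlib
import hmac
import io

CHUNK_SIZE = 64 * 1024  # assumed streaming chunk size; keeps memory flat for large archives
FRAME_BYTES = 16        # assumed payload per simulated film frame (real frames are much larger)


def digest_stream(stream, algorithm="sha256"):
    """Hash a file-like object chunk by chunk so large archives are never read into memory at once."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def ingest(client_bytes, algorithm="sha256"):
    """Record the checksum at the moment the client data enters the system."""
    return {
        "algorithm": algorithm,
        "digest": digest_stream(io.BytesIO(client_bytes), algorithm),
        "size": len(client_bytes),
    }


def write_and_read_back(client_bytes, corrupt_frame=None):
    """Constructed stand-in for the film round trip: split into frames and
    optionally flip one bit in one frame to simulate a read-back defect."""
    frames = [client_bytes[i:i + FRAME_BYTES] for i in range(0, len(client_bytes), FRAME_BYTES)]
    if corrupt_frame is not None:
        f = frames[corrupt_frame]
        frames[corrupt_frame] = bytes([f[0] ^ 0x01]) + f[1:]
    return b"".join(frames)


def verify_readback(readback_bytes, manifest):
    """Compare read-back data against the ingest manifest: size first, then a
    constant-time comparison of the hex digests."""
    if len(readback_bytes) != manifest["size"]:
        return False
    actual = digest_stream(io.BytesIO(readback_bytes), manifest["algorithm"])
    return hmac.compare_digest(actual, manifest["digest"])


def register_reel(catalogue, reel_id, manifest):
    """Assumed catalogue record tying the reel ID to the checksum, so a later
    read-back can still be verified after the digital copy has been deleted."""
    catalogue[reel_id] = dict(manifest)
    return catalogue[reel_id]


def production_decision(readback_bytes, manifest):
    """Only a verified read-back allows the digital copy to be deleted;
    otherwise it must be kept and the film written again."""
    if verify_readback(readback_bytes, manifest):
        return "delete_digital_copy"
    return "retain_digital_copy_and_rewrite"


if __name__ == "__main__":
    data = b"constructed client archive bytes; " * 40  # constructed sample, not client data
    manifest = ingest(data)
    catalogue = {}
    register_reel(catalogue, "REEL-EXAMPLE-0001", manifest)  # placeholder reel ID
    print(production_decision(write_and_read_back(data), manifest))
    print(production_decision(write_and_read_back(data, corrupt_frame=3), manifest))
```

The size check before hashing catches a truncated read-back cheaply, and the digest comparison catches a single flipped bit anywhere in the frames; the decision function makes explicit that deletion of the digital copy is gated on verification rather than on the film having been written.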

Figure 5.4 illustrates the next steps the digital data take after being processed in the internal Piql IT system. It explains the architecture design of the IT system used in the piqlVault system

13 The specifications regarding the physical interconnection were provided as part of an email correspondence with Ole Liabø, Director R&D at Piql AS, on 24.02.16.


FFI-RAPPORT 16/00707