Logging and archiving: Where storage and security needs intersect

When IT managers consider logging and archiving, they face a dilemma: Keep enough data, and audit and regulatory needs are met, business continuity is maintained, and recovery after a disaster goes smoothly.

Keep too much data, though, and the cost associated with storing that data and the resources needed to maintain the archives could skyrocket, outweighing many of the benefits.

What's needed is a careful, business-based balance between security and storage. Simple storage of the data isn't enough. How data is stored and how the associated threats to it are mitigated are critical parts of the puzzle. Even the most sophisticated storage-area network (SAN) isn't much use if an attacker can access the logs and delete or otherwise tamper with them. In this article, we'll take a look at some of the questions that companies should ask to understand how to store and archive logs reliably.

Do you need it on demand?

Stored log data may differ in its overall value to the organization. For example, log files from a development server that contains old builds of phased-out code may have a different weight than the logs from the corporate human resources, enterprise resource planning and mail servers. Because the cost of data storage varies depending on the ways in which it will be used and accessed, old copies of log files from testing and prototype machines may lend themselves to less expensive storage methods, such as off-line digital archive tapes, while ERP system logs may need to be available around the clock via the corporate SAN.


Assign a value weight to each set of logs that will be archived and then determine the most cost-effective storage method. If the data can't be accessed when it's needed, it's not of much use. Archived data that has been stored in a third-party, off-site facility, where it may take days or weeks to retrieve, could cause a breach of a service-level agreement or be in potential violation of audit policies.

One of the most important contributors to data availability is management of the SAN and all of the archives. If more storage space is needed, can it be discovered, provisioned and made available automatically? If not, what are the consequences? Is data lost? Does someone get paged at 3 a.m. on a Sunday to go into the data center and provision additional storage? Are there metrics that raise alerts for anomalous storage usage, and that feed strategic planning of storage needs?

How safe does it need to be?

With a valuation in place, the acceptable risk level of the stored data can be assessed. First, you must understand the types of threats to the data, the ease with which they can be executed and the cost of potential damage.

Next, perform an analysis that defines each type of threat and the effect, ease, frequency and probability of exploitation. The more people who are physically near the data or have logical access to it, the easier and more frequently a vulnerability can be exploited if the right controls aren't in place. Logs that are stored on a SAN connected to the corporate network need to be protected with best-practice techniques, such as access-control systems and firewalls.

As redundant as this may sound, logs of access to the logs should be kept. Keep in mind that these are the records of what has gone on in the network and on critical systems and servers. These logs should be encrypted against prying eyes and made tamper-proof or, at the very least, tamper-evident: being able to show that a record has not been altered or removed is what makes it reliable as evidence and reduces risk.

When looking at threat attributes, don't concentrate only on the data. Storage is physical, so many of the threats that need to be mitigated are physical ones, such as fire, flood and power failure.

Legal matters

Regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and California's SB 1386 privacy law affect storage of log-file data because they require a company to prove that best practices and controls for its data are in place.

The log-file archive is the forensic tool for proving what has occurred on a network or application. A log file that tracks all access to a system or an archive of all e-mails sent could be the only thing that stands between your company and court action. Deleted e-mails and tampered call records were critical pieces of evidence in the cases of Enron Corp. and Martha Stewart. So, examine with your corporate counsel what information needs to be tracked to maintain compliance.

Some questions to consider: Do the logs show that best practices have been followed? And will the company be able to generate usage and access reports from the stored logs?

Summary

Log files are snapshots of activity in a corporation. Not only must the correct information be tracked; it must also be stored securely and managed for accessibility and availability. Storing the data any old way, without understanding the security requirements and potential risks, isn't sufficient. Audit, recoverability and regulations require that companies not only log and archive critical data, but also that they do this in a secure manner. Having appropriate risk management in place is critical for all business processes, but it's exceptionally important in the realm of stored-log and archive data. This data is the final proof point for history and forensics. Guard it wisely and guard it well.

Diana Kelley is a security strategist for the eTrust brand of security management solutions at Computer Associates International Inc. Her experience includes creating secure network architectures and business solutions for large corporations. Prior to joining Islandia, N.Y.-based CA, she founded Security Curve, an independent provider of strategy, consulting and education to the security industry.

Copyright © 2004 IDG Communications, Inc.
