Design and Implement Auditability, Traceability and Accountability of Data Events

Definition of Event Sources and Requirement of Identity Attribution

An event is any observable action that occurs. Cloud solutions face different challenges in collecting events than on-premises servers. The biggest difference is the availability of the data, which varies by cloud provider. IaaS solutions provide the most detailed logs, drawn from network, OS, and application data sources. SaaS solutions may only provide application-level logs, with no access to OS or network logs.

The Open Web Application Security Project® (OWASP) publishes a number of guides, one of which covers logging. It is a useful guide and series of best practices to apply when using cloud services. Here are some examples:

  • Synchronize time across all servers and devices: Synchronized timestamps across devices are crucial when investigating events.
  • Differing classification schemes: Different applications categorize events with different metadata. Using the same schema for your data across platforms makes searching for events easier.
  • Identity attribution: This allows you to answer the question "who did what and when?"
  • Application-specific logs: Similar to differing classification schemes, applications may log the same type of data differently.
  • Integrity of log files: Not allowing the logs to be changed by users on the hosts that are generating the logs.

Logging, Storage and Analysis of Data Events

Looking at raw logs alone is not very effective for tracking down what happened during an event. Using a central logging server and a SIEM to analyze the logs helps by providing:

  • Log centralization and aggregation: Having logs in one location means you do not have to log in to every host in the environment to access them. Endpoints usually push their logs to the SIEM.
  • Data integrity: The SIEM has permissions separate from those of the hosts, which prevents users with administrative permissions on the hosts from tampering with the logs.
  • Normalization: Sources of data format their data in different ways. A SIEM reformats the data into a common layout to allow easier searching. This is called normalizing the data. For example, usernames from different systems may be labeled user.name, user, or username.
  • Automated or continuous monitoring: SIEMs use algorithms to search the logs for potential attacks or anomalous data.
  • Alerting: SIEMs alert on the anomalous data they detect.
  • Investigative monitoring: The SIEM provides supporting capabilities when investigating the logs becomes necessary.
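The normalization, time-synchronization and identity-attribution points above, as an added example that is not part of the original page: three constructed records from hypothetical sources (an OS auth log, a SaaS audit event, a firewall line) name the actor and the timestamp differently; a per-source field map and a UTC conversion bring them onto one assumed common schema so that "who did what and when?" can be answered with a single query. The source names, field names and sample values are assumptions for this example, not any SIEM's real schema.

```python
from datetime import datetime, timezone

# Constructed sample records from three hypothetical sources. Note that the raw
# strings alone mislead: alice's "09:15:02+01:00" login looks later than her
# "08:20:10Z" download, but is actually earlier once both are in UTC.
RAW_EVENTS = [
    {"source": "linux-auth", "user": "alice", "ts": "2024-03-01T09:15:02+01:00",
     "msg": "Accepted publickey", "src_ip": "203.0.113.5"},
    {"source": "saas-app", "user.name": "alice", "eventTime": "2024-03-01T08:20:10Z",
     "action": "download_report", "clientIp": "203.0.113.5"},
    {"source": "firewall", "username": "bob", "time": "1709281300",
     "event": "deny", "src": "198.51.100.7"},
]

# Per-source mapping of native field names onto one common schema (assumed names):
# this is the SIEM's "normalization" step expressed as data.
FIELD_MAP = {
    "linux-auth": {"user": "user", "ts": "timestamp", "msg": "action", "src_ip": "source_ip"},
    "saas-app": {"user.name": "user", "eventTime": "timestamp", "action": "action", "clientIp": "source_ip"},
    "firewall": {"username": "user", "time": "timestamp", "event": "action", "src": "source_ip"},
}


def to_utc(value):
    """Convert an ISO-8601 string (any offset, or trailing Z) or epoch seconds to a UTC datetime."""
    if value.isdigit():
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    # Older Python versions do not accept the "Z" suffix in fromisoformat, so spell it out.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize(event):
    """Rename the source-specific fields to the common schema and normalize the timestamp to UTC."""
    out = {"source": event["source"]}
    for native_field, common_field in FIELD_MAP[event["source"]].items():
        out[common_field] = event[native_field]
    out["timestamp"] = to_utc(out["timestamp"])
    return out


def who_did_what(events, user):
    """Identity attribution: every action by one identity, across all sources, in UTC time order."""
    rows = [n for n in (normalize(e) for e in events) if n["user"] == user]
    rows.sort(key=lambda r: r["timestamp"])
    return [(r["timestamp"].isoformat(), r["source"], r["action"], r["source_ip"]) for r in rows]


if __name__ == "__main__":
    for row in who_did_what(RAW_EVENTS, "alice"):
        print(row)
```

The same query against the raw records would have ordered alice's two events the wrong way round, which is why time synchronization and a common timestamp format sit alongside field normalization.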

Chain of Custody and Non-repudiation

Chain of custody is a defensible record of how evidence was collected and handled, and by whom. Non-repudiation is holding a specific account responsible for a particular action.