Welcome!

Cloud Security Authors: Liz McMillan, Yeshim Deniz, Elizabeth White, Ed Featherston, Pat Romanski

Related Topics: Cloud Security

Cloud Security: Blog Feed Post

Log Files Do Not Improve Security

Logs are for auditing, accountability, and tracking down offenders – not for providing real-time security

A new law signed into effect in February 2009 requires that health care providers and organizations  subject to HIPAA notify affected customers in the event of a breach affecting more than 500 records. There was very little discussion of this new requirement in the blogosphere which was surprising given this statement hidden amongst one of the few articles on the subject.

Dominique Levin, executive vice president of marketing and strategy for log management vendor LogLogic, told SCMagazineUS.com on Thursday that there are security and privacy concerns with the move to digital health care records.

“Hospitals are now targeted by insiders and professional criminals trying to access health information for financial gain,” Levin said.

But, ultimately, computerized health care records could reduce costs, result in easy backups and data recovery, and actually improve security, Levin said.

“Electronic health care records can be more secure than paper records,” Levin said.

For example, companies can implement technologies that keep a record of everyone that has accessed the records -- something they can't do with paper records, Levin said.

shortstoryThe example of “better security” here is the implementation of a record, i.e. audit/log file, of everyone that accesses the records.

 


RECORDING A BREACH DOES NOT PREVENT IT


Audit files do not improve security. Neither do log files. Both are simply tracking mechanisms that are little more than CYA mechanisms for organizations that help in the event security is breached. They are part of the forensic trail of evidence that can be used to assist in determining who may have had access and ultimately whether everyone who did access the resource was authorized to do so. Just take a look at the number of “hidden camera” footage videos on the Internet and you’ll quickly discover it’s not really a deterrent, it just forces criminals to take greater pains at disguising themselves and hiding their tracks. Take a good look at any generalized rootkit and you’ll find tools included for mucking with the log file – either to remove evidence or obfuscate it in such a way as to make it useless. Taking care of log files is merely one more item to be covered on the lengthy “to do after a successful breach list” of miscreants.

 

This is a recording of activity, it is not preventative. It does not improve security at all and it does absolutely nothing to assuage the concerns of those who may be able to see that making anything electronic – and available over the Internet – immediately degrades the security of those records because there are suddenly myriad additional attack vectors that must be identified and secured.

Paper records – health care records in this case – are accessed by medical folks. If you’ve ever tried to get a copy of your own personal records you know it requires signatures, notes from your parents, a completely filled out form specifying why you want the thing in the first place, and who can access it. HIPAA regulations require that only those so designated be allowed to see your records – at least those outside the medical organization – and even restrict to whom information can be given over the phone or e-mail. It is unlikely that electronic versions of these same records would involve the running of the gauntlet of forms and signatures required to access paper versions. They’ll be electronic - consumers and advocates hope available via the Internet - and absolutely open to attack.

That’s less secure, not more secure.

Now I’ll be more forgiving for a moment and note that Levin is quoted as saying electronic health care records can be more secure, not they will be.

But that’s a fine line to walk and the reality is that adding log or audit files does not improve security. Log and audit files are created after the event. The fact that Johnny asked for access is noted and that he was granted access is noted. There’s no participation, no collaboration, no prevention involved in logging an event. It is the recording for posterity (or the police) of an event. Period. It neither degrades nor improves security, it merely is what it is: another record. It is likely true that electronic records can provide better and more complete logs of who accessed records and when, but it doesn’t do anything to control that access in the first place.

Is it important? Yes. Should you have such records? Yes, you should. Are they required by some regulations? Absolutely.

Do they improve security? No.


SO HOW WOULD YOU IMPROVE SECURITY?


There are plenty of options for improving security of any kind of records that are stored and accessed digitally:

  1. Data leak prevention (DLP) The security of “last resort” that prevents the breach from succeeding. A security breach has happened, technically, but the results are kept from being delivered [PDF] and thus the sanctity of the records.
  2. Context-Aware Authentication A username and password is good, but when it’s coming from a Starbucks in New Foundland and the user is sitting in the office in Seattle, well, c’mon – there’s something fishy about that situation, isn’t there? Context-aware authentication systems and specifically those employing endpoint inspection capable of enforcing specific conditions such as location or peculiar identifying applications/machine properties before allowing access go a long way toward improving security.
  3. Web-application Firewall If access is provided via a web application, this should be a default additional solution. Preventing some of the ways in which people unlawfully gain access (XSS, SQLi) reduces the chances of a successful breach in the first place.
  4. Full stack security Security of the entire OSI stack – from layer 1 to layer 7 – is important in preventing existing and new vulnerabilities in platforms and protocols from being exploited at the expense of the security of data.

That’s in addition to – not in place of – a secure development life cycle (SDLC), well-defined organizational-wide security policy, and auditing of that policy and its technical implementation to ensure that every possible precaution against a breach is taken.

Logging is an integral part of organizational security policies and best practices and well it should be. But don’t make the mistake of thinking that logging access to records is the same as securing them.

Follow me on Twitter View Lori's profile on SlideShare friendfeedicon_facebook AddThis Feed Button Bookmark and Share

 

Related blogs & articles:

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
Organizations planning enterprise data center consolidation and modernization projects are faced with a challenging, costly reality. Requirements to deploy modern, cloud-native applications simultaneously with traditional client/server applications are almost impossible to achieve with hardware-centric enterprise infrastructure. Compute and network infrastructure are fast moving down a software-defined path, but storage has been a laggard. Until now.
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
The best way to leverage your CloudEXPO | DXWorldEXPO presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering CloudEXPO | DXWorldEXPO will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at CloudEXPO. Product announcements during our show provide your company with the most reach through our targeted audienc...
DXWorldEXPO LLC announced today that All in Mobile, a mobile app development company from Poland, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. All In Mobile is a mobile app development company from Poland. Since 2014, they maintain passion for developing mobile applications for enterprises and startups worldwide.
"Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
JETRO showcased Japan Digital Transformation Pavilion at SYS-CON's 21st International Cloud Expo® at the Santa Clara Convention Center in Santa Clara, CA. The Japan External Trade Organization (JETRO) is a non-profit organization that provides business support services to companies expanding to Japan. With the support of JETRO's dedicated staff, clients can incorporate their business; receive visa, immigration, and HR support; find dedicated office space; identify local government subsidies; get...
"We view the cloud not as a specific technology but as a way of doing business and that way of doing business is transforming the way software, infrastructure and services are being delivered to business," explained Matthew Rosen, CEO and Director at Fusion, in this SYS-CON.tv interview at 18th Cloud Expo (http://www.CloudComputingExpo.com), held June 7-9 at the Javits Center in New York City, NY.
DXWorldEXPO LLC announced today that the upcoming DXWorldEXPO | CloudEXPO New York event will feature 10 companies from Poland to participate at the "Poland Digital Transformation Pavilion" on November 12-13, 2018.
The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
DXWorldEXPO LLC announced today that ICC-USA, a computer systems integrator and server manufacturing company focused on developing products and product appliances, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City. ICC is a computer systems integrator and server manufacturing company focused on developing products and product appliances to meet a wide range of ...
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smart...
Major trends and emerging technologies – from virtual reality and IoT, to Big Data and algorithms – are helping organizations innovate in the digital era. However, to create real business value, IT must think beyond the ‘what’ of digital transformation to the ‘how’ to harness emerging trends, innovation and disruption. Architecture is the key that underpins and ties all these efforts together. In the digital age, it’s important to invest in architecture, extend the enterprise footprint to the cl...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. ...
In an era of historic innovation fueled by unprecedented access to data and technology, the low cost and risk of entering new markets has leveled the playing field for business. Today, any ambitious innovator can easily introduce a new application or product that can reinvent business models and transform the client experience. In their Day 2 Keynote at 19th Cloud Expo, Mercer Rowe, IBM Vice President of Strategic Alliances, and Raejeanne Skillern, Intel Vice President of Data Center Group and ...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.