An immutable audit log is a tamper-resistant record of how a system has been used: everything from when data arrives, changes and departs, to how users interacted with the system. Each event is recorded indelibly; even the database administrator with the highest level of system privileges cannot alter the past. Kinda like the paper tape on an adding machine, etched in stone, only more high-tech.
I think (and hope) tamper-resistant audit logs will become commonplace in settings ranging from health care patient records to government surveillance systems. Their primary value is twofold:
a) Accountability. Enabling policy folks charged with oversight and accountability to validate that a computer system has been used within policy and law; and,
b) Deterrence. The "chilling effect" caused by the knowledge that a tamper-resistant audit log is in place, deterring a corrupt person or two from bad behavior.
Well, good news. I stumbled onto a software company in Spain called Kinamik which has been dedicating its technical resources towards the creation of … a tamper-resistant audit log!
Now what? What if no one wants to pay for one? Will tamper-resistant audit logs need to be built into commercial off-the-shelf systems to reach the market? If so, will organizations actually pay for the additional disk space and processing requirements to turn such a log on? Or will they simply turn the feature off?
This is important technology and one that really needs to see the light of day, especially in conjunction with non-transparent government systems.
If any of my readers have thoughts as to what kind of incentives or levers will be needed to make such audit logs a reality, I would love to hear from you. As well, if you discover any other companies selling tamper-resistant logs, please let me know. I would like to compile a list.
I do think immutable audit logs are usually adopted to enforce compliance if the implications of abuse are severe.
But, to be able to sell immutable audit logs to a large base of customers, maybe the logs can be used for other purposes such as rewarding users for correct use or preventing accidental deletions.
I am not sure how tamper-resistant these logs can be, since the log designer has to be trusted and the technology does not seem simple enough to be understood (by me).
Posted by: Clifton Phua | November 11, 2007 at 05:17 AM
Sadly I think it's going to take some sort of compliance initiative before anyone even realises they need this level of security.
The technology itself is simple enough to understand. I was the Product Manager for Kinamik until recently though, so maybe I have a head start.
The tamper resistance comes from building a chain of mini signatures. The signatures are of smaller blocks of the original data. Therefore if any one part of the chain is affected, you only lose a small part of the data rather than the whole as with normal signatures, the tampered data is pinpointed, and the whole operation can be completed faster than the normal signing process.
It's great technology, but whereas a lot of people will accept that they need it, it doesn't tick any boxes yet and doesn't actively make money for an organisation, so is a hard sell. Having said that, encryption was a hard sell 5 years ago and that's doing very well now. It's only a matter of time and I for one would be very pleased to see Kinamik do well.
Posted by: Rob | November 12, 2007 at 03:09 AM
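The chain of mini signatures Rob describes above, as an added illustration that is not Kinamik's code: each log entry carries a tag computed over its own contents plus the previous entry's tag, so an after-the-fact edit is pinpointed to one entry instead of invalidating the whole log. HMAC-SHA256 with a demo key stands in for the per-block signatures (an assumption; the events and key are constructed).

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag assumed for the (nonexistent) entry before the first one


def _tag(key: bytes, prev_tag: str, event: dict) -> str:
    # Canonical JSON so the same event always serialises to the same bytes.
    payload = prev_tag.encode() + json.dumps(event, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, event: dict) -> None:
    """Append an event; its tag chains to the tag of the entry before it."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    log.append({"event": event, "tag": _tag(key, prev_tag, event)})


def verify(log: list, key: bytes) -> int:
    """Return the index of the first entry whose tag fails, or -1 if intact."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        expected = _tag(key, prev_tag, entry["event"])
        if not hmac.compare_digest(entry["tag"], expected):
            return i  # tampering is pinpointed here; later entries need not be rechecked
        prev_tag = entry["tag"]
    return -1


def demo() -> tuple:
    key = b"constructed-demo-key"  # constructed; a real key lives outside the audited system
    log = []
    for ev in ({"user": "alice", "action": "read", "record": 42},
               {"user": "bob", "action": "update", "record": 42},
               {"user": "alice", "action": "delete", "record": 7}):
        append(log, key, ev)
    intact = verify(log, key)            # -1: nothing altered
    log[1]["event"]["action"] = "read"   # simulated after-the-fact edit by a privileged user
    tampered = verify(log, key)          # 1: the edited entry is identified
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (-1, 1)
```

Deleting entries from the tail of the chain is not caught by this check alone, so the latest tag must also be anchored somewhere the log's administrators cannot rewrite (another system, a signed timestamp, or a printout).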
One issue that such a technology might have is how to transparently audit something that can change significantly over time. For instance, if your auditor asks for all changes to Customer information between X and Y date, and you went into your tracking system and returned all changes related to the PARTY_TABLE, it might be difficult to know that in the previous version of the Customer system (that was upgraded in between X and Y date) stored customer information in the CUSTOMER_TABLE (which no longer exists in the current version). It seems for this immutable log idea to be most effective, you would need to apply them to systems built using associative data modeling techniques (e.g. Kalido, Oracle Designer, Lazysoft Sentences, etc.) that not only track the start and end date for each object, but also track the start and end date of each association. Indeed in the case of Kalido, a byproduct of this approach allows you to not only report auditing changes across data, but across structure as well, and even generate reports using any standard BI tool using any hierarchy or model that had ever existed. However, market-wise, I think companies like Kinamik would want to keep a close eye on the database vendors themselves. If they perceive this to be a market, I could certainly see Oracle, IBM, and Microsoft jumping into this, and I think that is where this type of thing would ultimately end up if I had to guess. Outside of your auditability and deterrence criteria, Oracle 11g has added some new security features to try and address some of your access abuse concerns; for instance, being able to limit the DBA viewing tables they manage, etc. I would expect more of that filtering down as companies wake up to dangers of internal support staff having the capability of downloading confidential customer data to a USB drive and walking out the door with it.
Posted by: Stephen | November 12, 2007 at 04:07 PM
A technically great idea. One which, alas and of course, many, many people and organizations will run away from, or resist vehemently.
What politician will seriously allow this to happen? Geez, there are many representatives and senators that have their remarks put into the Congressional Record as if they were actually in the legislative chamber and read them. Being made to be held accountable for their words? Politicians? Gimmeabreak!
Bureaucrats, high-level appointments, unable to skip around their words? Where would that place them? Nowhere they want to be caught.
Look at Sarbanes-Oxley: a law passed in reaction to Enron, no sooner was the ink dry on the legislation than corporate executives were decrying its excesses and costs and screaming for legislative relief. Enron is now but a dim memory for most, a kind of scar on the public psyche, and even politicians are calling for Sox to be rewritten, if not repealed.
I worked on the business side for a good number of years, and I well recall a joke that was made when we would sit around and shoot the breeze after a long day: we keep three sets of books, one for shareholders, one for the IRS, and the real one. I never found it very funny, but did find it telling of the culture.
Posted by: Sal Weir | November 28, 2007 at 05:04 PM
Hi Jeff,
Remember us please.
http://www-304.ibm.com/jct09002c/gsdod/solutiondetails.do?solution=16896&expand=true&lc=en
From a past conversation, you might remember that Trustifier is a security sub-system that adds internal controls at the kernel level to enforce security policies. It can be dropped on to a running *nix system in software format or be added in appliance form to a mixed platform environment.
Trustifier does not use encryption, but digital separation of data to enforce domain separation, writing permanent time-stamped audit logs that are not accessible by system personnel, or security officers.
Trustifier also allows integrity and secrecy rankings of data and users, providing additional tools to not only assure accountability, but iron-clad non-repudiation necessary for secure data hand-offs and data sharing.
Posted by: Rob Lewis | February 15, 2008 at 08:36 AM
I can see that this post is a couple of years old now, can you tell me if during this time this has become a reality? I'm very amateur in terms of this area but I think this kind of system sounds very useful and would certainly enable accountability. I'm in the middle of corresponding with a company and I'd like to suggest this to them - only if it's relevant though! Thanks
Posted by: Security Tape | February 08, 2011 at 02:23 AM