In case of a regular server an external or a malicious internal user may gain unauthorized access to the sensitive information and then perform acts to conceal the breach by removing or editing audit log files. These log files contain crucial information that is needed to prove regulatory compliance and to conduct forensic analysis in case of an actual breach.
The logging information must be stored in real-time on servers that are located outside of the administrative control of the entity that is trying to preserve such information.
Let me explain how do we do it – in order to provide extended auditing capabilities, as well as to comply with regulatory requirements, all activities related to the Server General agent installed on a host server that is located within our customer’s network are logged in real-time at four different locations – on the host server itself and three servers that are located within our network and operated by our security staff. Take a look at the diagram.
You’ll notice that the host server is located within our customer’s network shown on the left hand side of the diagram is being used to store the logging information and three additional servers shown on the right hand side which are under our administrative control are also being used to store each and every log entry in real-time. This way a malicious person who has successfully compromised the host server located within our customer’s network will also have to modify or delete entries from the log files that are located within our cloud infrastructure (which is being monitored on a 24x7x365 basis). Just the fact that entries have to be changed at four different locations under two different administrative controls makes it very difficult for a malicious entity to successfully cover up their actions.
This type of a setup preserves sanctity of the logged information and allows our customers to claim that they have tamper-resistant log files since no one from within their organization can make changes to all four servers and we can not make changes to the logging information controlled by our customers. Auditors love it!