The Value of Event Logging in the Public Cloud

Last month, I moved into a new apartment. In addition to the routine tasks of unpacking my boxes, meeting my new neighbors and getting used to a new neighborhood, I found myself thinking about how I could apply my cybersecurity skills to improving the safety of my new home. I realized that one of the most significant risks I face is the sheer number of people coming and going from my apartment while I’m not at home. Delivery people, maintenance staff, the landlord and others all need access to my apartment, and this access creates risk.

I set about addressing this risk by installing security cameras to monitor the key entry and exit points so I can detect activity in real time and review recorded activity if something goes wrong. The presence of these cameras gave me the peace of mind that I have monitoring in place. 

This sense of security is also important for organizations operating IT services in the public cloud. Vendors, contractors, employees and customers all regularly interact with those services. Organizations want to be able to quickly identify unusual activity and maintain a record of everything that occurs in their cloud environments.

Just as security cameras provide me with this monitoring capability in my apartment, a robust logging strategy allows organizations to monitor their cloud environments. Let’s take a look at five key pieces of advice that organizations can follow when building a public cloud logging strategy.

You can’t analyze log records after a security incident if you didn’t capture them in the first place. Organizations should configure their cloud-based systems to generate log records and store them for as long as necessary to meet their log retention standards.

IT leaders should understand who has access to these logs and configure them to minimize the risk of tampering. Ideally, logs should be sent to an immutable data store where they can be written but never modified. This prevents malicious insiders from altering or deleting log records to cover their tracks.

Alerts let an IT team create predefined rules that trigger notifications or automated responses when unusual situations occur. For example, if a firewall rule change is made to allow all internet traffic, an alert will notify an administrator to explore the modification immediately.

You’ll get the most value out of your logging efforts if you can bring together the logs from many different systems in a single location. These additional log records can add context, which security teams can use to correctly explain unusual behaviors and reduce false positives. Organizations commonly use security information and event management or security orchestration, automation and response platforms to consolidate log records from both on-premises and cloud services.

Logs aren’t just valuable from a security perspective. Developers may be able to use logs to improve the efficiency of their applications and troubleshoot performance issues. Financial managers might use alerting to provide early notification of cost overruns. Be generous with the information that your logs can reveal, and allow other organizational units to benefit in their own ways.

Cloud services generate a tremendous amount of log activity. Following these simple steps can help your organization maintain appropriate log records and keep the information it needs in the event of a security incident.

Story by Mike Mullen, a senior field solution architect for CDW’s Secure Cloud team. He is a knowledgeable cybersecurity professional focused on assisting companies as they develop security strategies for their public cloud and hybrid cloud environments. Mullen’s experience with businesses ranging from fledgling startups to expanding global corporations affords him a distinctive viewpoint for determining how security can advance business operations to achieve goals.