Right from day 1 of building our service, we were wondering how people would react to the idea of sending their logs to a third-party service. Would they trust the concept and would they trust us in the first place? However this is becoming less and less of an issue for our prospective customers and we find questions around ‘cloud security’ are raised a lot less often than when we first set out in 2010. Through 2011 it seems the market has become a lot more accepting of software as service.
Still, from time to time, we are asked why we should be trusted with customer log data, or why customers should trust any third party. Over the next few posts I would like to share a few thoughts on the topic of security and how security is often perceived.
For starters we’ll take a look at the on-premise security.
There are a wide range of log management software products that can are installed on-premise. Having your data on-premise can feel more secure than an on-line service. As we’ll discuss in the next few paragraphs – this perception is often false.
First, as with an on-line provider, you have to trust the software producer. The software installed is a black box so you do not really know what it does. Even the biggest and “best” companies have a bad track of misbehaving software or unwanted hidden functionality, including Microsoft and Apple. If you do not know what your software is doing it can be difficult to be completely confident in the security of the data its managing.
One of the main reasons why logs should be stored remotely however is highlighted in answering this next question: what is the first thing the attacker does when she breaks into your system? She manipulates the logs in order to hide herself. In this case storing logs locally is a major drawback as if your network is compromised, it may be difficult to identify that a breach has taken place. Without logs that you can trust you may never know about an attack that has already happened. To provide log integrety, PCI compliance standards require that you generate security hashes of your logs and so you can detect log manipulation (it assumes the attacker won’t be able to regenerate those hashes however). But better again – store your logs remotely from your network so that if your network is compromised, your logs are not!
Also, surprisingly a majority of attacks are performed from inside the network rather than from outside. Once inside a network, the attack surface is much larger (e.g. from local computers) than on the outside. For instance, RSA (a company in the business of security) has been a victim of a malicious flash script inside an Excel document run on an employee’s desktop. This minor penetration in a random unprivileged user opened the door for further internal attacks leading to a disastrous loss of random seeds for their security tokens.
I hope I’ve piqued your brain a little and eroded the perception that on-premise installed software is a priori more secure than online services. I’ll continue on this topic with more thoughts in following posts. In meantime, feel free to drop your questions or comments either directly to us or below in discussion.