
I was discussing with my friend the topic of the importance of log analytics/correlation and real-time response for an organization. Then he mentioned that some people consider sending logs (collected from a network: IDS, firewall) to the cloud for storage purposes. Is this a good idea? What are the problems/issues he should solve?

All I could think of is the following

  • Trust issues / security: He is sending sensitive data to the cloud; will he trust a cloud service provider with this information? Is encryption really enough?
  • Real-time response to security incidents: If an organization sends data to the cloud, will that affect its response in real time? Especially if he needs to perform some operations in the cloud before sending the logs for analytics.

Is it a good decision to make? Did I mention all the problems he should solve if he is determined on that decision?

U. User
  • Most companies are at least partially already in the "cloud". So whether you are sending data from the cloud to your prem, from cloud to cloud, or from prem to cloud, it is transferring to or from the cloud for most enterprises these days. Is your friend's infrastructure purely on-prem, hybrid or "fully cloud based"? – DarkMatter May 15 '19 at 14:48
  • From my understanding, he only wants to send logs to a "cloud" server so he won't have to deal with physical storage issues, etc. So I would say hybrid. It's true that most companies are already in the "cloud" as you have said, but my issue is the kind of data he will be sending to the cloud: security data that needs to be processed in real time! – U. User May 15 '19 at 14:59
  • I wouldn't worry about the real-time aspect...the network latency is the least of your problems in real-time analysis IMO...it might be faster in the cloud if it is running on optimized hardware that you wouldn't have access to on-prem on a budget. – DarkMatter May 15 '19 at 15:20
  • So what do you think? What are the other things he should consider? – U. User May 15 '19 at 15:59
  • There's at least one more issue to consider. Many organizations have been caught when they don't secure cloud-based data. It seems every week there's a headline "organization X found to have leaked data Y to world+dog through not securing Amazon EC2 instance". Also, if you encrypt the data, where do you store the encryption password where it'll be both easy to find, but hard for bad guys to find? – Steve Sether May 15 '19 at 19:39
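
The two concerns raised in the question (can the provider read the logs, and does shipping them delay real-time response) can both be addressed at the point where the logs are produced. The following is an added example, not code from the original question or from any product mentioned on this page. It runs a simple on-prem detection pass over a batch of firewall/IDS lines before anything leaves the site, then seals the batch with AES-256-GCM under a key the cloud provider never sees, binding a batch identifier as associated data so a stored blob cannot be swapped for another batch without detection. The log lines, the field names (`action`, `src`), the burst threshold and the batch identifier are all constructed for the example; the key is generated in memory here as a stand-in for a key kept in an on-prem KMS or HSM, which is an assumption about how it would be deployed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample lines in a generic firewall/IDS key=value style (not real captures).
var sampleLines = []string{
	"2019-05-15T14:48:01Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
	"2019-05-15T14:48:02Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
	"2019-05-15T14:48:02Z fw01 action=ALLOW src=198.51.100.4 dst=10.0.0.80 dport=443",
	"2019-05-15T14:48:03Z fw01 action=DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
	"2019-05-15T14:48:04Z ids01 sig=ET_SCAN_Nmap src=203.0.113.7 dst=10.0.0.5",
}

// field returns the value of a "key=value" token in a line; ok is false if the key is absent.
func field(line, key string) (string, bool) {
	for _, tok := range strings.Fields(line) {
		if strings.HasPrefix(tok, key+"=") {
			return strings.TrimPrefix(tok, key+"="), true
		}
	}
	return "", false
}

// DenyBursts is the on-prem real-time check. It runs before any line leaves the
// site and returns, in first-seen order, every source with at least threshold
// DENY events in the batch. Lines without an action field (IDS alerts) are skipped.
func DenyBursts(lines []string, threshold int) []string {
	counts := map[string]int{}
	var order []string
	for _, l := range lines {
		if action, _ := field(l, "action"); action != "DENY" {
			continue
		}
		src, ok := field(l, "src")
		if !ok {
			continue
		}
		if counts[src] == 0 {
			order = append(order, src)
		}
		counts[src]++
	}
	var hits []string
	for _, src := range order {
		if counts[src] >= threshold {
			hits = append(hits, src)
		}
	}
	return hits
}

// NewKey returns a fresh 256-bit key. In a real deployment this would be held
// on-prem (KMS/HSM); generating it here is an assumption for the example.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("need a 32-byte key for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBatch encrypts the joined lines with AES-256-GCM. batchID is bound as
// associated data, so the blob only opens under the same batchID. Output
// layout: nonce || ciphertext || tag. Only this blob is sent to cloud storage.
func SealBatch(key []byte, batchID string, lines []string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plaintext := []byte(strings.Join(lines, "\n"))
	return aead.Seal(nonce, nonce, plaintext, []byte(batchID)), nil
}

// OpenBatch decrypts a blob fetched back from storage. Any error means wrong key,
// wrong batchID, or a modified blob; the caller must not use partial output.
func OpenBatch(key []byte, batchID string, blob []byte) ([]string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(batchID))
	if err != nil {
		return nil, err
	}
	return strings.Split(string(pt), "\n"), nil
}

func main() {
	key, _ := NewKey()
	fmt.Println("local alerts before upload:", DenyBursts(sampleLines, 3))
	blob, _ := SealBatch(key, "fw01-batch-0001", sampleLines)
	fmt.Printf("blob for cloud storage: %d bytes, plaintext visible: %v\n",
		len(blob), strings.Contains(string(blob), "DENY"))
}
```

The split matters for both of the question's bullets: detection runs on the plaintext locally, so the cloud round trip adds nothing to the response time, and what reaches the provider is ciphertext whose integrity and batch identity are checked on the way back. Note that this does not hide metadata (batch sizes, upload timing), and it moves the problem to key custody on-prem rather than removing it.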

1 Answer


As usual: threat-risk-mitigation.

Sending security logs from a highly secured zone to a less secured one can be harmful if the content of the security logs can help attackers learn the security practices, and hence how to circumvent them, which is a common use case for security logs.

But being in the cloud is not the only determinant of a security zone. Furthermore, if the application platform is already in the cloud, the question can be quite different.

So IMHO the only questions are: what is the security level at the place where the logs are produced, what is the reason for that level, and what is the security level of the place where the logs will be transferred? If there is a strong decrease in security level and a risk analysis has concluded that the current security level was required, it is a bad idea. If the cloud storage is compatible with the global security requirements, I cannot see any problem.

Serge Ballesta
  • Mmm, interesting. I think this will take some time and a lot of research, because the change of security level is not the only thing to take into account, but also the loss of control of logs: "The cloud service provider may choose how and where data is stored; how often it is backed up; which encryption scheme is used, if one is used at all;" This will raise other problems (log management and compliance, disaster recovery, etc.) – U. User May 15 '19 at 22:18