Access vs Access+Audit?
by Anton Chuvakin
Now, this is one of'em philosophical posts, but with direct relevance to system administration, security and audit, thus I am reposting here (original and some discussion of it that occured elsewhere). After all, I do have to justify the "Ph" in my Ph.D., right? :-) At the same time, this post will have an unmistakable stench of a rant :-) for some of my readers.
Recently, I was involved in some fun discussions on storage security. And, in most cases, you store "stuff" to let others access it, not just for archival or - gasp!- compliance purposes. One of the storage vendors I talked to recently mentioned that every year they've been in business (since early 90s), they have to add one or more audit features to their information access solution to increase the level of details, performance of their audit logging or whatever other audit related feature.
My response was: "What? You didn't build them from the very beginning?" And then I thought: why provide access without audit logging?
No, really, why have it?! Disks are cheap, bandwidth is affordable, CPUs are powerful: why provide access to any information without having an ability (at least) to log each and every successful and failed access?
Before some of you label me "a privacy Nazi", I have to disclose that I am somewhat of a fan of Scott McNealy's saying "You have no privacy. Get over it." Having access audit info is useful in so many cases, that not doing it becomes inexcusable and, frankly, stupid. Some of the many uses for such information are:
- Operational troubleshooting: knowing who failed to access the info and why
- Policy audit: who accessed what, with or without authorization?
- Regulatory compliance: legal requirement to have audit data is there to stay
- Incident response: what info got stolen and by whom?
- Information access trending and performance optimization: are we providing quick and reliable access to information?
So, what about privacy? Privacy is defined (in Wikipedia, where else) as "ability of an individual or group to keep their lives and personal affairs out of public view, or to control the flow of information about themselves." We see two completely different things here: keeping the info out of public view and controlling the info about you. The former is clearly reasonable and possible. How about the second? To be honest, it sounds like a sheer idiocy to me, because you do not control it and never did. You've got to a) become invisible and b) stay home all the time :-) for a fair shot - albeit not a certainty! - at controlling the info about yourself. I can still talk about you - and thus control the information flow about you - by saying "ah, that invisible guy that stays home all the time!" :-)
So, what is the connection between the above definition and my call for "no access without logging"? Logging is NOT a privacy risk; inappropriate use for collected data is. Before you object by invoking the infamous "guns don't kill people; gaping holes in vital organs do" :-) I have to say that the above privacy definition is about access to information about people, not about the existence of said information. And, yes, Virginia, there IS a difference!
Similarly, nowadays many folks are appalled when they see stuff like this ("Fresh calls for ISP data retention laws. US attorney general cranks up the volume."), but it actually - gasp! - seems reasonable to me, in light of the above. Admittedly, if your bandwidth is so huge that you cannot log and retain, you might be able avoid logging or at least avoid long term log retention, but that is a different story altogether.
Another thing that is tied to this is the whole "privacy vs security" debate which never made quite sense to me - until now. This is indeed the area where those who want to have logs for security and other uses will clash with those who don't trust controls on the collected log data and would prefer for such data to never get created in the first place. But that would be a subject of a follow-up post later....
So, have doing security and especially log analysis for whatever number of years gone to my head? Or am I onto a critical trend here? Comment away!!!
What doesn't exist can't be subpeonaed. This is why so many companies have policies in place mandating deletion of all email after x days. If you work for a big company, inevitably they will be sued. The mere existence of logs is an invitation for a fishing expidition.