Securing your data in IBM Cloud Logs
To ensure that you can securely manage your data when you use IBM Cloud Logs, it is important to know exactly what data is stored and encrypted and how you can delete it.
How your data is stored and encrypted in IBM Cloud Logs
IBM Cloud Logs manages two types of data on behalf of customers: service configuration data and log data.
Information about managing configuration data is available in Configuring your account preferences. Configuration data is considered 'metadata'. Additional types of metadata include alerts, parsing rules, TCO policies, and similar configuration data. Configuration metadata is encrypted using service provider key management.
Log data can come from many sources: agents, IBM Cloud services, APIs, and so on. Log data is processed by IBM Cloud Logs. You can control which data is ingested and made available for search in IBM Cloud Logs. For more information, see Controlling data ingested for search in IBM Cloud Logs.
The type of encryption used with log data depends on how IBM Cloud Logs is configured to process the data. Users configure TCO policies to manage how their log data is processed.
- Data processed in motion by IBM Cloud Logs is protected using service-managed encryption.
- Data stored at rest with Priority insights is managed with service-managed encryption.
- Data stored at rest in an IBM Cloud® Object Storage (COS) bucket can be managed with customer-managed encryption.
Data stored in IBM Cloud® Object Storage is a copy of data in Priority insights and the data retained in Analyze and alert and Store and search.
If the data must be protected by customer-managed encryption, then TCO policies need to be configured to exclusively process data with Analyze and alert or Store and search. For more information, see Configuring the TCO Optimizer.
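One way to check the requirement above is to audit an exported list of TCO policies for any that route data to Priority insights. This is an added example, not IBM code: the field names (`name`, `priority`, `enabled`) and the priority values are assumptions about the policy export format, and the sample policies are constructed.

```python
# Added example: flag TCO policies that rule out customer-managed encryption.
# Field names and priority values below are assumptions; check them against
# the policy export you actually work with.

# Assumed mapping from a policy's "priority" value to its pipeline.
PIPELINES = {
    "type_high": "Priority insights",
    "type_medium": "Analyze and alert",
    "type_low": "Store and search",
    "type_block": "blocked (not stored)",
}
# Values that keep retained data out of Priority insights.
ALLOWED = {"type_medium", "type_low", "type_block"}


def audit_policies(policies):
    """Return (policy name, reason) findings; an empty list means compliant."""
    findings = []
    for policy in policies:
        name = policy.get("name", "<unnamed>")
        if not policy.get("enabled", True):
            continue  # a disabled policy routes nothing
        priority = policy.get("priority")
        if priority not in PIPELINES:
            # Fail closed: an unrecognised value cannot be shown to be safe.
            findings.append((name, f"unknown priority {priority!r}"))
        elif priority not in ALLOWED:
            findings.append((name, f"routes to {PIPELINES[priority]}"))
    return findings


# Constructed sample policies (not taken from a real instance).
SAMPLE_POLICIES = [
    {"name": "payments-hot", "priority": "type_high", "enabled": True},
    {"name": "audit-archive", "priority": "type_low", "enabled": True},
    {"name": "metrics", "priority": "type_medium", "enabled": True},
    {"name": "old-debug", "priority": "type_high", "enabled": False},
    {"name": "legacy", "priority": "tier1", "enabled": True},
]

if __name__ == "__main__":
    for name, reason in audit_policies(SAMPLE_POLICIES):
        print(f"NON-COMPLIANT {name}: {reason}")
```

The check covers only the policies it is given; how logs that match no policy are routed has to be confirmed separately.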
Protecting your sensitive data in IBM Cloud Logs
Log data managed in an IBM Cloud® Object Storage (COS) bucket supports the bring your own key method or keep your own key method, allowing you to meet the data control requirements if you need this level of assurance. For more information, see Data security.
Two key management options often selected are:
- Key Protect – a full-service encryption solution that allows data to be secured and stored in IBM Cloud using the latest encryption techniques, leveraging FIPS 140-2 Level 3 certified cloud-based hardware security modules.
- Hyper Protect Crypto Services – a dedicated key management service and hardware security module (HSM) based on IBM Cloud.
Follow the IBM Cloud® Object Storage (COS) bucket configuration guidance provided by each of these services. No unique IBM Cloud Logs configuration is required beyond connecting your IBM Cloud Logs instance to a COS bucket.
Deleting your data in IBM Cloud Logs
When you delete your IBM Cloud Logs instance, all of the user data that is associated with the instance is also deleted. When the instance is deleted, a 7-day reclamation period begins. During that time, you are able to restore the instance and all of its associated user data. However, if the instance and data are permanently deleted, they can no longer be restored.
Deleting the IBM Cloud Logs instance
If you no longer need an instance of IBM Cloud Logs, you can delete the instance and any data that is stored. Once the instance is deleted, you will no longer have access to it. The instance will remain in the pending reclamation phase for 7 days. If you choose to reclaim the instance within this period, the reclamation process can be initiated and will complete successfully. See Removing an instance for the steps to delete an instance.
Restoring deleted data for IBM Cloud Logs
When an IBM Cloud Logs instance is deleted, it is put in a suspended state for 7 days, after which it is removed from the IBM Cloud. If the instance is reclaimed and re-enabled, you can regain access to it. Any previously stored data will be available and accessible again. If the instance is not reclaimed within the 7-day pending reclamation period, the data will be permanently deleted within 90 days. See Recovering a deleted instance for the steps to recover an IBM Cloud Logs instance.
Data retention in Priority insights depends on the service plan configured for the instance.