Audit logging of IBM Cloud events
When you work in a cloud environment, such as the IBM Cloud, you must plan for auditing and monitoring of workloads and data. This should be guided by your internal policies together with industry and location-based compliance requirements. It’s critical to capture audit events generated by the cloud services and hosted workloads running on the cloud platform. With effective audit logging you can investigate abnormal activity and demonstrate compliance with legal and regulatory requirements. By actively monitoring audit events, you can identify and investigate potential security problems and take corrective action.
A core part of the auditing and logging capabilities for IBM Cloud is the forwarding of audit records for each IBM Cloud service through Activity Tracker Event Routing. Through this service, there is the forwarding of all audit events that record the activity of the IBM Cloud APIs and all consumers of the API, such as, the IBM Cloud CLI and console.
Activity Tracker Event Routing receives all audit events from cloud services and they're forwarded to one of three different targets:
- IBM Cloud Object Storage
- IBM Cloud Event Streams
- IBM Cloud Activity Tracker hosted event search
The architecture for IBM Cloud Activity Tracker Event Routing supports workload isolation and is hosted in selected regions.
How you process the audit event logs will depend on the data categorization of the audit events and risk appetite set by your organization. Audit event logs are designed to contain information that many organizations would not categorize as extremely sensitive. However, they do contain IP addresses and the names of cloud resources that some organizations might deem as sensitive requiring enhanced assurance through the use of IBM Cloud for Financial Services Validated services.
Activity Tracker Event Routing, IBM Cloud Object Storage and IBM Cloud Event Streams (Enterprise Plan) are all IBM Cloud for Financial Services Validated. It's recommended that you use these services for capturing and forwarding IBM Cloud platform audit events with a high data categorization.
If you organization deems the audit events aren't the highest data classification, they may decide the additional assurance of a service that's IBM Cloud for Financial Services Validated isn't required. In this case, it may be that IBM Cloud Activity Tracker hosted event search offering is an option for your organization.
Understand the handling requirements for audit logs in your organization to decide on the appropriate solution.
Activity Tracker Event Routing
Use Activity Tracker Event Routing to forward auditable events from IBM Cloud services to either IBM Cloud Object Storage or Event Streams (Enterprise Plan).
Only Event Streams using the Enterprise Plan is IBM Cloud for Financial Services Validated. For more information on Event Streams compliance, see Understanding compliance for Event Streams.
You will find further information on Activity Tracker Event Routing in the cloud documentation:
- A description of Activity Tracker Event Routing
- Configuring for Cloud Object Storage target
- Configuring for Event Streams target
- The Cloud services generating audit events
You must:
- Ensure encryption of object storage with KYOK or BYOK using keys managed either by Hyper Protect Crypto Services or Key Protect, based on the audit events data categorization and risk appetite of your organization. For information on encrypting Cloud Object Storage, see Server-Side Encryption with Hyper Protect Crypto Services.
- Configure storage capacity for audit log storage to support retention requirements with retention of at least 90 days of online records and one years’ worth of records offline to support archival. For managing retention of data, see Deleting stale data with expiration rules.
- Monitor to ensure that any limits, such as quota, aren't reached for Object Storage and are increased if necessary. For setting quotas on storage, see Setting a quota on a bucket.
- Ensure audit events are available from collection from Cloud Object Storage for log analysis or forwarded from Event Streams to your security information and event management (SIEM) solution for threat monitoring.
Online retention refers to security audit logs that are available for analysis within one hour or less, and offline retention refers to security audit logs that are available for analysis within two business days or less.
Activity Tracker hosted event search
Use IBM Cloud Activity Tracker hosted event search to capture a record of your IBM Cloud activities and monitor the activity of your IBM Cloud account. You can use this service to investigate abnormal activity and critical actions, and comply with regulatory audit requirements. The events that are collected comply with the Cloud Auditing Data Federation (CADF) standard and stored in IBM Cloud Object Storage.
As the service doesn't have Financial Services Validation, we don’t recommend it for sensitive or high category data than you may decide to use this capability if the data isn't at your highest level of categorization for your organization, as it offers additional functionality including the ability to display, search and alert on audit events without the need to hosting a log management solution. It may also be a suitable solution for application testing or a proof of concept as the events can be redirected using Activity Tracker Event Routing when the application uses more sensitive data.
You will find further information on Activity Tracker hosted event search in the cloud documentation:
- A description of Activity Tracker hosted event search
- Provisioning an instance of Activity Tracker
- The Cloud services generating audit events
You must:
- Ensure the storage is encrypted with KYOK or BYOK using keys managed either by Hyper Protect Crypto Services or Key Protect, based on the audit events data categorization and risk appetite of your organization. For Activity Tracker hosted event search, see Encrypt data with your own key for more information.
- Configure storage capacity for audit log storage to support retention requirements with retention of at least 90 days of online records and one years’ worth of records offline to support archival. For managing retention of data, see Deleting stale data with expiration rules.
- Monitor to ensure that any limits, such as quota, aren't reached for Object Storage and are increased if necessary. For setting quotas on storage, see Setting a quota on a bucket. For managing large numbers of unexpected audit events, see Managing volume spike protection and costs.
- Ensure audit events are configured to forward to Event Streams and onto to your security information and event management (SIEM) solution for threat monitoring.
Related controls in IBM Cloud Framework for Financial Services
The following IBM Cloud Framework for Financial Services controls are most related to this guidance. However, in addition to following the guidance here, do your own due diligence to ensure you meet the requirements.
| Family | Control |
|---|---|
| Access Control (AC) | AC-2 Account Management AC-2 (1) Account Management | Automated System Account Management AC-2 (4) Account Management | Automated Audit Actions AC-2 (7) Account Management | Privileged User Accounts |
| Audit and Accountability (AU) | AU-3 Content of Audit Records AU-4 Audit Log Storage Capacity AU-5 Response to Audit Processing Failures AU-6 Audit Record Review, Analysis. and Reporting AU-6 (1) Audit Record Review, Analysis. and Reporting | Automated Process Integration AU-7 Audit Record Reduction and Report Generation AU-10 Non-repudiation AU-11 Audit Record Retention |