Heterogeneous logging
Interconnected systems in a service-oriented architecture (SOA) pose no solution for security auditors. Quite the contrary.
System logging is a very important mechanism for documenting what has actually happened – also called non-repudiation. In the old days when an application exclusively handled a particular task without much integration to other systems, it was sufficient to examine that system’s log.
Now, let’s consider an intranet portal. The portal consists of, say, 5 portlets which collect data from various backend systems such as HR, mail, corporate news, education etc. This means that logs will be spread across all the visited systems, making it very difficult to reconstruct the audit trail of a suspected user and determine what the user actually did on those systems.
Recently I’ve been on two engagements with customers who had identified the need for such a clear audit trail. IBM’s solution for this is called Tivoli Compliance Insight Manager (TCIM) and is basically a system that consolidates logs from various systems (Windows, Unix, z/OS, etc.) as well as applications and network boxes.
TCIM is a step in the right direction and can be used within the internal perimeter. In an external SOA we once again stumble upon the need for standard ways to communicate logs. A standard approach is important because otherwise the cost of integrating would be too high, and probably not all information would be made available.
… and when that information is there we need to consider which info to share.
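The portal scenario above, as an added example (not from the original post, and not a description of how TCIM works): three differently formatted logs are normalised to UTC records and merged into one per-user trail. The log formats, host names, user ids, and the year and time zone assumed for the syslog-style lines are all assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines; formats, hosts and user ids are assumptions.
PORTAL_LOG = [
    '10.0.0.7 - jdoe [12/Mar/2009:09:15:02 +0100] "GET /portal/hr HTTP/1.1" 200',
    '10.0.0.9 - asmith [12/Mar/2009:09:15:40 +0100] "GET /portal/news HTTP/1.1" 200',
]
HR_LOG = ['{"ts": "2009-03-12T08:15:03Z", "uid": "JDOE", "op": "view_record"}']
MAIL_LOG = [
    "Mar 12 08:16:11 mail01 imapd[311]: login user=jdoe ip=10.0.0.7",
    "Mar 12 08:16:30 mail01 imapd[311]: truncated ent",
]
PORTAL_RE = re.compile(r'\S+ - (\S+) \[([^\]]+)\] "(\S+ \S+)')
MAIL_RE = re.compile(r"(\w{3} +\d+ [\d:]+) \S+ \S+ (\w+) user=(\S+)")

def parse_portal(line):
    m = PORTAL_RE.match(line)  # a non-matching line raises AttributeError below
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return ts.astimezone(timezone.utc), "portal", m.group(1).lower(), m.group(3)

def parse_hr(line):
    rec = json.loads(line)
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, "hr", rec["uid"].lower(), rec["op"]

def parse_mail(line, year=2009):  # stamp has no year or zone: 2009 and UTC assumed
    m = MAIL_RE.match(line)
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc), "mail", m.group(3).lower(), m.group(2)

SOURCES = [(PORTAL_LOG, parse_portal), (HR_LOG, parse_hr), (MAIL_LOG, parse_mail)]

def audit_trail(user):  # -> (user's events sorted by UTC time, unparseable lines)
    events, rejected = [], []
    for lines, parser in SOURCES:
        for line in lines:
            try:
                event = parser(line)
            except (AttributeError, KeyError, ValueError):
                rejected.append(line)  # keep gaps in the trail visible
                continue
            if event[2] == user.lower():
                events.append(event)
    return sorted(events), rejected

if __name__ == "__main__":
    for ts, system, who, action in audit_trail("jdoe")[0]:
        print(ts.isoformat(), system, who, action)
```

The three sources disagree on time zone, user-id case and field names, so a merged trail is only trustworthy once those are normalised and the rejected lines are reviewed rather than dropped.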