Markle Foundation

Markle Foundation

Implementing a Trusted Information Sharing Environment Using Immutable Audit Logs to Increase Security, Trust, and Accountability A PAPER BY THE MARKLE TASK FORCE ON NATIONAL SECURITY IN THE INFORMATION AGE zoë baird, james barksdale chairmen M A R K L E F O U N D A T I O N TASK FORCE ON NATIONAL SECURITY IN THE INFORMATION AGE MEMBERS AND ASSOCIATES, 2006 Chairmen Eric H. Holder, Jr. Richard Falkenrath Covington & Burling The Brookings Institution Zoë Baird Markle Foundation Jeff Jonas David Gunter IBM Microsoft Corporation Jim Barksdale Barksdale Management Corporation Arnold Kanter Drew Ladner The Scowcroft Group JBoss, Inc. Members Tara Lemmey Randolph D. Moss Robert D. Atkinson LENS Ventures Wilmer Cutler Pickering LLP Progressive Policy Institute Gilman Louie Bill Neugent Eric Benhamou Alsop Louie Partners MITRE 3Com Corporation, Palm, Inc., Benhamou Global Ventures, LLC John O. Marsh, Jr. Daniel Prieto Marsh Institute for Government and Public Kennedy School of Government, Harvard Jerry Berman Policy, Shenandoah University University Center for Democracy & Technology Judith A. Miller Clay Shirky Robert M. Bryant Bechtel Group, Inc. Writer and Consultant National Insurance Crime Bureau James H. Morris Peter Swire Ashton B. Carter Carnegie Mellon University Moritz College of Law, The Ohio State University Kennedy School of Government, Harvard University Craig Mundie Kim Taipale Microsoft Corporation Center for Advanced Studies in Science and Wesley Clark Technology Policy Wesley K. Clark & Associates Jeffrey H. Smith Arnold & Porter LLP Mel Taub William P. Crowell Independent Consultant Security and Intelligence Consultant Abraham D. Sofaer Hoover Institution, Stanford University Richard Wilhelm Bryan Cunningham Booz Allen Hamilton Morgan & Cunningham LLC James B. Steinberg Lyndon Johnson School of Public Affairs, Director , National Security Program Sidney D. Drell University of Texas at Austin Stanford Linear Accelerator Center, Stanford Linda Millis University Paul Schott Stevens Markle Foundation Investment Company Institute Esther Dyson Markle Foundation Staff CNET Networks Rick White former Member of Congress Karen Byers Amitai Etzioni Managing Director and Chief Financial Officer The George Washington University Associates Kim Hogg David J. Farber Laura Bailyn Assistant to the President Carnegie Mellon University Skadden, Arps, Slate, Meagher & Flom LLP Michelle Maran John Gage Rand Beers Manager, Public Affairs Sun Microsystems, Inc. Coalition for American Leadership and Security Danielle Petras John Gordon Project Assistant, Task Force on National Security United States Air Force, Retired Bruce Berkowitz in the Information Age Hoover Institution, Stanford University Slade Gorton Stuart Schear Preston Gates & Ellis LLP Scott Charney Director of Communications, Health and National Microsoft Corporation Security Programs Morton H. Halperin Open Society Institute Bob Clerman Stefaan Verhulst Mitretek Systems Chief of Research Margaret A. Hamburg Nuclear Threat Initiative Jim Dempsey Visualization Producer Center for Democracy & Technology John J. Hamre Sean Dolan Center for Strategic and International Studies Mary DeRosa LENS Ventures Center for Strategic and International Studies Implementing a Trusted Information Sharing Environment Using Immutable Audit Logs to Increase Security, Trust, and Accountability* February 2006 A Project of The Markle Foundation New York City * The Markle Foundation Task Force on National Security in the Information Age acknowledges and thanks Jeff Jonas and Peter Swire as lead authors of this monograph, as well as Daniel Prieto for initial editing. Executive Summary policies and laws. The resulting lack of trust in institutional compliance can lead to a situation in which reasonable and desirable uses of information are Widespread adoption of a trusted information sharing blocked for fear that privacy and civil liberties environment (ISE) requires that users have confidence in protections may be violated, or that data could be the security of the system. To promote confidence and misused. As such, IALs may represent an intermediate trust in the ISE and to help govern information sharing, solution between public communication and total the ISE should incorporate robust security and audit secrecy. features, including immutable audit logs (IALs). The ability to maintain tamper-resistant logs of user activity on This paper seeks to provide insight into the use of the network can increase security, build trust among IALs for the ISE by exploring the technical, policy, and users, ensure compliance with relevant policies and security issues relating to IALs. The paper explores guidelines, and improve transparency and the ability to some of the technical issues relating to IALs, including perform oversight by appropriate stakeholders outside of what can be logged effectively, the differences between the system. mutable and immutable logs, and institutional barriers to deployment of IALs. It analyzes some of the Audit logs will record activity that takes place on the potential benefits to the ISE of deploying IALs. At the information sharing network, such as, for example, same time, the paper recognizes some drawbacks, queries made by users, the information accessed, including the possibility that IALs may introduce new information flows between systems, and date- and time- vulnerabilities. Finally, the paper offers policy markers for those activities. Making such logs immutable recommendations. builds confidence that they accurately reflect actual activity and have not been altered. By providing thorough The paper intentionally does not examine or discuss recordkeeping on the activities that occur within the ISE, other potential and beneficial functions of a officials can use IALs to demonstrate that sharing comprehensive logging system, which might include: behavior complies with applicable laws and policies, and monitoring system and network functionality, or to detect violations. IALs will be a critical component for system self-awareness (for example, to discover the ISE since improved and innovative sharing behavior common interests among users, inform resource will represent a marked departure from the current decisions, or improve analysis and reporting by business and behavioral models typical within contributing to a planning process). government. ISE managers should ensure that IALs do not create their A. Benefits of using IALs own security vulnerability by using encryption, ensuring that logs are never stored in a single location, strictly Any audit—whether based on mutable or immutable limiting access to logs, and subjecting everyone reviewing logs—provides benefits, including the ability to deter, logs to audit. detect, and prove policy violations. The ability to perform audits within a system serves as a deterrent because system users will know in advance that logging Discussion and Analysis and auditing are being used to identify policy violations. The perception that a system is effectively logged and It is essential to put in place effective safeguards and will be audited may thus reduce violations by users. security measures to accompany greater sharing of Detection occurs when an actual policy violation is sensitive information within the ISE. The Markle uncovered after the fact. Detection may occur as a Foundation Task Force on National Security in the result of sampling, when one of the transactions Information Age recommended a number of such selected for random audit reveals a violation. Detection measures in its 2003 report, Creating a Trusted Information may also occur in the context of a specific Network for Homeland Security (available at investigation, when the actions of a suspect are www.markle.org). One powerful component of the ISE examined carefully and a violation is detected. Finally, should be the ability to record system activity in IALs. audits can be used to create evidence of a violation. If there is a credible recordkeeping system in place, then IALs are especially important for systems where there is records from the system can be convincing to those limited transparency, such as the ISE, which contains investigating and judging a case. classified government information. Without logging of user activity in such systems, there is no way to Typically, audit logs are maintained in the custody of a demonstrate clearly for oversight and accountability highly privileged system user, for example, a system purposes that there is compliance with established administrator with authorized access. Logs are typically MARKLE FOUNDATION 1 mutable—that is, the system administrator (or others with missing transaction is physically apparent appropriate privileges) can add, change, and delete log entries. from a gap in the paper roll. Traditional mutable logs are also vulnerable to unauthorized tampering by a malicious party other than the system In the shift to computerized administrator. Indeed, changing logs is a standard procedure recordkeeping, there are techniques for for both inside and outside hackers in order to hide evidence essentially reproducing the functionality of that would reveal their unauthorized activity. the continuous roll of paper. Electronic records can be digitally date- and time- To address deficiencies of trust in mutable logs, immutable stamped, to assure the integrity of the logs require either that log information cannot be altered by stamped record. In addition, records can anyone regardless of access privilege (true immutability) or

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    12 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us