Many regulations dictate that application/system logs or audit trails be stored and retained for certain periods of time to prove compliance. For example, GDPR requires that each data controller (and processor) “maintain a record of processing activities under its responsibility”, and that the controller/processor shall “make the record available to the supervisory authority on request”. HIPAA requires to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information”, and PCI requires to “track and monitor all access to network resources and cardholder data”.
However, it is often difficult to prove that the logs have not been tampered with. Existing solutions to this problem usually rely on expensive tamper-resistant hardware or storage medium, a trusted third party to store the logs (e.g., a central log server or a trusted cloud provider) or the principle of “Separation of Duties” – replicating the log data in several places with different permissions which are not likely to collude.
The Logging for Compliance research asset enables taking any log and transforming it to be provably immutable, to enable demonstrating to an auditor/regulator that the log hasn't been changed after the fact. Our solution creates a cryptographically-immutable log which is both publicly verifiable and can be “rotated” once the retention period for certain entries has passed. It makes use of a distributed ledger (such as Blockchain) to publicly commit digitally signed checkpoints that verify the integrity of a block of log entries, thus eliminating any kind of truncation (or elongation) attack.
The application can either call the LoC service directly and send it the messages to log via REST APIs, or the service can automatically pick up messages logged by the application to a file, messaging queue or datastore, thus enabling seamless integration with existing systems. One possible configuration can be seen below: