One of the important lessons from the AOL log saga was to secure your logs (and think twice before letting them out of the building).
Another thing it highlighted was the value of logs outside of the security context - that doesn't mean they aren't really important to security and Information Asset Protection. In fact, Google has been quick to highlight the security value of logs:
"Immediate deletion of IP addresses from our logs would make our systems more vulnerable to security attacks, putting the personal data of our users at greater risk. Historical logs information can also be a useful tool to help us detect and prevent phishing, scripting attacks, and spam, including query click spam and ads click spam," says Fleischer.
Nate Anderson has a great piece on why Google retains log data. Retention laws around the planet differ by country and regulation. Nate makes a good point:
Two months ago, Google announced a plan to anonymize its logs, but only after retaining the data for 18 to 24 months. After that time, user searches will still be stored, but it should be impossible to link search queries up with individual users. Of course, this is what AOL researchers thought when they released their own search logs, but queries often turn out to be highly specific things... the sort of things that can eventually be used to identify individuals.
Fisher also points out that one of the emerging European laws is, well, emerging - complicating things:
"Since these laws do not yet exist, and are only now being proposed and debated," Fleischer says, "it is too early to know the final retention time periods, the jurisdictional impact, and the scope of applicability. It's therefore too early to state whether such laws would apply to particular Google services, and if so, which ones." Even though the laws are not yet in force in Europe and won't apply retroactively, Google still uses the law as an argument to retain data now, and to do so for the longest possible period the law provides for.
One of the challenges is that privacy, telecommunication and labor law differs greatly from one country to another around the world. For instance, in France, log data can be retained for a maximum of 6 months (the penalty is up to 5 years of imprisonment and a 300,000 euro fine), while in Germany it is recommended that log data be deleted as soon as it is no longer needed for fulfilling the purpose for which it was stored - this should typically not exceed 2-3 months.
Compliance mandates also vary in either direct or implied retention requirements:
This is where automating the storage, chain of custody and securing of log data can ease much of the pain. Through a log data warehouse, regional and regulatory requirements can easily be reconciled and managed. So whether or not the Government requires it today, regulations related to your business probably do - collecting and storing log data makes good commercial sense and shouldn't be either a pain or a risk.
Posted May 16, 2007 in Compliance