Welcome!

@DevOpsSummit Authors: Pat Romanski, Liz McMillan, Yeshim Deniz, Zakia Bouachraoui, Elizabeth White

Related Topics: @DevOpsSummit, Linux Containers, Agile Computing, @CloudExpo, Apache

@DevOpsSummit: Blog Post

Best Practices for Cloud Logging and Data Security By @TrevParsons | @DevOpsSummit [#DevOps]

Best Practices for Cloud Logging, Security, & Data Protection

Best Practices for Cloud Logging, Security, & Data Protection

This article originally published on the Logentries Blog.

When we first founded Logentries in 2010 a lot of people thought Viliam Holub (co-founder, CTO, and the brain behind processing billions and billions of log events in real time) and I were crazy. The common response was:

"People are not going to send their logs to the cloud... logs might contain very sensitive data..."

Like typical stubborn founders we persevered in spite of this, and today we have more than 35,000 users across 100 countries. Our customers also range from fortune 100 companies to individual developers across almost all verticals from SaaS companies, to healthcare, financial services, commerce and a bunch of others.

So, why do companies now trust sending log data to a cloud based service?  Id like to share some of the reasons we have found our customers are using secure, cloud-based logging.


  • For on-prem workloads: Your logs may be a lot safer in the cloud than they are on-premise. Cloud vendors like AWS, Google, Microsoft invest heavily in security and have hardcore security teams looking out for you. For example the level of security provided in Amazon's cloud platform is described in more detail here. Furthermore your logging provider should be looking out for you by making sure data is encrypted on the wire, sensitive data is stripped out before it leaves your network, and encrypting data at rest. It's unlikely that your homegrown logging solution will have your data locked down quite so securely, at least not without significant investment.
  • Sending logs to a remote location can be a MORE secure option: With cloud-based logging your logs are stored remotely from your running systems. This is recommended as a security best practice; if your system is compromised, a hacker will often delete the logs on your local system to remove any evidence of his/her activity. By storing your logs remotely this cannot be performed as you will have a redundant copy of the log data at Logentries.

As you consider moving your log management and analytics to the cloud, here are our five best practices you should look for from log management service to assure security:

  1. Website Integrity: A good indicator of how serious a company takes it's security is how it deals with website integrity. For cloud services this is often the gateway to your data. For example at Logentries we we redirect all web HTTP requests to our website to HTTPS. This ensures the integrity of the Logentries website by using SSL authentication between the Customer and the Logentries web interface. The Logentries service must show a valid SSL certificate to each Customer to initiate this link. Perfect Forward Secrecy is also used on our web servers for HTTPS. In addition to the usual confidentiality and integrity properties of HTTPS, forward secrecy adds a new property. If an adversary is currently recording all a users' encrypted traffic, and they later crack or steal Logentries private keys, by using perfect forward secrecy they should not be able to use those keys to decrypt the recorded traffic at a point in the future.
  2. What if I have sensitive data in my logs: While it's usually a not a good idea to write PII or sensitive data to your logs, it is not always unavoidable and in some cases it can occur inadvertently or as a result of an oversight. Having the ability to search for and filter out/redact/obfuscate sensitive data from your logs is a key requirement for many organizations. The Logentries Datahubhas been designed with this in mind so that you can easily filter out and redact any sensitive data before it leaves your network. It has been designed in conjunction with a number of our customers who have data protection and security requirements and in particular for those who require PCI, HIPPA or similar audits.
  3. Is your data encrypted on the wire: Sending your logs is the clear is rarely a good idea. Data sent to a cloud logging service should be done so via SSL so that it is encrypted on the wire. You should check if your log forwarding agent/collector or syslog setup is configured to support this.
  4. Is your data encrypted at rest: Data at rest should also be encrypted. I.e any data you send to a cloud service should be encrypted when it sits on disk in the cloud environment. Ask your logging provider if this is the case and what encryption they are using for this.
  5. Where does your data reside: Check where your logs actually reside. Are they in a SOC 2 compliant data center? How is it protected? What jurisdiction is it in and what are the data protection policies in that jurisdiction.

Want to learn more or chat with a cloud logging expert? Get started with a free 30-day trial here, or contact us at [email protected]

More Stories By Trevor Parsons

Trevor Parsons is Chief Scientist and Co-founder of Logentries. Trevor has over 10 years experience in enterprise software and, in particular, has specialized in developing enterprise monitoring and performance tools for distributed systems. He is also a research fellow at the Performance Engineering Lab Research Group and was formerly a Scientist at the IBM Center for Advanced Studies. Trevor holds a PhD from University College Dublin, Ireland.

@DevOpsSummit Stories
While some developers care passionately about how data centers and clouds are architected, for most, it is only the end result that matters. To the majority of companies, technology exists to solve a business problem, and only delivers value when it is solving that problem. 2017 brings the mainstream adoption of containers for production workloads. In his session at 21st Cloud Expo, Ben McCormack, VP of Operations at Evernote, discussed how data centers of the future will be managed, how the public cloud best suits your organization, and what the future holds for operations and infrastructure engineers in a post-container world. Is a serverless world inevitable?
Wooed by the promise of faster innovation, lower TCO, and greater agility, businesses of every shape and size have embraced the cloud at every layer of the IT stack – from apps to file sharing to infrastructure. The typical organization currently uses more than a dozen sanctioned cloud apps and will shift more than half of all workloads to the cloud by 2018. Such cloud investments have delivered measurable benefits. But they’ve also resulted in some unintended side-effects: complexity and risk. End users now struggle to navigate multiple environments with varying degrees of performance. Companies are unclear on the security of their data and network access. And IT squads are overwhelmed trying to monitor and manage it all.
With more than 30 Kubernetes solutions in the marketplace, it's tempting to think Kubernetes and the vendor ecosystem has solved the problem of operationalizing containers at scale or of automatically managing the elasticity of the underlying infrastructure that these solutions need to be truly scalable. Far from it. There are at least six major pain points that companies experience when they try to deploy and run Kubernetes in their complex environments. In this presentation, the speaker will detail these pain points and explain how cloud can address them.
Dhiraj Sehgal works in Delphix's product and solution organization. His focus has been DevOps, DataOps, private cloud and datacenters customers, technologies and products. He has wealth of experience in cloud focused and virtualized technologies ranging from compute, networking to storage. He has spoken at Cloud Expo for last 3 years now in New York and Santa Clara.
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.