Activity logging refers to the process of recording and tracking activities and events within the CSPM environment. It involves capturing relevant information about user actions, system activities, and security events to maintain an audit trail for monitoring, analysis, and compliance purposes. These activities also include changes to configurations, user access and permissions, network traffic, system events, and more. The purpose of activity logging is to provide a comprehensive audit trail and visibility into actions and behaviors within the cloud infrastructure, helping organizations monitor, detect, and respond to security threats and compliance issues. Let us now understand the key elements associated with activity logging.
User activities
Activity logging records user actions within the CSPM tool, such as user logins, changes to user permissions, configuration modifications, and execution of various operations or tasks. These actions include the following:
- User authentication and authorization: Logging user logins, successful and failed authentication attempts, and authorization decisions (for example, granting or revoking user access)
- Resource provisioning and management: Tracking actions such as creating, modifying, or deleting cloud resources, including VMs, databases, storage buckets, network configurations, and so on
- Configuration changes: Recording modifications made to the configuration settings of cloud services, such as firewall rules, access controls, encryption settings, or any other parameters that affect security and compliance
- Data access and manipulation: Logging when users access or modify data stored within the cloud environment, including reading, writing, or deleting files, databases, or other sensitive information
- Account and identity management: Tracking changes related to user accounts, such as user creation and deletion, password resets, or changes to user roles and permissions, including privilege escalation
Vendor access to customer CSPM environment – benefits, risks, and best practices
Benefits: It is quite common for vendor-side engineers to have access to your CSPM environment during the deployment phase. Vendors usually provide support for the smooth deployment of the tool, which is beneficial and time-saving for customers. It can also be beneficial to extend permissions to the vendor side when a customer needs help investigating abnormal tool behavior or handling exceptional cases. Such situations are increasingly common rather than rare.
Risks: Giving a vendor access to your environment introduces risks such as exposure of security loopholes, data infiltration, data theft, and more. Organizations need to be aware of these situations and should put measures in place to mitigate those risks.
Best practices: The first and most important action is to have a non-disclosure agreement (NDA) signed by the vendor that is legally binding and establishes a confidential relationship. Through it, the vendor agrees that any sensitive information it obtains will not be made available to others. The vendor must never hold default or standing, indefinite access. If access is needed, the CSPM admin should grant time-bound access to the tool and must revoke it as soon as the support task is completed. During this period, a complete activity log must be tracked, stored, and reviewed. It is also important to understand that most CSPM tools are offered as SaaS, and hence, as a CSPM customer, you do not have visibility into the tool's underlying infrastructure. On the application front, however, the customer must have complete visibility into, and control over, user activities.
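The review step described above can be partly automated. The following added example (not code from the book or from any CSPM product) checks a constructed activity log against a time-bound vendor access grant: it flags vendor actions outside the approved window, identity-management actions performed by the vendor account, and a grant that was never revoked. The event field names, action names, and sample records are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed vendor access grant: the time-bound window the CSPM admin approved.
VENDOR_GRANT = {"actor": "vendor-support@example-vendor.test",
                "start": "2024-05-01T09:00:00Z", "end": "2024-05-01T17:00:00Z"}

# Constructed activity log records; the field names are an assumed schema.
VENDOR = VENDOR_GRANT["actor"]
EVENTS = [
    {"ts": "2024-05-01T09:05:00Z", "actor": VENDOR, "action": "login",
     "target": "-", "outcome": "success"},
    {"ts": "2024-05-01T10:12:00Z", "actor": VENDOR, "action": "config.update",
     "target": "firewall-rule/allow-ssh", "outcome": "success"},
    {"ts": "2024-05-01T11:30:00Z", "actor": VENDOR, "action": "role.assign",
     "target": "user/alice:admin", "outcome": "success"},
    {"ts": "2024-05-01T12:00:00Z", "actor": "cspm-admin@example.test",
     "action": "login", "target": "-", "outcome": "success"},
    {"ts": "2024-05-01T18:40:00Z", "actor": VENDOR, "action": "login",
     "target": "-", "outcome": "success"},
    {"ts": "2024-05-01T18:42:00Z", "actor": VENDOR, "action": "data.read",
     "target": "bucket/customer-exports", "outcome": "success"},
]

# Identity-management actions a support engineer should never need to perform.
PRIVILEGE_ACTIONS = {"role.assign", "permission.grant", "user.create", "user.delete"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_vendor_activity(events, grant):
    """Return (reason, event) findings: actions outside the approved window,
    privilege changes by the vendor account, and a grant that was never revoked."""
    start, end = parse_ts(grant["start"]), parse_ts(grant["end"])
    findings = []
    for event in events:
        if event["actor"] != grant["actor"]:
            continue  # only the vendor account is under review here
        if not start <= parse_ts(event["ts"]) <= end:
            findings.append(("action outside approved window", event))
        if event["action"] in PRIVILEGE_ACTIONS:
            findings.append(("privilege change by vendor account", event))
    # A revoke event must name the vendor account as its target.
    if not any(e["action"] == "access.revoke" and e["target"] == grant["actor"]
               for e in events):
        findings.append(("vendor access never revoked", None))
    return findings
```

On the constructed records this yields four findings: the role assignment, the two evening actions after the window closed, and the missing revocation.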