Introduction

The Authentic8 Service collects certain log data in order to provide administrators with visibility into their users’ activities. Logged data includes:

  • User’s navigation history
  • Administrator actions
  • Authentication events
  • Session parameters
  • Web form post data (Log Encryption required)


Customer-specific log data is stored for 90 days, after which it is deleted from the Authentic8 system. During this 90-day period, the service can be configured to store log data in unencrypted or encrypted format based on customer requirements.


Logs are stored in unencrypted format by default, and summary results are made available to administrators via the reporting panel in the Admin Console. Additionally, log data can be extracted from the service via the use of a RESTful API for ingestion into other reporting tools.


Encrypted Logging:

If you are concerned about an Authentic8 employee seeing your log data, or if the logged data contains regulated content (such as a patient ID number in a URL an employee visits), you can configure the service to encrypt the Authentic8 log data by providing your own public key. In this configuration, log data is only written to the logging database in encrypted format, and is never written to disk prior to this point. Choosing to encrypt log data renders the reporting panel in the Admin Console non-functional. Encrypted log data should be extracted using the RESTful API rather than the Admin Console.


Additional sensitive data becomes accessible when the logs are encrypted. Silo Administrators have control over which sensitive data are included with their encrypted logs. Below are some of the optional categories:

  • Clipboard Contents
  • Cookies
  • POST Data
  • SMS Inbox Messages


Note: When enabled, the additional log data types will be recorded for the entire organization, or at any sub-org level where the log types are set.


Configuring Log Encryption:

To configure log encryption, the administrator navigates to the Policy section of the Admin Console and clicks ‘Edit’ for the ‘Log Encryption’ policy. The default (selected) is ‘User activity logs are stored in clear text’. Selecting the ‘User activity logs are stored encrypted’ option will reveal the log encryption configuration details. The two fields that must be filled in are ‘Key Name’ and ‘Public Key’.



The ‘Key Name’ field is used to identify which key was used to do the encryption.


The ‘Public Key’ field is where the actual public key should be entered (using copy-paste is recommended).


Encryption Key Pair:


ECIES

Authentic8 uses Elliptic Curve Integrated Encryption Scheme (AES256GCM-SHA384) with a NIST P-256 curve key (Secp256R1/Prime256v1) to encrypt logs. The Elliptic Curve Public Keys can be generated using standard tools such as OpenSSL or any other commonly available options. 


Generating an EC private key and writing it to a file named key.pem:


openssl ecparam -name prime256v1 -genkey -noout -out key.pem


Extracting the public key from the key pair (this key will be used in Silo):


openssl ec -in key.pem -pubout -out public.pem
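
The two OpenSSL commands above, wrapped with the checks worth making before the public key is pasted into the Admin Console. This is an added example, not Authentic8's own tooling; the function names and the directory layout are assumptions of this example.

```sh
# Succeeds only if FILE ($1) is a PEM EC public key on prime256v1 (NIST P-256).
check_p256_pubkey() (
    # The PEM header must say PUBLIC KEY, so a private key is never pasted by mistake.
    grep -q -e '-----BEGIN PUBLIC KEY-----' "$1" || exit 1
    text=$(openssl pkey -pubin -in "$1" -noout -text 2>/dev/null) || exit 1
    # OpenSSL reports the named curve as "ASN1 OID: prime256v1".
    printf '%s\n' "$text" | grep -q 'ASN1 OID: prime256v1'
)

# Succeeds only if PUB ($2) is the public half of the private key KEY ($1).
pubkey_matches() (
    derived=$(openssl ec -in "$1" -pubout 2>/dev/null) || exit 1
    [ "$derived" = "$(cat "$2")" ]
)

# Creates DIR/key.pem (private, mode 600) and DIR/public.pem (for the Admin Console).
gen_log_keypair() (
    dir=$1
    umask 077   # the private key is never created group- or world-readable
    mkdir -p "$dir" || exit 1
    # Refuse to overwrite: logs encrypted to the old public key need the old private key.
    [ ! -e "$dir/key.pem" ] || { echo "refusing to overwrite $dir/key.pem" >&2; exit 1; }
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" || exit 1
    openssl ec -in "$dir/key.pem" -pubout -out "$dir/public.pem" 2>/dev/null || exit 1
    chmod 600 "$dir/key.pem" && chmod 644 "$dir/public.pem" || exit 1
    # Validate the result: right curve, and public.pem belongs to key.pem.
    check_p256_pubkey "$dir/public.pem" && pubkey_matches "$dir/key.pem" "$dir/public.pem"
)
```

Calling `gen_log_keypair ./logkey` (a hypothetical directory) leaves `public.pem` ready to copy into the ‘Public Key’ field. `check_p256_pubkey` can also be run on its own against any key file before it is pasted.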


SECCURE 

Authentic8 will continue to support existing implementations utilizing SECCURE.


This toolset must be installed and working to generate an appropriate key pair. The toolkit can easily be installed on Debian-based Linux distros with the command:

$ sudo apt-get install seccure

Once this toolset is installed and working, the key pair can be created with the command:

$ sudo seccure-key -c p256

This command will ask for a private key to be entered. This is just plain text that is typed in. This private key must be remembered as it is required to decrypt the encrypted logs and cannot be retrieved after the fact. A public key will be printed on the screen. The public key is to be entered into the Authentic8 Admin Console and will be used to encrypt all the user activity logs.


The SECCURE toolset can be used on Linux only. Refer to the SECCURE website for more details.

Note: Strong private keys are highly encouraged.


Refer to the Silo Logs Reference Guide for more information. Please contact Support if you have any additional questions.