Date

November 9, 2017

Description

During internal testing, a bug revealed an issue with log encryption.

Duration

October 2016 - present

Affected components

Logs related to admin actions.

Affected customers

Customers with log encryption enabled.

Root cause analysis

A bug was introduced in a log encryption function that left a small number of logs viewable by Authentic8 technical staff.



Issue

A release made in Oct. 2016 introduced a regression to a logging method that encrypts a small number of admin audit logs. This log type describes actions taken by admins on users and/or orgs, such as add, delete, and move. These logs do not contain any user-related browsing activity.


The admin audit logs were stored in the Authentic8 log database in a way that made them viewable to Authentic8 technical support staff. No other parties or Authentic8 staff were able to view these logs, because log transmissions and storage are protected by encrypted channels and file systems.


This bug impacted the additional layer of log encryption that prevents Authentic8 technical staff from viewing customer logs.  Logs relating to user activity were not impacted by this bug.


As soon as the bug was uncovered, engineering immediately shifted focus to understand the scope of the problem and remediate the issue. A review of the data found that 3,360 log entries were incorrectly stored in the past 90 days, representing 0.003% of the total logs stored. All other development and testing activities were paused while a patch was developed.

  

Resolution

The patch, which remediates the issue, is scheduled to be applied 11/10/2017 at 10 PM PST. Authentic8 support staff will be contacting individual customers over the next few days asking for guidance with the impacted logs. Customers will be given a chance to download their logs. Authentic8 technical staff will help delete logs immediately if required. If customers take no action, logs will be deleted in 90 days per our standard log retention policy.


Moving Forward

Authentic8 is immediately working on expanded monitoring and testing that specifically looks for this issue. There is a straightforward test that will be converted to a continuous monitor. We expect to have that monitor in place in the next 2-3 weeks.