Lots of recently introduced regulations require audit logging as one of the measures for data protection in fintech. We know from practice that cryptographically signed audit logging can be a secure and pragmatic way to cover this point. Let's cut through complexity.

Audit logs, or audit trails, capture evidence about any activity in your software solution. They keep records about who did what and the system's response. From a data security perspective, logs are sensitive data too — they can help to see when a system was compromised, define trust scope, and reconstruct the attack (see NIST SP 800-92). 

At the same time, audit logs are a security source of truth which looks like... text messages, an easy target to manipulate and tamper. But fintech customers expect tamper-free secure logging and verification for any modern finance app. So, audit logs need protection from modification and deletion of log entries.

In this context, cryptographically signed audit logs (also known as “verifiable audit logs”) can be a simple and elegant solution. To get acquainted with it, you can read this paper that influenced secure logging a lot.

Cryptographic signature protects audit logs from unnoticed adversarial changes. Each log message contains a special signature that depends on log content and previous log content — thus, creating a chain-of-signed-logs. This logging process guarantees that logs are created one-by-one and depend on each other. 

To prove their validity, log chains can be verified — a special utility reads log messages one-by-one, re-calculates their signatures and compares them with the log. If all signatures are valid, the log chain is valid. Otherwise, the first invalid signature indicates that something went wrong — software was compromised or someone tried to tamper logs.

In fintech apps, from a security perspective it makes sense to generate crypto-signed audit logs for every tool that has access to users’ data (PII, transactions). With each current and previous log entry integrity checks calculated, you create a verified and authentic log chain. Your data is protected, and you control it.

In concert with other security controls, crypto signed audit logs and their verification is one layer in “defence in depth” approach: 

• If your system’s logs contain sensitive data, you can use data encryption for the log files.

• To ensure that logs are untouched, configure audit log backups into different locations. Use special storage devices (like WORM drives) to keep backups in independent locations, track sudden changes in log files’ size, etc.

• Configure host-based intrusion detection system (HIDS) to alert on creating or copying file errors and log verification failures.

• Configure the ongoing verification of audit logs (every X hours, every Y days, or on log rotate event) — it helps to detect potential issues earlier and act.

---

This blog post is written by Pavlo Farb, a Security Engineer at Cossack Labs. We help companies to protect their sensitive and valuable data.