Why they matter, who should use them, and what to expect when you do
Companies use audit logs to trace back everything that’s going on within their organization and across the different IT products they use.
An audit log (aka “audit trail”) is defined as a security-relevant chronological record. It provides documentary evidence of the sequence of activities that have affected a specific operation, procedure, or event. The concept is simple: when a change is applied to a system that correlates with a change in the system’s behavior, that change should be documented in an audit log. They provide answers to questions regarding data, security, and system state and are therefore crucial for security and compliance — as well as for tracking systems by multiple organization stakeholders (“activity tracking”).
As a SaaS vendor, you will find that many of your prospects require an audit logging feature to be included in your product (regulations in fact require enterprise-grade companies to keep audit logs of all the platforms they use). Your clients will need the ability to manage and review audit logs. Their main audit log use cases will be activity tracking and compliance & security.
Management, product, IT and other company stakeholders use activity tracking internally to gain critical insights. Management gains visibility to ensure adherence to system access procedures. Product and dev teams can learn the system's condition just before an error occurred and use that to prevent future failures. Dev gets an additional layer of transparency when troubleshooting configuration changes.
Compliance & Security
Internal compliance. Activity logs help organizations meet stringent internal compliance requirements: systems remain stable and users are held accountable for their actions, which are tracked by event logs.
External compliance. Audit logs are also necessary from an external compliance standpoint, since there are many legal concerns that companies need to adhere to. Industry compliance and certification standards like SOC2 mandate audit logs that conform to strict security, availability, processing integrity, confidentiality and privacy requirements. Failing to meet compliance standards has consequences for accreditation and legal liability.
Security. Finally, audit logs also capture security-related data and are indispensable for tracking security incidents even when other prevention and protection solutions are in place. Essentially, audit logs can be used to “replay” events in sequence to understand how a damaging event occurred. For example, an event log will reveal when a user account may have been breached, and whether the account’s privileges were escalated to access specific files or directories holding sensitive information.
Audit Logs Considerations
As you consider implementing audit logging for your product, you need to factor in scale, user personas, use cases, data retention, and privacy and sensitivity issues for the audit trails you will produce. Based on our accumulated experience, here is a breakdown of the audit log considerations you need to make:
Scale basically depends on how many admin actions can be performed in the product, so in most scenarios it is not that high. Business event logging, on the other hand, which sometimes gets mixed up with system audit logs, can drive scale up. For example, if you’re a cybersecurity company that scans user activity and you audit each activity scan, you can reach a HUGE number of logs. Usually this is not the intention of audit logs, but if it is in your case, the scale demand should be considered.
Administrators of the SaaS product will be the principal users and gatekeepers of the audit logs. However, once an issue occurs, CISOs and CIOs might come into play to trace back what happened. Compliance managers are also stakeholders, as they need to make sure the logs meet the level of compliance required by their organization.
Use cases in SaaS Products
As mentioned above, the use cases of audit logs run the gamut of insights that need to be produced regarding a system’s operations, including traceability on a SaaS account, troubleshooting, and permission enforcement. Here are some common audit log scenarios:
- Log activities performed on the management level of the account. This use case usually applies to any kind of SaaS management app (login, logout, authorizations, user/team management, closing accounts).
- Logs on internal product actions performed by the admin on the account. This use case is specific to the product (change of policies, adding/editing/deleting records of different entities within the product, changing alerting settings, adding/editing/removing 3rd party app integrations, changing the look and feel settings).
- Logs on automatic asynchronous actions performed in the context of the account. For example, if there’s an engine in the product which periodically runs in intervals of 24 hours (or as set by the vendor or customer) and looks for anomalies or runs different ML models on the data, then usually we will add one audit log entry when the engine has started its scan and another when it has finished (with free-form data on the findings or a link to the findings page).
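The three scenarios above share one record shape: who did what, to which target, in which account, and when. The following is an added example (not code from the original post) of a minimal append-only audit store with that schema; the class, field and action names are assumptions, and it pairs the start and finish entries of an asynchronous engine run through a shared correlation id so the two can be replayed together.

```python
# Added example: a minimal audit-event schema for the three SaaS scenarios.
# All names here (AuditEvent, AuditLog, category strings) are assumptions.
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional
import json
import uuid

@dataclass(frozen=True)
class AuditEvent:
    account_id: str          # tenant the event belongs to
    category: str            # "account_mgmt", "product_action" or "async_engine"
    action: str              # e.g. "user.login", "policy.update", "scan.started"
    actor: str               # who did it ("system" for automatic actions)
    target: Optional[str]    # what it affected (user id, policy id, scan id)
    at: datetime             # UTC timestamp; the chronological key of the trail
    correlation_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    details: dict = field(default_factory=dict)   # free-form findings, links

BASE = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed demo time base
def at_hour(h: int) -> datetime:
    return BASE + timedelta(hours=h)

class AuditLog:
    """Append-only, per-account, chronological store (in memory for the demo)."""
    def __init__(self):
        self._events = []

    def record(self, ev: AuditEvent) -> AuditEvent:
        self._events.append(ev)          # never updated or deleted, only appended
        return ev

    def scan_started(self, account_id: str, engine: str, at: datetime) -> AuditEvent:
        # One entry when the engine starts; the scan id correlates start and finish.
        scan_id = uuid.uuid4().hex
        return self.record(AuditEvent(account_id, "async_engine", f"{engine}.started",
                                      "system", scan_id, at, correlation_id=scan_id))

    def scan_finished(self, start: AuditEvent, at: datetime, findings: dict) -> AuditEvent:
        engine = start.action.rsplit(".", 1)[0]
        return self.record(AuditEvent(start.account_id, "async_engine", f"{engine}.finished",
                                      "system", start.target, at,
                                      correlation_id=start.correlation_id, details=findings))

    def trail(self, account_id: str) -> list:
        """Replay one account's activity in time order, whatever the insert order was."""
        return sorted((e for e in self._events if e.account_id == account_id), key=lambda e: e.at)

    def to_jsonl(self, account_id: str) -> str:
        """One JSON object per line, the usual export format for log tooling."""
        return "\n".join(json.dumps(asdict(e), default=str) for e in self.trail(account_id))
```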
Retention of audit logs varies by customer: it is longer for enterprises and shorter for small companies. To satisfy audit and/or regulatory requirements, log data needs to be retained for a period of time. As a general rule, audit log storage should include 6 months of “hot” storage that lets you actively search and report on the logs with your tools, although enterprises usually ask for longer retention. At the end of the hot storage period, companies usually archive logs to cheaper and less accessible storage.
Privacy and sensitivity
Since they pertain to customer data, audit logs need to closely comply with privacy and data sensitivity standards. Here are some scenarios:
- PII leakage. Customer and business-sensitive information should not be exposed externally. To prevent this from happening, protection layers should be added.
- GDPR is explicit about where data may be stored and requires the ability to remove data about a specific person once they request it (“right to be forgotten”). GDPR controls must be stringently applied.
- The risk of exposure falls on the customers. From a legal standpoint, the company is responsible for its customers’ data and is held accountable for its security.
Audit logs are an essential part of your SaaS application, simply because they are an essential part of your customers’ organizational requirements. Your ability to play with the big players rides on making your product an enterprise-ready SaaS app that meets enterprises’ strict audit log certification and security requirements.
Developing an audit log feature requires understanding the architecture of your system and its different components. Making the right decisions regarding scale, retention, use cases, etc. is critical to the success of the endeavor. The security and compliance requirements for audit logs add further configuration and operational complexity.
In the next posts in this series we’ll delve deeper into the unique considerations of audit logs — and how to solve them.