stanford-rc / globus.stanford.edu

globus.stanford.edu — The Globus @ Stanford web site
https://globus.stanford.edu/

MinSec Check: SaaS/PaaS: Logging and Auditing #27

Open akkornel opened 6 years ago

akkornel commented 6 years ago

In MinSec for SaaS/PaaS, the Logging and Auditing item has the following:

1. Enable any available application logging that would assist in a forensic investigation in the event of a compromise. Seek vendor or ISO guidance as needed.
2. Contractually ensure that the provider can export logs at the request of Stanford within five days.

For point 1, endpoints can already be made to log the transfer of individual files, with references back to a transfer ID. The Server docs can be updated to enable this logging. General transfer details are stored with Globus, and we are able to query them directly already, using their API.

The only missing logs are logs of endpoint activations, and logs of metadata activity. For metadata activity, that's going to be logged starting with Globus Connect Server 5.1. So, Medium Risk users should move to 5.1 once it's out. And for endpoint activation logs, we'll have to get that from Globus when needed.

For point 2, we'll have to check into this. For example, if all needed logs are available on the endpoints, then it would be up to the endpoint sysadmin (someone else at Stanford) to retrieve them.

akkornel commented 6 years ago

Point 1 is addressed by commit 5880275.

For point 2, I have opened Globus support ticket 309614.