Cloud audit logs: Track and report on file access in the cloud
Here’s what to expect when auditing file access in the cloud, how moving files to the cloud impacts auditing, and how cloud audit logs help you track file access across on-premise and cloud environments.
Updated December 24, 2024
If some of your files aren’t already in the cloud, they will be soon. The problem is, it can be a challenge to review cloud audit logs without a single, consolidated view of all file activity — both in the cloud and on-premises. Here's how to reduce risk by tracking user access to files in the cloud.
Critical data — intellectual property, financial data, patient information, personal data, credit cards, and more — all end up in files. Word documents, spreadsheets, presentations, and the like, are all part of the natural order of business and hold much of your organization’s most precious data.
Traditionally stored on file servers, on-premises files have a certain level of security against improper use. Native Windows file security allows only approved access to file data by the organization’s users, and there's no built-in ability to share data with external parties.
But as organizations shift critical services and applications to the cloud, many now store these same critical files in cloud-based apps and services. Since using the cloud for file storage allows for easier document sharing and integration with other cloud services such as email, the adoption of cloud-based file services has become a staple.
Moving your file storage to the cloud doesn't change the need to audit the access to, and use of, file data. Frequent security audits, compliance mandates, and government regulations all require IT to demonstrate control over access to and use of critical, sensitive, and protected data — no matter where the data resides.
Enter cloud audit logs. On-premises file auditing has been around since Windows NT in the mid-'90s. Microsoft provides basic Windows auditing tools to functionally audit the use of its file systems. As organizations move file data to the cloud, this same basic functionality has found its way into enterprise cloud-sharing solutions as well.
But, what does it take to truly audit file access and use in the cloud?
Anywhere that you store sensitive, protected, or valuable data can be involved in data breaches, data theft, espionage, etc. There are four primary use cases of cloud audit logs that include file access:
Compliance: Whether the focus is on data protection (e.g., PCI or HIPAA), or on proving data is properly handled (e.g., GDPR), compliance mandates usually make no distinction around where the data needs to reside. What they want to see are controls around access to the data. And, to prove compliance, you need some level of file access auditing across data on-premises and in the cloud.
Security audits: Organizations with a mature security posture run quarterly, semi-annual, or annual audits. They look at overall file security, changes since the last audit, and even drill down into specific actions of individual users. The goal of most security audits is to understand what has changed, and whether that has had a negative impact on the company’s security posture.
Threat detection: Threats are getting more sophisticated, and both insider threats and external threats alike can result in data theft, manipulation, or deletion. Cloud audit logs that track file access events can help IT identify early indicators of an attack, such as: abnormal access times and days of week, larger than normal data transfers, successive deletions, etc.
Forensics: After IT identifies a threat, having a record of file access, and tying each access event to a specific user, helps the security team understand the scope of the threat. For example, if IT determines a data breach occurred with a specific user account, performing an audit of every file that account touched within a relevant period will add context.
In all of these cases, valuable data exists within files. This makes file auditing a necessary part of any of the initiatives listed above — whether files live on-premises or in the cloud.
So, what can you expect from file auditing in the cloud?
Whether you use the native tools within your operating system of choice or opt for third-party file auditing software to automate and simplify the work of file access auditing, here are some common functionalities that every IT pro expects.
Tracking: File auditing must monitor the access to, and use of, files on every system and platform hosting files.
Auditing: A clear, searchable overview of all file activity is necessary for IT decision making. Audits should record actions such as attempted and successful read/write/delete events, as well as changes to ownership, permissions, and attributes. And, in the case of the cloud, all activity around sharing, including any use of sharing links by external parties.
Reporting: Both scheduled and run-time reporting are useful to IT teams looking to understand the current state of access to critical data. Important data points include (when applicable): server, filename, action type, success or failure, date, time, the user performing the action, machine name, and IP address.
Alerts: IT and security teams need real-time notifications around suspicious access to files containing critical data. Alerts should be customizable, so that organizations can tailor the monitoring for specific data sets, users, actions, timeframes, etc.
Responses: Sometimes when an alert is triggered, there is no time to wait for IT to intervene. IT needs a solution that takes automatic action before the damage is done.
Delegation: In addition, the delegation to trusted users closest to the actual use of the data can provide additional benefits to the security-aware organization. Delegated users can more easily spot inappropriate activity and notify IT.
In some cases, going the “DIY” route may involve some custom scripting, or creative use of multiple native tools. Regardless of whether you use a prebuilt solution or build your own, all of the above helps IT to speed up the process of searching, analyzing, and reporting on file audit data.
So, what changes when you move file storage to the cloud?
When you move file services from on-premises to the cloud, IT faces three common challenges:
A lack of visibility: Because file services are managed by a third-party, IT has limited visibility into how the service is used, and whether that use is appropriate and compliant with organizational requirements and external mandates.
A lack of control: Cloud file services usually provide basic IT controls, but don’t necessarily provide IT teams with technical security tools they need. Remember, cloud providers are in the business of providing the service, not necessarily making security easy for IT.
A lack of consideration for on-premise: Even if file sharing services have some degree of auditing capability, there is little to no integration (on the part of the cloud provider) with any on-premises auditing capabilities.
It’s critical that your cloud audit logs address each of the challenges above. With cloud-based file sharing, the possibility of data theft and negligent sharing of data publicly increases significantly, especially given the amount of control handed to users.
There are many business-focused cloud-sharing solutions available today. Consumer-facing file-sharing services — such as Box and Dropbox — have developed corporate versions of their services, which include varying degrees of auditing capabilities.
Where they’re lacking is in their ability to tie on-premises and cloud-based actions together. Take the following data breach example. A user wishes to steal exported .csv files containing the organization's customer lists. They copy the export files from an on-prem file server to a local folder that syncs with your cloud file service. They then share the files out to a third party, who quickly connects to the cloud service and retrieves them. That’s it. That was all it took to steal data from your organization.
This is why IT teams need a complete picture of what's happening across the network — both on-premises and in the cloud.
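To show what tying on-premises and cloud actions together looks like in a consolidated view, the added example below (not part of the original article and not FileAudit's code) correlates the breach sequence described above: an on-prem read, the same user's cloud upload, and an external share of the same file. The event schema, field names, action labels, and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, already normalized to one schema (field names are assumptions).
ONPREM = [
    {"time": "2024-12-02T09:14:05", "user": "jdoe", "action": "read",
     "source": "FS01", "file": r"\\FS01\exports\customers_q4.csv"},
    {"time": "2024-12-02T09:20:41", "user": "asmith", "action": "read",
     "source": "FS01", "file": r"\\FS01\hr\handbook.docx"},
]
CLOUD = [
    {"time": "2024-12-02T09:15:30", "user": "jdoe", "action": "upload",
     "source": "cloud", "file": "/Sync/customers_q4.csv"},
    {"time": "2024-12-02T09:17:02", "user": "jdoe", "action": "share_external",
     "source": "cloud", "file": "/Sync/customers_q4.csv"},
    {"time": "2024-12-02T09:19:48", "user": "external", "action": "download",
     "source": "cloud", "file": "/Sync/customers_q4.csv"},
    {"time": "2024-12-02T11:00:00", "user": "asmith", "action": "upload",
     "source": "cloud", "file": "/Sync/notes.txt"},
]

def basename(path):
    """File name without directories, lower-cased, for UNC and cloud paths alike."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ts(event):
    return datetime.fromisoformat(event["time"])

def find_exfil_chains(onprem, cloud, window=timedelta(minutes=30)):
    """Return chains: on-prem read -> same user's cloud upload -> external share."""
    findings = []
    for read in (e for e in onprem if e["action"] == "read"):
        name, start, user = basename(read["file"]), ts(read), read["user"]
        # Cloud events on the same file name inside the window, in time order.
        later = sorted((e for e in cloud if basename(e["file"]) == name
                        and start <= ts(e) <= start + window), key=ts)
        uploads = [e for e in later if e["action"] == "upload" and e["user"] == user]
        shares = [e for e in later if e["action"] == "share_external" and e["user"] == user]
        if uploads and shares and ts(shares[0]) >= ts(uploads[0]):
            downloads = [e for e in later if e["action"] == "download"
                         and ts(e) >= ts(shares[0])]
            findings.append({"user": user, "file": name,
                             "onprem_source": read["source"],
                             "shared_at": shares[0]["time"],
                             "retrieved": bool(downloads)})
    return findings

if __name__ == "__main__":
    for finding in find_exfil_chains(ONPREM, CLOUD):
        print(finding)
```

Matching on file name alone is a simplification; a production rule would also compare file hashes or sizes where the audit sources record them.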
However you choose to go about file auditing, you should look for the following:
Complete visibility: Whether you use a SIEM solution to consolidate on-premises and cloud data, or you use a file auditing solution that already addresses both environments simultaneously, you need visibility across all files in your environment.
Inclusion of every cloud service: The average enterprise uses multiple cloud-based services. This means it’s possible to have one part of the organization using, say, Dropbox, and another using OneDrive. Be certain either that each cloud-sharing service can provide you the audit data you need, or that you use a solution that supports every service in place.
An intelligent view: You can’t expect cloud services to make sense of audited actions for you. You may find that finding what you need in cloud audit logs is as “needle in the haystack-ish” as Windows file auditing remains after two decades. Put in place a solution that allows you to intelligently filter, record, and present audit data in a way that allows IT and security teams to make smart decisions.
Compliance, security, and incident response requirements make the need for file auditing — whether in the cloud or on-premises — a necessity. Organizations must achieve the same levels of visibility and control over access to and usage of file data in the cloud as they have enjoyed for years on-prem.
Beyond putting cloud audit logs in place, it's key to ensure a single, consolidated view of all file activity — both in the cloud and on-premises. That's why FileAudit extends file auditing to data stored on major cloud platforms. With this, you'll lower the risk associated with allowing users anytime, anywhere, any device access to cloud-based file data.