Bank Technology News  |  Tuesday, January 22, 2008

George Clooney's minor motorcycle accident last fall eventually led to the suspension of 27 hospital employees who unlawfully accessed the star's file in a patient information database.

Hospital administrators can feel confident that their database audit logs caught every nurse or doctor who snooped for celebrity scoop, but if the IT director or any of his skilled employees also crossed HIPPA lines, they more than likely knew how to cover their tracks.

The reality that audit logs remain vulnerable to tampering by privileged and savvy programmers highlights a significant health risk to transaction and system integrity, which are the heart of IT-based regulatory compliance. The inoculation against this flaw is immutable audit logs---those that aren't just tamper resistant, but also tamper evident. The technology to solve the problem has only recently developed, but data-watchers say market demand in financial services won't be far behind.

If audit logs were immutable, "Even people with privileges couldn't cover up their tracks," says Jeff Jonas, chief research scientist with IBM's identity analytics solutions group. Jonas has become a bit obsessed with the topic, blogging about it frequently (jeffjonas.typepad.com)

"Not only does a tamper-evident log create facts you can look at to see how things unfolded, when users know it's occurring it creates a chilling effect on misbehavior," he says.

That "chilling effect" Jonas pines for is a compelling argument, especially given the percentage of fraud that originates inside organizations. But there's also the reality that courts have been demanding proof that digital records presented in cases can be certified as authentic, says Christophe Primault, managing director of Barcelona-based Kinamik. It's the current legal and regulatory environment that Primault hopes will attract customers to Kinamik's kSuite product, which claims to be the first on the market with immutable audit logs.

The creation of these immutable audit logs was a side benefit from Kinamik's parent company's endeavors to create a secure electronic voting mechanism. Scytl, which is the technology vendor behind an initiative that will let a few hundred soldiers cast electronic votes in this year's Presidential election from kiosks set up outside their military bases overseas, created the immutable audit logs as a way to give election authorities absolute certainty as to the election results being monitored.

Realizing they had a standalone product in their portfolio, Scytl spun off Kinamik, which now markets its immutable audit logs as a plug-in security and compliance product. Here's how it works: Kinamik first uses symmetric encryption to split up the process of building hashes for every electronic record, and then chains each record to the next so that if any links in the chain are disrupted it's easily evident. Then a digital signature is applied to each block of records.

Researchers at the University of Arizona, with funding from the National Science Foundation, are tackling the problem of secure audit logs from a different direction.

The current records management industry does a great job securing individual records using digital signatures, says Richard Snodgrass, professor in UA's computer science department. But that requires each record to be saved as a file. A database can't be secured this way because of the dynamic nature of databases; users have to be able to make changes to them. "That would change the file, so the file would not be immutable," Snodgrass says. "Our research is trying to take the concept of a record management system, or compliant data, instead of being at the granularity of a file or record, have it at the granularity of a single row in a database."

Snodgrass's patented approach to solving the problem has several stages: First is the validator process, which is a scan of the entire database to see if anything has been changed or corrupted. If so, the next step invokes digital forensic analysis to determine which part of the data was changed and when. That's where the automated investigation ends, from there forensic experts must pick up the trail by asking who would want to modify that record on that day.

An important problem addressed by Kinamik and the University of Arizona researchers is the ability of a database administrator or other privileged user to delete records or segments of audit logs, thereby rendering them inaccurate. Kinamik tackles the problem by tying each audit record to the next. Snodgrass utilizes an external notarization service; after each scan of a database they send the external provider a hashed value of the document, which is digitally notarized by the vendor. "If the insider really wanted to corrupt the database, they'd have to collude with the digital notarization service," Snodgrass says.

The other technology challenge is the amount of processing power that these additional cryptography functions would gobble up. Kinamik's product claims to add only five percent overhead to systems; Snodgrass's is around 10 percent. While not insignificant, these are dimensions below what it would take to certify each transaction with a digital signature.

The value of immutable audit logs is easy to see, from a security point of view. But from an investment point of view, it's a tougher sell. The proof? Kinamik, though it has two bank pilots underway, is still a "pre-revenue" company, Primault says. Snodgrass is eager to have any interested vendors contact University of Arizona's technology transfer office about licensing their patents.

Jonas says it's going to take a major incident, or a regulatory mandate, to force the issue. "Organizations tend to optimize their spending towards what's going to create more revenue and reduce risk," Jonas says. "Unless there's a legal requirement, or something really bad happens."

-C- 2008 Bank Technology News and SourceMedia, Inc. All Rights Reserved. SourceMedia is an Investcorp company. Use, duplication, or sale of this service, or data contained herein, except as described in the Subscription Agreement, is strictly prohibited.