Logging of user activity is fully configurable by the Customer so that you control what is passed to strongDM. You can choose to log with us, log locally, or both.
Stored with strongDM
Logs stored with strongDM are written to an immutable, write-once S3 bucket.
Stored with the Customer
When a Customer chooses to log locally, logs are written to the SDM Gateway's local storage. This allows the Customer to configure how and where to ship logs (e.g. shipping to an internal SIEM or log aggregation tool).
Logs with strongDM are always encrypted at some level. What level a Customer chooses is up to them. We currently support three different methods of encryption within the strongDM Platform.
Platform Encryption (the default mode)
Logs generate by the strongDM Platform are encrypted with a Customer-unique key by the strongDM application before being written to AWS S3, on top of the default at rest encryption enabled on the S3 bucket.
Using the strongDM Platform encryption provides two key functions:
- Log are able to be displayed in the Admin UI in plaintext
- Logs cannot be viewed in plaintext from the raw storage (e.g. S3)
By encrypting all logs with a unique application key, strongDM is able to provide another layer of assurance that Customer information is not inadvertently disclosed.
Public Key Encryption
Log data from the strongDM gateway is encrypted at the strongDM Gateway using the public component of a public/private key pair before being sent to the strongDM Platform. Log metadata is still sent to strongDM for plaintext display within the Admin UI.
When using public key encryption to protect log data:
- Log contents will be returned in encrypted form in the AdminUI and as query results from an
- Metadata will be present in the AdminUI in plain text
- Customer administrator must use the private component of the key pair to decrypt the log contents for review
- strongDM will never be able to see the plain text log contents
If you have configured the local log storage option on your strongDM Gateway, local logs will not be encrypted, as encryption occurs as part of the log shipping process to the strongDM Platform.
If you store logs with strongDM, they will be retained for a period of 13 months, and then permanently deleted.
If you require a longer log retention period to comply with your own policies or regulations, you should configure a local logging facility to additionally ship the logs generated by the SDM gateway to a logging repository you control.