IBM Storage Insights Uses Cloud Auditing Data Federation (CADF) Standard for Auditing

By Ramakrishna Vadla posted Tue April 02, 2024 05:19 AM

Acknowledgement: Swanand Gadre, Rajashekar Vuppala, Krishna Priya Nair

IBM Storage Insights implemented a Cloud Auditing Data Federation (CADF) based auditing solution for storage management, monitoring data access, and maintaining regulatory compliance for its user-based actions. IBM Storage Insights is an IBM Cloud based SaaS platform for advanced storage management that provides real-time visibility, analytics, and monitoring for storage infrastructure. It leverages AI-driven insights, predictive analytics, and proactive alerts to optimize storage performance, reduce downtime, and streamline storage operations.

IBM Storage Insights logs audit events such as user login and logout, ransomware threat detection being enabled or disabled, the creation, deletion and update of resources such as storage systems, fabrics and switches, report management, and many more. Refer to the following link for details on the audit actions supported by IBM Storage Insights:

https://www.ibm.com/docs/en/storage-insights?topic=gs-downloading-audit-logs-using-storage-insights-rest-api

The following sections describe the Cloud Auditing Data Federation (CADF) standard and how it is used in IBM Storage Insights.

Cloud Auditing Data Federation (CADF) Background

Cloud Auditing Data Federation (CADF) is a standardized framework developed by the Distributed Management Task Force (DMTF) for auditing and monitoring cloud-based environments. CADF defines common data formats, event types, and metadata attributes for capturing audit data generated by cloud services, applications, and infrastructure components. By leveraging CADF, organizations can achieve comprehensive visibility, auditability, and compliance across their cloud deployments.

Benefits of Cloud Auditing Data Federation

  • Enhanced Security: CADF helps organizations monitor security events in real time, allowing quick detection and response to potential threats. Security teams can analyze audit data to spot unauthorized access, suspicious activities, and compliance issues.
  • Compliance Assurance: CADF aids in maintaining regulatory compliance by offering detailed audit logs and reports.
  • Interoperability: It enables seamless integration with cloud management tools, security information and event management (SIEM) systems, and third-party auditing solutions, ensuring a holistic approach to cloud security and compliance.

CADF Event and Model

The CADF specification applies semantics to activities on resources within a cloud environment through a common data model built around the concept of an event. CADF provides for multiple event types (activity, monitor and control events), and the model is common to all of them.

The event model uses the concept of a resource, which appears in multiple defined event components. A resource is an entity that can provide or consume services or information within the context of a cloud infrastructure. Examples of resources include traditional IT infrastructure components such as servers and network devices, software components such as databases and applications, and operational and business entities used for security such as accounts, users and roles.

The following table describes the event model components and the semantics of each component:

The OBSERVER is a RESOURCE which observes the actual event and creates a CADF event record based on the information known and its purpose. The OBSERVER does its best to identify and classify all other required model components (e.g., INITIATOR, TARGET, ACTION, etc.) along with any relevant data.

The conceptual diagram in the figure below shows the basic components of the CADF Event Model and their interactions:

Using CADF for Audit

The CADF data model is designed to provide information auditors are looking for to track activities in cloud environments. The data in an event can record the WHO, WHAT, WHEN, WHERE, FROM WHERE and WHERE TO of an activity. This is also referred to as the 7 W’s of audit and compliance.
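To make the event model concrete, the following added example (written for this post, not IBM Storage Insights code or the DMTF reference implementation) builds a CADF-style event record for a user login, checks that the attributes the CADF event model requires are present, and maps the record onto the W's of audit. It spells out all seven W's as the DMTF specification lists them (WHAT, WHEN, WHO, FROM WHERE, ON WHAT, WHERE, TO WHERE), which goes slightly beyond the shortened list above. The event typeURI is the one published in DSP2038; the resource typeURIs, ids, user name and addresses are constructed placeholders.

```python
"""Build and check CADF-style audit event records (added example)."""
import json
import uuid
from datetime import datetime, timezone

# CADF event typeURI as published in DMTF DSP2038.
EVENT_TYPE_URI = "http://schemas.dmtf.org/cloud/audit/1.0/event"

# Attributes the CADF event model requires on every event and on every resource.
REQUIRED_EVENT_ATTRS = ("typeURI", "id", "eventType", "eventTime", "action",
                        "outcome", "initiator", "target", "observer")
REQUIRED_RESOURCE_ATTRS = ("typeURI", "id")
VALID_EVENT_TYPES = {"activity", "monitor", "control"}
VALID_OUTCOMES = {"success", "failure", "pending", "unknown"}


def make_resource(type_uri, res_id, name=None, address=None):
    """Build a CADF RESOURCE component; a network address sits under `host`."""
    res = {"typeURI": type_uri, "id": res_id}
    if name is not None:
        res["name"] = name
    if address is not None:
        res["host"] = {"address": address}
    return res


def make_event(event_type, action, outcome, initiator, target, observer,
               event_time=None, event_id=None):
    """Assemble a CADF event from its model components (OBSERVER records it)."""
    return {
        "typeURI": EVENT_TYPE_URI,
        "id": event_id or str(uuid.uuid4()),
        "eventType": event_type,
        "eventTime": event_time or datetime.now(timezone.utc).isoformat(),
        "action": action,
        "outcome": outcome,
        "initiator": initiator,
        "target": target,
        "observer": observer,
    }


def validate_event(event):
    """Return a list of problems; an empty list means the record is well-formed."""
    problems = []
    for attr in REQUIRED_EVENT_ATTRS:
        if attr not in event:
            problems.append(f"missing event attribute: {attr}")
    if event.get("eventType") not in VALID_EVENT_TYPES:
        problems.append(f"invalid eventType: {event.get('eventType')!r}")
    if event.get("outcome") not in VALID_OUTCOMES:
        problems.append(f"invalid outcome: {event.get('outcome')!r}")
    for role in ("initiator", "target", "observer"):
        res = event.get(role)
        if isinstance(res, dict):
            for attr in REQUIRED_RESOURCE_ATTRS:
                if attr not in res:
                    problems.append(f"{role} missing resource attribute: {attr}")
    return problems


def seven_ws(event):
    """Map an event onto the 7 W's of audit and compliance."""
    def addr(res):
        return (res.get("host") or {}).get("address")

    ini, tgt, obs = event["initiator"], event["target"], event["observer"]
    return {
        "WHAT": f"{event['action']} ({event['outcome']})",  # action + outcome
        "WHEN": event["eventTime"],
        "WHO": ini.get("name") or ini["id"],                 # initiator
        "FROM WHERE": addr(ini),                             # initiator address
        "ON WHAT": tgt.get("name") or tgt["id"],             # target
        "WHERE": obs.get("name") or obs["id"],               # observer
        "TO WHERE": addr(tgt),                               # target address
    }


def sample_login_event():
    """Constructed sample: a successful user login. All ids, names and
    addresses below are made-up placeholders, not real tenant data."""
    return make_event(
        event_type="activity",
        action="authenticate",
        outcome="success",
        initiator=make_resource("service/security/account/user", "user-1234",
                                name="alice@example.com", address="203.0.113.10"),
        target=make_resource("service/security", "login-service",
                             name="login", address="si.example.com"),
        observer=make_resource("service/security/audit", "audit-observer-1",
                               name="audit-service"),
        event_time="2024-04-02T05:19:00+00:00",
        event_id="c0ffee00-0000-4000-8000-000000000001",
    )


if __name__ == "__main__":
    ev = sample_login_event()
    print(json.dumps(ev, indent=2))
    print("problems:", validate_event(ev))
    print(json.dumps(seven_ws(ev), indent=2))
```

Running the module prints the event as JSON, an empty problem list, and the seven W's extracted from it; dropping `outcome` or setting an unknown `eventType` makes `validate_event` report the defect, which is the kind of check a SIEM ingestion pipeline would apply before trusting a record.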

IBM Storage Insights Audit logs

You can download the audit logs of the actions that you perform in IBM Storage Insights. The logs for user actions such as user login, logout, ransomware threat detection being enabled or disabled, and many more that were performed in the last 15 days are available to download in CSV format. The audit logs are encrypted and stored in immutable buckets for better security of the audit data. Tenant administrators can use this feature to download the audit logs.

You can download the audit logs by navigating to the Help > Download Audit Log menu option in the IBM Storage Insights GUI, as shown in the screenshot below, or by using the IBM Storage Insights REST APIs described in https://www.ibm.com/docs/en/storage-insights?topic=gs-downloading-audit-logs-using-storage-insights-rest-api


The following screenshot shows an example of an audit log file downloaded from Storage Insights.

For more information on IBM Storage Insights security, start with the Security Overview.

See more IBM Storage Insights information via videos and blogs.


References

  1. IBM Storage Insights Audit Logs feature - https://www.ibm.com/docs/en/storage-insights?topic=whats-new#tpch_saas_r_new_in__section_snk_nd2_l1c
  2. Audit log REST API - https://www.ibm.com/docs/en/storage-insights?topic=gs-downloading-audit-logs-using-storage-insights-rest-api
  3. IBM Storage Insights REST API reference blog - https://community.ibm.com/community/user/storage/blogs/ramakrishna-vadla/2024/01/20/ibm-storage-insights-ecosystem-enablement-using-re
  4. CADF - DMTF standard reference - https://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.1.0.pdf and https://www.dmtf.org/standards/cadf
