Log Management in the Cloud:
A Comparison of In-House versus Cloud-Based Management of Log Data
A SANS Whitepaper – October 2008
Written by: Jerry Shenk
Sponsored by Alert Logic
Contents: Basic Practices; Questions for the Cloud Provider; Considerations for In-House Log Management
In the 2008 SANS Log Management Survey, 20 percent of respondents who were satisfied with their log management systems spent more than one week each month on log analysis. Most of those companies were in the Global 2000. The remaining small- and medium-sized businesses (SMBs) and government organizations spent between a half-day and five days per month on log analysis. The survey also showed that, because of difficulties in setup and integration, most organizations have achieved only partial automation of their log management and reporting processes. These difficulties have organizations, particularly SMBs, wondering if they should turn over log management to an in-cloud provider—one that provides their log management software and log data storage over the Internet.

In January 2008, Stephen Northcutt, president of the SANS Technology Institute, wrote that there are pitfalls with putting log management in the cloud. On the plus side, he adds, “you will almost certainly save money. In addition, real experts on log analysis are hard to find...” [1]

Recently, vendors began offering log management in the cloud (otherwise known as Software as a Service, or SaaS) as a way to simplify log management: the provider can dedicate the material resources and retain the talented, focused personnel to do a better job for less money. This makes particular sense not only for SMBs without the dedicated manpower, but also for enterprises whose IT resources are stretched trying to manage multiple distributed LANs.

While IT managers agree that log management is difficult, they are leery about handing over their log data to a third-party application provider because the data might not be available when they need it, not to mention the sensitive nature of some of the data that shows up in log files. Before deploying or overhauling log management systems, organizations need to weigh the benefits and drawbacks of each model in the context of their business requirements.
To simplify the process, this paper presents some questions to consider when vetting those business needs against each (and in many cases, both) of these log management models.
SANS Analyst Program
When looking at both models of log management (in-house or in the cloud), begin with the end in mind by clearly laying out the reasons you want to collect log data. The following are some pre-selection tenets to keep in mind when considering either model:
Identify Your Goals
One of the keys to any successful project deployment is identifying the goals before starting. Log management needs are different for each business unit staking a claim in the process. The IT group may be interested in the value of log data for problem resolution; the security team may be interested in information management or event management tied into an overall SIEM; and the audit and compliance group is most likely interested in tracking what people are doing in regard to sensitive data. Other possible uses for log data include marketing, forensics and HR accounting. As they identify goals, companies would do well to consider the broader advantages of log management and analysis, and look for systems or services that will allow a migration toward a more complete use of log data in the future.

Of importance to all groups is the type of reporting supplied by the service or system. Log management systems often have reporting that is geared toward compliance for PCI, SOX, HIPAA and other similar standards. Apart from required reports, log management can generate reports...