As a software company, you likely store audit logs internally for debugging, security, and compliance. But can your customers access these audit logs self service?
Learn about the difference between storing audit logs internally and offering your customers self service access to their own audit logs.
What are audit logs?
Audit logs are a record of activity in an application. They help answer questions like who, what, where, when, and how a specific action occurred, and what resources it affected. They are used for debugging, security, monitoring, and compliance.
Internal audit logs
A software company should store audit logs internally as a best practice. They are needed to be for developer debugging and also to be able to answer support questions like what happened during a specific incident. Maintaining audit logs is also required for compliance with common standards like SOC II.
Internal audit logs are generally stored in log providers like Cloudwatch or DataDog, or object stores like Amazon S3. They are only accessible by employees of the software company, preferably specifically the security or DevOps teams. An employee should be able to query the logs to extract specific data in response to common questions like who performed a specific action.
In a multitenant SaaS company, each audit log is likely associated with a specific tenant. For example, if we examine an audit log for a DeleteUser operation, the audit log will contain information about which tenant the operation was related to. However, employees generally have access to all tenants' audit logs.
How can a customer access their audit logs?
In a situation where a SaaS company is following best practices and storing audit logs for all actions in their application, how does a customer of the company access audit logs relating to their account? Because the audit logs are internal, not partitioned by tenant, and not accessible except to internal employees, the process for a customer to access their audit logs is manual. A common flow is a customer creates a support ticket, an engineer or support associate queries the internal logs, and posts the information back to the customer in the ticket. Companies often build internal tooling to make this process easier for their employees.
Disadvantages of only maintaining internal audit logs
Exclusively storing audit logs internally without offering a way for customers to easily consume those audit logs comes with many drawbacks. The SaaS company is essentially serving as a human proxy to the internal audit logs system. First, it is reactive, meaning the customer can only request their audit logs after an event has occurred, when often they need them most when the event is occurring (or even before to perform security monitoring). Second, the entire process is manual, which wastes both the SaaS company's and customers' time and severely limits the number of audit logs that the customer can request. Thirdly, it prevents customers from being to extract full value out of their audit logs, and keeps customers from having visibility into activity in their account.
External, or customer facing, audit logs
External audit logs are audit logs that the customers of a SaaS product can access self service.
A key first requirement here, naturally, is that each customer is only able to access their own audit logs and not any other customer's audit logs. This requires storing the audit logs so that they are partitioned by customer. It also requires building an API service that lets authenticated customers query their own logs.
Such a system allows a SaaS customer to access their audit logs automatedly without needing to involve the SaaS company.
Advantages of self service audit logs
Being able to access audit logs self service opens many usecases for SaaS customers. For example:
- The customer is free to query and retrieve as many audit logs as they want. Ideally, they should be able to continuously export all their audit logs out of the SaaS for analytics, monitoring, or archival.
- Both the SaaS owner and SaaS customer do not need to expend manual effort to exchange audit logs.
- Customers can build proactive security monitoring systems that use audit logs for threat detection, using SIEM or other tools. This allows customers to make realtime use of their audit events.
In general, externally facing audit logs give SaaS customers full insight into their SaaS activity. This enables them to consume and use SaaS audit logs themselves for security monitoring, auditing, risk management, or any other use that requires audit events.
When should I use internal or external audit logs?
Internal and external audit logs are not mutually exclusive, rather they are complementary.
When evaluating using internal or external audit logs, the answer is fairly simple. Every company should maintain internal audit logs. This is a best security practice, and is mandated by compliance standards like SOC 2. It is required for debugging and to be able to answer questions in the case of an incident.
SaaS companies should also offer their customers a way to access their own audit logs self service. This is the best way to ensure that your customers have the best security posture, and to prevent yourself from having to deal with manual audit requests.
To summarize, SaaS companies should store audit logs internally and should also offer a system for their customers to easily access their own audit logs without a manual process. To outline the differences between internal and external audit logs:
|Internal audit logs||External audit logs|
|Used by||SaaS company employees||SaaS customers|
|Implementation||Log providers, object stores||Custom: API layer + data store or managed (Apptrail)|
|Customer access||Manual||Self service|
We can see that internal and external audit logs serve two different purposes and that internal audit logs are not a substitute for external audit logs. Internal audit logs are a baseline measure that lets the employees of a SaaS company audit all API and user activity whereas external, or customer facing, audit logs allow customers to access their own audit logs.
If you're an engineer or owner working on a SaaS product, keep in mind building externally facing audit logs for your customers.