By Greg Keller Posted November 17, 2015
It seems as if every news story we read is about a brand-name organization having its data compromised by hackers. And if it seems that way, it is: more organizations are being compromised than ever before. For IT departments, the urgency to lock down infrastructure so that they are not the next ‘TechCrunch’ story is all-consuming. The same IT departments that put employee access security architectures in place must also be able to ‘record’ access events, so that they have the means for a post mortem in the event of a breach.
To help meet this need, we’ve enabled event logging within the product in various capacities, most recently by recording Administrative Console and User Portal events. For example, it’s important to track when an admin on the account makes an access control change, granting or denying a new user certain permissions. For compliance purposes, those changes need to be turned in to the auditors. Our Event Logging API enables that, letting IT admins query our database on demand for events on the JumpCloud console related to their account.
There is an analogous feature in which events from logins onto devices like laptops, workstations and servers are also available, but we’ll discuss that separately in a different blog post. The purpose of this blog post is to highlight the events and logging available with respect to the web console.
Virtually, and literally, all changes made on the JumpCloud console are available via the Event Logging API. Changes on the Portal and Console that are logged include:
– User accounts added/terminated
– Admin accounts modified
– Active Directory bridge activated/deactivated
– Google Apps integration activated/deactivated
– LDAP activated/deactivated
– Password complexity modified
– Systems added/terminated/modified
– Tags added/terminated/modified
Any other changes made in the web console are also logged. Note that the logs cover not only manual changes but also any changes made by API calls. This helps ensure that automated changes made to the system are traced as well.
All of the web console event logs are available through a simple range query mechanism in an API call. The data is returned as JSON and can subsequently be imported and integrated into larger logging initiatives managed by analysis tools such as Splunk. The data can also be retained for audits or compliance events. By default, JumpCloud stores all web console event data for 30 days.
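Because events are only kept for 30 days by default, an archive job has to pull them before they age out. The sketch below is an added example, not JumpCloud code: it plans the query ranges needed since the last export, reports any span that is already past retention, and converts a JSON response into one-event-per-line form for a log pipeline. It assumes the query range is a time range, and the event field names (`id`, `timestamp`, `type`, `initiated_by`) and the sample response are constructed, not the API's real schema.

```python
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # default web console retention stated in the post

def export_windows(last_export_end, now, step=timedelta(days=1)):
    """Plan query ranges from the last archived point up to `now`.

    Returns (windows, gap). `gap` is the span that has already aged out of
    the 30-day retention and can no longer be fetched, or None.
    """
    oldest = now - RETENTION
    gap = None
    start = last_export_end
    if start < oldest:
        gap = (start, oldest)
        start = oldest
    windows = []
    while start < now:
        end = min(start + step, now)
        windows.append((start, end))
        start = end
    return windows, gap

def to_ndjson(events, seen_ids):
    """Turn one JSON array response into one-event-per-line JSON.

    Overlapping ranges or retried calls can return the same event twice, so
    events whose id is already in `seen_ids` are skipped.
    """
    lines = []
    for ev in events:
        if ev["id"] in seen_ids:
            continue
        seen_ids.add(ev["id"])
        lines.append(json.dumps(ev, sort_keys=True))
    return "\n".join(lines)

# Constructed sample response; the field names are hypothetical.
SAMPLE_RESPONSE = json.loads("""[
 {"id": "e1", "timestamp": "2015-11-16T09:12:00Z", "type": "user_added", "initiated_by": "admin@example.com"},
 {"id": "e2", "timestamp": "2015-11-16T09:15:30Z", "type": "password_complexity_modified", "initiated_by": "api"},
 {"id": "e1", "timestamp": "2015-11-16T09:12:00Z", "type": "user_added", "initiated_by": "admin@example.com"}
]""")

if __name__ == "__main__":
    now = datetime(2015, 11, 17, tzinfo=timezone.utc)
    windows, gap = export_windows(datetime(2015, 10, 10, tzinfo=timezone.utc), now)
    print(len(windows), "ranges to query; unrecoverable span:", gap)
    print(to_ndjson(SAMPLE_RESPONSE, set()))
```

A non-empty `gap` means audit evidence for that span is gone, so it is worth alerting on rather than silently skipping.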
If you would like to learn more about how JumpCloud stores web console events for auditing and logging, drop us a note. We’d be happy to walk you through the functionality.