
2.8 Audit

No central audit log. There will not be any central audit log. The only audit data released routinely out of an organization or Service Provider are references to audit events and anonymized summary data. If an audit needs to drill into the audit trail, the authorized auditor will be given access, upon escalation, to fetch or view the local audit trails, and the ability to correlate the events to form a "big picture". Without such authorization, correlation will not be possible. This principle applies to the User's Dashboard as well.
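The principle above, sketched as an added example (not TAS3 code): each provider keeps its own trail, releases only opaque references and anonymized counts, and an auditor can correlate events only after being authorized at every provider involved. The class and function names, the HMAC-derived references and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

class LocalAuditTrail:
    """Audit trail kept inside one organization or Service Provider (hypothetical model)."""
    def __init__(self, org, ref_key, authorized_auditors):
        self.org = org
        self._ref_key = ref_key                      # per-organization secret, never released
        self._authorized = set(authorized_auditors)  # auditors granted access on escalation
        self._events = {}                            # reference -> full local record

    def record(self, txn_id, user, action, decision):
        # Assumption: references are HMACs under the local key, so they reveal nothing and do not link across providers.
        msg = f"{txn_id}:{len(self._events)}".encode()
        ref = hmac.new(self._ref_key, msg, hashlib.sha256).hexdigest()
        self._events[ref] = {"org": self.org, "txn": txn_id, "user": user,
                             "action": action, "decision": decision}
        return ref

    def released_data(self):
        """What leaves the organization routinely: references and anonymized counts."""
        summary = Counter(e["decision"] for e in self._events.values())
        return {"org": self.org, "references": sorted(self._events), "summary": dict(summary)}

    def fetch(self, auditor, ref):
        """Drill-down into the local trail, only for an auditor authorized on escalation."""
        if auditor not in self._authorized:
            raise PermissionError(f"{auditor} is not authorized at {self.org}")
        return self._events[ref]

def correlate(auditor, trails):
    """Build the "big picture": group full records from every trail by transaction."""
    picture = {}
    for trail in trails:
        for ref in trail.released_data()["references"]:
            event = trail.fetch(auditor, ref)  # raises if the auditor lacks authorization
            picture.setdefault(event["txn"], []).append(event)
    return picture

def demo():
    # Constructed sample data: two providers handle the same transaction "txn-42".
    a = LocalAuditTrail("provider-a", b"key-a", {"auditor-1"})
    b = LocalAuditTrail("provider-b", b"key-b", {"auditor-1"})
    ref_a = a.record("txn-42", "alice", "read-profile", "permit")
    ref_b = b.record("txn-42", "alice", "export-cv", "deny")
    b.record("txn-43", "bob", "read-profile", "permit")
    return a, b, ref_a, ref_b
```

Holding only the released data of both providers, an observer cannot tell that the two references belong to the same transaction; the link appears only once `fetch` succeeds at each provider.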

The audit domain is essential to maintaining the validity of the trust fabric in the infrastructure. The domain will receive data on authorisation decisions, as illustrated in Fig-14. This enables the domain to become a central point for monitoring of authorisation processes in individual TAS3 instances.


Fig-14: Auditing an authorization decision.

The services in the auditing and monitoring domain will receive other forms of trust-related data from the TAS3 infrastructure. This data will also include information on service invocations and workflow execution. The data resulting from these events will be stored in two main sets of services in the auditing and monitoring domain: auditing and compliance tools, and operation monitoring tools.

It is important to note that these two sets of information will be handled quite separately. The operation monitoring tools will be operated by the application code and will be application specific, whereas the auditing and monitoring will be operated by the TAS3 security layer and will be application independent.


Fig-15: Monitoring operation of the network using the configured model.

The data collected from the monitoring and the audits can then be used by elements in the infrastructure such as the Dashboard. This will enable users to see both how their data has been used in the infrastructure and whether any services have failed during execution. In cases of failure or rogue behaviour, the resulting negative feedback can be fed to the Trust and Reputation service.

Some Audit Principles:

Relevant prior art will be incorporated in a future version of this document including regulatory compliance and best practises from

