Domain 2 of 6 · Chapter 8 of 8

Data Event Auditability & Accountability

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • The audit chain: four properties, in order
  • Event sources and the required attributes
  • Logging, storage, and analysis: the data-event pipeline
  • Chain of custody and non-repudiation
  • Exam-pattern recognition

Auditability vs traceability vs accountability vs non-repudiation

PropertyQuestion it answersHow you achieve itFailure if missing
AuditabilityWas the event recorded?Enable data-event logging on every protected store and operationBlind spots: actions leave no trace at all
TraceabilityWhat exactly happened, by whom, from where?Capture identity, IP, geolocation, timestamp, object/operation on each recordRecords exist but cannot reconstruct the event
AccountabilityCan the action be tied to one identity?Authenticate to individual principals; never log to a shared accountAction is known but no one is answerable for it
Non-repudiationCan the actor deny having done it?Sign records / protect log integrity cryptographicallyActor or tamperer can plausibly dispute the record

Decision tree

Is the event recordedat all?NoEnable data-event loggingon every protected storeYesCan you reconstruct it(identity, IP, geo, UTC)?Missing attributesAdd required attributes+ synchronize clocks (NTP/UTC)YesTied to one identity?no shared accountsShared accountAuthenticate per principalindividual accountabilityYesCould the actor deny it,or the record be altered?DeniableSign records / hash-chain + WORMnon-repudiation + chain of custodyNoChain completecentralize + retain + review

Cheat sheet

  • Auditability, traceability, and accountability are three cumulative layers
  • Log identity, IP, geolocation, timestamp, and object/operation on every data event
  • Authenticate to individual identities so actions are accountable
  • Non-repudiation comes from signing, not from access control or encryption
  • Encryption gives confidentiality, not integrity or non-repudiation
  • Chain of custody and non-repudiation answer different questions
  • Hash-chaining makes a log tamper-evident
  • Store logs append-only or WORM so they cannot be quietly deleted
  • Ship logs to a separate, access-restricted central store
  • Separate who can act on data from who can manage its logs
  • Synchronize clocks to a common UTC source before correlating events
  • Combine layered event sources; no single log sees the whole event
  • Control-plane (management-API) logs record who changed access and configuration
  • Log both successful and failed access to sensitive data
  • Never write secrets or raw sensitive values into the log body
  • Set log retention to the longest of business, regulatory, and legal-hold needs
  • Hash collected logs at the moment of collection to anchor chain of custody
  • Protect the log's confidentiality, integrity, and availability across its lifecycle
  • Designing data events is here; running the SOC and SIEM is operations
  • Normalize multi-cloud logs to one schema before SIEM correlation

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. OWASP Logging Cheat Sheet Whitepaper
  2. NIST SP 800-92 — Guide to Computer Security Log Management Whitepaper
  3. NIST SP 800-57 Part 1 Rev. 5 — Recommendation for Key Management Whitepaper