Data Masking: Don’t Let Your Audit Logs Be the Cause of a Data Breach

July 27, 2021

Exposure of sensitive data through log files and unprotected databases is a story that makes headlines almost every day. Millions of users have been impacted, and millions of records exposed. Passwords, private keys, PII, etc., and other highly restricted information can be captured in plain text in log files and stored in plain text in audit databases.

For example, in April 2021, the DreamHost database leaked 814 million records online, including customer data. The monitoring and file logs exposed many internal records that should not have been publicly accessible.

Earlier in 2018, the Twitter data breach impacted 330 million users when an internal log exposed all user passwords, which were stored unmasked in the log, accessible to the internal network.

Not that we need to be reminded in today's world of data breaches and cyber-attacks, but here's how you'd define a data breach: an incident that results in confidential or sensitive information stolen or taken from a system without the knowledge or authorization of the system's owner.

So, what are the primary avenues of a data breach?

  • Insecure storage of sensitive data, and
  • Intentional or unintentional authorization and access to sensitive or critical data

In a world of relentless data breaches and cyber-attacks, protecting data is essential for all organizations and enterprises. Unprotected data, whether in transit (data actively moving from one location to another) or at rest (stored or archived on device or network), leaves organizations vulnerable to attacks.


Nearly 35 percent of unstructured data is business-critical – that’s 3.1 million files in an average organization. Of those business-critical files, 14 percent can be seen by internal or external users who should not have access.

Concentric Q1 2021 quarterly Data Risk Report


As an industry leader in privileged access security solutions, we've shared numerous helpful resources on securing access to your data. In this post, let's talk about how you can ensure data protection by securing the audit logs at the source. The goal is to considerably reduce the risk of unauthorized access to sensitive data stored in these audit logs.

Audit logs are highly vulnerable

What are audit logs? An audit log is a record of computer events about an operating system, an application, or user activities. Depending on the individual administrator activity, the audit log events may contain passwords, usernames, IP addresses, SSH keys, PII, etc., and other highly sensitive information recorded in plain text. Audit logs allow organizations to identify and analyze events and operational issues and are critical for supporting compliance reporting.

And since these audit logs may need to be viewed from time to time by IT admins and auditors and shared with other third parties, the risks resulting from insider-driven data leaks, or an account compromise is extremely high.

The risk of not encrypting before the data is in transit

Encryption plays a significant role in protecting data and adds an extra layer of defense in protecting data, in transit, and at rest. However, there have been instances where encrypted data in transit, though encrypted, was compromised.

For example, in the recent Morgan Stanley data breach on its Accellion FTA server, investigation officials disclosed that the compromised files were encrypted; however, attackers were able to obtain the decryption key during the breach.

Consider the case of the audit logs, which are often viewed by IT administrators, managers, and their delegates. They are frequently shared with third parties for auditing, reporting, and incident response purposes and forwarded to enterprise applications such as Splunk.

You must ensure that the sensitive data in these audit log files is protected by obfuscating it as soon as it’s written to the audit log file, before the data leaves its origin and gets in transit.

Secure data by masking at the source

The solution lies in securing data at the source. Data masking is a process to obscure or anonymize data elements to protect sensitive information from unauthorized access. As a proactive approach to security, data masking at the source is one of the most effective ways to limit exposure of PII or other sensitive events captured in the audit logs.

Continuing to enhance our solutions, the latest version of Server Suite’s Audit and Monitoring Service now includes data masking capabilities for UNIX to reduce the risk of exposing potentially sensitive or highly restricted data during audit sharing. This capability ensures that all sensitive data is masked before the final audit log is generated.

"We believe ThycoticCentrify's agent-based solution is superior to other vendors in the market today. Because our platform has an agent, we can mask your sensitive information irrespective of whether it is part of the command output or entered via command line. Since sensitive data in audit logs, including session replay and command logs, are masked at the source, we can offer more secure treatment of all the sensitive data such as passwords, private keys, PII, etc. as compared to other solutions that rely on masking at the server level," explains Yogesh Dandekar, senior engineering manager at ThycoticCentrify.

For regulatory compliance, you are required to retain your audit logs for a certain period of time. The longer you have to preserve them, the greater the risk of exposure. As a best practice, masking at the source mitigates this risk.

Learn more about how Server Suite can up level privilege escalation to support Zero Trust and Privileged Access Management goals.

Contact us to know more about how ThycoticCentrify enables organizations to reduce the risk of security breaches by minimizing the attack surface.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.