Audit events in the identity and access management system are a key component to demonstrate that your company is compliance with some legislation like SOX. Also, it will help to your systems administrators to generate reports to identify an intruder if the identity and management system is being compromised.

Auditing involves logging security-critical operations that occur within the identity and access management system domain. Auditing of such operations can be useful in trying to track down the sequence of events that led to a hack or, perhaps, in determining the identity of the hacker. Auditing is usually performed during authentication (logins), logouts, trusted resource access (for example, file access), and any modification of the security properties of a system.

This is the typical information logged during a security audit:

• Audit event type
• Timestamp of the event
• Identity of the principal initiating the event
• Identification of the target resource
• Permission being requested on the target resource
• Location from which the resource request is made

Because audit logs are used to provide evidence with respect to security-critical operations, the audit process and log itself tend to be security-critical. Therefore, they must be protected in some way from hackers corrupting, denying, or perhaps replacing log information.

During your identity and access management implementation is very important that you determine what information needs to be stored in the audit files or database.

Some of the task required during your identity and access management implementation are:

• Analyze what audit events needs to be enable / disable
• Analyze if the audit needs to be in a file or database
• Analyze if the audit needs to be pushed to an external database for reporting
• Analyze if the audit events after sometime (1 or 2 years ) needs to be removed from your current IAM system and stored in another database for historical purpose