Keep Sensitive Data Out of Your Logs: 9 Best Practices

Robust logging is a core part of software development.

However, the security measures for logs can sometimes be lax, making them a point of vulnerability. 

There’s also a temptation to log sensitive customer data as an easy way to identify event owners and create audit trails.

Regardless of your company’s industry, logging sensitive data is both a security and compliance risk. It’s been the culprit behind several high-profile data breaches.

So how can we keep sensitive data out of logs?

Sensitive data includes:

  • Personally Identifiable Information (PII) like full names, addresses, email addresses, driver’s license numbers, etc.
  • Financial data like credit card information
  • Medical history and records
  • Passwords
  • IP addresses

There are two big reasons for keeping sensitive data out of your logs:

1) Compliance

Under privacy laws like the EU’s GDPR and California’s CCPA, users have the right to request details about their personal data. 

Complying with these requests becomes difficult when user data is duplicated across systems, logs, database dumps, and backups.

2) Security

Logs are often the target of data breaches or the source of accidental data leaks. 

Attacks are going to happen, but by keeping sensitive data out of your logs, you’re significantly reducing the value of any data that gets compromised.

Now that we understand what sensitive data is and the dangers of logging it, let’s take a look at the best practices for avoiding these problems:

1) Isolate Sensitive Data

You want to minimize the exposure your systems have to sensitive data by isolating it within a single source of truth like a data privacy vault.

Example of Data Privacy Vault Integration with an Existing Stack

2) Log Tokens, Not Values

Log a reference to any raw value through a process like tokenization. With tokenization, you swap the sensitive data for a token.

Example Tokenized Data Store

3) Encrypt During Transit and at Rest

It’s imperative to encrypt data during transit and at rest. If your data is encrypted at rest, then even if someone steals your database backup or log file, they’ll need the key to do anything with the data.

4) Keep PII Out of URLs

Replace sensitive user identifiers in URLs, like names and emails, with an arbitrary ID.

This could be the row ID of the user, or if you need different URLs to map to different field values you could utilize tokenization here as well.

Transforming Problematic URLs with Tokenization

5) Redact and Mask Data

Redaction and masking are another way to keep sensitive data out of logs.

Masking creates a version of data structurally similar to the original, but hides the most sensitive parts. Redaction is similar, but hides all of the information.

Example of Using Masked Data in Logs

6) Governance

Data governance is a collection of policies and processes that help ensure that data is managed, secured, accurate, audited, and documented.

Example of Data Governance Managing Access and Data Visibility

7) Code Reviews

Code reviews are a standard engineering best practice. 

As part of this process, reviewers should pay attention to log statements and call out any potentially problematic logging practices.

8) Structured Logging

With structured logging, your logs are relational data sets, like key/value pairs, rather than just text. 

Structured logging has the advantage of being more easily searched and analyzed. It can also help with keeping sensitive data out of your logs.

9) Automated Alerts

The final step is to create a service that proactively searches existing logs for sensitive data and, if any is found, notifies the team.

This might seem like a lot of trouble, but it can help to catch mistakes.
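
One way to build the log-scanning service from practice 9, shown as an added example that is not from the original article: it looks for email addresses and card numbers, uses a Luhn check to skip ordinary long digit runs such as order IDs, and reports only masked samples so the alert itself does not leak the value. The regular expressions, function names and sample log lines are assumptions constructed for illustration.

```python
import re

# Assumed patterns for this example; tune them to the data your systems handle.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order IDs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so the alert does not leak the value."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan_line(line_no: int, line: str) -> list:
    """Return findings for one log line; each finding holds a masked sample only."""
    findings = []
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({"line": line_no, "type": "card_number", "sample": mask(digits)})
    for m in EMAIL_RE.finditer(line):
        local, _, domain = m.group().partition("@")
        findings.append({"line": line_no, "type": "email", "sample": local[0] + "***@" + domain})
    return findings


def scan_log(lines) -> list:
    """Scan an iterable of log lines (a file object works) and collect findings."""
    return [f for n, line in enumerate(lines, 1) for f in scan_line(n, line)]


# Constructed sample log lines (4111 1111 1111 1111 is a well-known test card number).
SAMPLE_LOG = [
    "2024-01-05T10:00:01Z INFO user_token=tok_8f3a2c login ok",
    "2024-01-05T10:00:07Z DEBUG payment card=4111 1111 1111 1111 amount=20.00",
    "2024-01-05T10:00:09Z INFO order_id=1234567890123456 shipped",
    "2024-01-05T10:00:12Z WARN reset mail sent to jane.doe@example.com",
]
if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)  # hand off to your alerting channel here
```

Run it on a schedule against rotated log files by passing an open file object to `scan_log`, and route the findings to whatever channel your team already watches.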

Ultimately, we live in a world where breaches happen, but with these best practices in place, you can deter attackers and minimize fallout.

To learn more, read our blog post on the topic.
