IBM Operations Analytics Log Analysis considerations for GDPR readiness

Note: This document is intended to help you in your preparations for GDPR readiness. It provides information about features of Log Analysis that you can configure, and aspects of the product's use, that you should consider to help your organization with GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM® does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Table of Contents

1. GDPR

2. Product Configuration - Considerations for GDPR Readiness

4. Data Life Cycle

3. Data Collection

5. Data Storage

6. Data Access

7. Data Processing

8. Data Deletion

9. Data Monitoring

10. Responding to Data Subject Rights

GDPR

General Data Protection Regulation (GDPR) has been adopted by the European Union ("EU") and applies from May 25, 2018.

Why is GDPR important?

GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for processors
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification

Product Configuration - Considerations for GDPR Readiness

Offering Configuration

The following sections provide considerations for configuring Log Analysis to help your organization with GDPR readiness.

Log Analysis helps users analyze the full scope breadth of their operational data types, helping them to identify, isolate, and resolve problems. The solution integrates data from multiple sources including logs, events, metrics, support documents and problem tickets. Users can use the features to consolidate operational data by type and to search this data to get deeper insights into their IT operations.

Data is loaded into Log Analysis where it is parsed, annotated, and ingested into Log Analysis. It can be processed further according to the needs of your organization. For example, users can view it in dashboards and search pages, it can be passed to helpdesk systems, logged in databases, replicated on remote systems, and used to trigger automatic alerts. Data that is loaded into Log Analysis and indexed for search is used by multiple users, who are usually agents in your Network Operations Center (NOC). Access is controlled by a role based access (RBAC) model. You assign roles to users to govern what data they can see and use. Additional actions may be triggered if you configured the alerting feature to trigger such actions.

Standard Edition users can use Hadoop to store long term data.

Data Life Cycle

What is the end-to-end process through which personal data go through when using our offering?

Log Analysis processes the following types of personal data:

  • Authentication credentials includes data such as username and passwords.
  • Technically identifiable personal information includes data such as device IDs, usage based identifiers, IP address, etc�that can be linked to an individual.

This offering is not designed to process any special categories of personal data. Where there is a possibility to add custom fields, these should be reviewed for potential inclusion of personal data.

The processing activities with regard to personal data within this offering include:

  • Receipt of data from data subjects and/or third parties
  • Computer processing of data, including data transmission, data retrieval, data access, and network access to allow data transfer if required.
  • Storage and associated deletion of data

This offering can be integrated with the following IBM offerings, which may process personal data content:

  • IBM Tivoli® Netcool® Operations Insights
  • IBM Cloud Application Performance Management, Private
  • IBM WebSphere® Application Server
  • IBM Open Platform Hadoop
  • IBM Control Desk

This offering may integrate with the following third party products, which may process personal data content:

  • Service desk / trouble ticketing solutions
  • ServiceNow
  • Remedy

Personal data used for online contact with IBM

Log Analysis clients can submit online comments/feedback/requests to contact IBM about Log Analysis subjects in a variety of ways, primarily:

  • Public comments area on pages in the Log Analysis community on IBM developerWorks®
  • Public comments area on pages of Log Analysis IBM documentation.
  • Public comments in the Log Analysis space of dWAnswers
  • Feedback forms in the Log Analysis community

Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.

Data Collection

Types of data collected

This offering collects the Types of Personal Data listed below:

  • Authentication credentials such as username and password

Data Storage

User names and Passwords can be managed in a number of ways in Log Analysis. Users can be authenticated against its internal DB based user management or an external repository, such as an LDAP directory. For ease of user administration it is recommended that users are centrally managed using the organizations central directory service. For more information about how to configure Log Analysis to use an external directory service as an authentication source, see: Configuring LDAP authentication.

  • Storage of client data

The primary data processed by Log Analysis primarily processes data that is related to log or event data which can belong to you or your clients, depending on how you deployed Log Analysis and where it collects data from. Log Analysis provides role based access controls to control what data users can access. For more information, see Users and roles.

Backups are written to a filesystem (either local or network mounted). Therefore access control to the backed up data is controlled by the permissions configured on the filesystem.

  • Storage in archives Log Analysis does not support archiving.

Standard Edition users can store data in Hadoop and search this data in Log Analysis. Access to this data is also controlled by RBAC.

Data Access

Log Analysis provides two roles out of the box, unityuser and unityadmin. Users and roles can be created in Log Analysis for controlling access to the data sources. For more information, see Users and roles.

Activity logs

Logging is maintained for diagnostic and support purposes. Details of the default logs and how to configure them can be found here:

In addition there is an audit logging capability for recording actions performed by users. These should be reviewed regularly as part of your overall security process. For more information, see Configuring auditability.

Data Processing

  • Encryption of data arriving and being sent on For data transferred from different sources to Log Analysis, Single Socket Layer (SSL) authentication is used. Log Analysis can be configured to use SSL communications internally. For more information, see Configuring secure communication and authentication

  • Encryption if it is being stored Log Analysis user names and passwords are stored in a Derby database. The passwords stored are encrypted. It does not store any other passwords apart from the encrypted Log Analysis user passwords.

Log Analysis is designed to work within a secure intranet inside the enterprise. The ingested data stored in SOLR is not encrypted. If Hadoop is integrated with Log Analysis, the ingested data in Hadoop is encrypted.

  • Flow through your product and potentially on to other sub-systems For data transferred from different sources to Log Analysis, Single Socket Layer (SSL) authentication is used. Log Analysis can be configured to use SSL communications internally. For more information, see Configuring secure communication and authentication.

Data Deletion

  • Client Data deletion Removal of users from either the Log Analysis or external directory service will prevent the user from logging into Log Analysis. As part of your deployment, you should review the period for which data should be deleted.

  • Account Data deletion Where Log Analysis is being used in a managed service environment and a single deployment is being used to ingest logs/events from multiple data sources, consideration should be given to the processes for adding and removing data sources and what mechanisms need to be in place to remove a specific application data source.

Data Monitoring

Personal data in Log Analysis is limited to:

  • Basic personal information: For example user names for authentication)
  • Technical personal information: For example IP addresses or host names from systems that are used by the user to access the solution and potentially captured in debug or trace logs.

Log Analysis can be configured to audit access to specific objects or actions performed by specific users in audit logs, as previously mentioned.

Log files are not encrypted. If log files need to be archived for operational or audit requirements then consideration should be given to encrypting any archived logs.

Responding to Data Subject Rights

The personal data that is stored and processed by Log Analysis is divided into the following categories:

  • Basic personal data for example user names and passwords that are used for authentication)
  • Technically identifiable personal information such as IP addresses and host names to which user activity could potentially be linked.

This data is intrinsic to the effective operation of Log Analysis. Removal of data, modification of historical data, and sharing of this data is likely to be counter to your enterprises policies.

However, consideration may need to be given to the following:

  • Data is only retained for a reasonable period based on the pertaining operational, compliance and industry audit requirements.
  • Data is secured appropriately when in backup format.
  • When Log Analysis is used for managing your enterprises own IT/network environment and the users of the solution are employees/contractually engaged staff, that the contract terms are GDPR compatible.
  • When any field is customized to augment the defaults with additional data sourced from other data sources available in your environment, whether these customizations add personal data and what implications there are on doing this from a GDPR compliance perspective.