Scaling Data Access Auditing with Immuta’s Unified Audit Model

The Challenge with Data Access Auditing

The amount of data and the number of data users continue to grow at an exponential rate, increasing the surface area of risk for unauthorized access. Data teams are grappling with the challenge of sifting through an enormous amount of audit data across a disparate set of external systems, correlating the logs across systems like Snowflake and Databricks, and determining who accessed what data and when.

With Immuta’s Unified Audit Model (UAM), it is now faster and easier to push a consistent audit log structure and metadata from various systems to storage platforms like AWS S3, and then to SIEMs like Splunk for simplified filtering and analysis across a range of events.

In this blog, we’ll explore the objectives of Immuta’s UAM, how it works in practice, and what it can mean for your team’s data security and management.

Immuta’s Vision for Comprehensive Data Monitoring and Access Auditing

Our vision in establishing a unified audit model is predicated on having comprehensive data access management for the enterprise that spans three key pillars: Discovery, Security, and Monitoring. With that in mind, we are continuously working to innovate around each of those pillars.

With an eye on improving our current data monitoring capabilities, we want to make it easier and more efficient for end users like governance, risk, and compliance (GRC) stakeholders, audit teams, and security teams to leverage the volumes of audit logs that Immuta generates. Customers today must manually load data into their analytics tool of choice and sift through a massive amount of log data for tasks like compliance verification. Immuta’s UAM provides a stepping stone towards comprehensive access management monitoring, which will provide:

  • Consistent audit log structure and metadata across audit events
  • Simple search and filtering capabilities
  • Automatic pushes of data into choice systems for storage and analysis

Immuta’s Unified Audit Model

Immuta’s UAM is a standalone enterprise-scale audit service that helps simplify and accelerate the filtering and analysis of audit data by data teams, as well as GRC, audit, and security teams. The service comes with a new API, audit log exporter, and CLI. Initially, it will provide audit events for Snowflake and Databricks, but will be rolled out for other platforms over time.

https://www.immuta.com/wp-content/uploads/2022/11/UAM-Architecture.jpg

Some of the key capabilities and attributes of Immuta’s UAM include:

Consistent Audit Log Structures and Metadata

UAM applies a consistent audit log structure and metadata to data access audit events from all native integrations and the Immuta platform, which centralizes and simplifies filtering and analysis. In the near future, Immuta policy configuration events will also be available.

Below is an example of how the audit events that Immuta generates would appear for users:

Data Access Audit Events

  • Action Names (e.g. QUERY) + Target (e.g. data source)
  • Action Status (SUCCESS, FAILED, UNAUTHORIZED)
  • Action Status Reason (why something failed)
  • Actor IP (when available)
  • Session ID (when available, enables chaining events together during the same session)
  • Start/End Time for the query (now only in Snowflake)
  • DENIED logs for Databricks
  • Policy Set – now embedded in Databricks audit events so customers can perform root cause analysis of why a user was able (or not able) to query. UAM will support any other native integration that enables this.
https://www.immuta.com/wp-content/uploads/2022/11/Splunk-view.png

Support for Additional Event Metadata

When more detail can be derived from fields, Immuta’s UAM is able to incorporate the additional audit event metadata, enabling richer, more holistic analysis. This includes user attributes, impersonated users, session IDs, Actor IPs, table names, and technologies.

Search and Filtering Capabilities

The integration of consistent metadata enables support for advanced filtering, as well as grouping by variables like action and target. This increases efficiency by returning only the requested information, which in turn reduces payload. As functionality is further developed, Immuta’s UAM will also enable custom queries.
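The sketch below shows what session chaining (from the event attribute list) and grouping by action and target (described above) look like once events share one structure. It is an added example, not Immuta's code: the field names and sample events are hypothetical and constructed for illustration, and do not reflect the actual UAM schema.

```python
from collections import Counter, defaultdict

# Constructed sample events. Field names are hypothetical stand-ins for the
# attributes listed above, not Immuta's actual UAM schema.
EVENTS = [
    {"time": "2022-11-01T10:00:05Z", "action": "QUERY", "target": "hr.salaries",
     "status": "UNAUTHORIZED", "actor": "jdoe", "actor_ip": "10.0.0.5", "session_id": "s-1"},
    {"time": "2022-11-01T10:00:01Z", "action": "QUERY", "target": "hr.reviews",
     "status": "UNAUTHORIZED", "actor": "jdoe", "actor_ip": "10.0.0.5", "session_id": "s-1"},
    {"time": "2022-11-01T10:01:00Z", "action": "QUERY", "target": "sales.orders",
     "status": "SUCCESS", "actor": "jdoe", "actor_ip": "10.0.0.5", "session_id": "s-1"},
    {"time": "2022-11-01T10:02:00Z", "action": "QUERY", "target": "sales.orders",
     "status": "SUCCESS", "actor": "asmith", "actor_ip": None, "session_id": "s-2"},
    {"time": "2022-11-01T10:03:00Z", "action": "QUERY", "target": "hr.salaries",
     "status": "FAILED", "actor": "asmith", "actor_ip": None, "session_id": None},
]

def count_by(events, *fields):
    """Group events by the given fields (e.g. action and target) and count them."""
    return Counter(tuple(e.get(f) for f in fields) for e in events)

def chain_sessions(events):
    """Chain events that share a session ID, ordered by time.
    Session ID is only present when available, so events without one are skipped."""
    sessions = defaultdict(list)
    for e in events:
        if e.get("session_id"):
            sessions[e["session_id"]].append(e)
    # Same-format UTC ISO 8601 timestamps sort correctly as strings.
    return {sid: sorted(evs, key=lambda e: e["time"]) for sid, evs in sessions.items()}

def sessions_to_review(events, min_denied=2):
    """Return sessions with at least min_denied UNAUTHORIZED events."""
    findings = []
    for sid, evs in chain_sessions(events).items():
        denied = [e["target"] for e in evs if e["status"] == "UNAUTHORIZED"]
        if len(denied) >= min_denied:
            findings.append({"session_id": sid,
                             "actors": sorted({e["actor"] for e in evs}),
                             "ips": sorted({e["actor_ip"] for e in evs if e["actor_ip"]}),
                             "denied_targets": denied})
    return findings

if __name__ == "__main__":
    print(count_by(EVENTS, "action", "target", "status"))
    print(sessions_to_review(EVENTS))
```

Events that arrive without a session ID or actor IP are still counted by `count_by` but cannot be chained, which is why the attribute list marks both fields as "when available".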

Audit Log Export for SaaS

Immuta’s UAM acts as a push mechanism for audit information from Immuta’s SaaS data security environment. This includes a scheduled export capability, as well as a generic audit exporter that is ready to support additional destinations.

Next Steps

To get an in-depth look at UAM and other capabilities, book a demo with our team.
