Compliance Considerations#

Audience: Security Professionals, Compliance Officers
Prerequisites: Understanding of security compliance requirements
Outcome: Understand Kleidia’s compliance features and audit capabilities

Overview#

Kleidia provides comprehensive audit logging and compliance features to meet enterprise security and regulatory requirements. The system logs all operations, maintains complete audit trails, and provides reporting capabilities.

Audit Logging#

What is Logged#

All operations are logged for compliance:

User Actions#

  • Authentication: Login, logout, failed login attempts
  • Device Operations: Registration, PIN/PUK changes, certificate operations
  • Profile Changes: Password changes

Administrative Actions#

  • User Management: User creation, modification, deletion
  • Policy Changes: Security policy updates
  • System Configuration: System setting changes
  • Certificate Operations: Certificate generation, revocation

Security Events#

  • Failed Authentications: Invalid login attempts
  • Permission Denials: Unauthorized access attempts
  • Session Events: Session creation, expiration, revocation
  • Agent Events: Agent registration, key rotation

Audit Log Structure#

{
  "id": 12345,
  "user_id": 1,
  "action": "login",
  "resource": "user",
  "resource_id": 1,
  "details": {
    "os": "macOS 14.0",
    "ip_address": "192.0.2.1"
  },
  "ip_address": "192.0.2.1",
  "hostname": "workstation.example.com",
  "user_agent": "Mozilla/5.0...",
  "created_at": "2025-01-15T10:30:00Z"
}

Log Storage#

  • Database: Audit logs stored in PostgreSQL
  • Retention: Configurable retention policies
  • Search: Full-text search capabilities
  • Export: CSV and PDF export for compliance reports

Compliance Features#

Complete Audit Trail#

  • All Operations: Every operation logged with timestamp
  • User Attribution: All actions attributed to specific users
  • Resource Tracking: Resources accessed tracked
  • IP Address Logging: Source IP addresses logged
  • User Agent Logging: Browser/client information logged

Reporting Capabilities#

Device Inventory Report#

  • Complete list of all registered YubiKeys
  • Device details (serial, owner, status)
  • Certificate status
  • Registration dates

Certificate Status Report#

  • All certificates across all devices
  • Expiration dates
  • Revocation status
  • Certificate details

User Activity Report#

  • User authentication events
  • Device operations
  • Timestamp of each event (UTC)
  • Filtered by user or by date range

Security Events Report#

  • Failed authentication attempts
  • Permission denials
  • Suspicious activity
  • Policy violations

Data Retention#

  • Configurable Retention: Set retention periods per log type
  • Automatic Cleanup: Logs past their retention period are cleaned up automatically
  • Archive Support: Export logs you must keep before cleanup runs; cleanup does not create an archive for you
  • Compliance Periods: Support for regulatory retention requirements
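The following script is an added illustration of the three reporting and retention functions described above (User Activity Report filtering, Security Events Report, Data Retention with export before cleanup); it is not part of Kleidia and does not use its API. It operates on constructed records in the documented audit log structure, read one JSON object per line as an export might be. The action names other than "login" (login_failed, permission_denied, pin_change) and the brute-force threshold and window are assumptions for the example; hostname and user_agent are omitted from the sample for brevity.

```python
import csv
import io
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real Kleidia output) in the documented audit log
# structure. Action names other than "login" are assumed for this example.
SAMPLE_LOG = """\
{"id": 1, "user_id": 1, "action": "login", "resource": "user", "resource_id": 1, "details": {"os": "macOS 14.0"}, "ip_address": "192.0.2.1", "created_at": "2025-01-15T10:30:00Z"}
{"id": 2, "user_id": 2, "action": "login_failed", "resource": "user", "resource_id": 2, "details": {"reason": "bad_password"}, "ip_address": "198.51.100.7", "created_at": "2025-01-15T11:00:00Z"}
{"id": 3, "user_id": 2, "action": "login_failed", "resource": "user", "resource_id": 2, "details": {"reason": "bad_password"}, "ip_address": "198.51.100.7", "created_at": "2025-01-15T11:00:20Z"}
{"id": 4, "user_id": 2, "action": "login_failed", "resource": "user", "resource_id": 2, "details": {"reason": "bad_password"}, "ip_address": "198.51.100.7", "created_at": "2025-01-15T11:00:45Z"}
{"id": 5, "user_id": 3, "action": "permission_denied", "resource": "policy", "resource_id": 4, "details": {"required_role": "admin"}, "ip_address": "192.0.2.9", "created_at": "2025-01-15T12:00:00Z"}
{"id": 6, "user_id": 1, "action": "pin_change", "resource": "device", "resource_id": 10, "details": {}, "ip_address": "192.0.2.1", "created_at": "2025-01-10T09:00:00Z"}
{"id": 7, "user_id": 4, "action": "login_failed", "resource": "user", "resource_id": 4, "details": {"reason": "bad_password"}, "ip_address": "203.0.113.5", "created_at": "2024-09-01T08:00:00Z"}
"""


def parse_audit_log(text):
    """Parse one JSON record per line; created_at (ISO 8601, UTC) becomes an aware datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["created_at"] = datetime.fromisoformat(rec["created_at"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def filter_records(records, user_id=None, start=None, end=None):
    """User Activity Report filter: by user and/or by inclusive date range."""
    out = []
    for r in records:
        if user_id is not None and r["user_id"] != user_id:
            continue
        if start is not None and r["created_at"] < start:
            continue
        if end is not None and r["created_at"] > end:
            continue
        out.append(r)
    return out


def security_events_report(records, threshold=3, window=timedelta(minutes=10)):
    """Security Events Report: failed logins per source IP, sources with at least
    `threshold` failures inside any `window` (assumed brute-force rule), and denials."""
    failures = defaultdict(list)
    denials = []
    for r in records:
        if r["action"] == "login_failed":
            failures[r["ip_address"]].append(r["created_at"])
        elif r["action"] == "permission_denied":
            denials.append((r["user_id"], r["resource"], r["resource_id"]))
    suspicious = []
    for ip, times in failures.items():
        times.sort()
        # Sliding window: any run of `threshold` consecutive failures spanning <= `window`.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            suspicious.append(ip)
    return {
        "failed_logins_by_ip": {ip: len(t) for ip, t in failures.items()},
        "suspicious_sources": sorted(suspicious),
        "permission_denials": denials,
    }


def apply_retention(records, retention_days, default_days, now):
    """Split records into (kept, expired) using a per-action retention period in days."""
    kept, expired = [], []
    for r in records:
        days = retention_days.get(r["action"], default_days)
        (expired if now - r["created_at"] > timedelta(days=days) else kept).append(r)
    return kept, expired


def export_csv(records):
    """Flatten records to CSV text so expired entries can be archived before cleanup."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "user_id", "action", "resource", "resource_id",
                     "ip_address", "created_at", "details"])
    for r in records:
        writer.writerow([r["id"], r["user_id"], r["action"], r["resource"], r["resource_id"],
                         r["ip_address"], r["created_at"].isoformat(),
                         json.dumps(r["details"], sort_keys=True)])
    return buf.getvalue()


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_LOG)
    print(security_events_report(records))
    now = datetime(2025, 1, 20, tzinfo=timezone.utc)
    kept, expired = apply_retention(records, {"login_failed": 90, "permission_denied": 365}, 180, now)
    print(export_csv(expired))  # archive these before they are cleaned up
```

Because the retention step returns the expired records rather than deleting anything, the export can be written and verified before any cleanup runs, which is the ordering the best practices below require.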

Security Compliance#

Access Control#

  • RBAC: Role-based access control
  • Least Privilege: Users have minimum required permissions
  • Session Management: Secure session handling
  • Token Security: Secure token generation and validation

Data Protection#

  • Encryption at Rest: Vault encryption for secrets
  • Encryption in Transit: HTTPS/TLS for all communication
  • Password Security: Argon2id hashing for passwords
  • Secret Management: Vault-first secret storage

Audit Requirements#

Who#

  • User ID and username
  • IP address
  • User agent

What#

  • Action performed
  • Resource accessed
  • Operation details

When#

  • Timestamp in UTC, ISO 8601 format (the created_at field shown above)
  • Stored values stay in UTC; convert to local time only when displaying or reporting

Where#

  • IP address
  • Hostname
  • Geographic location (if available)

Regulatory Compliance#

GDPR Considerations#

  • Data Minimization: Only the data needed for the audit record is collected; note that IP addresses and user agents in audit logs are personal data
  • Right to Access: Users can view their data
  • Right to Deletion: Users can request deletion; audit records kept under a legal retention obligation may be retained until that period ends (GDPR Art. 17(3)(b))
  • Data Portability: Export capabilities for user data
  • Audit Trail: Complete logging for compliance

SOC 2 Considerations#

  • Access Controls: RBAC and authentication
  • Audit Logging: Complete audit trail
  • Change Management: All changes logged
  • Incident Response: Security event logging
  • Monitoring: System health and security monitoring

HIPAA Considerations (if applicable)#

  • Access Controls: User authentication and authorization
  • Audit Logging: Complete audit trail
  • Encryption: Data encryption at rest and in transit
  • User Management: User account lifecycle management

Compliance Reporting#

Report Generation#

Reports are available in PDF format and can be downloaded from the admin user interface:

  • PDF: Formatted reports for compliance documentation
  • Download: Available in admin panel under Reports section
  • Manual Generation: Reports generated on demand by administrators

Best Practices#

For Compliance Officers#

  • ✅ Review audit logs regularly
  • ✅ Generate compliance reports monthly
  • ✅ Monitor security events
  • ✅ Review user access patterns
  • ✅ Verify data retention policies
  • ✅ Test audit log integrity

For Administrators#

  • ✅ Enable all audit logging
  • ✅ Configure appropriate retention periods
  • ✅ Monitor failed authentication attempts
  • ✅ Review administrative actions
  • ✅ Export logs before cleanup
  • ✅ Secure audit log storage

Audit Log Access#

Viewing Audit Logs#

  • Web Interface: Admin dashboard for audit log viewing
  • API Access: REST API for programmatic access
  • Export: CSV/PDF export for compliance documentation

Audit Log Security#

  • Access Control: Only admins can view audit logs
  • Immutable Logs: Audit logs cannot be modified through the application; restrict direct database access, since a database superuser is not bound by this control
  • Secure Storage: Audit logs stored securely in database
  • Backup: Audit logs included in database backups, so backups need the same access restrictions as the live database