PCI and HIPAA compliant administrative logs

Syncplify.me Server! version: 4.0.0+

Another requirement found in the latest versions of both PCI-DSS and HIPAA regulations is the necessity to keep an “untamperable” log of all configuration operations performed by any administrator.

Digitally signing every single log line is not enough, as a disloyal employee could simply delete some log lines entirely. Therefore each line should carry a numeric incremental ID (to make it easy to spot “holes”), and each line’s digital signature should “roll over”: the signed data for a line includes the previous line’s digital signature. This way an administrator cannot delete one (or several) log lines without the gap or the broken chain being spotted.

Furthermore, to make log analysis even easier, each log line is not actually just a “line of plain text”, rather it’s a JSON object that can be easily queried. A typical “log line” shows a call to a configuration REST API together with the corresponding response and signature.
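The following is an added illustration of the chained-signature scheme described above; it is not Syncplify.me’s code and the field names (`id`, `api`, `request`, `response`, `prev_sig`, `sig`) are assumptions. It stands in an HMAC-SHA256 keyed tag for the product’s digital signature so that it runs with the standard library alone; the chaining and gap-detection logic is the same either way.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real deployment would use a private signing key
# (or an HSM-held key) rather than a shared secret in the source.
DEMO_KEY = b"demo-admin-log-key"
GENESIS = "0" * 64  # prev_sig of the very first line


def canonical(obj):
    # Stable serialization so the tag is independent of key order/whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_entry(key, entry):
    # The tag covers every field except 'sig' itself, including 'prev_sig',
    # which is what links each line to the one before it.
    body = {k: v for k, v in entry.items() if k != "sig"}
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


class AdminLog:
    def __init__(self, key):
        self.key = key
        self.entries = []

    def append(self, api, request, response):
        prev = self.entries[-1]["sig"] if self.entries else GENESIS
        entry = {
            "id": len(self.entries) + 1,   # incremental ID
            "api": api,
            "request": request,
            "response": response,
            "prev_sig": prev,
        }
        entry["sig"] = sign_entry(self.key, entry)
        self.entries.append(entry)
        return entry

    def dump(self):
        # One JSON object per line, as the page describes.
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def verify_log(key, text):
    """Return a list of problems found; an empty list means the chain is intact."""
    problems = []
    prev_sig = GENESIS
    expected_id = 1
    for line in text.splitlines():
        entry = json.loads(line)
        if entry["id"] != expected_id:
            problems.append(f"gap: expected id {expected_id}, found {entry['id']}")
            expected_id = entry["id"]
        if entry["prev_sig"] != prev_sig:
            problems.append(f"chain broken at id {entry['id']}")
        if not hmac.compare_digest(sign_entry(key, entry), entry["sig"]):
            problems.append(f"bad signature at id {entry['id']}")
        prev_sig = entry["sig"]
        expected_id += 1
    return problems


def build_demo_log():
    # Constructed sample of three administrative REST calls.
    log = AdminLog(DEMO_KEY)
    log.append("PUT /api/vservers/1", {"name": "sftp-main"}, {"status": 200})
    log.append("POST /api/users", {"username": "alice"}, {"status": 201})
    log.append("DELETE /api/users/bob", {}, {"status": 204})
    return log.dump()


if __name__ == "__main__":
    text = build_demo_log()
    print(text)
    print("intact:", verify_log(DEMO_KEY, text))
    lines = text.splitlines()
    print("line 2 deleted:", verify_log(DEMO_KEY, "\n".join([lines[0], lines[2]])))
```

Note that deleting the *last* line leaves a perfectly valid chain: the scheme only proves that the lines that remain are contiguous and unmodified. To detect truncation at the tail, the verifier also needs the most recent signature anchored somewhere the administrator cannot edit (for example, shipped to a separate log collector as each line is written).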

RSA, DSA and ECDSA host keys

Syncplify.me Server! version: 4.0.0+

Our users are aware that old Syncplify.me Server! versions (from 1.0 to 3.x) used to support only a single host key, and it had to be an RSA key.

As of version 4.0, though, Syncplify.me Server! supports RSA, DSA, and ECDSA host keys, and it supports multiple (unlimited) host keys per virtual server.

The addition of DSA keys was mostly driven by the fact that some of our customers possess legacy DSA host/server keys that they are required to use in order for certain client applications to work properly. The addition of ECDSA host keys, on the other hand, is a truly remarkable new feature, and to understand why just check out the comparison table here below: