Observability
Immutable Audit Trail
Immutable audit trail: an unalterable, attributable, retained record of actions and decisions.
Plane: Observability
Flow steps: 8
Frameworks: NIST 800-53
Technology
Why use it
Ensure audit records cannot be modified or erased, so they can serve as evidence.
Why it matters to security
Without an immutable audit trail, an attacker can erase their tracks and compliance can prove nothing.
Implementations: WORM storage, append-only logs, cryptographic chaining, immutable export (object lock)
A trail you can erase proves nothing.
Recommendations by maturity tier
Foundation
Minimum viable baseline
- Integrity protection of audit logs (NIST 800-53 AU-9): records cannot be altered.
- Action attribution / non-repudiation (NIST 800-53 AU-10): each action is tied to an undeniable identity.
- Compliant record retention (NIST 800-53 AU-11): evidence is kept for as long as required.
Enterprise
Enterprise standard
- Write-once storage, WORM / append-only (NIST 800-53 AU-9(2)): you can only append, never modify or delete.
- Separation of log-administration rights (NIST 800-53 AU-9, AC-5): whoever acts does not manage the logs of their actions.
- Log backup outside the monitored system (NIST 800-53 AU-9(2)): a system compromise does not take its evidence with it.
Advanced
High-assurance / regulated
- Cryptographic chaining of records (NIST 800-53 AU-10): any alteration breaks the chain and becomes detectable.
- Verifiable integrity proof for external audit (NIST 800-53 AU-9): a third party can verify nothing was changed.
- Trusted timestamping (NIST 800-53 AU-8): the order and time of events are provable.
Architecture notes
- Separate who acts from who keeps the logs. Otherwise the attacker who takes over erases their tracks. Export logs to immutable storage under an authority distinct from the audited systems.
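The Advanced-tier chaining control and the architecture note above work together: each record carries the hash of its predecessor, and the current head hash is published to a party outside the audited system. The following is an added illustration, not code from this catalogue; record fields, the GENESIS anchor and the sample events are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first record, which has no predecessor


def record_hash(record):
    """SHA-256 over the canonical JSON form of a record (its 'prev' link included)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append(chain, actor, action, ts):
    """Append one record bound to the hash of the previous record; returns the new head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "ts": ts, "actor": actor, "action": action, "prev": prev}
    chain.append(dict(record, hash=record_hash(record)))
    return chain[-1]["hash"]


def verify(chain, published_head=None):
    """Recompute every link. Returns (ok, reason).

    Internal consistency alone cannot detect a chain that was rewritten and
    re-hashed end to end; comparing against a head published outside the
    audited system (the architecture note) catches truncation and rewrites.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["seq"] != i or body["prev"] != prev:
            return False, f"link broken at seq {i}"
        if record_hash(body) != entry["hash"]:
            return False, f"content altered at seq {i}"
        prev = entry["hash"]
    if published_head is not None and prev != published_head:
        return False, "head mismatch: records truncated or replaced"
    return True, "ok"


def build_sample_chain():
    """Constructed sample events (not real data) used by the demo."""
    chain = []
    append(chain, "alice", "login", "2024-05-01T10:00:00Z")
    append(chain, "alice", "read:customer/42", "2024-05-01T10:01:00Z")
    append(chain, "svc-batch", "export:report", "2024-05-01T10:05:00Z")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["hash"]  # publish this to the independent log authority
    print(verify(chain, head))
    chain[1]["action"] = "read:customer/7"  # in-place alteration of one record
    print(verify(chain, head))
```

The verifier's messages distinguish an altered record, a removed record (the sequence and link no longer line up) and a chain that passes internally but no longer matches the externally published head.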
References
NIST SP 800-53 Rev5
AU-8 (Time Stamps), AU-9 / AU-9(2) (Protection of Audit Information / backup), AU-10 (Non-repudiation), AU-11 (Retention), AC-5.
Abbreviations
PDP: Policy Decision Point
PEP: Policy Enforcement Point
PIP: Policy Information Point
PAP: Policy Administration Point
IdP: Identity Provider
TSS: Token Service
NHI: Non-Human Identity
RBAC: Role-Based Access Control
ABAC: Attribute-Based Access Control
MFA: Multi-Factor Authentication
HITL: Human-in-the-loop
JIT: Just-In-Time
CAE: Continuous Access Evaluation
CAEP: Continuous Access Evaluation Profile
DPoP: Demonstrating Proof-of-Possession
mTLS: mutual TLS
PII: Personally Identifiable Information
KMS: Key Management Service
CI/CD: Continuous Integration / Continuous Delivery
SIEM: Security Information and Event Management
SOAR: Security Orchestration, Automation and Response
SCIM: System for Cross-domain Identity Management
XACML: eXtensible Access Control Markup Language
OPA: Open Policy Agent
OWASP: Open Worldwide Application Security Project
NIST: National Institute of Standards and Technology
ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM: Large Language Model
WAF: Web Application Firewall
CDN: Content Delivery Network
DDoS: Distributed Denial of Service
DLP: Data Loss Prevention
JWT: JSON Web Token
API: Application Programming Interface
CRS: Core Rule Set (OWASP)
RAG: Retrieval-Augmented Generation
MCP: Model Context Protocol
PBAC: Permission-Based Access Control
HSM: Hardware Security Module
UEBA: User and Entity Behavior Analytics
SBOM: Software Bill of Materials
SLSA: Supply-chain Levels for Software Artifacts
WORM: Write Once, Read Many
SPIFFE: Secure Production Identity Framework For Everyone