Managing a Security Operations Center (SOC) is a constant exercise in paradox management. On the one hand, to meet the requirements of compliance audits (SOC 2, NIS 2), the system must exhaustively record the slightest action taken by analysts during remediation. On the other hand, to comply with strict privacy regulations (GDPR), the application must never collect or store personal or sensitive data in the clear.
One of the most critical points of friction occurs when resetting a user password following an Entra ID compromise. How can we provide indisputable proof to an auditor that the password has been changed, while ensuring that the new password does not appear in any logs? This is the role of the Data Masking policy (data hiding).
The Danger of Excessive Logging
When a developer designs an auditing function, the easy way out is to capture all of the parameters sent to the API and serialize them in the log file.
If the analyst triggers the action resetUserPassword, Microsoft's Graph API receives a payload containing the user ID and the character string of the new temporary password. If the system logs the raw request in the textual audit logs, the new password is written in clear text to the system files.
This phenomenon, called Verbose Logging or excessive logging, constitutes a major security vulnerability:
- Internal exposure: any network engineer, database administrator or auditor with access to the log console can read the employee's password and impersonate them.
- GDPR violation: writing plaintext authentication secrets to log files (which often have long retention periods) is a serious violation of data confidentiality principles.
The Akuity SOC approach: Selective masking at source
To resolve this architectural conflict, the Akuity SOC platform applies the fundamental principles of Data Masking and separation of privileges directly within its Server Actions.
1. Ephemeral generation on the front-end side
When the reset action is validated by the analyst (session raised to AAL2 via MFA), the command is sent to the Akuity backend. The system generates a strong temporary password (meeting Microsoft's complexity criteria).
This password is transmitted directly to the user interface and is displayed within a secure persistent modal equipped with a quick-copy button. The password is not stored anywhere in the database. It is only visible briefly on the analyst's screen so that they can transmit it to the employee via a secure channel.
2. Cleaning audit payloads (logAudit)
When the event is written in standardized JSON format to standard output, the function logAudit (defined in audit.ts) applies a strict masking filter.
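The following TypeScript is an added illustration of the two mechanisms described in sections 1 and 2: CSPRNG-backed generation of a temporary password that satisfies a three-of-four character-class rule (assumed here to be what "Microsoft complexity criteria" refers to), and a logAudit-style function that masks sensitive fields at any nesting depth before the JSON line is serialized. It is not the Akuity SOC's audit.ts; the sensitive-key list, the field names of the audit record and the Graph-style passwordProfile payload are assumptions, and the identities are constructed sample values.

```typescript
import { randomInt } from "crypto";

// Hypothetical list of keys that must never reach the audit log (assumption;
// the real audit.ts list is not on the page). Compared case-insensitively.
const SENSITIVE_KEYS = new Set([
  "password", "newpassword", "temporarypassword", "secret", "token", "accesstoken",
]);
const MASK = "***MASKED***";

type JsonValue = string | number | boolean | null | JsonValue[] | { [key: string]: JsonValue };

// Replaces the value of any sensitive key at any depth (e.g. passwordProfile.password),
// so the serialized line only ever contains the mask.
function maskSensitive(value: JsonValue): JsonValue {
  if (Array.isArray(value)) {
    return value.map(maskSensitive);
  }
  if (value !== null && typeof value === "object") {
    const masked: { [key: string]: JsonValue } = {};
    for (const [key, inner] of Object.entries(value)) {
      masked[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? MASK : maskSensitive(inner);
    }
    return masked;
  }
  return value;
}

interface AuditEvent {
  action: string;                          // e.g. "resetUserPassword"
  actor: string;                           // analyst identity
  target: string;                          // affected user's object id
  assuranceLevel: "AAL1" | "AAL2" | "AAL3"; // session level at the time of the action
  payload: JsonValue;                      // request body sent to the upstream API
}

// Masking happens before JSON.stringify, so the clear-text secret is never part of
// the string handed to the log sink.
function buildAuditRecord(event: AuditEvent, timestamp = new Date().toISOString()): string {
  return JSON.stringify({
    ts: timestamp,
    action: event.action,
    actor: event.actor,
    target: event.target,
    assuranceLevel: event.assuranceLevel,
    payload: maskSensitive(event.payload),
  });
}

// Hypothetical counterpart of the page's logAudit(): masks, emits, returns the line.
function logAudit(event: AuditEvent, sink: (line: string) => void = console.log): string {
  const line = buildAuditRecord(event);
  sink(line);
  return line;
}

// Ambiguous glyphs (I, l, O, 0, 1) are left out so the analyst can read the value aloud.
const UPPER = "ABCDEFGHJKLMNPQRSTUVWXYZ";
const LOWER = "abcdefghijkmnopqrstuvwxyz";
const DIGIT = "23456789";
const SYMBOL = "!@#$%^&*-_=+?";

// One character from every class is guaranteed, then the rest is drawn from the union
// and Fisher-Yates shuffled with randomInt (CSPRNG-backed) so class order is not fixed.
function generateTemporaryPassword(length = 16): string {
  if (length < 8) throw new Error("temporary password must be at least 8 characters");
  const classes = [UPPER, LOWER, DIGIT, SYMBOL];
  const all = classes.join("");
  const chars: string[] = classes.map((set) => set[randomInt(set.length)]);
  while (chars.length < length) {
    chars.push(all[randomInt(all.length)]);
  }
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join("");
}

// Assumed complexity rule: at least 8 characters and 3 of the 4 character classes.
function meetsComplexity(password: string): boolean {
  const classes = [/[A-Z]/, /[a-z]/, /[0-9]/, /[^A-Za-z0-9]/];
  const present = classes.filter((re) => re.test(password)).length;
  return password.length >= 8 && present >= 3;
}

// Defence-in-depth check for the audit path's unit tests: whatever the key list says,
// the secret string itself must never occur in the emitted line.
function secretLeaked(line: string, secret: string): boolean {
  return line.includes(secret);
}

// End-to-end demo of the analyst's reset action flowing through the audit path.
function demoReset(): { temporaryPassword: string; auditLine: string } {
  const temporaryPassword = generateTemporaryPassword();
  const auditLine = logAudit(
    {
      action: "resetUserPassword",
      actor: "analyst@example.com",                   // constructed sample identity
      target: "00000000-0000-0000-0000-000000000000", // placeholder object id
      assuranceLevel: "AAL2",
      payload: { passwordProfile: { password: temporaryPassword, forceChangePasswordNextSignIn: true } },
    },
    () => { /* silent sink for the demo; production writes the line to stdout */ },
  );
  return { temporaryPassword, auditLine };
}
```

The masking is keyed on field names rather than on value patterns, which is why the secretLeaked check belongs in the test suite: it catches the case where a new upstream API puts the secret under a key the list does not yet know about.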
The generated log takes the following form: