I know it sounds kind of silly, but if I want to install Splunk with the PCI app into an already PCI-compliant infrastructure, is the infrastructure still PCI compliant (i.e. is Splunk PCI-compliant)? Has anyone asked this question before? This was actually one of the first questions a client asked me. I didn't have an answer, and now need to get one.
What, if any, effect does Splunk have on a PCI-compliant infrastructure? Especially when you want to use Splunk to maintain that PCI compliancy.
Splunk is used by hundreds of companies to help meet their PCI obligations. Putting Splunk into your PCI environment can allow you to easily monitor the different systems, devices, and applications within your cardholder data environment. As with any technology, however, you will need to put appropriate controls in place to control the data flow and access to the data. If you don't appropriately deploy Splunk you could find yourself in violation of PCI.
Example 1: You are interested in using Splunk to collect and report on log data coming from cardholder systems, applications, and network infrastructure. The data flows into Splunk either in real-time or in batch. Splunk provides out of the box (or build your own) reports to provide visibility into the data. No problem. You can safely use Splunk in the PCI cardholder environment.
Example 2: You want to use Splunk as a conduit for cardholder data between systems. This is not an ideal use case since this would further require you to encrypt the data and put additional controls in place to protect the cardholder data. You can do it and be PCI compliant, but the deployment must be carefully controlled using Splunk role-based access, data signing, and possibly other controls / compensating controls to ensure compliance. Customers generally don't use Splunk for this use case.
Example 3: You are using Splunk to monitor the environment (similar to the first example). A custom application developer accidentally outputs PAN data into the log stream. The data finds its way into Splunk. If you are using the Splunk App for PCI Compliance we have built-in monitors to detect this and notify you. You would fix your custom app and can purge the data from Splunk as needed to remain PCI compliant.
There is certainly nuance depending on your use case and environment. I'd be happy to discuss with you further if you'd like. I can be contacted at email@example.com. Feel free to reach out.
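The situation in Example 3 (PAN data leaking into a log stream), as an added example that is not part of the original answer and is not the Splunk App for PCI Compliance's own detection logic: a minimal Python scanner that flags likely PANs in log lines before they are indexed, using a digit-run pattern plus a Luhn check to cut false positives. The function names and the sample log lines are constructed for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally split by single spaces or hyphens,
# and not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs (order IDs, counters)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the first six and last four digits so the alert does not re-leak the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(line: str):
    """Return masked, Luhn-valid PAN candidates found in one log line."""
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits

def scan(lines):
    """Return (line_number, masked_pans) for every line with a likely PAN."""
    findings = [(n, find_pans(line)) for n, line in enumerate(lines, 1)]
    return [(n, hits) for n, hits in findings if hits]

# Constructed sample log lines; 4111111111111111 is a widely used test card number.
SAMPLE_LOG = [
    "2024-01-10 12:00:01 INFO checkout order=1234567890123456 status=ok",
    "2024-01-10 12:00:02 DEBUG payment card=4111111111111111 exp=12/26",
    "2024-01-10 12:00:03 DEBUG payment card=4111-1111-1111-1111 retry=1",
    "2024-01-10 12:00:04 INFO session id=9f8e7d6c5b4a ts=1704888004",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: possible PAN {hits}")
```

A Luhn-valid hit is still only a candidate: about one in ten random digit runs of the right length passes the checksum, so findings need review before any purge.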