Should Splunk admin roles be limited to internal indexes?

splunkreal
Motivator

Hello,

Due to the General Data Protection Regulation (GDPR/RGPD), should the Splunk administrator user/role be limited in its access to all indexes?

How do I check if data is therefore correctly indexed using internal indexes (Splunk 7.1.4)?

Thanks in advance.

* If this helps, please upvote or accept solution 🙂 *
0 Karma

inventsekar
Ultra Champion

General Data Protection Regulation (GDPR) and Splunk is a good and important topic from the point of view of companies' security and auditing processes.
@FrankVl has already given a nice answer.

Some more information for all of us -

Here are 2 apps from Splunkbase:
https://splunkbase.splunk.com/app/3438/#/details
https://splunkbase.splunk.com/app/3889/#/details

Good reading:
https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/compliance/gdpr-compliance....
https://www.splunk.com/en_us/form/white-paper-how-machine-data-supports-gdpr-compliance.html
https://www.splunk.com/pdfs/professional-services/2018/splunk-pro-services-offerings-gdpr-implementa...

0 Karma

FrankVl
Ultra Champion

Those are indeed interesting apps and reads, but mostly on how to use Splunk to get a grip on data protection, not so much on how to set up Splunk in a compliant way, right?

0 Karma

inventsekar
Ultra Champion

Yes Yes, just for reading and learning.

0 Karma

FrankVl
Ultra Champion

That's a very generic question. But in general I would say no. At least I have never seen an environment where admin accounts were restricted to just the internal indexes. That would make it pretty much impossible for admins to investigate data quality issues and such.

I also can't imagine GDPR contains any explicit wording that admins should not have access to data. Such regulations never go into that level of detail.

You may want to restrict the number of people with an admin role and some of your Splunk admin operations team may not need extensive access, as they just need to keep an eye on Splunk component's health and such. But generically blocking admins from accessing data doesn't sound right.

If you really do have some requirement to restrict access like that, you could think of creating specific restricted roles for the admins and assigning them to that, but leave the possibility to temporarily assign them to a proper admin role when needed.
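To make the "specific restricted role" idea concrete, here is an added example (not code from the thread or from Splunk) that audits authorize.conf-style role definitions: it resolves importRoles inheritance, where Splunk unions the inherited srchIndexesAllowed lists, and reports which roles can reach beyond the `_*` internal indexes. The authorize.conf text, the role names `ops_bad` and `ops_good`, and the capability list are constructed for the example; the point it shows is that a restricted role that imports `user` (whose shipped default allows `*`) silently inherits access to every non-internal index.

```python
"""Audit which Splunk roles can search non-internal indexes.

Added example, not from the thread. Parses authorize.conf-style text,
resolves importRoles inheritance (Splunk unions inherited srchIndexesAllowed
lists) and flags roles whose effective allow-list goes beyond "_*".
"""
import configparser
from typing import Dict, Optional, Set

# Constructed sample authorize.conf. role_ops_bad imports "user", which in the
# shipped defaults allows "*" (every non-internal index), so its own "_*"
# restriction is widened by inheritance. role_ops_good imports nothing and
# carries only the capabilities a health-monitoring admin needs.
SAMPLE_AUTHORIZE_CONF = """\
[role_admin]
importRoles = power;user
srchIndexesAllowed = *;_*
srchIndexesDefault = main

[role_power]
importRoles = user

[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_ops_bad]
importRoles = user
srchIndexesAllowed = _*
srchIndexesDefault = _internal

[role_ops_good]
srchIndexesAllowed = _*
srchIndexesDefault = _internal
rest_properties_get = enabled
list_inputs = enabled
edit_monitor = enabled
indexes_edit = enabled
"""


def parse_roles(text: str) -> Dict[str, Dict[str, str]]:
    """Return {role name: settings} for every [role_*] stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep Splunk's camelCase keys as written
    parser.read_string(text)
    return {s[len("role_"):]: dict(parser[s])
            for s in parser.sections() if s.startswith("role_")}


def split_list(value: str) -> Set[str]:
    """Splunk separates list values with semicolons."""
    return {v.strip() for v in value.split(";") if v.strip()}


def effective_indexes(roles: Dict[str, Dict[str, str]], role: str,
                      _seen: Optional[Set[str]] = None) -> Set[str]:
    """Union of srchIndexesAllowed over the role and all roles it imports."""
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    allowed = split_list(roles[role].get("srchIndexesAllowed", ""))
    for parent in split_list(roles[role].get("importRoles", "")):
        allowed |= effective_indexes(roles, parent, _seen)
    return allowed


def reaches_non_internal(patterns: Set[str]) -> bool:
    """Splunk treats "*" as every non-internal index and "_*" as the internal
    ones, so any pattern not starting with "_" grants access to customer data."""
    return any(not p.startswith("_") for p in patterns)


def audit(text: str) -> Dict[str, bool]:
    """Map each role to whether it can effectively search non-internal indexes."""
    roles = parse_roles(text)
    return {name: reaches_non_internal(effective_indexes(roles, name))
            for name in roles}


if __name__ == "__main__":
    for name, wide in sorted(audit(SAMPLE_AUTHORIZE_CONF).items()):
        print(f"{name:10s} non-internal indexes: {'YES' if wide else 'no'}")
```

Running the script against a copy of your own authorize.conf (the merged output of `splunk btool authorize list` is the realistic input) shows which roles really see customer data after inheritance, which is the check worth doing before handing a "restricted" role to an operations team.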

inventsekar
Ultra Champion

Me too, I agree with @FrankVl.

Let's say Splunk admins got access only to internal indexes. Then the users should be given privileges to manage/maintain their indexes (like windows, unix/linux, routers, network, security, etc). Most of the time, the users may not be aware of the management tasks. This will create chaos (complete disorder and confusion) only.

So, Splunk admins should have access to all indexes.
Maybe choose the admins wisely 😉

ddrillic
Ultra Champion

I agree with @FrankVl.

Btw, GDPR stands for General Data Protection Regulation.

Let's also keep in mind that Splunk is defining for us sys admin and data admin roles, and the entire administration classes emphasize these two roles. So maybe, if implemented as such, the sys admin wouldn't have read access to the data.
