Should Splunk admin roles be limited to internal indexes?

Builder

Hello,

Due to the General Data Protection Regulation (GDPR/RGPD), should the Splunk administrator user / role be limited in its access to all indexes?

How do I then check, using the internal indexes, that data is correctly indexed (Splunk 7.1.4)?

Thanks in advance.

0 Karma

Re: Should Splunk admin roles be limited to internal indexes?

Ultra Champion

That's a very generic question. But in general I would say no. At least I have never seen an environment where admin accounts were restricted to just the internal indexes. That would make it pretty much impossible for admins to investigate data quality issues and such.

I also can't imagine GDPR contains any explicit wording that admins should not have access to data. Such regulations never go into that level of detail.

You may want to restrict the number of people with an admin role, and some of your Splunk admin operations team may not need extensive access, as they just need to keep an eye on Splunk components' health and such. But generically blocking admins from accessing data doesn't sound right.

If you really do have some requirement to restrict access like that, you could think of creating specific restricted roles for the admins and assigning them to those, but leave the possibility to temporarily assign them to a proper admin role when needed.


Re: Should Splunk admin roles be limited to internal indexes?

Ultra Champion

I agree with @FrankVl.

Btw, GDPR stands for General Data Protection Regulation.

Let's also keep in mind that Splunk defines a sys admin role and a data admin role for us, and the entire set of administration classes emphasizes these two roles. So maybe, if implemented as such, the sys admin wouldn't have read access to the data.
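
As an added example (not from this thread and not Splunk's own code), a small Python check of the "restricted roles for admins" idea in @FrankVl's answer and the sys admin / data admin split above: it reads authorize.conf-style role stanzas (a constructed sample is embedded; the role names are hypothetical, the keys srchIndexesAllowed and importRoles are Splunk's) and lists every role whose effective index access goes beyond the internal `_*` indexes, including access inherited through importRoles.

```python
import configparser

# Constructed sample authorize.conf (not from any real deployment); role
# names are hypothetical, the keys are Splunk's own.
SAMPLE_AUTHORIZE_CONF = """[role_admin]
srchIndexesAllowed = *;_*

[role_user]
srchIndexesAllowed = main;os

[role_sysadmin_restricted]
srchIndexesAllowed = _*
edit_server = enabled

[role_sysadmin_leaky]
importRoles = user
srchIndexesAllowed = _*
edit_server = enabled
"""

def parse_roles(text):
    """Return {role_name: {key: value}} for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. srchIndexesAllowed
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("role_")}

def allowed_indexes(roles, name, seen=None):
    """Effective srchIndexesAllowed patterns, including those inherited via
    importRoles (index access is unioned across imported roles)."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    own = roles[name].get("srchIndexesAllowed", "")
    patterns = {p.strip() for p in own.split(";") if p.strip()}
    for parent in roles[name].get("importRoles", "").split(";"):
        patterns |= allowed_indexes(roles, parent.strip(), seen)
    return patterns

def is_internal_only(patterns):
    """True when every pattern can only match underscore-prefixed (internal)
    indexes such as _internal or _audit; an empty set grants no data access."""
    return all(p.startswith("_") for p in patterns)

def roles_with_non_internal_access(text):
    """Roles that can search at least one non-internal index."""
    roles = parse_roles(text)
    return sorted(r for r in roles if not is_internal_only(allowed_indexes(roles, r)))
```

Run it against a real authorize.conf to see which roles a data-protection review needs to look at; the sysadmin_leaky stanza shows how importing the default user role silently re-grants data access to a role meant to stay internal-only.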


Re: Should Splunk admin roles be limited to internal indexes?

Champion

Me too, I agree with @FrankVl.

Let's say Splunk admins got access only to internal indexes. Then the users would have to be given privileges to manage/maintain their indexes (like Windows, Unix/Linux, routers, network, security, etc.). Most of the time, the users may not be aware of the management tasks. This will only create chaos (complete disorder and confusion).

So, Splunk admins should have access to all indexes.
Maybe choose the admins wisely 😉


Re: Should Splunk admin roles be limited to internal indexes?

Champion

General Data Protection Regulation (GDPR) and Splunk is a good / important topic from the point of view of companies' security and auditing processes.
@FrankVl has already given a nice answer.

Some more information for all of us:

Here are 2 apps from Splunkbase:
https://splunkbase.splunk.com/app/3438/#/details
https://splunkbase.splunk.com/app/3889/#/details

Good reading:
https://www.splunk.com/en_us/solutions/solution-areas/security-and-fraud/compliance/gdpr-compliance....
https://www.splunk.com/en_us/form/white-paper-how-machine-data-supports-gdpr-compliance.html
https://www.splunk.com/pdfs/professional-services/2018/splunk-pro-services-offerings-gdpr-implementa...

0 Karma

Re: Should Splunk admin roles be limited to internal indexes?

Ultra Champion

Those are indeed interesting apps and reads, but mostly on how to use Splunk to get a grip on data protection, not so much on how to set up Splunk in a compliant way, right?

0 Karma

Re: Should Splunk admin roles be limited to internal indexes?

Champion

Yes, yes, just for reading and learning.

0 Karma