Getting Data In

Is Splunk SAS70 compliant?

Splunk Employee
Splunk Employee

I would think that since Splunk can be configured to forward live events via SSL, that would qualify/meet SAS70 compliancy, but wanted to be sure and ask anyway.

0 Karma


dwaddle's got it right.

Asking if Splunk is compliant for any of these compliancy standards is asking the wrong question. Splunk is a tool to ensure you are compliant. Now having that said, there are key components that Splunk has that ensure it does not break compliancy.

  • Granular Access Controls
  • Monitoring itself for changes (SoS)
  • Hashing privacy or personally identifiable information (i.e. Credit Card Numbers and SS#)
  • Changing the default password for Admin

All of above items, provide a stable base for ensuring compliancy. I am not a SAS 70 or PCI compliancy officer, but when asking or being asked (which was even the case for me originally) there is not Golden Seal of Approval. It would be nice to be able to qualm the fears people have when purchasing or implementing Splunk in a certified network. Unfortunately, it's not practical. It's about how you use Splunk and the way you set it up that ensures it maintains compliancy.

Hope that helps.



SAS 70 does not have "checkbox-style" compliance. In fact, auditors who do SAS 70 do not refer to you as being "compliant" or "non-compliant" at all. They will state that SAS 70 "renders an opinion as to the effectiveness of your business controls." These controls are usually specific to the business being discussed and the management structure of it.

Quoting from

SAS 70 is not a pre-determined set of standards that a service organization must meet to "pass".

Whether or not you can pass a SAS 70 style audit depends on the definition of your business controls and how well your operations actually adhere to them.

An example control would be a statement like "All new user accounts must be approved by the employee's manager." Your auditor would test this by looking at all user accounts created during the past 6 months (for example), and verifying that you have documentation that shows that each account was approved by the employee's manager.

Splunk can play an important role in making it possible for your organization's operations to adhere to the business controls defined. A good example of this would be a control stating "Firewall logs are reviewed daily for anomalous activity" -- this is right in Splunk's wheelhouse. But, you'd still need the documentation to support your assertion that someone was actually looking at all of the logs Splunk was indexing.

In my experience, SAS 70 auditors are often much more like financial / accounting auditors than I/T security experts. They like to have things that they can count and make sure that all of the numbers add up. This shouldn't be too much of a surprise given the people developing the SAS 70 standards is the American Institute of Certified Public Accountants.