Knowledge Management

How to achieve full tenant isolation?

lukaslentner
Explorer

I would like to achieve full tenant isolation in Splunk. What is possible already is to split the indexed data and restrict access of a tenant to his index. However, I struggle to restrict access to reports, dashboards and other user-created content (I think those are called knowledge objects) to the given tenant.

For example:
Say, a user creates a dashboard. Then he can choose to share it within the entire app or to keep it private. If he shares it within the app, then all tenants' users will see the dashboard, even though it will show no data since the index is not accessible by other tenants.

I know that there is a possibility to have every tenant use its own app. Then, what is shared within the app is only accessible by the users of this app. But then, it would be necessary to create several instances of an app; say, if all tenants are to use the search app, there will be search_tenant1, search_tenant2, etc. Whenever a new tenant is added, it would be necessary to make another copy of the app folder and modify its configuration.

This sounds a bit cumbersome, I wonder if there is an easier way to achieve full tenant isolation?

0 Karma

DalJeanis
SplunkTrust

@lukaslentner - What you are trying to achieve is not directly in line with how Splunk Cloud is designed. It would be a good idea to have a talk with both your regular Splunk sales representative and the OEM sales people, because there are different kinds of licensing depending on your relationship to your tenant organizations, and I'm not clear enough on the detail of the licenses, nor of your business model, to give you good advice.

I can tell you that it's hard enough to get the roles right when they are all internal to a single organization, and there is an inherent issue with the way that trust works in Splunk. If a search head can get to an indexer, the search head can ask that indexer anything it wants. That means that a determined adversary (or curious participant) can probably get around any minor security you might try to put in place. Any data passed via the URL, for example, can be modified by the user.

lukaslentner
Explorer

@DalJeanis Thanks for your reply! To be honest, I am just starting to make myself familiar with the way how Splunk works and it might well be that I underestimate the challenges that are awaiting us. So far I mostly rely on the information researched by an intern before diving deeper into this topic, since the project which Splunk would be used for is not top priority so far.

Let me try to clarify what we try to achieve and which ideas we had so far:

We would like to offer data visualizations to several client companies (tenants) running one instance of Splunk Cloud (managed service) such that each tenant has access only to his own index and knowledge objects. Basically, each tenant should not be aware of the existence of other tenants in the Splunk service.

So far we had the idea of using a proxy server which handles authentication and maps users from our internal user database to users within Splunk - this way none of the users would have access to the actual Splunk credentials and could only access the Splunk UI through the proxy. In the long run we might try to also give some limited access to the REST API, again routing all requests through a proxy.

This of course can only work if the Splunk authorization tools only allow a user to access the index which is specified in the role definition of the role which is assigned to him and has no possibility to access any other indices whatsoever. Is this assumption wrong?

0 Karma

DalJeanis
SplunkTrust

You pretty much have the technical answer there. If you remove all access to the default "search" app, and set each tenant up with their own default app, then the cross-visibility problem is avoided. Also, you hopefully are already assigning roles that are specific to each tenant,
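The per-tenant setup described in this thread (a tenant-only role, a private copy of the search app whose knowledge objects only that role can read, a per-role default app, and the default search app locked down), written out as an added example for a Splunk Enterprise install where the filesystem is reachable. This is not code from the thread or from Splunk; it uses the documented on-disk layout (authorize.conf, app.conf, metadata/default.meta, user-prefs.conf), but the app name `search_<tenant>`, the convention that the role and index are both named after the tenant, and the admin role being kept on the read list are assumptions for the example. The audit function addresses the later question of whether a role can reach indexes beyond its own: it flags the two things that widen a role's index access silently, a non-empty `importRoles` (the imported roles' `srchIndexesAllowed` are unioned in) and a wildcard in `srchIndexesAllowed`.

```shell
#!/bin/sh
# Added example, not from the original thread. Lays down one tenant's
# isolation pieces under $SPLUNK_HOME and audits the resulting role.
# Assumptions: app is named search_<tenant>; role and index are both
# named <tenant>; admin stays able to read/write the tenant app.

make_tenant() {
  # $1 = SPLUNK_HOME, $2 = tenant name (used as role name and index name)
  home="$1"; tenant="$2"
  app="$home/etc/apps/search_$tenant"
  mkdir -p "$app/default" "$app/metadata" "$home/etc/system/local" \
           "$home/etc/apps/user-prefs/local"

  # Role: empty importRoles (an imported role's srchIndexesAllowed is
  # unioned in), capabilities granted explicitly, exactly one index.
  cat >> "$home/etc/system/local/authorize.conf" <<EOF

[role_$tenant]
importRoles =
search = enabled
schedule_search = enabled
srchIndexesAllowed = $tenant
srchIndexesDefault = $tenant
EOF

  # Minimal app shell for the tenant's private copy of "search".
  cat > "$app/default/app.conf" <<EOF
[install]
is_configured = true
state = enabled

[ui]
is_visible = true
label = Search ($tenant)

[launcher]
description = Per-tenant search app for $tenant
version = 1.0.0
EOF

  # Every knowledge object created in this app is visible only to the
  # tenant role (and admin) and is not exported to other apps.
  cat > "$app/metadata/default.meta" <<EOF
[]
access = read : [ $tenant, admin ], write : [ $tenant, admin ]
export = none
EOF

  # Land the tenant role in its own app after login.
  cat >> "$home/etc/apps/user-prefs/local/user-prefs.conf" <<EOF

[role_$tenant]
default_namespace = search_$tenant
EOF
}

lock_search_app() {
  # $1 = SPLUNK_HOME. Remove tenant access to the shared default "search"
  # app so nothing shared there is visible across tenants.
  mkdir -p "$1/etc/apps/search/metadata"
  printf '[]\naccess = read : [ admin ], write : [ admin ]\n' \
    > "$1/etc/apps/search/metadata/local.meta"
}

audit_tenant_role() {
  # $1 = authorize.conf path, $2 = tenant/role name.
  # Returns 1 (and prints why) if the role can reach other indexes.
  awk -v role="role_$2" '
    /^\[/ { in_role = ($0 == "[" role "]"); next }
    in_role && /^[ \t]*importRoles[ \t]*=/ {
      split($0, kv, "="); gsub(/[ \t]/, "", kv[2])
      if (kv[2] != "") { print "importRoles widens index access: " kv[2]; bad = 1 }
    }
    in_role && /^[ \t]*srchIndexesAllowed[ \t]*=/ {
      split($0, kv, "=")
      if (kv[2] ~ /\*/) { print "wildcard in srchIndexesAllowed:" kv[2]; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Usage: SPLUNK_HOME=/opt/splunk sh tenant_app.sh tenant1
if [ -n "${1:-}" ]; then
  home="${SPLUNK_HOME:-/opt/splunk}"
  make_tenant "$home" "$1"
  lock_search_app "$home"
  audit_tenant_role "$home/etc/system/local/authorize.conf" "$1"
fi
```

Restart Splunk (or reload the app via the REST API) after writing the files. The audit only inspects the stanza it is given, so run it against the merged configuration (`splunk btool authorize list role_tenant1`) as well as the file you wrote, since a role stanza in another app's local authorize.conf can add to the same role.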

lukaslentner
Explorer

I see, so this is the only way... However, while I could make it work in a local Splunk Enterprise trial install, it looks like I would have no access to the app folders in a Splunk Cloud service, so it would be necessary to contact the support each time a new tenant is added. Is there no better way to make things work?

0 Karma