Securing Splunk Cloud

TechSec
Engager

I've found that for Splunk Enterprise, there is the Securing Splunk Enterprise document, outlining recommended security configurations.

Does a similar document exist for Splunk Cloud to ensure customers are taking the necessary actions for security?

1 Solution

livehybrid
Builder

Hi,

In terms of general OS hardening and communication between Splunk servers - this will be covered and dealt with by the Splunk team. This page has a section on security which might be appropriate: https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/Service/SplunkCloudservice

A few of the things to note -

* You are in control of your own Role-Based Access Control (RBAC) policies and procedures, such as ensuring an appropriate password policy is set, users have the right groups etc.
* You cannot use the same MFA options available on-prem (such as Duo) - instead you should consider using SAML auth and connecting to a system that allows MFA (such as Azure Active Directory).
* You're also responsible for the elements that sit outside the SplunkCloud environment, such as heavy forwarders - these will need securing in the usual way. Splunk do provide a client certificate for connecting to the SplunkCloud index tier for sending your data securely.
* Only SplunkCloud approved apps can be used. Most apps (typically those not containing any (python) code) will pass automated vetting without any issues; however, some may require manual vetting by the CloudOps/Support team, who will check it for security compliance etc. This is to protect you from uploading anything that could cause harm to your environment, but also to allow Splunk to provide the level of service promised.

I hope this helps!

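The RBAC point in the answer above (users holding the right roles, and privileged access sitting behind SAML/MFA rather than a local password) is easiest to keep honest with a recurring audit. The script below is an added example, not code from the post or from Splunk: it reads the JSON that the users endpoint returns, applies three rules chosen for this example, and runs offline against a constructed sample payload. The endpoint path, the `roles` and `type` field names, the `sc_admin` role name and the bearer-token header are assumptions to confirm against your stack's REST API documentation.

```python
"""Audit Splunk user accounts for RBAC hygiene.

Added example, not code from the forum post or from Splunk. It assumes the
JSON shape returned by GET /services/authentication/users?output_mode=json
(entry[].name, entry[].content.roles, entry[].content.type); the sample
payload below is constructed for the example, not captured from a stack.
"""
import json
import ssl
import urllib.request

# Roles that should only ever be held by SAML-backed (MFA-capable) accounts.
# "sc_admin" is the Splunk Cloud admin role, "admin" the Splunk Enterprise one
# (assumption: adjust to the privileged roles defined on your stack).
PRIVILEGED_ROLES = {"admin", "sc_admin"}

# Constructed sample shaped like the users endpoint output.
SAMPLE_USERS_JSON = json.dumps({
    "entry": [
        {"name": "sc_admin",
         "content": {"type": "Splunk", "roles": ["sc_admin"]}},
        {"name": "alice@example.com",
         "content": {"type": "SAML", "roles": ["sc_admin"]}},
        {"name": "bob@example.com",
         "content": {"type": "SAML", "roles": ["user"]}},
        {"name": "svc_ingest",
         "content": {"type": "Splunk", "roles": ["power", "can_delete"]}},
        {"name": "orphan",
         "content": {"type": "Splunk", "roles": []}},
    ]
})


def audit_users(users_json: str) -> list:
    """Return one finding dict per policy violation.

    The three rules are this example's own choices, not a Splunk baseline:
      privileged-local-account: privileged role on a local-password account
      can_delete:               any account holding the can_delete role
      no-roles:                 account that can log in but has no role
    """
    findings = []
    for entry in json.loads(users_json).get("entry", []):
        name = entry["name"]
        content = entry.get("content", {})
        roles = set(content.get("roles", []))
        auth_type = content.get("type", "")
        privileged = roles & PRIVILEGED_ROLES
        if privileged and auth_type != "SAML":
            findings.append({
                "user": name, "rule": "privileged-local-account",
                "detail": f"{sorted(privileged)} held via {auth_type or 'unknown'} auth",
            })
        if "can_delete" in roles:
            findings.append({
                "user": name, "rule": "can_delete",
                "detail": "can delete indexed events; grant only for a task, then remove",
            })
        if not roles:
            findings.append({
                "user": name, "rule": "no-roles",
                "detail": "account exists with no role; stale or misconfigured",
            })
    return findings


def fetch_users(base_url: str, token: str) -> str:
    """Pull the users list from a live stack with a Splunk bearer token.

    base_url is the management endpoint, e.g. https://<stack>.splunkcloud.com:8089
    (assumed form; the management port must be reachable from your IP).
    """
    req = urllib.request.Request(
        f"{base_url}/services/authentication/users?output_mode=json&count=0",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_users(...) for a stack.
    for finding in audit_users(SAMPLE_USERS_JSON):
        print(f"{finding['rule']:<26} {finding['user']:<20} {finding['detail']}")
```

On the sample, the SAML-backed `alice@example.com` holding `sc_admin` produces no finding, while the local `sc_admin` account, the `can_delete` service account and the role-less account each do; the same three rules are a reasonable starting point for a scheduled check after every SAML group mapping change.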

TechSec
Engager

Thanks for the assistance @livehybrid
