
Securing Splunk Cloud

TechSec
Engager

I've found that for Splunk Enterprise, there is the Securing Splunk Enterprise document, outlining recommended security configurations.

Does a similar document exist for Splunk Cloud to ensure customers are taking the necessary actions for security?

0 Karma
1 Solution

livehybrid
Contributor

Hi,

In terms of general OS hardening and communication between Splunk servers - this will be covered and dealt with by the Splunk team. This page has a section on security which might be appropriate: https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/Service/SplunkCloudservice

A few of the things to note -

* You are in control of your own Role-Based-Access-Control (RBAC) policies and procedures, such as ensuring an appropriate password policy is set, users have the right groups etc. 
* You cannot use the same MFA options available on-prem (such as Duo). Instead, you should consider using SAML auth and connecting to a system that allows MFA (such as Azure Active Directory).
* You're also responsible for the elements that sit outside the SplunkCloud environment, such as heavy forwarders - these will need securing in the usual way. Splunk do provide a client certificate for connecting to the SplunkCloud index tier for sending your data securely.
* Only SplunkCloud approved apps can be used. Most apps (typically those not containing any Python code) will pass automated vetting without any issues, however some may require manual vetting by the CloudOps/Support team, who will check it for security compliance etc. This is to protect you from uploading anything that could cause harm to your environment, but also to allow Splunk to provide the level of service promised.

I hope this helps!

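Added example, not part of livehybrid's answer: the heavy forwarder side is the part you own, and the weakest link is usually the outputs.conf that ships with the Splunk Cloud credentials app. It carries the client certificate and CA bundle but, in the copies I have seen, leaves sslVerifyServerCert off, so the forwarder presents its certificate to the indexers without ever checking who it is talking to. The script below lints each tcpout group for that. The stack name, hostnames, app name and file paths are constructed placeholders; the attribute names (sslCertPath / clientCert, sslRootCAPath, sslVerifyServerCert, sslCommonNameToCheck, sslAltNameToCheck) are the outputs.conf settings, and both spellings of the client cert key are accepted because the older name was renamed across versions.

```python
"""Lint a heavy forwarder's outputs.conf for weak TLS settings toward Splunk Cloud.

Added example, not code from the original post. Hostnames, stack name, app
name and paths below are constructed placeholders.
"""
import configparser
from typing import Dict, List

# Constructed sample of what a Splunk Cloud credentials app typically ships:
# a client cert and CA bundle are present, but the server cert is not verified.
WEAK_OUTPUTS_CONF = """
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs.example.splunkcloud.com:9997
compressed = false
sslCertPath = $SPLUNK_HOME/etc/apps/100_example_splunkcloud/default/example_server.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/100_example_splunkcloud/default/cacert.pem
sslPassword = password
sslVerifyServerCert = false
useClientSSLCompression = true
"""

# Constructed hardened version: same group, server cert verified and pinned
# to the expected indexer hostname.
HARDENED_OUTPUTS_CONF = """
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs.example.splunkcloud.com:9997
clientCert = $SPLUNK_HOME/etc/apps/100_example_splunkcloud/default/example_server.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/100_example_splunkcloud/default/cacert.pem
sslPassword = password
sslVerifyServerCert = true
sslCommonNameToCheck = inputs.example.splunkcloud.com
useClientSSLCompression = true
"""

TRUE_VALUES = {"true", "1", "t", "yes", "y"}


def lint_outputs_conf(text: str) -> Dict[str, List[str]]:
    """Return {group: [finding codes]} for every [tcpout:<group>] stanza.

    Finding codes:
      no-client-cert           neither clientCert nor sslCertPath is set
      no-root-ca               sslRootCAPath missing, so nothing to verify against
      server-cert-not-verified sslVerifyServerCert absent or false (Splunk default)
      no-name-check            no sslCommonNameToCheck / sslAltNameToCheck pinning
    """
    # interpolation=None: values contain $SPLUNK_HOME and may contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the camelCase key names as written
    cp.read_string(text)

    findings: Dict[str, List[str]] = {}
    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue  # [tcpout] itself and tcpout-server stanzas are not groups
        group = section.split(":", 1)[1]
        opts = cp[section]
        problems: List[str] = []
        if not (opts.get("clientCert") or opts.get("sslCertPath")):
            problems.append("no-client-cert")
        if not opts.get("sslRootCAPath"):
            problems.append("no-root-ca")
        if opts.get("sslVerifyServerCert", "false").strip().lower() not in TRUE_VALUES:
            problems.append("server-cert-not-verified")
        if not (opts.get("sslCommonNameToCheck") or opts.get("sslAltNameToCheck")):
            problems.append("no-name-check")
        findings[group] = problems
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_OUTPUTS_CONF), ("hardened", HARDENED_OUTPUTS_CONF)):
        for group, problems in lint_outputs_conf(conf).items():
            print(f"{label}: [tcpout:{group}] -> {problems or 'ok'}")
```

Run it against $SPLUNK_HOME/etc/apps/*/local/outputs.conf on the forwarder (the local copy overrides the app default, which is where the fix should go) and treat anything other than an empty list as a finding. The name check only catches a swapped certificate from the same CA; sslVerifyServerCert = true with the bundled CA is the setting that actually stops a man-in-the-middle presenting an arbitrary cert.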

TechSec
Engager

Thanks for the assistance @livehybrid

0 Karma