Security

data segregation methods

awurster
Contributor

hello -

i've been reading the various guides and some other Q&As regarding segration or role-based access to different data.

i'm working with a distributed environment, where there are separate forwarders in each "region" which feeds into centralised indexer / search tiers. data needs to be segregated based on its home "region", or where the data originates from in other words.

so i'll somehow need to identify the data based on where it came from originally, either based on originating host, forwarder, or something like that.

right now - i've got a demo that i think appears to be working, where i force data sourced in a particular region into different indexes, based on inputs.conf. i then use RBAC (with AD group mappings) to control access based on index. i also need to modify the dashboards / saved searches within our app because this impacts summarization of the indexed data. i can also perhaps imagine a use for "tags" or something similar as the default search terms...

any ideas? any recommendations and/or words of wisdom?

the use case is Cisco IronPort WSA access logs... feeding into a Splunk for WSA app deployment.

cheers,

andrew

0 Karma

swagner1965
Path Finder

Our solution is to create indexes for each customer whose data needs to be segregated from the rest. Customer apps are slaved to indexes and customer roles are slaved to their respective apps. The apps can be locked down so that they only see the indexes that are needed and mitigates any one customer traversing the data of other customers or us for that matter.alt text

0 Karma

wellsajs
Explorer

if you tag your data via the forwarders which I assume are in your various regions, then this tag could then be used to segment your data into the different indexes and then use RBAC via the AD groups to finely control access to the data.

0 Karma

miteshvohra
Contributor

Having separate indexes for each region will help you restrict user-access to their respective indexes only.

Haven't implemented it so far, however, these roles/restrictions should work even at App level too.

Will be interesting to know the solution.

Br, Mitesh.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...