Security

Securing Splunk Cloud

TechSec
Engager

I've found that for Splunk Enterprise, there is the Securing Splunk Enterprise document, outlining recommended security configurations.

Does a similar document exist for Splunk Cloud to ensure customers are taking the necessary actions for security?

0 Karma
1 Solution

livehybrid
Super Champion

Hi,

In terms of general OS hardening and communication between Splunk servers - this will be covered and dealt with by the Splunk team. This page has a section on security which might be appropriate: https://docs.splunk.com/Documentation/SplunkCloud/8.0.2004/Service/SplunkCloudservice

A few of the things to note -

* You are in control of your own Role-Based-Access-Control (RBAC) policies and procedures, such as ensuring an appropriate password policy is set, users have the right groups etc.
* You cannot use the same MFA options available on-prem (such as Duo) - Instead you should consider using SAML auth and connecting to a system that allows MFA (such as Azure ActiveDirectory).
* You're also responsible for the elements that sit outside the SplunkCloud environment, such as heavy forwarders - these will need securing in the usual way. Splunk do provide a client certificate for connecting to the SplunkCloud index tier for sending your data securely.
* Only SplunkCloud approved apps can be used. Most apps (typically those not containing any (python) code) will pass automated vetting without any issues, however some may require manual vetting by the CloudOps/Support team who will check it for security compliance etc. This is to protect you from uploading anything that could cause harm to your environment, but also to allow Splunk to provide the level of service promised.

I hope this helps!

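As an added illustration, not part of the answer above or of Splunk's own documentation, this is what the customer-managed side of two of those points looks like in Splunk configuration files: the heavy forwarder's outputs.conf using the client certificate issued for the stack, and a password-policy stanza in authentication.conf. The stack name, hostname, file paths and password are placeholders, and the policy values are example choices rather than Splunk defaults.

```ini
# --- Customer-managed heavy forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Forwards to the Splunk Cloud indexing tier over TLS using the stack's client certificate.
# "example-stack" and the file names below are placeholders for the values Splunk issues.
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs1.example-stack.splunkcloud.com:9997
# Indexer acknowledgement so events are not dropped on a broken connection
useACK = true
# Client certificate + private key bundle and the CA that signs the indexer certificates
sslCertPath = $SPLUNK_HOME/etc/auth/example-stack/example-stack_server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/example-stack/cacert.pem
# Passphrase for the private key; Splunk encrypts this value in place on the next start
sslPassword = <key-passphrase-placeholder>
# Refuse to send data if the indexer certificate does not chain to the CA above
sslVerifyServerCert = true

# --- Password policy: authentication.conf [splunk_auth] stanza (Splunk Enterprise syntax;
# on Splunk Cloud the same settings are managed under Settings > Password Policy Management) ---
[splunk_auth]
minPasswordLength = 12
minPasswordUppercase = 1
minPasswordLowercase = 1
minPasswordDigit = 1
minPasswordSpecial = 1
# Rotate credentials and block reuse of recent passwords
expireUserAccounts = true
expirePasswordDays = 90
enablePasswordHistory = true
passwordHistoryCount = 24
# Lock an account after 5 failed logins within 5 minutes, for 30 minutes
lockoutUsers = true
lockoutAttempts = 5
lockoutThresholdMins = 5
lockoutMins = 30
```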


TechSec
Engager

Thanks for the assistance @livehybrid

0 Karma