Splunk Security and Administration in the Cloud

Introduction
Multiple options exist to move Splunk to the cloud. This paper highlights security standards and administrative access capabilities and limitations of several options for Splunk in the cloud. The Infrastructure as a Service (IaaS) models of Amazon Web Services (AWS) GovCloud, Google Cloud Platform (GCP) and Microsoft Azure Government as well as the Software as a Service (SaaS) managed Splunk Cloud service offering in the AWS GovCloud are discussed.
Summary
The chart below describes the authorized Federal Risk and Authorization Management Program (FedRAMP) and Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG) Impact Levels (IL) for several Cloud Service Provider (CSP) platforms available to support Splunk in the cloud.
Cloud Service Provider | Service Type | FedRAMP Impact Level | DoD CC SRG Impact Level | Supported Splunk Version | Storage of Personally Identifiable Information (PII)(minimum IL4) | Storage of Personal Health Information (PHI) (minimum IL4) |
---|---|---|---|---|---|---|
AWS GovCloud | IaaS, PaaS | High | 2, 4, 5 | All | Yes | Yes |
Google Cloud | IaaS, PaaS | High | 2, 4 (beta) | All | Yes (in limited beta regions) | Yes (in limited beta regions) |
Microsoft Azure Government | IaaS, PaaS | High | 2, 4, 5 | All | Yes | Yes |
Splunk Cloud (in AWS GovCloud) | SaaS | Moderate | 2 | Depends on FedRAMP accreditation; currently v7.2.9 | No (DoD CC SRG 3.2.4) | No (DoD CC SRG 3.2.4) |
AWS GovCloud and Microsoft Azure Government are approved at FedRAMP High and up to DoD CC SRG IL5. Already FedRAMP High and DoD CC SRG IL2 approved, GCP is in the approval process for IL4. Splunk Cloud is approved at FedRAMP Moderate and DoD CC SRG IL2. IL2 is not approved for Controlled Unclassified Information (CUI), which includes PII and PHI, per the Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3, 6 March 2017, Section 3.2.2. The minimum impact level for PII and PHI is IL4.
A key difference between the IaaS options and the SaaS offering of Splunk Cloud is the division of responsibility. In IaaS, the customer is responsible for all Splunk licensing, maintenance and administration; customer Splunk administrators have full access to, and full responsibility for, Splunk. In Splunk Cloud, the customer is responsible only for the user accounts, policies and procedures involved with using the application: the customer does not update or maintain the Splunk application in the cloud, and customer Splunk administrators have no rights to the command line interface (CLI) or the underlying file system. Depending on the configuration, some Splunk components must still be maintained on-premises.
Cloud Service Provider | Customer Splunk Admin Access | Customer Responsible for Splunk Maintenance | Multi-tenant | Customer Can Install/Update Locally Developed Apps | Costs to Move Data out of Cloud |
---|---|---|---|---|---|
AWS GovCloud | Yes | Yes | Can deploy multi-instance, hierarchical Splunk mode | Yes | Yes |
Google Cloud | Yes | Yes | Can deploy multi-instance, hierarchical Splunk mode | Yes | Yes |
Microsoft Azure Government | Yes | Yes | Can deploy multi-instance, hierarchical Splunk mode | Yes | Yes |
Splunk Cloud (in AWS GovCloud) | No command line or file system access | Only for components remaining on-premise | No (RBAC for pseudo multi-tenancy) | Yes, if app passes validation checks in AppInspect | Yes |
Technical Analysis
Federal Risk and Authorization Management Program (FedRAMP) is a government program that provides a standard method for assessing security, authorization and continuous monitoring of cloud products/services. FedRAMP is based on NIST SP 800-53 Rev 4 security controls and includes additional controls specifically related to cloud computing.
FedRAMP defines Impact Levels as Low, Moderate and High based on the potential impact of a loss of confidentiality, integrity or availability of the system.
Low: Information for public release; data loss has little agency impact
Moderate: Data not available to the public, including Personally Identifiable Information (PII); data loss would have serious agency impact
High: Sensitive federal information, such as healthcare, emergency services and law enforcement data; data loss would have critical agency impact
The Department of Defense (DoD) publishes a Cloud Computing Security Requirements Guide (DoD CC SRG). FedRAMP Moderate equates to the minimum baseline for all DoD CC SRG Provisional Authorizations (PA). A summary of the DoD CC SRG Impact Levels is listed below.
IL2: Information for public release
IL4: Controlled Unclassified Information (CUI), including Privacy Information (including PII), PHI, For Official Use Only (FOUO) and others
IL5: CUI and National Security Systems (NSS), Mission Critical Information
IL6: SECRET classified information and below
The chart below summarizes impact levels and requirements.
Impact Level | Information Sensitivity | Security Controls | Location | Off-Premises Connectivity | Separation | Personnel Requirements |
---|---|---|---|---|---|---|
2 | Public or Non-critical mission information | FedRAMP v2 Moderate | US/ US outlying areas or DoD on-premises | Internet | Virtual / Logical PUBLIC COMMUNITY | National Agency Check and Inquiries (NACI) |
4 | CUI or Non-CUI, Non-critical Mission Information, Non-national security systems | Level 2 + CUI-Specific tailored set | US/ US outlying areas or DoD on-premises | NIPRNet via CAP | Virtual / Logical, Limited “Public” Community, Strong Virtual Separation Between Tenant Systems & Information | US Persons, ADP-1 single scope background investigation (SSBI) |
5 | Higher sensitivity CUI, Mission critical information, National security systems | Level 4 + NSS & CUI-specific tailored set | US/ US outlying areas or DoD on-premises | NIPRNet via CAP | Virtual / Logical, FEDERAL GOV. COMMUNITY, Dedicated multi-tenant infrastructure, Physically separate from non-federal systems, Strong virtual separation between tenant systems & information | ADP-2 national agency check with law and credit (NACLC), Non-disclosure agreement (NDA) |
6 | Classified SECRET, National security systems | Level 5 + Classified Overlay | US/ US outlying areas or DoD on-premises CLEARED/ CLASSIFIED facilities | SIPRNET DIRECT with DoD SIPRNet enclave connection approval | Virtual / Logical, FEDERAL GOV. COMMUNITY, Dedicated multi-tenant infrastructure, Physically separate from non-federal systems, Strong virtual separation between tenant systems & information | US citizens w/ favorably adjudicated SSBI & SECRET clearance, NDA |
IL2 allows foreign nationals to support the cloud products and services of a CSP. The use of foreign nationals is prohibited at IL4 and above.
IaaS differs from Software as a Service (SaaS) in where responsibility lies. Using a CSP’s IaaS offering and bringing your own license (BYOL) means the customer bears all responsibility for configuration, administration and maintenance of applications the customer loads in the cloud, while the cloud provider maintains the infrastructure. The customer is responsible for selecting virtual server types; installing, patching and upgrading application software; backups; user accounts; licensing; and all other system maintenance and administration. In SaaS, the customer uses the application provided by the Cloud Service Provider (CSP), and the CSP manages everything else.
Amazon Web Services (AWS) GovCloud
Capabilities
AWS GovCloud is a physically and logically isolated cloud environment that AWS provides specifically for government customers. It is authorized at FedRAMP High and DoD CC SRG IL2, IL4 and IL5. Service models include Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) in a government community cloud.
Limitations
In AWS, FedRAMP authorization is restricted to the AWS GovCloud region. It is not available in commercial AWS regions.
The customer is responsible for managing and administering the entire Splunk deployment, including upgrades, horizontal and vertical scaling, backups, disaster recovery, application security, licensing, etc.
There is a cost associated with moving data out of AWS GovCloud, such as when copying data to the customer site.
Google Cloud Platform (GCP)
Capabilities
GCP is authorized at FedRAMP High and DoD CC SRG IL2, with IL4 in beta. Service models include Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) deployed in a public cloud.
Limitations
Unlike AWS GovCloud and Microsoft Azure Government, GCP doesn’t offer a separate cloud environment for government customers. GCP is not yet approved at DoD CC SRG IL4.
The customer is responsible for managing and administering the entire Splunk deployment, including upgrades, horizontal and vertical scaling, backups, disaster recovery, application security, licensing, etc.
There is a cost associated with moving data out of Google Cloud, such as when copying data to the customer site.
Microsoft Azure Government
Capabilities
Microsoft Azure Government is authorized at FedRAMP High and DoD CC SRG IL2, IL4 and IL5. Service models include Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) deployed in a government community cloud.
Limitations
The customer is responsible for managing and administering the entire Splunk deployment, including upgrades, horizontal and vertical scaling, backups, disaster recovery, application security, licensing, etc.
There is a cost associated with moving data out of Microsoft Azure, such as when copying data to the customer site.
Splunk Cloud
Capabilities
Splunk Cloud is a Software as a Service (SaaS) offering from Splunk that provides Splunk Enterprise as a cloud service; the government offering is deployed in AWS GovCloud (US). Splunk Cloud is authorized at FedRAMP Moderate and DoD CC SRG IL2.
Limitations
DoD CC SRG IL2 is for public or non-critical mission information. It is not authorized for CUI.
FedRAMP approval is tied to the specific software version. Currently, Splunk Cloud is only authorized for Splunk Enterprise version 7.2.9. No upgrades from that version are possible until a new FedRAMP approval is received.
Some on-premises Splunk components will still require maintenance and administration by the customer: the Universal Forwarders, any Heavy Forwarders (needed if apps such as sa-ldapsearch, DBConnect, NetApp or VMware are required, or for parsing data prior to ingest) and existing Deployment Servers. A hybrid search head will also be needed on-premises if there is a requirement to search both the Splunk Cloud and on-premises environments.
There is a cost associated with moving data out of Splunk Cloud, such as when copying data to the customer site.
Conclusion
Options to move Splunk to the cloud include the IaaS models of AWS GovCloud, GCP and Microsoft Azure Government as well as the SaaS model of Splunk Cloud. AWS GovCloud and Microsoft Azure Government have the highest authorized FedRAMP and DoD CC SRG Impact Levels (FedRAMP High and DoD CC SRG IL2, IL4 and IL5). Google Cloud is authorized at FedRAMP High and DoD CC SRG IL2, while Splunk Cloud is authorized at FedRAMP Moderate and DoD CC SRG IL2. The IaaS models allow the greatest flexibility in customer Splunk administration by granting full customer administrator rights. The SaaS model (Splunk Cloud) allows the least flexibility, since customer administrators have no command line or file system access.
Sources:
Amazon. AWS GovCloud (US) - Amazon Web Services
Amazon. AWS GovCloud (US) Compared to Standard AWS Regions - AWS GovCloud (US)
Amazon. Splunk Enterprise on the AWS Cloud
Department of Defense. DEPARTMENT OF DEFENSE CLOUD COMPUTING SECURITY REQUIREMENTS GUIDE, Version 1, Release 3
DHS. DHS Sensitive Systems Handbook 4300A v12.0
FedRAMP. Microsoft - Azure Government (Includes Dynamics 365)
Gupta, Sandeep. New HIPAA and PCI-DSS Compliance Attestations for Splunk Cloud
Microsoft. US Department of Defense (DoD) Provisional Authorization - Microsoft Compliance
Rice, Ron. Cloud Computing Security Requirements Guide
Splunk. Public Sector | Industries | Solutions
Splunk. Splunk Cloud Security Addendum
Splunk. SPLUNK® AND AMAZON WEB SERVICES (AWS)
Wilmer
Yuen, Colin and Stevan Vidich. Microsoft Azure Compliance Offerings