Splunk Security and Administration in the Cloud

Landa J.

September 16, 2019
Introduction

Multiple options exist to move Splunk to the cloud. This paper highlights security standards and administrative access capabilities and limitations of several options for Splunk in the cloud. The Infrastructure as a Service (IaaS) models of Amazon Web Services (AWS) GovCloud, Google Cloud Platform (GCP) and Microsoft Azure Government as well as the Software as a Service (SaaS) managed Splunk Cloud service offering in the AWS GovCloud are discussed.

Summary

The chart below describes the authorized Federal Risk and Authorization Management Program (FedRAMP) and Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG) Impact Levels (IL) for several Cloud Service Provider (CSP) platforms available to support Splunk in the cloud.

| Cloud Service Provider | Service Type | FedRAMP Impact Level | DoD CC SRG Impact Level | Supported Splunk Version | Storage of Personally Identifiable Information (PII) (minimum IL4) | Storage of Personal Health Information (PHI) (minimum IL4) |
|---|---|---|---|---|---|---|
| AWS GovCloud | IaaS, PaaS | High | 2, 4, 5 | All | Yes | Yes |
| Google Cloud | IaaS, PaaS | High | 2, 4 (beta) | All | Yes (in limited beta regions) | Yes (in limited beta regions) |
| Microsoft Azure Government | IaaS, PaaS | High | 2, 4, 5 | All | Yes | Yes |
| Splunk Cloud (in AWS GovCloud) | SaaS | Moderate | 2 | Depends on FedRAMP accreditation; currently v7.2.9 | No (DoD CC SRG 3.2.4) | No (DoD CC SRG 3.2.4) |

AWS GovCloud and Microsoft Azure Government are approved at FedRAMP High and up to DoD CC SRG IL5. GCP is already approved at FedRAMP High and DoD CC SRG IL2 and is in the approval process for IL4. Splunk Cloud is approved at FedRAMP Moderate and DoD CC SRG IL2. IL2 is not approved for Controlled Unclassified Information (CUI), which includes PII and PHI, per the Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3, 6 March 2017, Section 3.2.2. The minimum impact level for PII and PHI is IL4.

A key difference between the IaaS options and the SaaS offering of Splunk Cloud is the division of responsibility: in IaaS, the customer is responsible for all Splunk licensing, maintenance and administration, while in Splunk Cloud the customer is responsible only for the user accounts, policies and procedures involved in using the application. In IaaS, customer Splunk administrators have full access to, and full responsibility for, Splunk. In Splunk Cloud, the customer is not responsible for updating or maintaining the Splunk application in the cloud, and customer Splunk administrators do not have rights to the command line interface (CLI) or the underlying file system; however, some Splunk components must still be maintained on-premises, depending on configuration.

| Cloud Service Provider | Customer Splunk Admin Access | Customer Responsible for Splunk Maintenance | Multi-tenant | Customer Can Install/Update Locally Developed Apps | Costs to Move Data out of Cloud |
|---|---|---|---|---|---|
| AWS GovCloud | Yes | Yes | Can deploy multi-instance, hierarchical Splunk mode | Yes | Yes |
| Google Cloud | Yes | Yes | Can deploy multi-instance, hierarchical Splunk mode | Yes | Yes |
| Microsoft Azure Government | Yes | Yes | Can deploy multi-instance, hierarchical Splunk mode | Yes | Yes |
| Splunk Cloud (in AWS GovCloud) | No command line or file system access | Only for components remaining on-premises | No (RBAC for pseudo multi-tenancy) | Yes, if app passes validation checks in AppInspect | Yes |

Technical Analysis

The Federal Risk and Authorization Management Program (FedRAMP) is a government program that provides a standard method for assessing the security of cloud products and services, authorizing them, and continuously monitoring them. FedRAMP is based on the NIST SP 800-53 Rev 4 security controls and includes additional controls specific to cloud computing.

FedRAMP defines three Impact Levels, Low, Moderate and High, based on the Confidentiality, Integrity and Availability requirements of the system.

Low: Information for public release; data loss has little agency impact

Moderate: Data not available to the public, including Personally Identifiable Information (PII); data loss would have serious agency impact

High: Sensitive federal information, such as healthcare, emergency services and law enforcement data; data loss would have critical agency impact

The Department of Defense (DoD) publishes a Cloud Computing Security Requirements Guide (DoD CC SRG). FedRAMP Moderate is the minimum baseline for all DoD CC SRG Provisional Authorizations (PA). A summary of the DoD CC SRG Impact Levels is listed below.

IL2: Information for public release

IL4: Controlled Unclassified Information (CUI), including Privacy Information (including PII), PHI, For Official Use Only (FOUO) and others

IL5: CUI and National Security Systems (NSS), Mission Critical Information

IL6: SECRET classified information and below

The chart below summarizes impact levels and requirements.

| Impact Level | Information Sensitivity | Security Controls | Location | Off-Premises Connectivity | Separation | Personnel Requirements |
|---|---|---|---|---|---|---|
| 2 | Public or non-critical mission information | FedRAMP v2 Moderate | US / US outlying areas or DoD on-premises | Internet | Virtual / logical; PUBLIC COMMUNITY | National Agency Check and Inquiries (NACI) |
| 4 | CUI or non-CUI, non-critical mission information, non-national security systems | Level 2 + CUI-specific tailored set | US / US outlying areas or DoD on-premises | NIPRNet via CAP | Virtual / logical; limited "public" community; strong virtual separation between tenant systems and information | US persons; ADP-1 single scope background investigation (SSBI) |
| 5 | Higher-sensitivity CUI, mission-critical information, national security systems | Level 4 + NSS and CUI-specific tailored set | US / US outlying areas or DoD on-premises | NIPRNet via CAP | Virtual / logical; FEDERAL GOV. COMMUNITY; dedicated multi-tenant infrastructure; physically separate from non-federal systems; strong virtual separation between tenant systems and information | ADP-2 national agency check with law and credit (NACLC); non-disclosure agreement (NDA) |
| 6 | Classified SECRET, national security systems | Level 5 + Classified Overlay | US / US outlying areas or DoD on-premises; CLEARED / CLASSIFIED facilities | SIPRNet DIRECT with DoD SIPRNet enclave connection approval | Virtual / logical; FEDERAL GOV. COMMUNITY; dedicated multi-tenant infrastructure; physically separate from non-federal systems; strong virtual separation between tenant systems and information | US citizens with favorably adjudicated SSBI and SECRET clearance; NDA |

IL2 allows foreign nationals to support the cloud products and services of a CSP. The use of foreign nationals is prohibited at IL4 and above.

IaaS differs from Software as a Service (SaaS). Using a CSP's IaaS offering and bringing your own license (BYOL) means the customer bears all responsibility for configuring, administering and maintaining the applications the customer loads in the cloud, while the cloud provider maintains the infrastructure. The customer is responsible for selecting virtual server types; installing, patching and upgrading application software; backups; user accounts; licensing; and all other system maintenance and administration. In SaaS, the customer uses the application provided by the Cloud Service Provider (CSP), and the CSP manages everything else.

Amazon Web Services (AWS) GovCloud

Capabilities

AWS GovCloud is authorized at FedRAMP High and at DoD CC SRG IL2, IL4 and IL5. AWS GovCloud is a physically and logically isolated cloud environment specific to government customers. Service models include Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) in a government community cloud.

Limitations

In AWS, FedRAMP authorization is restricted to the AWS GovCloud region. It is not available in commercial AWS regions.

The customer is responsible for managing and administering the entire Splunk deployment, including upgrades, horizontal and vertical scaling, backups, disaster recovery, application security, licensing, etc.

There is a cost associated with moving data out of AWS GovCloud, such as when copying data to the customer site.

Google Cloud Platform (GCP)

Capabilities

GCP is authorized at FedRAMP High and at DoD CC SRG IL2, with IL4 in beta. Service models include Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) deployed in a public cloud.

Limitations

Unlike AWS GovCloud and Microsoft Azure Government, GCP doesn’t offer a separate cloud environment for government customers. GCP is not yet approved at DoD CC SRG IL4.

The customer is responsible for managing and administering the entire Splunk deployment, including upgrades, horizontal and vertical scaling, backups, disaster recovery, application security, licensing, etc.

There is a cost associated with moving data out of Google Cloud, such as when copying data to the customer site.

Microsoft Azure Government

Capabilities

Microsoft Azure Government is authorized at FedRAMP High and at DoD CC SRG IL2, IL4 and IL5. Service models include Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) deployed in a government community cloud.

Limitations

The customer is responsible for managing and administering the entire Splunk deployment, including upgrades, horizontal and vertical scaling, backups, disaster recovery, application security, licensing, etc.

There is a cost associated with moving data out of Microsoft Azure, such as when copying data to the customer site.

Splunk Cloud

Capabilities

Splunk Cloud is a Software as a Service (SaaS) offering from Splunk, available in AWS GovCloud (US), that provides Splunk Enterprise as a cloud service. Splunk Cloud is authorized at FedRAMP Moderate and DoD CC SRG IL2.

Limitations

DoD CC SRG IL2 is for public or non-critical mission information. It is not authorized for CUI.

FedRAMP authorization is tied to a specific software version. Currently, Splunk Cloud is only authorized for Splunk Enterprise version 7.2.9, and no upgrade from that version is possible until a new FedRAMP authorization is received.

Some on-premises Splunk components will still require maintenance and administration, including Universal Forwarders, Heavy Forwarders (if apps such as sa-ldapsearch, DBConnect, NetApp or VMware are required, or if data must be parsed prior to ingest) and existing Deployment Servers. A hybrid search head will also be needed on-premises if there is a requirement to search both the Splunk Cloud and on-premises environments.

There is a cost associated with moving data out of Splunk Cloud, such as when copying data to the customer site.

Conclusion

Options to move Splunk to the cloud include the IaaS models of AWS GovCloud, GCP and Microsoft Azure Government as well as the SaaS model of Splunk Cloud. AWS GovCloud and Microsoft Azure Government have the highest authorized FedRAMP and DoD CC SRG Impact Levels (FedRAMP High and DoD CC SRG IL2, IL4 and IL5). Google Cloud is authorized at FedRAMP High and DoD CC SRG IL2, while Splunk Cloud is authorized at FedRAMP Moderate and DoD CC SRG IL2. The IaaS models allow the greatest flexibility in customer Splunk administration because they grant full customer administrator rights. The SaaS model (Splunk Cloud) allows the least flexibility because it grants the fewest customer administration rights.

Sources:

Amazon. AWS GovCloud (US) - Amazon Web Services

Amazon. AWS GovCloud (US) Compared to Standard AWS Regions - AWS GovCloud (US)

Amazon. Splunk Enterprise on the AWS Cloud

Department of Defense. Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3

DHS. DHS Sensitive Systems Handbook 4300A v12.0

FedRAMP. Amazon AWS GovCloud

FedRAMP. Google Cloud Platform

FedRAMP. Microsoft - Azure Government (Includes Dynamics 365)

FedRAMP. Splunk - Splunk Cloud

Google. Impact Level 4 - Compliance

Gupta, Sandeep. New HIPAA and PCI-DSS Compliance Attestations for Splunk Cloud

Microsoft. US Department of Defense (DoD) Provisional Authorization - Microsoft Compliance

Rice, Ron. Cloud Computing Security Requirements Guide

Splunk. Public Sector | Industries | Solutions

Splunk. Splunk Cloud Security Addendum

Splunk. Splunk Cloud Service Details

Splunk. Splunk and Amazon Web Services (AWS)

Wilmer, John W. III. Treatment of Personally Identifiable Information within Information Impact Level 2 Commercial Cloud Services for the Department of Defense

Yuen, Colin and Stevan Vidich. Microsoft Azure Compliance Offerings