iSenpai
September 16, 2019

Multiple options exist to move Splunk to the cloud. This paper compares the security authorizations and the customer administrative access available under several of them: the Infrastructure as a Service (IaaS) models of Amazon Web Services (AWS) GovCloud, Google Cloud Platform (GCP) and Microsoft Azure Government, and the managed Software as a Service (SaaS) Splunk Cloud offering hosted in AWS GovCloud.
The chart below describes the authorized Federal Risk and Authorization Management Program (FedRAMP) and Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG) Impact Levels (IL) for several Cloud Service Provider (CSP) platforms available to support Splunk in the cloud.
Cloud Service Provider | Service Type | FedRAMP Impact Level | DoD CC SRG Impact Level | Supported Splunk Version | Storage of Personally Identifiable Information (PII) (minimum IL4) | Storage of Protected Health Information (PHI) (minimum IL4) |
AWS GovCloud | IaaS, PaaS | High | 2, 4, 5 | All | Yes | Yes |
Google Cloud | IaaS, PaaS | High | 2, 4 (beta) | All | Yes (in limited beta regions) | Yes (in limited beta regions) |
Microsoft Azure Government | IaaS, PaaS | High | 2, 4, 5 | All | Yes | Yes |
Splunk Cloud (in AWS GovCloud) | SaaS | Moderate | 2 | Depends on FedRAMP authorization; currently v7.2.9 | No (IL2 is not authorized for CUI) | No (IL2 is not authorized for CUI) |
AWS GovCloud and Microsoft Azure Government are authorized at FedRAMP High and up to DoD CC SRG IL5. GCP is authorized at FedRAMP High and DoD CC SRG IL2 and is in the approval process for IL4. Splunk Cloud is authorized at FedRAMP Moderate and DoD CC SRG IL2. IL2 is not approved for Controlled Unclassified Information (CUI), which includes PII and PHI, per the Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3, 6 March 2017, Section 3.2.2. The minimum impact level for PII and PHI is IL4. In practice, of the four options only the three IaaS platforms can hold PII or PHI today, and GCP only in its limited-beta IL4 regions.
The main difference between the IaaS options and the Splunk Cloud SaaS offering is the division of responsibility. In IaaS the customer owns all Splunk licensing, maintenance and administration: customer Splunk administrators have full access to, and full responsibility for, the deployment. In Splunk Cloud the customer is responsible only for user accounts and for the policies and procedures around using the application; Splunk updates and maintains the application itself, and customer Splunk administrators have no access to the command line interface (CLI) or the underlying file system. Depending on the configuration, some Splunk components must still be maintained on-premises.
Cloud Service Provider | Customer Splunk Admin Access | Customer Responsible for Splunk Maintenance | Multi-tenant | Customer Can Install/Update Locally Developed Apps | Costs to Move Data out of Cloud |
AWS GovCloud | Yes | Yes | Customer can deploy a multi-instance, hierarchical Splunk model | Yes | Yes |
Google Cloud | Yes | Yes | Customer can deploy a multi-instance, hierarchical Splunk model | Yes | Yes |
Microsoft Azure Government | Yes | Yes | Customer can deploy a multi-instance, hierarchical Splunk model | Yes | Yes |
Splunk Cloud (in AWS GovCloud) | Limited: no command line or file system access | Only for components remaining on-premises | No | Yes, if the app passes Splunk AppInspect validation checks | Yes |
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring of cloud products and services. Its baselines are built on the NIST SP 800-53 Rev. 4 security controls, with additional controls and parameters specific to cloud computing.
FedRAMP defines three impact levels, Low, Moderate and High, based on the potential impact on the agency of a loss of confidentiality, integrity or availability of the system (the FIPS 199 categorization):
Low: Information intended for public release; a loss would have a limited adverse effect on the agency
Moderate: Information not available to the public, including Personally Identifiable Information (PII); a loss would have a serious adverse effect on the agency
High: Sensitive federal information, such as healthcare, emergency services and law enforcement data; a loss would have a severe or catastrophic adverse effect on the agency
The Department of Defense (DoD) publishes a Cloud Computing Security Requirements Guide (DoD CC SRG). FedRAMP Moderate is the minimum baseline for any DoD CC SRG Provisional Authorization (PA). The DoD CC SRG Impact Levels are summarized below.
IL2: Information approved for public release and non-critical mission information; no CUI
IL4: Controlled Unclassified Information (CUI), including privacy information such as PII and PHI, For Official Use Only (FOUO) and other CUI categories
IL5: CUI requiring a higher level of protection than IL4, unclassified National Security Systems (NSS) and mission-critical information
IL6: Classified information up to and including SECRET
The chart below summarizes impact levels and requirements.
IL2 permits foreign nationals to support the cloud products and services of a CSP; support by foreign nationals is prohibited at IL4 and above.
IaaS and SaaS differ in who is responsible for what. When using a CSP's IaaS offering and bringing your own license (BYOL), the CSP maintains the underlying infrastructure while the customer bears all responsibility for configuring, administering and maintaining the applications it loads into the cloud: selecting virtual server types, installing, patching and upgrading application software, backups, user accounts, licensing and all other system maintenance and administration. In SaaS, the customer uses the application provided by the Cloud Service Provider (CSP), and the CSP manages everything else.
AWS GovCloud (US) is a physically and logically isolated cloud environment that AWS operates specifically for government customers. It is authorized at FedRAMP High and DoD CC SRG IL2, IL4 and IL5. Service models include Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) in a government community cloud.
The FedRAMP High and DoD CC SRG IL4/IL5 authorizations discussed here apply only to the AWS GovCloud (US) regions, not to the commercial AWS regions.
The customer is responsible for managing and administering the entire Splunk deployment, including upgrades, horizontal and vertical scaling, backups, disaster recovery, application security, licensing, etc.
There is a cost associated with moving data out of AWS GovCloud, such as when copying data to the customer site.
GCP is authorized at FedRAMP High and DoD CC SRG IL2, with IL4 available only in a limited beta. Service models include Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) deployed in Google's public cloud.
Unlike AWS GovCloud and Microsoft Azure Government, GCP does not offer a separate cloud environment for government customers, and it is not yet fully approved at DoD CC SRG IL4.
The customer is responsible for managing and administering the entire Splunk deployment, including upgrades, horizontal and vertical scaling, backups, disaster recovery, application security, licensing, etc.
There is a cost associated with moving data out of Google Cloud, such as when copying data to the customer site.
Microsoft Azure Government is authorized at FedRAMP High and DoD CC SRG IL2, IL4 and IL5. Service models include Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) deployed in a government community cloud.
The customer is responsible for managing and administering the entire Splunk deployment, including upgrades, horizontal and vertical scaling, backups, disaster recovery, application security, licensing, etc.
There is a cost associated with moving data out of Microsoft Azure Government, such as when copying data to the customer site.
Splunk Cloud is a Software as a Service (SaaS) offering from Splunk that provides Splunk Enterprise as a cloud service; the government offering is hosted in AWS GovCloud (US).
Splunk Cloud is authorized at FedRAMP Moderate and DoD CC SRG IL2. The service model is SaaS deployed in AWS GovCloud.
DoD CC SRG IL2 covers public or non-critical mission information only. It is not authorized for CUI, which rules out PII and PHI.
FedRAMP authorization is tied to a specific software version. At the time of writing, Splunk Cloud is authorized only for Splunk Enterprise version 7.2.9, and no upgrade from that version is possible until a new FedRAMP authorization is received. Any on-premises components that connect to the service therefore have to be kept compatible with that version.
Some Splunk components will still require on-premises maintenance and administration: Universal Forwarders; Heavy Forwarders, where they are needed to parse or filter data before ingest or to run apps such as SA-ldapsearch, DB Connect and the NetApp and VMware add-ons; and any existing Deployment Servers. A hybrid search head is also required on-premises if there is a requirement to search both the Splunk Cloud and on-premises environments from one place.
There is a cost associated with moving data out of Splunk Cloud, such as when copying data to the customer site.
Options to move Splunk to the cloud include the IaaS models of AWS GovCloud, GCP and Microsoft Azure Government, and the SaaS model of Splunk Cloud. AWS GovCloud and Microsoft Azure Government hold the highest authorizations (FedRAMP High and DoD CC SRG IL2, IL4 and IL5). Google Cloud is authorized at FedRAMP High and DoD CC SRG IL2, with IL4 in limited beta, while Splunk Cloud is authorized at FedRAMP Moderate and DoD CC SRG IL2, which excludes CUI such as PII and PHI. The IaaS models give the customer the greatest flexibility through full administrator rights over Splunk, at the cost of owning all maintenance; the Splunk Cloud SaaS model gives the least flexibility, since customer administrators have no CLI or file system access and the service is pinned to the FedRAMP-authorized version.
Amazon, AWS GovCloud (US) - Amazon Web Services
Amazon, AWS GovCloud (US) Compared to Standard AWS Regions - AWS GovCloud (US)
Amazon, Splunk Enterprise on the AWS Cloud
Department of Defense, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3
DHS, DHS Sensitive Systems Handbook 4300A v12.0
FedRAMP, Amazon AWS GovCloud
FedRAMP, Google Cloud Platform
FedRAMP, Microsoft - Azure Government (Includes Dynamics 365)
FedRAMP, Splunk - Splunk Cloud
Google, Impact Level 4 - Compliance
Gupta, Sandeep, New HIPAA and PCI-DSS Compliance Attestations for Splunk Cloud
Microsoft, US Department of Defense (DoD) Provisional Authorization - Microsoft Compliance
Rice, Ron, Cloud Computing Security Requirements Guide
Splunk, Public Sector | Industries | Solutions
Splunk, Splunk Cloud Security Addendum
Splunk, Splunk Cloud Service Details
Splunk, Splunk and Amazon Web Services (AWS)
Wilmer, John W. III, Treatment of Personally Identifiable Information within Information Impact Level 2 Commercial Cloud Services for the Department of Defense
Yuen, Colin and Stevan Vidich, Microsoft Azure Compliance Offerings