Splunk uses a range of technologies to prevent unauthorized access or compromise of Splunk’s network, servers or applications, which include such things as logical and physical controls to segment data, systems and networks. Splunk monitors demarcation points used to restrict access such as firewalls and security group enforcement points. Remote users must authenticate with two-factor authentication prior to accessing Splunk networks containing customer content.
Splunk Employee Access Control
Splunk grants system privileges and permissions to users on a “least privilege” principle. Customer stacks are logically separated from each other. Splunk leverages the benefits of virtualization at the server, storage and network layers to ensure that there is strict separation for each customer instance. Logical access policies and procedures delineate Splunk's required activities and responsibilities for credential management, user access provisioning, privileged access, monitoring and intrusion detection.
Role-based access and audit controls allow our customers to manage the actions Splunk users can take and what data, tools and dashboards they can access.
- Learn more about configuring role-based user access and audit controls.
- You can build your own roles to map to your organization’s data access policies for different classes of users. You can also map Lightweight Directory Access Protocol (LDAP) or Security Assertion Markup Language (SAML) groups to different roles.
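As an added illustration of the role mapping described above (example configuration written for this page, not Splunk's own documentation or a real deployment), the two `.conf` fragments below define a custom role in `authorize.conf` that can only search two indexes, then map an LDAP group to that role in `authentication.conf`. The strategy name `corpLDAP`, the host, the DNs, the group names and the index names are constructed placeholders.

```ini
# authorize.conf (added example; role, index and host values are constructed)
[role_soc_analyst]
# Inherit the built-in "user" role, not "power" or "admin": least privilege
importRoles = user
# Limit what this class of user can search to the indexes it needs
srchIndexesAllowed = web;proxy
srchIndexesDefault = web
# Narrow every search the role runs to a host pattern (placeholder value)
srchFilter = host=web*

# authentication.conf (added example; strategy name, host and DNs are placeholders)
[authentication]
authType = LDAP
authSettings = corpLDAP

[corpLDAP]
host = ldap.example.invalid
port = 636
SSLEnabled = 1
bindDN = cn=splunk-bind,ou=service,dc=example,dc=invalid
userBaseDN = ou=people,dc=example,dc=invalid
groupBaseDN = ou=groups,dc=example,dc=invalid
userNameAttribute = uid
realNameAttribute = cn
groupNameAttribute = cn
groupMemberAttribute = member
groupMappingAttribute = dn

# Splunk role (left) = LDAP group name(s) (right, ';'-separated)
[roleMap_corpLDAP]
soc_analyst = soc-tier1;soc-tier2
admin = splunk-admins
```

The role is granted nothing beyond what `user` already carries, so access review reduces to checking two things: which LDAP groups appear in the `roleMap_` stanza, and which indexes each role lists in `srchIndexesAllowed`. A SAML identity provider is mapped the same way, with group names from the SAML assertion placed under a `[roleMap_SAML]` stanza instead.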
Splunk Employee and User Authentication
Authorized users supporting the delivery of Splunk services must identify and authenticate to the network, applications and platforms using their user ID and password. Splunk’s enterprise password management system requires minimum password parameters. SSH key authentication and enterprise password management applications are used to manage access to the production environment, and two-factor authentication (2FA) is required for remote access and for privileged account access to customer content production systems.
Splunk supports single sign-on (SSO) integrations (SAML v2) with compliant identity providers such as Okta, PingFederate, Azure AD, ADFS, CA SiteMinder, OneLogin, Centrify, SecureAuth, IdentityNow, Oracle OpenSSO, Google SAML2 provider and Optimal Id. Splunk also integrates with other authentication systems, including LDAP, Active Directory and e-Directory.
Secure Data Access and Processing
Splunk Cloud provides secure data processing through access controls, logging and monitoring, auditability, threat and vulnerability management, encryption, incident management and third-party audit. For more detail on the administrative, technical and physical safeguards Splunk deploys to protect customer content, see the Splunk Cloud Platform Security Addendum (CSA).
Asset Management and Disposal
Splunk maintains an inventory of cloud infrastructure assets that it regularly updates and reconciles. Documented, standard build procedures are used for installation and maintenance of production servers. Upon expiration or termination of contract, Splunk retains customer content for 30 days, after which documented data disposal policies are used for the secure disposal of content as set forth in the relevant customer agreement.
Splunk follows documented change management procedures for application, infrastructure and product-related changes. Changes undergo review and testing, including security and code reviews, regression testing and user acceptance testing before approval for implementation. Splunk deploys changes during maintenance windows, which are set forth in the relevant Support Program.
Vendor Risk Management
Splunk uses third-party service providers and solutions suppliers (“Vendors”) to provide the Cloud service. Vendors undergo a detailed security due diligence assessment prior to onboarding. Identified security risks are managed through Splunk’s risk management program. Splunk enters into written agreements with its Vendors that impose on them applicable security, confidentiality and privacy obligations necessary to maintain Splunk’s security posture. Splunk monitors its Vendors using a risk-based approach to provide a level of security appropriate to the services they provide.
Splunk personnel with access to customer content are subject to background checks in accordance with the relevant legal requirements. The background checks are commensurate with an individual's job duties. The activity of Splunk personnel engaged in support or professional services with access to customer data, systems or facilities is logged and monitored.
Disaster Recovery Plan
Splunk has a documented Disaster Recovery Plan to manage significant disruptions to Splunk Cloud operations and infrastructure, which is reviewed and approved by management annually. Disaster recovery testing is also performed annually. Results are documented, and any corrective actions are remediated as required. Robust data backup, replication and recovery systems are deployed to support resilience and protection of customer content.
Threat and Vulnerability Management
Splunk has a Threat and Vulnerability Management program to continuously monitor for vulnerabilities that are acknowledged by vendors, reported by researchers or discovered internally through vulnerability scans, Red Team activities or personnel identification. Threats are ranked based on severity level and assigned to the appropriate team(s) for remediation as needed.
For systems containing customer content, an external vendor conducts security penetration tests on the corporate and cloud environments at least annually to detect network and application security vulnerabilities. Critical findings from these tests are evaluated, documented and assigned to the appropriate teams for remediation. In addition, Splunk conducts internal penetration tests periodically and remediates findings as appropriate.
Splunk Cloud employs host-based intrusion detection, which logs attempted access and provides automatic alerts to trigger incident management procedures in appropriate cases. Splunk collects its own log, event and sensor-based data to continuously monitor, detect and investigate suspicious activity as permitted by law.
Splunk Incident Response Framework (SIRF)
The Splunk Incident Response Framework (SIRF) establishes the actions and procedures that help Splunk prepare for and respond to security incidents, including how to initiate responsive action, remediate consequences, and document lessons learned for improvement of internal processes. Splunk tests its SIRF using a combination of planned reviews, live simulations and periodic training.