How to implement a Zero Trust approach in Splunk

What is a Zero Trust Approach?

A Zero Trust approach to security is a methodology that removes the legacy approach of “implicit” trust. Instead of relying on the adoption of a ‘trust but verify’ model which leveraged the traditional perimeters of inside and outside the network/business, the Zero Trust approach applies a uniform security approach regardless of location – ‘never trust, always verify’.

Implementing a Zero Trust approach to your Splunk deployment may be the right approach for you to ensure that your servers and valuable data are kept secure and protected. A Zero Trust implementation of Splunk can be achieved through various configuration changes. These can help encrypt your data, Splunk-to-Splunk communications, and verify your platform is only talking to the expected servers.

Configuring a Zero Trust Approach

Splunk Enterprise comes with a set of default certificates and keys to encrypt all traffic using Transport Layer Security (TLS) technology. However, since these are provided to all Splunk customers, the private keys should not be considered secure. We would recommend anyone deploying Splunk replaces these default certificates with your own. This can be realised by placing the generated certificates and keys onto the server running Splunk Enterprise and implementing a custom configuration to point to these files.

This can be done for Splunk Management communications on the default port 8089 and more importantly for forwarder-to-indexer (or Splunk-to Spunk) communications to secure your valuable data.

You can implement a Zero Trust architecture by configuring forwarders to verify the hostname of the indexer they are sending to. This can be achieved using settings such as `sslVerifyServerName` and `sslCommonNameToCheck` within the output’s configuration file. This ensures that forwarders will only send data once it has verified that the server it is sending to is the one it is expecting. This causes forwarders to never fully trust the machine they are sending data to and ensures a Zero Trust approach.

Other than server communications, a Zero Trust approach can help secure what data users are able to view and what configuration changes they can make within Splunk Enterprise or Splunk Cloud. This can be achieved through the creation of custom roles and implementing a robust Role-Based Access Control (RBAC) strategy. Using custom roles, you can restrict the indexes that specific users can view and limit certain data sources to specific teams or individuals within your organisation. By not trusting every user with all your data, you can prevent incidents such as data exfiltration or broken configuration being implemented by untrained users.

Is this approach right for you?

If security is a primary concern and you feel that a Zero Trust approach is right for your organisation and Splunk deployment, then we can work with you to design and implement a broad-ranging strategy to ensure security is at its highest level. Our consultants can provide expert knowledge on key areas such as installing certificates to encrypt your data, securing web access, or helping to design and implement a robust set of roles and access levels for your users.

Call us on +44(0)845 226 3351 or send us an email: enquiries@aptosolutions.co.uk