Multi tenant - restricting access to NW data
I have a question about the multi tenant capability of NetWitness and am looking for resources on how to configure it.
In the case of a deployment of NW for, let's say, different MSSP customers, would it be easier to have a log decoder/concentrator per customer to separate data sovereignty, then configure the analyst role to only have access to that data source?
Would using separate admin UI servers for those separate customer analysts be an option?
I would think that there are many ways that we could probably skin this cat, so to speak.
First - 100% agree that I would separate out (either by VM or hardware) decoder/concentrators by customer.
Where you have flexibility is how the analysts would view the data. I don't believe that a separate admin server makes sense - you would have a ton of space being used that could be condensed through the use of the broker service. If you think about the architecture of the RSA NetWitness platform, decoders collect, concentrators index meta from the decoder and the broker service is indexing the collected data from the concentrators. The point is that you could centralize the broker service, indexing from multiple concentrators and run a single Admin server for management of the entire solution. At that point, you can then set up RBAC in NetWitness to permit/deny analyst access to data.
There are still lots of options and avenues to investigate here and would be happy to have an architecture discussion based on what you are looking for, if it makes sense.
RSA Enterprise SE - New England
Thanks for your insights, it definitely starts the brain thinking.
Currently our infrastructure contains all of the core components of NetWitness separated into geographic regions for network latency purposes with a central admin server that has the broker and reporting services on it.
Our goal would be to add another geographic region into the infrastructure but due to compliance reasons like GDPR we’d have to isolate the data that we ingest from this third location and only have the analysts from this third location be only allowed to see that data. And that would include the dashboards, reports, ESA rules/alerts, incidents, etc.
You mention the use of the broker service; would that be the broker service that already exists on the admin server, or are you suggesting to deploy a separate broker for use by the other tenant?
This email was classified by KERWIN Jeremy on Friday, 15 November 2019 9:14:45 AM