I have a question about the multi-tenant capability of NetWitness and am looking for resources on how to configure it.
In the case of a deployment of NW for, let's say, different MSSP customers, would it be easier to have a log decoder/concentrator per customer to separate data sovereignty, then configure the analyst role to only have access to that data source?
Would using separate admin UI servers for those separate customer analysts be an option?
Hi Jeremy-
I would think that there are many ways that we could probably skin this cat, so to speak.
First - 100% agree that I would separate out (either by VM or hardware) decoder/concentrators by customer.
Where you have flexibility is how the analysts would view the data. I don't believe that a separate admin server makes sense - you would have a ton of space being used that could be condensed through the use of the broker service. If you think about the architecture of the RSA NetWitness platform, decoders collect, concentrators index meta from the decoder, and the broker service is indexing the collected data from the concentrators. The point is that you could centralize the broker service, indexing from multiple concentrators, and run a single Admin server for management of the entire solution. At that point, you can then set up RBAC in NetWitness to permit/deny analyst access to data.
There are still lots of options and avenues to investigate here, and I would be happy to have an architecture discussion based on what you are looking for, if it makes sense.
Thanks,
Shane Quintard
RSA Enterprise SE - New England