I am a security engineer for an MSSP and am currently having issues understanding how to best deploy Elastic Security for our multi-tenant environment. I've heard talk of isolating indexes by client and using spaces and roles to separate the data, though functionally I don't really understand how to do this. I've also heard that we should create a deployment for each client and use cross-cluster search for data segmentation, which doesn't seem to be very cost effective. In practice, I'm having a hard time understanding how to use Elastic Security effectively for an MSSP. While the capabilities for a single-tenant environment seem very strong, I'm just not sure how well it will meet our needs. Are there any standard practices I'm missing or any training materials available for reference on these topics?
Welcome to the community.
The answer to your question is long and depends a lot on your requirements.
Hence I would recommend reaching out to your local Elastic contact, e.g. using the Contact button on elastic.co.
Talking to our Solutions Architects will help you clarify your situation.
FWIW - I've been unable to solve the multi-tenant issues as well.
I talked to a solutions architect as @Felix_Roessel mentioned - the answer I got was "it depends on how you want to use Elastic" and didn't really help.
Separate clusters are definitely the easiest way to go - you can calculate your client costs easier and your data segmentation is easier. As you mentioned, it's not the most cost effective. I asked for some multitenancy setup guidance in a single cluster to address some of the pain points and never got an answer beyond "you can do it, it just takes planning".
For a multi-cluster setup we have ECE and ECK, which make management of the clusters easy. It is also cost efficient for smaller customers, as you don't need to license complete nodes like in Gold and Platinum.
To get it done in one cluster you need to do the segmentation using document level security based on customer name. But e.g. ML jobs are visible to everyone at the moment.
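The single-cluster approach described in the post above, sketched as an added example that is not part of the original thread or Elastic's own code: it builds one read-only role body per tenant for the Elasticsearch role API (`PUT /_security/role/<name>`) with a document level security query, and checks locally which constructed sample documents each role would expose. The field name `customer.name`, the `logs-*` index pattern, the `tenant_<id>_read` role names and the tenant ids are assumptions.

```python
import json
import re

TENANT_FIELD = "customer.name"  # assumed keyword field stamped on every document at ingest
INDEX_PATTERNS = ["logs-*"]     # assumed index pattern shared by all tenants

# Restrict tenant ids so a wildcard or query syntax can never reach the role query.
_TENANT_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,62}")

def tenant_role(tenant: str) -> dict:
    """Role body for PUT /_security/role/<name>: read-only, limited to one tenant."""
    if not _TENANT_RE.fullmatch(tenant):
        raise ValueError(f"unsafe tenant id: {tenant!r}")
    return {
        "indices": [{
            "names": INDEX_PATTERNS,
            "privileges": ["read"],
            # Document level security: only documents matching this query are visible.
            "query": {"term": {TENANT_FIELD: tenant}},
        }]
    }

def visible(role: dict, docs: list) -> list:
    """Local approximation of the term filter, to sanity-check a role before deploying."""
    out = []
    for grant in role["indices"]:
        (field, value), = grant["query"]["term"].items()
        out += [d for d in docs if d.get(field) == value]
    return out

# Constructed sample documents (flattened field names), not real data.
SAMPLE_DOCS = [
    {"customer.name": "acme", "event.action": "logon-failed"},
    {"customer.name": "globex", "event.action": "process-start"},
    {"event.action": "untagged-event"},  # no tenant field: matches no tenant role
]

if __name__ == "__main__":
    for t in ("acme", "globex"):
        role = tenant_role(t)
        print(f"PUT /_security/role/tenant_{t}_read")
        print(json.dumps(role, indent=2))
        print("visible:", [d["event.action"] for d in visible(role, SAMPLE_DOCS)])
```

The untagged document shows why the tenant field has to be set at ingest: with an allow-list term filter a missing field hides the event from every tenant instead of leaking it.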
Thank you for this response. I've had conversations with a solutions architect and received pretty much the same response as @n2x4. I don't have the firmest grasp on document level security, but that's definitely worth looking into. ECK may be the correct solution for us.