Elastic Security Deployment for an MSSP

Hello all,

I am a security engineer for an MSSP and am currently having issues understanding how to best deploy Elastic Security for our multi-tenant environment. I've heard talk of isolating indexes by client and using spaces and roles to separate the data, though functionally I don't really understand how to do this. I've also heard that we should create a deployment for each client and use cross-cluster search for data segmentation, which doesn't seem to be very cost effective. In practice, I'm having a hard time understanding how to use Elastic Security effectively for an MSSP. While the capabilities for a single-tenant environment seem very strong, I'm just not sure how well it will meet our needs. Are there any standard practices I'm missing or any training materials available for reference on these topics?

Thanks in advance for any insight!

Welcome to the community.
The answer to your question is long and depends a lot on your requirements.
Hence I would recommend reaching out to your local Elastic contact, e.g. using the Contact button on elastic.co.
Talking to our solutions architects will help you clarify your situation.

FWIW - I've been unable to solve the multi-tenant issues as well.

I talked to a solutions architect as @Felix_Roessel mentioned - the answer I got was "it depends on how you want to use Elastic" and didn't really help.

Separate clusters are definitely the easiest way to go - you can calculate your client costs easier and your data segmentation is easier. As you mentioned, it's not the most cost effective. I asked for some multitenancy setup guidance in a single cluster to address some of the pain points and never got an answer beyond "you can do it, it just takes planning".

For a multi-cluster setup we have ECE and ECK, which make management of the clusters easy. It is also cost efficient for smaller customers, as you don't need to license complete nodes like in Gold and Platinum.

To get it done in one cluster you need to do the segmentation using document-level security based on customer name. But e.g. ML jobs are visible to everyone at the moment.
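To make the single-cluster approach above concrete, here is an added example (editor's code, not from anyone in this thread and not Elastic's own tooling) that builds the Kibana API request bodies for one tenant: a Kibana space per customer and a role whose Elasticsearch part carries a document-level security (DLS) query on a customer field, and whose Kibana part only grants the Security app inside that customer's space. It assumes every ingested document carries a keyword field named customer.name and that data lives under logs-* plus the .alerts-security.alerts-* alert indices (which copy the source event fields, so the same DLS term applies there); those names are assumptions, not something the thread states. It does not address the ML job visibility caveat mentioned above. Nothing is sent to a cluster; the bodies are returned as dicts so you can review them and POST/PUT them with any HTTP client.

```python
"""Generate Kibana Spaces API and Roles API bodies that isolate one customer in a
shared Elastic Security cluster using document-level security (DLS).

Assumptions (not from the thread): documents carry a keyword field
``customer.name`` and live under the index patterns in LOG_INDICES."""
import json
import re

CUSTOMER_FIELD = "customer.name"  # assumed keyword field on every ingested document
LOG_INDICES = ["logs-*", ".alerts-security.alerts-*"]  # assumed index patterns

_SAFE_ID = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")


def space_id(customer):
    """Derive a Kibana space id from a customer name.

    Anything that cannot be reduced to a plain lowercase slug is rejected so a
    customer name can never smuggle characters into a role name or a space id."""
    sid = re.sub(r"[^a-z0-9_-]+", "-", customer.strip().lower()).strip("-")
    if not _SAFE_ID.match(sid):
        raise ValueError(f"cannot derive a safe space id from {customer!r}")
    return sid


def dls_query(customer):
    """DLS query restricting an index to one customer's documents.

    A ``term`` query on a keyword field is used deliberately: unlike ``match`` or
    ``query_string`` it cannot be widened by operators or wildcards in the value."""
    return {"term": {CUSTOMER_FIELD: customer}}


def space_body(customer):
    """Body for POST /api/spaces/space (Kibana Spaces API)."""
    return {"id": space_id(customer), "name": customer, "disabledFeatures": []}


def role_name(customer):
    """Role name for PUT /api/security/role/<name>."""
    return f"mssp-{space_id(customer)}-analyst"


def analyst_role_body(customer):
    """Body for PUT /api/security/role/<name> (Kibana Roles API).

    elasticsearch.indices: read on the log indices, but only documents matching the
    DLS query (the Kibana API expects the query as a JSON string).
    kibana: the Security app (feature id ``siem``) and Discover, scoped to this
    customer's space only, with no base privilege on any other space."""
    return {
        "elasticsearch": {
            "cluster": [],
            "indices": [
                {
                    "names": LOG_INDICES,
                    "privileges": ["read", "view_index_metadata"],
                    "query": json.dumps(dls_query(customer)),
                }
            ],
        },
        "kibana": [
            {
                "base": [],
                "feature": {"siem": ["all"], "discover": ["read"]},
                "spaces": [space_id(customer)],
            }
        ],
    }


def tenant_bundle(customers):
    """Space, role name and role body for each customer, keyed by customer name."""
    return {
        c: {"space": space_body(c), "role_name": role_name(c), "role": analyst_role_body(c)}
        for c in customers
    }


if __name__ == "__main__":
    # Constructed customer names, not real tenants.
    print(json.dumps(tenant_bundle(["Acme Corp", "Globex"]), indent=2))
```

Each analyst user is then assigned only the role for their own customer. Because the restriction is a DLS query rather than an index pattern, a shared logs-* index still returns only that customer's documents for that user, and the space keeps saved objects (dashboards, rules, timelines) from one customer out of another's Kibana view.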

Thanks this is helpful! I'll start testing document level security.

What about tracking costs? Any ideas on how to track metrics for what each customer might be costing me so that I can efficiently pass those costs on?

Well, in one cluster the only option you have is to check the amount of data that's used per customer.
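As an added example of checking data per customer (editor's code, not from this thread or from Elastic): when customers are separated by index, the store.size column of GET _cat/indices already gives you bytes per customer. In the single-cluster DLS model the indices are shared, so index size has to be apportioned. The block below takes index sizes from _cat/indices (format=json, bytes=b) and the per-customer document split from a terms aggregation on a customer field, and charges each customer their share of each index's bytes. Both API responses here are constructed samples, the field name customer.name is an assumption, and documents that carry no customer value are charged to a separate _unassigned bucket rather than silently dropped, since those are usually the ones that break a chargeback report.

```python
"""Apportion shared-index storage across customers in a DLS-segmented cluster.

Inputs: the JSON form of GET _cat/indices?format=json&bytes=b and the response of
a ``terms`` aggregation on ``_index`` with a sub-aggregation on the customer field.
The samples below are constructed, not real cluster output, and the field name
``customer.name`` is an assumption."""

CUSTOMER_FIELD = "customer.name"  # assumed keyword field on every ingested document

# Constructed sample: GET _cat/indices/logs-*?format=json&bytes=b&h=index,docs.count,store.size
CAT_INDICES = [
    {"index": "logs-endpoint.events-2024.05", "docs.count": "1000", "store.size": "500000000"},
    {"index": "logs-network.flows-2024.05", "docs.count": "400", "store.size": "100000000"},
]

# Constructed sample response to customer_query_body(); the network index holds
# 50 documents with no customer.name value, so they appear in no bucket.
AGG_RESPONSE = {
    "aggregations": {
        "by_index": {
            "buckets": [
                {
                    "key": "logs-endpoint.events-2024.05",
                    "doc_count": 1000,
                    "by_customer": {
                        "sum_other_doc_count": 0,
                        "buckets": [
                            {"key": "Acme Corp", "doc_count": 750},
                            {"key": "Globex", "doc_count": 250},
                        ],
                    },
                },
                {
                    "key": "logs-network.flows-2024.05",
                    "doc_count": 400,
                    "by_customer": {
                        "sum_other_doc_count": 0,
                        "buckets": [{"key": "Globex", "doc_count": 350}],
                    },
                },
            ]
        }
    }
}


def customer_query_body(field=CUSTOMER_FIELD, size=500):
    """Request body for GET logs-*/_search that yields a response shaped like
    AGG_RESPONSE: documents bucketed by index, then by customer.  ``size`` must
    exceed the number of indices and customers or counts spill into
    sum_other_doc_count and the apportioning undercounts."""
    return {
        "size": 0,
        "aggs": {
            "by_index": {
                "terms": {"field": "_index", "size": size},
                "aggs": {"by_customer": {"terms": {"field": field, "size": size}}},
            }
        },
    }


def apportion_storage(cat_indices, agg_response):
    """Return {customer: estimated_bytes}.

    Each index's store.size is split by each customer's share of that index's
    documents.  Documents counted by the index but present in no customer bucket
    (no field value, or spilled into sum_other_doc_count) go to '_unassigned'."""
    size_by_index = {row["index"]: int(row["store.size"]) for row in cat_indices}
    usage = {}
    for idx in agg_response["aggregations"]["by_index"]["buckets"]:
        total_docs = idx["doc_count"]
        store = size_by_index.get(idx["key"])
        if store is None or total_docs == 0:
            continue  # index not in the _cat listing, or empty: nothing to charge
        counted = 0
        for bucket in idx["by_customer"]["buckets"]:
            counted += bucket["doc_count"]
            share = store * bucket["doc_count"] // total_docs
            usage[bucket["key"]] = usage.get(bucket["key"], 0) + share
        missing = total_docs - counted
        if missing > 0:
            usage["_unassigned"] = usage.get("_unassigned", 0) + store * missing // total_docs
    return usage


if __name__ == "__main__":
    for customer, nbytes in sorted(apportion_storage(CAT_INDICES, AGG_RESPONSE).items()):
        print(f"{customer:<12} {nbytes / 1e9:8.3f} GB")
```

Document share is a proxy: a customer with very large events pays less than their true share, so if event sizes differ a lot between tenants, replace doc_count with a sum aggregation on an ingested event-size field. A non-zero _unassigned figure is also a useful ingest health check, because a document without a customer value is invisible to every DLS role and visible only to superusers.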

Thank you for this response. I've had conversations with a solutions architect and received pretty much the same response as @n2x4 . I don't have the firmest grasp on document level security, but that's definitely worth looking into. ECK may be the correct solution for us.