IBM Support

QRadar: Data collection for multi-tenant deployments

Question & Answer


As a managed security service provider (MSSP), is there guidance for adding event collection within a tenant's infrastructure?



Considerations for multi-tenant deployments

QRadar® managed host “collectors”, such as Event Collectors (EC), Flow Collectors (FC), or Data Gateways (DG) as well as unmanaged Disconnected Log Collectors (DLC), can be used to extend the reach of a QRadar® deployment. Collectors can be deployed across multiple network infrastructures so that QRadar's data collection occurs in close proximity to the Log Sources. Organizations, such as Managed Security Service Providers (MSSP), deploying QRadar® with multi-tenancy enabled might consider installing collectors within tenant premises to facilitate this proximity. As with any QRadar managed host, however, managed host collectors contain details about the remainder of the QRadar® deployment, including other collectors. Due to the presence of this distributed configuration information, it is important to secure all managed hosts from unauthorized physical and logical access, including collectors.
With a single-tenant deployment, the security access controls provided by QRadar® are generally sufficient to facilitate access control when combined with the tenant's own infrastructure policies. In a multi-tenant deployment managed by an MSSP, the on-premises infrastructure access controls might belong to multiple end-customers or tenants. In these situations, extra care must be taken to secure the distributed configuration information and limit administrator level access. If restricting access to the Collectors is not possible, an MSSP might want to consider the model of one console per customer.
To assist with environments where the MSSP cannot maintain full control over every QRadar® managed host, the IBM® team developed a Disconnected Log Collector (DLC). The DLC does not store or access any of the configuration information from the QRadar® deployment. Which allows the DLC to be managed and deployed by the tenant directly within their premises, or by the MSSP on behalf of the tenant. The DLC provides the same log collection protocols as an EC making it a reasonable substitute for an EC. Currently, the DLC does not provide for flow collection or vulnerability scanning therefore it cannot replace an FC or a DG that collects flows.

Deployment Best Practice

In a single QRadar® deployment with multiple tenants the Operator or MSSP should:
  • Deploy the collectors into premises or infrastructure that is fully under their own control.
  • Employ sufficient access controls that tenant personnel are not able to access disks, disk images, or snapshots.
  • Neither allow access by the tenant's personnel nor provide them with login credentials to the collector.  If restricting access is not possible, an MSSP might want to consider the model of one console per customer.
  • Install DLC on any tenant premises.
  • Provide DLC packages to a tenant to install for themselves.
  • Either allow tenants to manage the DLC instance, share responsibility with the tenant, or manage it entirely on behalf of the tenant.

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt9AAA","label":"DLC"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
04 November 2020