Multi-Tenancy

Purpose and Requirements

Multi-Tenancy lets you create multiple distinct management environments using a single Deep Security Manager and database server installation. It fully isolates the settings, Policies, and Events for each Tenant and makes use of a number of additional infrastructure scaling options.

Multi-Tenancy was designed to provide segmentation for business units within an organization and facilitate testing in staging environments prior to full production deployments. It also allows the provision of Deep Security to customers within a service model.

Role-Based Access Control instead of Multi-Tenancy may still be preferable for Managed Security Service Providers (MSSPs) because of the central control and reporting it offers.

The requirements for Deep Security Multi-Tenancy are:

Deep Security Manager 9.0 or higher
Oracle Database or Microsoft SQL Server
The necessary database account privileges for database create/delete operations. (See Multi-Tenancy (Advanced))
Multi-Tenant Activation Code

Optional but recommended:

Multi-node Manager (more than one Deep Security Manager node pointed to the same database for scalability)
SMTP server

Architecture

Multi-Tenancy in Deep Security Manager operates similarly to a hypervisor. Multiple Tenants exist within the same Deep Security Manager installation but their data is highly isolated. All Manager Nodes process GUI, Heartbeat or Job requests for any Tenant. For the background processing, each Tenant is assigned a Manager Node that takes care of job queuing, maintenance and other background tasks. The assigned Manager node is automatically rebalanced when manager nodes are added or taken offline. The majority of each Tenant's data is stored in a separated database. This database may co-exist on the same database server as other Tenants, or it can be isolated onto its own database server. In all cases, some data only exists in the primary database (the one Deep Security Manager was installed with). When multiple database servers are available, Tenants are created on the database with the least amount of load.

	Single Tenant	Multi-Tenant
Managed computers	100,000	1,000,000 or more
Deep Security Manager Nodes	1-5	1-50
Databases	1	1-10,000
Database Servers	1 (With or without replication)	1-100

Once you enable Multi-Tenancy, you (as the "Primary Tenant") retain all of the capabilities of a regular installation of Deep Security Manager. However, the Tenants you subsequently create can have their access to Deep Security functionality restricted to varying degrees, based on how you configure the system for them.

The segmentation of each Tenant's data into a database provides additional benefits:

Data destruction: Deleting a Tenant removes all traces of that Tenant's data (Supported in the product)
Backup: Each Tenant's data can be subject to different backup policies. This may be useful for something like tenancy being used for staging and production where the staging environment requires less stringent backups. (Backups are the responsibility of the administrator setting up Deep Security Manager.)
Balancing: The potential for future re-balancing to maintain an even load on all database servers

Enabling Multi-Tenancy

To enable Multi-Tenancy:

In the Deep Security Manager, go to Administration > System Settings > Advanced and click Enable Multi-Tenancy in the Multi-Tenant Options area to display the Multi-Tenant Configuration wizard.
Enter the Activation Code provided by your sales representative and click Next.
Choose the license mode you wish to implement:
- Inherit Licensing from Primary Tenant: Gives all Tenants the same licenses that you (the Primary Tenant) have. This option is recommended if you are using Multi-Tenancy testing in a staging environment, or if you intend to set up Tenancies for separate departments within the same business.
- Per Tenant Licensing: This mode is recommended when Deep Security is being offered as a service. Configured this way, you provide a license at the moment that you create a Tenant account (using the API) or the Tenants themselves enter a license when they sign in for the first time.
Click Next to finish enabling Multi-Tenancy in your Deep Security Manager.
The Administration > System Settings > Tenant page will be displayed. Configure the option settings for multi-tenants. For details about the settings, go to the Administration > System Settings > Tenant page and refer to the online help for that page.

Managing Tenants

Once Multi-Tenant mode is enabled, Tenants can be managed from the Tenants page that now appears in the Administration section.

Creating Tenants

To create a new Tenant:

Go to the Administration > Tenants page and click New to display the New Tenant wizard.
Enter a Tenant Account Name. The account name can be any name except "Primary" which is reserved for the Primary Tenant.
Enter an Email Address. The email address is required in order to have a contact point per Tenant. It is also used for two of the three different user account generation methods in the next step.
Select the Locale. The Locale determines the language of the Deep Security Manager user interface for that Tenant.
Select a Time Zone. All Tenant-related Events will be shown to the Tenant Users in the time zone of the Tenant account.
If your Deep Security installation is using more than one database, you will have the option to let Deep Security automatically select a database server on which to store the new Tenant account ("Automatic -- No Preference") or you can specify a particular server.
Database servers that are no longer accepting new Tenants will not be included in the drop-down list. The options will not appear if you only have a single database.
When you have made your selection, click Next to continue.
Enter a Username for the first User of the new Tenant account.
Select one of the three password options:
- No Email: The Tenancy's first User's username and password are defined here and no emails are sent.
- Email Confirmation Link: You set the Tenancy's first User's password. However the account is not active until the User clicks a confirmation link he will receive by email.
- Email Generated Password: This allows you to generate a Tenant without specifying the password. This is most applicable when manually creating accounts for users where you do not need access.
All three options are available via the REST API. The confirmation option provides a suitable method for developing public registration. A CAPTCHA is recommended to ensure that the Tenant creator is a human not an automated "bot". The email confirmation ensures that the email provided belongs to the user before they can access the account.
Click Next to finish with the wizard and create the Tenant. It may take from 30 seconds to four minutes to create the new Tenant database and populate it with data and sample Policies.

Examples of messages sent to Tenants

Email Confirmation Link: Account Confirmation Request

Welcome to Deep Security! To begin using your account, click the following confirmation URL. You can then access the console using your chosen password. Account Name: AnyCo Username: admin Click the following URL to activate your account: https://managername:4119/SignIn.screen?confirmation=1A16EC7A-D84F-D451-05F6-706095B6F646&tenantAccount=AnyCo&username=admin

Email Generated Password

First email : Account and Username Notification

Welcome to Deep Security! A new account has been created for you. Your password will be generated and provided in a separate email. Account Name: AnyCo Username: admin You can access the Deep Security management console using the following URL: https://managername:4119/SignIn.screen?tenantAccount=AnyCo&username=admin

Second email: Password Notification

This is the automatically generated password for your Deep Security account. Your Account Name, Username, and a link to access the Deep Security management console will follow in a separate email. Password: z3IgRUQ0jaFi

Managing Tenants

The Tenants page (Administration > Tenants) displays the list of all Tenants. A Tenant can be in any of the following States:

Created: In the progress of being created but not yet active
Confirmation Required: Created but the activation link in the confirmation email sent to the Tenant User has not yet be clicked. (You can manually override this state.)
Active: Fully online and managed
Suspended: No longer accepting sign ins.
Pending Deletion: Tenants can be deleted, however the process is not immediate. The Tenant will be in the pending deletion state for approximately 7 days before the database is removed.
Database Upgrade Failed: For Tenants that failed the upgrade path. The Database Upgrade button can be used to resolve this situation

Tenant Properties

Double-click on a Tenant to view the Tenant's Properties window.

General

The Locale, Time zone and State of the Tenant can be altered. Be aware that changing the time zone and locale does not affect existing Tenant Users. It will only affect new Users in that Tenancy and Events and other parts of the UI that are not User-specific.

The Database Name indicates the name of the database used by this Tenancy. The server the database is running on can be accessed via the hyperlink.

Modules

The Modules tab provides options for protection module visibility. By default all unlicensed modules are hidden. You can change this by deselecting Always Hide Unlicensed Modules. Alternatively, selected modules can be shown on a per-Tenant basis.

If you select Inherit License from Primary Tenant, all features that you (the Primary Tenant) are licensed for will be visible to all Tenants. The selected visibility can be used to tune which modules are visible for which Tenants.

If you are using the "Per Tenant" licensing, only the licensed modules for each Tenant will be visible by default.

If you are evaluating Deep Security in a test environment and want to see what a full Multi-Tenancy installation looks like, you can enable Multi-Tenancy Demo Mode. When in Demo Mode, the Manager populates its database with simulated Tenants, computers, Events, Alerts, and other data. Initially, seven days worth of data is generated but new data is generated on an ongoing basis to keep the Manager's Dashboard, Reports and Events pages populated with data.

Demo Mode is not intended to be used in a production environment!

Statistics

The Statistics tab shows information for the current Tenant including database size, jobs processed, logins, security events and system events. The spark line show the last 24 hours at a glance.

Agent Activation

The Agent Activation tab displays a command that can be run from the Agent install directory of this Tenant's computers which will activate the agent on the computer so that the Tenant can assign Policies and perform other configuration procedures from the Deep Security Manager.

Primary Contact

The Tenant Account User's View of Deep Security

The Tenant "User experience"

When Multi-tenancy is enabled, the sign-in page has an additional Account Name text field:

Tenants are required to enter their account name in addition to their username and password. The account name allows Tenants to have overlapping usernames. (For example, if multiple Tenants synchronize with the same Active Directory server).

When you (as the Primary Tenant) log in, leave the Account name blank or use "Primary".

When Tenants log in, they have a very similar environment to a fresh install of Deep Security Manager. Some features in the UI are not available to Tenant Users. The following areas are hidden for Tenants:

Manager Nodes Widget
Multi-Tenant Widgets
Administration > System Information
Administration > Licenses (If Inherit option selected)
Administration > Manager Nodes
Administration > Tenants
Administration > System Settings:
- Tenant Tab
- Security Tab > Sign In Message
- Updates Tab > Setting for Allowing Tenants to use Relays from the Primary Tenant
- Advanced Tab > Load Balancers
- Advanced Tab > Pluggable Section
Some of the help content not applicable to Tenants
Some reports not applicable to Tenants
Other features based on the Multi-Tenant Options (discussed later)
Some Alert Types will also be hidden from Tenants:
- Heartbeat Server Failed
- Low Disk Space
- Manager Offline
- Manager Time Out Of Sync
- Newer Version of Deep Security Manager available
- Number of Computers Exceeds Database Limit
- And when inherited licensing is enabled any of the license-related alerts

It is also important to note that Tenants cannot see any of the Multi-Tenant features of the primary Tenant or any data from any other Tenant. In addition, certain APIs are restricted since they are only usable with Primary Tenant rights (such as creating other Tenants).

For more information on what is and is not available to Tenant Users, see Administration > System Settings > Tenants.

All Tenants have the ability to use Role-Based Access Control with multiple user accounts to further sub-divide access. Additionally, they can use Active Directory integration for users to delegate the authentication to the domain. The Tenant Account Name is still required for any Tenant authentications.

Agent-Initiated Activation

Agent-initiated activation is enabled by default for all Tenants.

Unlike Agent-initiated activation for the Primary Tenant, a password and Tenant ID are required to invoke the activation for Tenant Users.

Tenants can see the arguments required for agent-initiated activation by clicking Administration > Updates > Software > Local, selecting the Agent software and then clicking the Generate Deployment Scripts button. For example, the script for Agent-Initiated Activation on a Windows machine might look like this:

dsa_control -a dsm://manageraddress:4120/ "tenantID:7156CF5A-D130-29F4-5FE1-8AFD12E0EC02" "tenantPassword:98785384-3966-B729-1418-3E2A7197D0D5"

Tenant Diagnostics

Tenants are not able to access manager diagnostic packages due to the sensitivity of the data contained within the packages. Tenants can still generate agent diagnostics by opening the Computer Editor and choosing Agent Diagnostics on the Actions tab of the Overview page.

Usage Monitoring

Deep Security Manager records data about Tenant usage. This information is displayed in the Tenant Protection Activity widget on the Dashboard, the Tenant Properties window's Statistics tab, and the Chargeback report. This information can also be accessed through the Status Monitoring REST API, which can be enabled or disabled by going to Administration > System Settings > Advanced > Status Monitoring API.

This chargeback (or viewback) information can be customized to determine what attributes are included in the record. This configuration is designed to accommodate various charging models that may be required in service provider environments. For enterprises, this may be useful to determine the usage by each business unit.

Multi-Tenant Dashboard/Reporting

When Multi-Tenancy is enabled, Primary Tenant Users have access to additional Dashboard widgets for monitoring Tenant activity:

Some examples of Tenant-related widgets:

The same information is available on the Administration > Tenants page (some in optional columns) and on the Statistics tab of a Tenant's Properties window.

This information provides the ability to monitor the usage of the overall system and look for indicators of abnormal activity. For example, if a single Tenant experiences a spike in Security Event Activity, they may be under attack.

More information is available in the Chargeback report (in the Events & Reports section). This report details protection hours, the current database sizes, and the number of computers (activated and non-activated) for each Tenant.