For enterprises trying to comply with regulatory requirements, Data Residency and Privacy controls are of immense concern. Those with a large global presence in particular are required by Data Localization laws to adhere to regional regulatory policies. At Symantec, as a division of Broadcom, we have the solutions to meet those Data Residency and Privacy controls.
Data residency requires that user data from the European Union (EU) stays within EU data centers. Symantec CloudSOC addresses this problem by offering the product in completely isolated Cloud environments. Symantec CloudSOC runs in a multi-tenant architecture inside a region and allows customers to have between 1 and N tenant(s) provisioned in any of these cloud environments and to direct specific user data to reside in a specific tenant.
While this approach satisfies legal and regulatory needs and is a strategy that some customers use, several tenants per customer could become cumbersome to manage. Minimizing tenants is a key element in efficiently gauging overall Cloud Security posture per region.
To address the concern of having too many tenants, a customer could configure Symantec CloudSOC so that EU users' data is directed to one tenant in the EU Cloud, and set up a second tenant in the US Cloud to receive the rest-of-world data, thereby minimizing the number of tenants to manage.
However, that alone does not necessarily address the data privacy concerns within a tenant of a cloud. Local Admins are limited to administering only the subset of the data in their jurisdiction. For example, an admin in the UK should have visibility into activity for users in the UK, and likewise for an admin in Germany. Global Admins, on the other hand, have full visibility from an overall tenant perspective and are not limited to a subset of the data.
So, how can Local Admins see only what they’re entitled to, while Global Admins retain full visibility? In other words, for businesses where Privacy is a concern, how can data be segregated within a tenant?
Logical Tenant Partitioning from a Geographical Perspective through RBAC
Logical partitioning of a single tenant is an approach that Symantec CloudSOC customers have adopted to restrict data visibility within a tenant for their Local Admins. Global Admins create Access Profiles to restrict data visibility per the jurisdiction of the respective Admin. For example, limiting data visibility for a Local Admin in the UK to activity of users in the UK only. This allows the Local Admin to perform all actions but is confined to a certain subset of users.
This presents another challenge - how does the System Admin let Symantec CloudSOC know which region a user or a subset of users belong to? The solution: Active Directory Groups to the rescue. Customers leverage Group memberships that they’ve set up in their Active Directory based on the user’s geographical presence and sync this with CloudSOC. Symantec SpanVA is an on-prem virtual appliance that connects to the local Active Directory and periodically syncs the User and Group membership details with Symantec CloudSOC.
This Active Directory Group can be used to set up an Access Profile that limits data visibility to users within the group, and the profile can be tied to a Local Admin, thereby enforcing Role-based Access Control (RBAC). In this example, our UK Admin has visibility restricted to data for users in the UK Active Directory Group.
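As an added illustration (not CloudSOC or SpanVA code), the following hypothetical Python model shows how an Access Profile scoped to a synced AD group narrows a Local Admin's view while a Global Admin's profile stays unrestricted. The group names, event records and function names are assumptions; the model also reports users who fall into no synced regional group, since under such a profile they are visible only to Global Admins.

```python
"""Hypothetical model of logical tenant partitioning via Access Profiles.

Constructed illustration only; not Symantec CloudSOC or SpanVA code.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed snapshot of AD group membership, as a periodic SpanVA-style
# sync might deliver it: group name -> set of user principal names.
AD_GROUPS = {
    "Geo-UK": {"alice@example.com", "bob@example.com"},
    "Geo-DE": {"carla@example.com"},
}

# Constructed activity events recorded in one tenant.
EVENTS = [
    {"user": "alice@example.com", "action": "download", "app": "Box"},
    {"user": "carla@example.com", "action": "share", "app": "O365"},
    {"user": "bob@example.com", "action": "upload", "app": "Box"},
    {"user": "dave@example.com", "action": "login", "app": "Salesforce"},
]


@dataclass(frozen=True)
class AccessProfile:
    """Visibility scope for an admin; groups=None means Global (unrestricted)."""
    groups: Optional[frozenset]


GLOBAL_ADMIN = AccessProfile(groups=None)
UK_LOCAL_ADMIN = AccessProfile(groups=frozenset({"Geo-UK"}))


def visible_users(profile, ad_groups):
    """Resolve a profile to the set of users it may see (None = everyone)."""
    if profile.groups is None:
        return None
    users = set()
    for group in profile.groups:
        users |= ad_groups.get(group, set())  # unknown group grants nothing
    return users


def visible_events(profile, events, ad_groups):
    """Filter tenant events down to what the given profile is entitled to see."""
    scope = visible_users(profile, ad_groups)
    if scope is None:
        return list(events)
    return [e for e in events if e["user"] in scope]


def unscoped_users(events, ad_groups):
    """Active users in no synced group: invisible to every group-scoped Local Admin."""
    grouped = set().union(*ad_groups.values())
    return sorted({e["user"] for e in events} - grouped)
```

Running `unscoped_users` after each sync is the check a practitioner would want, because a user missing from every regional group silently drops out of all Local Admins' views.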
A practice adopted by a few global customers is shown in the geographic illustration: user data originating from the EU region is directed to the EU-Cloud in one tenant, and the rest of the world is divided between two tenants in the US-Cloud. This way Global Admins get a comprehensive view of the posture within each of the 3 tenants, while Local Admins in the EU regions are subject to the logical partitioning of data controlled via RBAC. Additionally, CloudSOC SysAdmins control which aspects of the product can be accessed as part of this process.
In summary, Symantec CloudSOC addresses these regulatory requirements by allowing customers to set up and configure their tenants in preferred regions and enforce RBAC to comply with pertinent policies in place.
We encourage you to share your thoughts on your favorite social platform.