

Question 29 Discussion

A multinational organization wants to use the Cloud Identity Engine (CIE) to aggregate identity data from multiple sources (on-premises AD, Azure AD, Okta) while enforcing strict data isolation for different regional business units. Each region's firewalls, managed via Panorama, must only receive the user and group information relevant to that region. The organization aims to minimize administrative overhead while meeting data sovereignty requirements. Which approach achieves this segmentation of identity data? (Choose one answer)

  • A. Create one CIE tenant, aggregate all identity data into a single view, and redistribute the full dataset to all firewalls. Rely on per-firewall Security policies to restrict access to out-of-scope user and group information.
  • B. Establish separate CIE tenants for each business unit, integrating each tenant with the relevant identity sources. Redistribute user and group data from each tenant only to the region’s firewalls, maintaining a strict one-to-one mapping of tenant to business unit.
  • C. Disable redistribution of identity data entirely. Instead, configure each regional firewall to pull user and group details directly from its local identity providers (IdPs).
  • D. Deploy a single CIE tenant that collects all identity data, then configure segments within the tenant to filter and redistribute only the relevant user/group sets to each regional firewall group.
Correct Answer: D

Brave-Dump Clients Votes

D 50%
B 50%

Comments



Brave-Dumps Admin 2025-12-22 22:08:06

Selected Answers: D


D (Deploy a single CIE tenant... then configure segments within the tenant)
Explanation: While you could use multiple tenants, the CIE feature specifically designed to solve the problem of data partitioning and regional isolation within a single organization is Segments. This is


Ayesha 2026-01-28 05:09:37

Selected Answers: B


I did a lot of work on it.

I checked, and it's confirmed that B is the correct answer.
Data Sovereignty and Strict Data Isolation: The Cloud Identity Engine (CIE) allows you to select a specific region for each CIE instance (tenant) where your directory data will be stored. By creating separate CIE tenants for each regional business unit, you can deploy each tenant in the geographical region relevant to that business unit, directly addressing data sovereignty requirements. This ensures that identity data for a specific region is physically stored and processed only within that region, providing strict data isolation at the storage level.

Aggregating Identity Data: Each separate CIE tenant can integrate with the identity providers (IdPs) relevant to its specific region, such as on-premises Active Directory, Azure AD, or Okta. This allows for the aggregation of identity data pertinent to that business unit within its dedicated tenant.

Regional Redistribution to Firewalls: With separate tenants, user and group information can be configured to be redistributed exclusively from a specific regional CIE tenant to the firewalls belonging to that region. Panorama, which manages these regional firewalls, can be configured to retrieve group mapping information from the designated CIE instance. This ensures that each region's firewalls only receive the user and group information relevant to their respective region, without exposure to out-of-scope data from other regions.

Minimizing Administrative Overhead: While creating multiple tenants might seem like additional setup, it centralizes the management of identity data for each region within its dedicated CIE tenant. This is more efficient for managing regional data isolation and sovereignty compared to attempting to filter a single, globally aggregated dataset on every firewall or managing direct connections to local IdPs for each firewall individually. The CIE simplifies the configuration of identity sources into a unified source of user identity, allowing scalability.