I am consulting in a large quasi-SP environment for state government. Several of the SP's clients (agencies) are requesting visibility into security events on their own networks, though a central SP security group owns the responsibility for monitoring the access and edge switches in those agencies; often any agency firewall is controlled by the agency, not the central SP.
This central security group could generate and distribute reports to all the agencies connected because they would have admin and roll-up capabilities for all the local controllers (but it would be very time consuming and still doesn't allow individual agencies to drill down or get custom reporting).
A solution I think is to give each agency an "SP Sponsored" local controller with view and reporting permissions, to monitor IPS modules in the SP-owned building switches and their own firewall logs.
The SP-owned Global controller could still suck up all the network-wide reporting yet allow local agencies a large amount of reporting control on their own, without allowing them access to monitor and report on other agency devices that they do not own. An agency's local controller would only be configured to report on devices in its network.
Anybody set up a Global/Local architecture with this kind of localized reporting idea in mind? Does it work? Is it practical?
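The scoping rule described in the post (the Global controller sees everything; a local controller reports only on devices in its own agency's networks and is refused, not silently narrowed, when it asks for something outside that) can be sketched as follows. This is an added example written for this page, not the poster's setup or any vendor's controller; the event records, agency networks and the `report`/`allowed` functions are constructed assumptions.

```python
import ipaddress

# Constructed sample events, as a central controller might store them (hypothetical).
EVENTS = [
    {"device": "10.1.0.2", "agency": "A", "event": "IPS signature match"},
    {"device": "10.1.0.3", "agency": "A", "event": "firewall deny"},
    {"device": "10.2.0.2", "agency": "B", "event": "IPS signature match"},
    {"device": "10.3.0.9", "agency": "C", "event": "port scan detected"},
]

# Each sponsored local controller is configured with the networks its agency owns.
# Agency C has no local controller configured, so it must get nothing (deny by default).
SCOPES = {
    "A": [ipaddress.ip_network("10.1.0.0/24")],
    "B": [ipaddress.ip_network("10.2.0.0/24")],
}


class ScopeError(Exception):
    """Raised when a local controller asks for devices outside its configured scope."""


def in_scope(device, networks):
    ip = ipaddress.ip_address(device)
    return any(ip in net for net in networks)


def report(controller, events=EVENTS, scopes=SCOPES, requested_net=None):
    """Return the events a controller is allowed to see.

    'global' sees everything.  A local controller sees only events from devices
    inside its configured networks; if it requests a specific network, that
    network must lie entirely within its scope or the request is refused."""
    if controller == "global":
        return list(events)
    networks = scopes.get(controller)
    if not networks:
        raise ScopeError(f"{controller}: no scope configured, deny by default")
    if requested_net is not None:
        req = ipaddress.ip_network(requested_net)
        if not any(req.subnet_of(net) for net in networks):
            raise ScopeError(f"{controller}: {req} is outside configured scope")
        networks = [req]
    return [e for e in events if in_scope(e["device"], networks)]


def allowed(controller, requested_net=None):
    """True if the report request is permitted under the configured scopes."""
    try:
        report(controller, requested_net=requested_net)
        return True
    except ScopeError:
        return False
```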