Information Security and Access Control in vRealize Log Insight for Consolidated SDDC

Protect the vRealize Log Insight deployment by providing centralized role-based authentication and secure communication with the other components in the SDDC.

Authentication

Enable role-based access control in vRealize Log Insight by using the existing rainpole.local Active Directory domain.

Table 1. Design Decisions on Authorization and Authentication Management in vRealize Log Insight
Decision ID	Design Decision	Design Justification	Design Implication
CSDDC-OPS-LOG-011	Use Active Directory for authentication.	Provides fine-grained role and privilege-based access for administrator and operator roles.	You must provide access to the Active Directory from all Log Insight nodes.
CSDDC-OPS-LOG-012	Configure a service account svc-vrli-vsphere on vCenter Server for application-to-application communication from vRealize Log Insight with vSphere.	Provides the following access control features: vRealize Log Insight accesses vSphere with the minimum set of permissions that are required to collect vCenter Server events, tasks, and alarms and to configure ESXi hosts for syslog forwarding. If there is a compromised account, the accessibility in the destination application remains restricted. You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.	You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.
CSDDC-OPS-LOG-013	Use global permissions when you create the svc-vrli-vsphere service account in vCenter Server.	Simplifies and standardizes the deployment of the service account across all vCenter Servers in the same vSphere domain. Provides a consistent authorization layer.	All vCenter Server instances must be in the same vSphere domain.
CSDDC-OPS-LOG-014	Configure a service account svc-vrli-vrops on vRealize Operations Manager for the application-to-application communication from vRealize Log Insight for a two-way launch in context.	Provides the following access control features: vRealize Log Insight and vRealize Operations Manager access each other with the minimum set of required permissions. If there is a compromised account, the accessibility in the destination application remains restricted. You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.	You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

Encryption

To provide secure access to the vRealize Log Insight Web user interface, replace the default self-signed certificates with a CA-signed certificate.

Table 2. Design Decision on CA-Signed Certificates for vRealize Log Insight
Decision ID	Design Decision	Design Justification	Design Implication
CSDDC-OPS-LOG-015	Replace the default self-signed certificates with a CA-signed certificate.	Configuring a CA-signed certificate ensures that all communication to the externally facing Web UI is encrypted.	The administrator must have access to a Public Key Infrastructure (PKI) to acquire certificates.