Overview
Red Hat® Insights is a Software-as-a-Service offering that gives users visibility into their operating environments, helping to identify and address operational and vulnerability risks before an issue results in downtime. To provide this service, small pieces of system metadata are sent to the Red Hat Insights service for processing and analysis, during which time measures are taken to help reduce risk.
Data features
Red Hat Insights continuously analyzes platforms and applications to predict risk, recommend actions, and track costs so enterprises can better manage hybrid cloud environments. The utility allows users to remediate issues without a separate Red Hat Satellite subscription.
Insights is designed to work with minimal data
Red Hat Insights collects only the minimum system metadata needed to analyze and identify issues for supported platforms.
You can control what data is sent to Red Hat for analysis
Before data is sent, you have the option to inspect and redact information.
Data is encrypted throughout the processes, with a customizable collection schedule
Red Hat signs its data collection rules, and collection will stop if the signature cannot be verified.
Only one uploaded data set is stored at a time
For each cluster, host, or instance, one uploaded data set is stored on the service's infrastructure.
Data protection
Infrastructure
Red Hat Insights offers measures to protect your data and keep information from persisting.
Red Hat OpenShift Dedicated
Red Hat Insights operates on Red Hat’s own Red Hat OpenShift® Dedicated infrastructure.
Common Vulnerabilities and Exposures (CVE) and patching
All infrastructure software components are continuously monitored for known CVEs and proactively patched. Patches that can impact end users will be applied as soon as possible but may necessitate end user notification and scheduling a service window in some cases.
Penetration testing
Penetration testing is conducted by both internal and external parties.
Restricted data access
Access to systems that handle customer data is controlled via multi-factor authentication and strict authorization controls. Access is granted on a need-to-know basis and limited to required SaaS infrastructure operations.
User access
For user access management, Red Hat Insights uses Red Hat’s single sign-on (SSO) service and also provides role-based access control (RBAC) functions to help manage user access to Red Hat Insights capabilities and information in a more granular way.
Red Hat SSO authentication
Red Hat Insights is integrated into Red Hat’s existing SSO service for user management and is available in the Red Hat Hybrid Cloud Console. This integration allows users to use their existing login credentials to access other Red Hat assets, like the Red Hat Customer Portal.
Role-based access control (RBAC)
The Red Hat Hybrid Cloud Console offers RBAC functionality, which enables administrators to grant or restrict the access that user logins on their account have to Red Hat Insights and its individual services.
Data retention
In order to remain registered, an Insights client host must check in daily.
Latest upload for Insights client
When a client sends a new upload, the system automatically removes the previous upload, resulting in only one upload being kept at a time.
Automatic stale system removal
For hosts using the Insights client, if a system stops checking in with the Red Hat Insights service for 24 hours, it is identified as a "stale host". If a stale host doesn’t report to Red Hat Insights for 30 consecutive days, the host is automatically unregistered from the Red Hat Insights service.
Regulations
As a Red Hat product, Red Hat Insights is internally assessed against Red Hat’s data regulation policies.
General Data Protection Regulation (GDPR) and Personally Identifiable Information (PII)
The Red Hat Insights client collection does not target PII.
Data controls and redaction
The Red Hat Insights client offers several controls to inspect the data it collects, obfuscate IP addresses or hostnames, redact files, patterns, and keywords, and locally audit payloads.
Data collection and controls
Red Hat Insights client architecture
Red Hat Enterprise Linux® hosts and Red Hat Ansible® Automation Platform hosts running on Red Hat Enterprise Linux use the Insights client for configuration and data collection.
The Insights client has a critical role in extracting metadata from a host for analysis. Several controls are available to manage the collection and transmission of host data so you can tailor the metadata that is extracted and transmitted for analysis.
Open source client code
The Insights client was developed with open source principles in mind. Insights client code is available for review and contribution.
Minimal system metadata collected
The Insights client collects the minimum necessary metadata and will pre-process it to target specific lines or facts within files where possible. This ensures the overall payload remains small, collecting what is necessary for analysis and avoiding key areas where sensitive data may be stored.
Leverage existing firewall rules
If a host is already subscribed to Red Hat Subscription Manager or to a connected Red Hat Satellite, the Insights client by default will leverage those existing and established connections for its communication with Red Hat. This means that no additional firewall rules or ports need to be added.
Encrypted communication
All communication with Red Hat occurs over encrypted channels, leveraging transport layer security and mutual certificate authentication. All data is encrypted in transit and at rest.
Resource restrictions
Resource constraints are implemented to limit the client’s use of the host’s central processing unit and memory resources, and all collection items have automatic timeouts if they are taking longer than expected.
Red Hat Insights client controls
The Red Hat Insights client has several optional controls available for use to enable overall customization on how the client runs, as well as what information the client sends from the host to Red Hat for analysis.
IP and hostname obfuscation
Some organizations may consider IP addresses and hostnames to be sensitive information they prefer not to transmit to Red Hat. Red Hat Insights has optional controls that allow you to exclude the IP address or hostname from the data file transmitted to Red Hat and to obfuscate the values within the user interface. Additional options let a custom display name be entered for the identification of obfuscated hosts.
Minimal host impact
The Insights client is designed to activate at its scheduled time, perform the metadata collection, and then shut down. By default, check-ins occur once per day and check-in time slots are staggered across each system to minimize network strain. A scheduled collection time slot can be overridden via a custom schedule function to change the time of day or frequency of the check-in from the default values on a per-system basis.
Proxy support
The Insights client has built-in support for HTTP proxies, or an existing connected Red Hat Satellite may be leveraged as a proxy to streamline setup and registration.
Granular controls for data redaction
Red Hat Insights provides several optional controls that can redact data on-premises before it is sent for analysis. Any file, pattern, or keyword can be specified within the Insights client’s deny list function, which will omit the specified items from the final collection prior to submission.
Local collection inspection and redaction verification
The Insights client has built-in options available to generate a payload archive locally, without sending the archive to Red Hat. This option may be used to inspect the contents of the collection and can be used to verify any redaction or obfuscation settings that a user specifies.
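One way to verify redaction settings against a locally generated archive, as an added example (not Red Hat's or the Insights client's own code): it scans a payload tarball for deny-listed files, keywords, and patterns that are still present. The function names, the archive layout, and all sample values are assumptions constructed for illustration.

```python
import io
import re
import tarfile

def audit_archive(archive, denied_files=(), keywords=(), patterns=()):
    """Return (member, line_no, reason) for each deny-list item still present.
    Assumes members mirror host paths beneath one top-level directory."""
    regexes = [re.compile(p) for p in patterns]
    suffixes = ["/" + f.lstrip("/") for f in denied_files]
    source = {"name": archive} if isinstance(archive, str) else {"fileobj": archive}
    findings = []
    with tarfile.open(mode="r:*", **source) as tar:
        for member in tar:
            if not member.isfile():
                continue
            if any(member.name.endswith(s) for s in suffixes):
                findings.append((member.name, 0, "denied file present"))
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for n, line in enumerate(text.splitlines(), 1):
                for kw in keywords:
                    if kw in line:
                        findings.append((member.name, n, f"keyword {kw!r}"))
                for rx in regexes:
                    if rx.search(line):
                        findings.append((member.name, n, f"pattern {rx.pattern!r}"))
    return findings

def build_sample_archive():
    """Constructed stand-in for an unredacted payload (not real Insights output)."""
    files = {
        "sample/etc/hosts": "127.0.0.1 localhost\n192.0.2.10 db01.example.com\n",
        "sample/etc/sysctl.conf": "kernel.sysrq = 0\n",
        "sample/etc/app.conf": "user=svc\npassword=constructed-secret\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Deny-list entries below are constructed sample values.
    for finding in audit_archive(build_sample_archive(), ["/etc/sysctl.conf"],
                                 ["db01.example.com", "192.0.2.10"], [r"password\s*="]):
        print(finding)
```

An empty result means none of the listed items survived into the archive; any finding points at the member and line where a redaction or obfuscation setting did not take effect.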
Optional host unregistration
A host may be unregistered from Red Hat Insights manually at any point. Running the unregistration command will stop the Insights client from checking in and remove the host and its results from Red Hat Insights.