Multi-Tenancy and Access Control in Cloud Logging
Multi-Tenancy and Access Control in Cloud Logging
Multi-tenancy in cloud logging allows Managed Service Providers (MSPs) to serve multiple clients using shared infrastructure while maintaining strict data separation. However, ensuring security, automating access control, and meeting compliance requirements like GDPR remain key challenges. Platforms like LogCentral, LogicMonitor, and Rafay offer tailored solutions, each addressing these needs differently.
- LogCentral: Focused on MSPs, it provides built-in multi-tenancy, GDPR compliance, and European hosting. Features include automated log routing, robust RBAC, and tenant-specific customizations.
- LogicMonitor: Ideal for hybrid infrastructures, it integrates logs and metrics but lacks native MSP multi-tenancy, requiring additional configuration.
- Rafay: Designed for Kubernetes-heavy environments, it excels in namespace isolation and security but is less suited for broader logging needs or European compliance.
Quick Comparison
| Platform | Best For | Key Features | Weaknesses |
|---|---|---|---|
| LogCentral | GDPR-focused MSPs | European hosting, built-in multi-tenancy, quick setup | Limited Kubernetes support |
| LogicMonitor | Hybrid infrastructures | Unified monitoring, detailed audit logs | Manual tenant isolation required |
| Rafay | Kubernetes environments | Namespace isolation, Zero Trust security | Complex setup, no explicit EU hosting |
Choose based on your priorities: compliance (LogCentral), diverse systems (LogicMonitor), or Kubernetes focus (Rafay).
Multi-Tenancy Cloud Logging Platforms Comparison: LogCentral vs LogicMonitor vs Rafay
1. LogCentral
Multi-Tenancy Implementation
LogCentral is designed with built-in multi-tenancy, ensuring that client data stays completely separate while allowing Managed Service Providers (MSPs) to oversee multiple client environments from a single interface. Its Smart IP Management system enforces strict tenant boundaries on shared infrastructure. For example, a tenant in Lyon cannot view or access logs from another tenant in Marseille, thanks to automatic data filtering that works within specific namespaces.
Setting up new tenants is a quick process for MSPs. They can establish tenant-specific contexts, assign Role-Based Access Control (RBAC) roles, and integrate syslog sources like Cisco Meraki in just minutes. The platform’s automated resource management also allows tenants to customize log retention periods. For instance, one tenant might keep logs for 90 days, while another opts for a two-year retention period to meet their compliance requirements.
Access Control Mechanisms
LogCentral strengthens tenant isolation with integrated access controls to keep every environment secure. The platform uses a three-tier RBAC system with roles such as Tenant Admin, Department Lead, and End User. For example, an MSP in Paris could grant Tenant Admin rights to a client’s IT manager while restricting junior staff to log-viewing permissions only.
To enhance security, LogCentral automatically creates tenant-specific network rules when syslog sources are connected. This dynamic firewalling blocks unauthorized access without requiring manual configuration. On top of that, advanced authentication options like Multi-Factor Authentication (MFA) and Single Sign-On (SSO) simplify secure access management for MSPs handling multiple clients.
Every user action, search query, and configuration change is recorded through comprehensive audit logging. This ensures full transparency and supports compliance efforts, laying the groundwork for reliable compliance management.
Compliance and Regional Hosting
LogCentral, managed by GDH SAS, is fully GDPR compliant and hosted within Europe. This guarantees that French MSPs can meet both GDPR and local data residency requirements.
European hosting offers additional advantages for French MSPs. Lower latency ensures faster access to live log visualization and real-time alerts, as data doesn’t need to cross transatlantic connections. The platform also adheres to French localization standards, such as DD/MM/YYYY date formats, number formatting with space-separated thousands and commas for decimals (e.g., 1 234,56), and the use of the euro (€) symbol.
LogCentral provides a 7-day free trial without the need for a credit card and offers a 99.9% uptime guarantee. Geo-redundancy further ensures that logs remain accessible even during rare infrastructure issues, giving MSPs peace of mind when it comes to reliability and performance.
2. LogicMonitor
Multi-Tenancy Implementation
LogicMonitor facilitates multi-tenancy by using account-level audit logs to track every login and configuration change [3][4]. These logs include details like timestamps, usernames, IP addresses, and event descriptions. For example, an MSP managing clients in Lyon and Marseille can easily identify which user modified a resource property or disabled an alert for a specific device group. If a session times out and resumes later - even from a different device - a new login event is recorded [3]. MSPs can access this information through the Audit Logs page, scheduled Audit Log reports for historical analysis (beyond 12 months), or via the LogicMonitor REST API. The retention period for this data depends on the "alert history storage" level of the selected package [3][4]. These detailed logs not only support multi-tenancy but also underpin LogicMonitor's access control system.
Access Control Mechanisms
LogicMonitor takes a unique approach to access control, relying on its audit-driven framework rather than traditional tiered RBAC. This setup integrates multi-tenancy with security by verifying that configuration changes and logins come from authorized sources [3]. MSPs can filter logs using operators like AND, OR, and AND NOT to pinpoint specific user actions. Single keyword searches automatically apply wildcards, but users must manually add them for combined terms (e.g., "trigger* AND alert") [4]. Administrators can schedule Audit Log reports in CSV, HTML, or PDF formats for compliance tracking. Additionally, the platform offers a 14-day trial with full functionality to explore these features [3][4].
Compliance and Regional Hosting
LogicMonitor ensures compliance by maintaining detailed records of user activity and configuration changes [4]. According to the platform, "LogicMonitor's audit logs provide insight into recent account activity, such as user logins and configuration changes made to resources in the account" [4]. While LogCentral emphasizes GDPR compliance and European data residency with regional hosting, LogicMonitor focuses on preserving audit data, which is tied to the alert history storage level of the chosen package [4][5].
3. Rafay
Multi-Tenancy Implementation
Rafay operates using an "Orgs" model, where each user, identified by a unique email address, can belong to multiple organisations. Within each organisation, Projects and Namespaces create distinct environments. For example, this setup can support separate infrastructures in cities like Paris and Toulouse. A centralised Operations Console allows for streamlined management across multiple organisations, while administrators can invite external collaborators as Org Admins to enhance flexibility and control [7].
Access Control Mechanisms
Rafay's access control system aligns seamlessly with its organisational structure, offering a robust Role-Based Access Control (RBAC) framework. It supports both predefined roles (like Organisation Admin or Project Admin) and custom roles for more detailed permission settings. The platform categorises users into three types:
- Local Users: Managed within the Controller, typically for super/root-level access.
- IdP Users: Integrated with Single Sign-On (SSO) providers, such as Okta or Azure AD, to accommodate developers and operations teams.
- Machine Users: Designed for programmatic access, often used in APIs or CI/CD pipelines.
Security measures include temporary passwords valid for 72 hours, mandatory re-authentication every 24 hours, and an auto-lockout feature after five failed login attempts within 15 minutes. Rafay also encourages organisations to align password policies with NIST's Digital Identity Guidelines (SP 800-63B) and advises enabling TOTP-based Multi-Factor Authentication (MFA) across the organisation for added security. Additionally, administrators can quickly revoke Kubeconfigs if a user's device is lost or compromised, ensuring rapid response to potential threats [7].
Compliance and Regional Hosting
To support compliance, Rafay employs detailed logging of all UI and API activities. These logs are streamed in real time to a Security Information and Event Management (SIEM) system, aiding adherence to frameworks like GDPR, HIPAA, and PCI-DSS. As noted in Rafay's Product Documentation:
"In multi-tenant environments, centralized logging ensures that activities from all tenants are logged and can be reviewed. This promotes transparency and accountability." [6]
However, unlike competitors such as LogCentral, which highlights European data residency and explicit GDPR compliance, Rafay's documentation does not specify hosting within Europe or provide detailed GDPR certifications. This distinction could be a key consideration for organisations prioritising European data residency and compliance [8].
Multi-tenant Logging with Opentelemetry Collector - Sándor Guba, Axoflow
Strengths and Weaknesses
The table below provides a clear comparison of the strengths and weaknesses of the platforms discussed, focusing on their suitability for MSPs.
| Platform | Strengths | Weaknesses |
|---|---|---|
| LogCentral | Built-in multi-tenancy tailored for MSPs; GDPR-compliant with hosting in Europe; quick setup (hours, not days); RBAC with live log visualization and smart alerts; predictable SaaS pricing with a 7-day trial | Primarily targets syslog management, which may not fully support Kubernetes-specific observability or complex hybrid infrastructures |
| LogicMonitor | Unified monitoring for diverse infrastructures; strong RBAC for managing large user bases and conflicting policies [13]; integrates logs and metrics in hybrid setups | Lacks native MSP multi-tenancy, requiring additional tenant isolation configurations |
| Rafay | Advanced Kubernetes isolation with vClusters; Zero Trust security with Just-in-Time (JIT) access [12]; effective namespace governance using OPA policies | Focused on Kubernetes, limiting broader logging applications; more complex initial setup compared to plug-and-play SaaS options; no explicit guarantees for European hosting |
Beyond these features, several other factors - cost, compliance, and scalability - highlight important differences between the platforms.
Cost Considerations
Cost efficiency varies across the platforms. LogCentral removes the need for infrastructure management, saving operational expenses. Rafay's shared cluster model resulted in a 60–70% cost reduction for LiveRamp Engineering in December 2025 [1]. On the other hand, LogicMonitor's additional tenant isolation setup can drive up costs.
Compliance Readiness
When it comes to compliance, LogCentral stands out with GDPR compliance and European hosting, addressing data residency concerns. Rafay and LogicMonitor, however, require extra measures to achieve full compliance, which could add complexity for MSPs.
MSP Workflow Optimization
LogCentral's native multi-tenancy enhances MSP workflows. A case in point is Whalley Computer Associates, which successfully provisioned over 20,000 customer accounts from trial to production [2]. Bill Suarez, Technical Account Manager at Whalley Computer Associates, shared:
"Using Wasabi Account Control Manager we can quickly provision accounts for users to trial the service, and then transition that to production seamlessly and quickly with all of the necessary support behind the scenes" [2].
This streamlined, self-service approach minimizes operational bottlenecks, offering a clear advantage over the more manual processes required by LogicMonitor and Rafay.
Scalability Challenges
Scalability remains a complex issue for many platforms. Traditional RBAC systems often lead to role proliferation, making them harder to manage [9]. Rafay addresses this by using ResourceQuotas and NetworkPolicies to prevent "noisy neighbor" disruptions [12][1]. Meanwhile, LogCentral's multi-tenancy simplifies scalability by centrally managing updates and security patches [10][11]. This approach reduces the administrative burden and supports smoother scaling for MSPs, highlighting the trade-offs MSPs must evaluate when choosing a platform.
Conclusion
After carefully examining these platforms, it's clear how each caters to the specific needs of MSPs managing multi-tenant cloud logging. All three platforms tackle the balance between tenant isolation and operational efficiency, but their strengths align with different priorities.
LogCentral stands out for MSPs needing GDPR-compliant, multi-tenant logging with straightforward setup. Designed with MSPs in mind, it offers native multi-tenancy, European hosting, and RBAC features, allowing seamless client management from a single dashboard. For MSPs focused on compliance and simplicity, LogCentral's combination of features makes it a top choice. Its 7-day free trial and transparent per-client pricing further simplify onboarding and billing. Add in its 99.9% uptime guarantee, geo-redundancy, and integrations like Cisco Meraki, and it becomes an efficient solution for small- to medium-sized MSPs.
LogicMonitor, on the other hand, is ideal for enterprises managing hybrid infrastructures, offering unified monitoring across logs and metrics. However, the lack of native multi-tenancy for MSPs means additional configuration is needed, which could increase setup time and maintenance demands. Its strength lies in its broad observability, making it a good fit for organisations with diverse environments, provided they can handle the higher implementation effort.
Rafay is tailored for Kubernetes-heavy environments, excelling in advanced namespace isolation and Zero Trust security. Its vCluster approach and OPA policy governance deliver robust protection for containerised workloads. That said, its Kubernetes-centric design and complexity make it less suitable for traditional syslog management or simpler deployment needs.
For MSPs operating in the EU or prioritising GDPR compliance, LogCentral's European data residency and compliance-first design are hard to overlook. Meanwhile, organisations with Kubernetes-heavy infrastructures might lean toward Rafay, and those seeking comprehensive observability across varied systems could find LogicMonitor worth the investment despite its setup challenges. Each platform has its niche, but the choice ultimately depends on the specific needs of the MSP or organisation in question.
FAQs
How does LogCentral maintain GDPR compliance in multi-tenant cloud logging systems?
LogCentral prioritises GDPR compliance in multi-tenant setups by integrating role-based access control (RBAC), encryption, and data minimisation to protect sensitive information. It also enforces strict data retention policies, ensuring logs are kept only for the required duration, all while relying on secure hosting infrastructure located within Europe.
By emphasising data segregation and using advanced security protocols, LogCentral offers a dependable solution for IT teams, managed service providers (MSPs), and businesses of various scales. This ensures adherence to European data protection regulations, even in shared environments.
How does LogCentral's RBAC system stand out from other access control methods?
LogCentral's role-based access control (RBAC) system is tailored specifically for managing logs in multi-tenant setups. With this system, administrators can assign precise, role-specific permissions, ensuring that users only have access to the data and features relevant to their roles. This not only simplifies user management but also cuts down on administrative tasks while strictly adhering to the principle of least privilege.
Unlike broader access control methods like IAM or attribute-based controls, LogCentral's RBAC is purpose-built for environments involving log data. It integrates effortlessly with the platform's multi-tenant architecture, guaranteeing strict data separation and security for different clients or teams. This makes it a perfect fit for MSPs, IT teams, and businesses handling multiple tenants or navigating complex log data workflows.
Why should MSPs in Europe consider LogCentral for data residency and compliance?
For Managed Service Providers (MSPs) in Europe, LogCentral is a standout option because it’s hosted entirely within Europe. This ensures full GDPR compliance and alignment with local data protection laws - an essential factor for organisations handling sensitive client data under Europe’s strict privacy regulations.
LogCentral also simplifies operations with its native multi-tenancy feature, allowing MSPs to securely and efficiently manage multiple clients from a single platform. Key features like 24/7 monitoring, live log visualisation, and role-based access control (RBAC) make it a robust tool for both MSPs and IT teams.
On top of that, LogCentral offers long-term data retention and intelligent alerts, which not only enhance operational efficiency but also maintain strong security and performance standards. It’s a solution designed to meet the unique challenges of MSPs while keeping data protection at the forefront.