Deploying OpenTelemetry in legacy and industrial environments requires a fundamentally different security approach than cloud-native systems. Key challenges include inability to modify source systems, flat or weakly segmented networks, long patching cycles, and non-standard sensitive data like production process configs. The recommended strategy treats the OTel Collector as a controlled security boundary rather than a simple data router. Practical guidance covers two Collector deployment models (external bridge vs. embedded), data minimization, scrubbing with transform/redaction processors, constraining ingestion endpoints, and classifying telemetry by source trust level. The core mindset shift: security is about selecting the safest path to useful visibility, not achieving ideal observability.
Table of contents
Why legacy environments are different
Security challenges unique to legacy systems
Designing a secure telemetry pipeline under constraints
A pragmatic decision model for securing telemetry
Handling sensitive operational data
Reducing attack surface
Security as a trade-off
Conclusion
Further reading and resources
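As an added example (not taken from the original article), the following Collector configuration applies the summary's points to the external bridge model: an OTLP endpoint bound to one interface with mutual TLS, attribute removal with the transform processor, and value masking with the redaction processor. The addresses, file paths, attribute names and backend host are placeholders chosen for illustration.

```yaml
# Added example: external "bridge" Collector in front of a legacy segment.
# Addresses, paths, attribute names and the backend host are placeholders.
receivers:
  otlp:
    protocols:
      grpc:
        # Weak setting for comparison: "0.0.0.0:4317" without TLS accepts
        # telemetry from any host on a flat network.
        endpoint: 10.20.0.5:4317   # bind only the interface facing the legacy segment
        tls:
          cert_file: /etc/otelcol/tls/collector.crt
          key_file: /etc/otelcol/tls/collector.key
          client_ca_file: /etc/otelcol/tls/plant-ca.crt   # require client certificates

processors:
  memory_limiter:
    check_interval: 1s
    limit_mib: 256
  # Data minimization: drop attributes that carry production process configuration.
  transform/minimize:
    error_mode: ignore
    trace_statements:
      - context: span
        statements:
          - delete_key(attributes, "recipe.parameters")
          - delete_matching_keys(attributes, "^plc[.]config[.]")
  # Scrubbing: mask attribute values that look like credentials or internal addresses.
  redaction/scrub:
    allow_all_keys: true
    blocked_values:
      - '(?i)password=[^;&]+'
      - '10[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}'
    summary: info
  batch:

exporters:
  otlp:
    endpoint: telemetry-gw.example.internal:4317
    tls:
      ca_file: /etc/otelcol/tls/backend-ca.crt

service:
  pipelines:
    traces:
      receivers: [otlp]
      processors: [memory_limiter, transform/minimize, redaction/scrub, batch]
      exporters: [otlp]
```

The transform and redaction processors ship in the Collector contrib distribution, and `otelcol-contrib validate --config <file>` checks the file before it is deployed.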