Cars, Highways, and Ninjas = Secure Clouds?

Where to draw the line? The term secure multi-tenancy has become the bane of my existence recently. I was having a conversation with a friend at VMworld and realized that the issue is one of where we draw the line of demarcation.

When it is said that VMware vRealize Automation (vRA) provides secure multi-tenancy, it really means that there is a logical separation that demarcates one team's policy from another. That isn't the same as, say, VMware vCloud Director (vCD), which draws a logical separation around all resources, including network, storage and compute. The analogy of cars and highways became the communication platform of choice. So let's get into it.

A car as a tenant has all of the components needed to drive it wherever the driver, or tenant owner, wishes to go. There is an assumption of security in that car, and when properly secured with the doors locked and windows up, this car is a secure tenant environment. The highway that the car wishes to drive on is then viewed as the infrastructure, and as long as one car drives down its own highway all things are okie dokie. In this scenario the road has no lanes of separation and the driver can drive at their own pleasure. This is then a private cloud, with the tenant owner owning the road that they drive down as well as the car.

Let's start with multiple tenants. If there is more than one car on the same highway and both are equally secured, then great, no problem, as long as both stick to the same rules and don't run into each other. This is where defining lanes is imperative, not just as a policy standard but also as a logical separation. But what happens if one of the drivers wants to open the sunroof? Should they not be allowed to do that, even if they understand the risks associated with it? In my last blog post I talked about risk management. This is a matter of assessing the risk based on knowing the other cars are secure, but what if one of the other cars has a ninja? When the ninja decides he wants to jump from car to car and slips into a sunroof, he can ruin the highway for everyone by crashing his car into everyone else. This is where things get crazy: if we think that policy alone will ensure that cars won't go driving around smashing into each other, then we are most likely correct, but how do we keep out the ninjas? Partly we do this through logical separation, ensuring no hopping across storage, compute or networking components. Again, this is a matter of risk assessment, acceptance and mitigation.

It's important to note that this isn't the most secure method. You still need to accept that ninjas can jump into sunroofs; you just need to watch for them and have precautions in place. If you are risk averse you could air gap each tenant onto its own set of infrastructure, but this essentially loses every aspect of what drives clouds to be more cost effective than traditional data centers.

There are micro-segmentation techniques for separating organizations within a tenant, and macro-level segmentation for dividing physical resources into logical ones for multi-tenant environments. There are Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), there are firewalls and host-based security services, but at the end of the day it comes back to risk management.

So the answer is no: vRA does not provide secure multi-tenant capability as per my definition. But it does allow for policy-based separation. So if you trust all of the other cars on the road to follow the rules and not crash into you, then maybe you can accept the risk of driving vRA with other tenants. vCD is logical separation: if you are cool with the other cars on the road knowing the rules, having their own lanes to stay in and there being some guard rails, then maybe vCD is your cup of tea. Yet if you can't deal with the craziness of this and want separate highways for every driver, then air-gapped physical separation may be your bag.

Whatever solution you choose, do the risk assessment, understand what you are getting yourself into, and know how to mitigate the risks that are there. You will have to accept a certain amount of risk; business justifications are typically the best way to CYA on those decisions. The equation is very simple:

Risk = Threat x Vulnerability x Cost 

Risk assessments are both quantitative and qualitative: each risk you identify is quantified and qualified so that it can be measured and rated, and then sorted into what gets mitigated, what gets accepted, and what gets avoided.
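To make the formula and the three outcomes concrete, here is an added example (my own illustration, not code from the original post or from VMware): a small risk register that scores the tenancy models the post contrasts with Risk = Threat x Vulnerability x Cost, rates the number qualitatively, and then walks accept, mitigate and avoid against a risk appetite. Every score, dollar figure, control name and band boundary in it is a constructed assumption, not a measurement of vRA or vCD; the decision rule (add the control with the best risk reduction per dollar while it removes more risk than it costs, otherwise air gap) is mine, not the author's.

```python
"""Added example, not from the original post: a risk register that applies
Risk = Threat x Vulnerability x Cost to constructed tenancy models and then
works through the three outcomes of an assessment: accept, mitigate, avoid.
All numbers and control names are illustrative assumptions."""
from dataclasses import dataclass, field, replace


@dataclass
class Control:
    """A mitigation: removes a fraction of the vulnerability for an annual cost."""
    name: str
    vuln_reduction: float   # 0.0 .. 1.0, fraction of vulnerability removed
    annual_cost: float


@dataclass
class TenancyModel:
    name: str
    threat: int             # how likely a hostile tenant (a "ninja") is, 1-5
    vulnerability: int      # how easy hopping between tenants is, 1-5
    cost: float             # impact in dollars if a hop succeeds
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> float:
        """The post's formula with no controls applied."""
        return self.threat * self.vulnerability * self.cost

    def residual_vulnerability(self) -> float:
        v = float(self.vulnerability)
        for c in self.controls:
            v *= 1.0 - c.vuln_reduction
        return v

    def residual_risk(self) -> float:
        """Same formula, with each control shaving the vulnerability term."""
        return self.threat * self.residual_vulnerability() * self.cost


# Qualitative bands so the quantitative number can also be rated (constructed).
BANDS = ((50_000, "low"), (250_000, "moderate"), (1_000_000, "high"))


def rate(risk: float) -> str:
    for limit, label in BANDS:
        if risk <= limit:
            return label
    return "critical"


def payoff(model: TenancyModel, control: Control) -> float:
    """Dollars of risk removed if `control` is added to `model`."""
    trial = replace(model, controls=model.controls + [control])
    return model.residual_risk() - trial.residual_risk()


def assess(model: TenancyModel, appetite: float, candidates: list) -> dict:
    """Accept if residual risk is within appetite; otherwise add the control with
    the best risk reduction per dollar, as long as it removes more risk than it
    costs; if no justified set of controls gets under appetite, avoid (air gap).
    Works on a copy so the caller's model is left untouched."""
    work = replace(model, controls=list(model.controls))
    remaining = list(candidates)
    added = []
    while work.residual_risk() > appetite and remaining:
        best = max(remaining, key=lambda c: payoff(work, c) / c.annual_cost)
        if payoff(work, best) <= best.annual_cost:
            break  # the cheapest-per-dollar option still costs more than it saves
        remaining.remove(best)
        work.controls.append(best)
        added.append(best)
    residual = work.residual_risk()
    if residual <= appetite:
        decision = "mitigate" if added else "accept"
    else:
        decision = "avoid"
    return {
        "model": model.name,
        "decision": decision,
        "inherent": model.inherent_risk(),
        "residual": residual,
        "rating": rate(residual),
        "controls": [c.name for c in added],
        "control_cost": sum(c.annual_cost for c in added),
    }


# Constructed sample register: the two shared-highway models the post contrasts.
CONTROLS = [
    Control("IDS/IPS", vuln_reduction=0.25, annual_cost=40_000),
    Control("micro-segmentation", vuln_reduction=0.50, annual_cost=60_000),
    Control("host-based security", vuln_reduction=0.20, annual_cost=30_000),
]
VRA = TenancyModel("vRA, policy-based separation", threat=3, vulnerability=4, cost=100_000)
VCD = TenancyModel("vCD, logical separation", threat=3, vulnerability=2, cost=100_000)
APPETITE = 250_000  # most cross-tenant risk the business will accept (constructed)

if __name__ == "__main__":
    for model in (VRA, VCD):
        print(assess(model, APPETITE, CONTROLS))
```

With these made-up numbers, the vCD model lands inside appetite after two justified controls (mitigate), while the vRA model is still over appetite even with all three (avoid, meaning the separate highway), and a tenant you fully trust is simply accepted. Change the scores and the appetite and the decisions move with them, which is the whole point of doing the assessment rather than assuming one answer.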

I am not going to get into this process because I don't feel like writing a CISSP study guide. If you want to know more, ask questions and read the many sites out there. Who knows, maybe we will start to see security become a major part of cloud designs moving forward, and we will all have armored cars on every highway we drive on.