All Posts in “What is Cloud?”

Multi-tenancy means what exactly?

This blog may just turn into a vocabulary lesson for IT people. Today’s word is multi-tenancy.

courtesy of Rob Nolen

Multi-tenancy is the part of cloud design that enables shared resources and infrastructure. Those of you who know me know that I work for EMC covering the U.S. Federal Government as a vSpecialist, so I will default to the NIST standard first. The term Resource Pooling is used in the NIST Cloud Definition Guidance:

Resource pooling – The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

Then in the Guidance for Security and Privacy in Public Cloud Computing we find this:

Shared Multi-tenant Environment. Public cloud services offered by providers have a serious underlying complication—client organizations typically share components and resources with other consumers that are unknown to them. Rather than using physical separation of resources as a control, cloud computing places greater dependence on logical separation at multiple layers of the application stack [Owa10]. While not unique to cloud computing, logical separation is a non-trivial problem that is exacerbated by the scale of cloud computing (e.g., [Bos11]). An attacker could pose as a consumer to exploit vulnerabilities from within the cloud environment, overcome the separation mechanisms, and gain unauthorized access. Access to organizational data and resources could also inadvertently be exposed to other consumers or be blocked from legitimate consumers through a configuration or software error [Opp03]. Threats to network and computing infrastructures continue to increase each year and become more sophisticated. Having to share an infrastructure with unknown outside parties can be a major drawback for some applications and require a high level of assurance pertaining to the strength of the security mechanisms used for logical separation.

NIST doesn’t completely define multi-tenant models, does it? Nope. Part of that is due to the fact that the standard is watered down by the industry to ensure vendors can continue to support their customers. No knock on NIST here, because it has to be a tough job to create a standard for an entire industry. NIST builds the standard partially through industry input; they look at what is available and what is coming, and set definitions and guidelines based on those insights. Sometimes this leads to solid guidance and clear direction; other times it leads to a loosely coupled series of semi-defined concepts. This is certainly one of those times.

So where do we then turn for guidance? How about the NSA? The NSA defines multi-tenancy thusly:

Multi-Tenancy – Multi-tenancy is the sharing of a common cloud resource that allows the cloud provider to efficiently utilize resources for multiple tenants and can be applied to all three cloud services (IaaS, PaaS, SaaS). Sharing resources, however, could result in residual data or operations being visible or discoverable by another user due to vulnerabilities or insecure configurations. There are varying degrees and definitions of Multi-tenancy among cloud providers and many providers have the option of not sharing resources at an additional cost.

Hahaha, ok, sorry. Clearly we need to go outside of the government if we want clear and concise on this topic, terms the government is not known for. Since I have been beating on Gartner lately, let’s see what Forrester has to say about this.

Our definition: Multitenancy defines IT architectures that let multiple customers (tenants) share the same applications and/or compute resources with security, reliability, and consistent performance.

Our research yielded three major findings about multitenant architectures. These are:

  1. Multitenant architectures must strike a balance between sharing and security. To deliver cost savings and scalability, a multitenant architecture must be able to manage dynamic resource consumption by its tenants without violating their security. These two goals ultimately conflict with one another, since shared resources and individual security rarely go hand in hand.

  2. Two common multitenant architecture models have arisen. Dedicated resource models stake boundaries within shared infrastructure, defining the resources a tenant can access, allowing for tangible and secure walls but lower flexibility. Metadata map models chart protected pathways to shared resources, allowing for increased flexibility, but they ultimately may feel less secure.

  3. Despite resource sharing, multitenancy will often improve security. Most current enterprise security models are perimeter-based, making you vulnerable to inside attacks. Multitenant services secure all assets at all times, since those within the main perimeter are all different clients. Leveraging a mix of dedicated resources and metadata map architectures, these services can deliver stronger security.
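The two Forrester models above, together with the earlier NIST point that logical separation fails through “a configuration or software error”, as an added Python sketch of my own (not Forrester’s, NIST’s or any vendor’s code; the tenant names and records are constructed):

```python
# Added illustration of the two multitenant models described above; it is not
# the code of any product or standard. Tenants, keys and values are constructed.
from dataclasses import dataclass, field
class IsolationError(PermissionError): "A request crossed a tenant boundary."

@dataclass
class DedicatedPools:
    """Dedicated-resource model: each tenant owns a separate store."""
    pools: dict = field(default_factory=dict)

    def put(self, tenant, key, value):
        self.pools.setdefault(tenant, {})[key] = value

    def get(self, tenant, key):
        # A request can only address its own pool; there is no filter to forget.
        return self.pools.get(tenant, {}).get(key)

@dataclass
class MetadataMap:
    """Metadata-map model: one shared store plus an owner map."""
    store: dict = field(default_factory=dict)
    owner: dict = field(default_factory=dict)

    def put(self, tenant, key, value):
        if self.owner.get(key, tenant) != tenant:  # no cross-tenant overwrite
            raise IsolationError(f"{tenant} may not write {key}")
        self.store[key] = value
        self.owner[key] = tenant

    def get(self, tenant, key):
        # The "protected pathway": isolation exists only because of this check.
        if self.owner.get(key) != tenant:
            raise IsolationError(f"{tenant} may not read {key}")
        return self.store[key]

    def get_unscoped(self, key):
        # The software error NIST warns about: a read path without the owner check.
        return self.store[key]

def cross_tenant_read():
    # Tenant B asks for tenant A's record under each model.
    ded, shared = DedicatedPools(), MetadataMap()
    for backend in (ded, shared):
        backend.put("tenant-a", "invoice-1", "A's invoice")
    out = {"dedicated": ded.get("tenant-b", "invoice-1")}  # None: nothing there
    try:
        out["metadata_map"] = shared.get("tenant-b", "invoice-1")
    except IsolationError:
        out["metadata_map"] = "denied"
    out["unscoped"] = shared.get_unscoped("invoice-1")  # leaks "A's invoice"
    return out
```

In the dedicated model the boundary is structural; in the metadata-map model every single read and write path has to consult the owner map, and one path that skips it is the exposure the NIST text describes.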

You know what, I can live with this, because at the end of the day it does actually depend.

We will never get everyone to agree on the definition of something like multi-tenant until we reach the utilization stage of solution maturity. Cloud is maturing, but it’s not there yet. In the meantime we just need to know that everyone is trying to position their solutions as multi-tenant. If you are reading this, odds are you are in a position to advise or make IT decisions, so you need to know that words and language have power (I know I have said it before). Understand that some products built for hybrid cloud management, like vRealize Automation, are only meant for multi-tenancy within a single organization (as of today). Public cloud management solutions that rely on logical separation of shared resources are not without risk. Multi-tenant dedicated-resource backends are expensive; they avoid the hardware and networking issues found in logical separation, but they tend to have front-end issues with portals or the ever-present user-created security gap.

Education and understanding lead you to intelligent, open-eyed decisions, which means you can mitigate, accept, or minimize the risks you take. Multi-tenancy will be defined by the customer, so let’s make sure we all define their understanding of the word clearly to assist them in making the best choice possible.

Intro to Cloud 101

I, along with so many IT professionals, hate the term “Cloud” because it tends to be used for everything under the sun anymore. I wanted to take this post to go into what cloud actually is and what types of cloud are out there. This is Cloud 101, first-day syllabus stuff, and will be part of a series on cloud technologies that I have been researching and testing. So let’s get into it, and if anyone has any questions please let me know.

What is “Cloud”?

I will leave the first use of the actual word up to MIT’s Antonio Regalado, who blogged about it here. But what is “cloud” in the context of a technology? Is it the concept of hosting your data in a public data center? Or is it the idea of having applications and data available from anywhere at any time via mobile or traditional clients?

There are differences of opinion here because of the differences in types of cloud. Public, Private, and Hybrid are the current topology-defined categories. But within Public cloud, for example, there are Single Site, Co-located, Shared Resource, and Dedicated Resource topology possibilities. The quick answer is that Cloud is a combination of resources that provide resilient access to applications and data.

Public Cloud: Hosted computing resources in a data center that your organization doesn’t own or operate. Support options range from touch support to fully managed services for the servers and VMs in the environment.

Single Site, Multi-Site, Co-Located: When researching Public Cloud providers or Hosted Solution Providers, make sure you determine whether your cloud will be hosted at a single site or multiple sites, or whether it will be in a co-located data center. Single Site provides you with just that: a single data center that hosts your cloud. This may be all your organization needs if the data center is capable of five 9’s (99.999% uptime). But the reality is you will have redundant redundancy with multi-site providers. Some cloud providers are co-located, or co-los; this means they rent space in a larger hosting company’s data center to get their multi-site redundancy. A co-lo tends to be a bigger data center with better pipes (bandwidth for incoming and outgoing connections) than a single-site instance that a smaller cloud provider may own. Then the question of SLAs (Service Level Agreements) needs to be discussed: what guarantees are you getting from the Cloud provider that your data will be available and secure? A good cloud provider will offer credits back for any downtime outside of what the SLAs express as maintenance.

Pros:
  • Public Cloud gets the IT budget burden of hardware and virtual platform licenses out of your organization’s budget
  • Can reduce the cost of application delivery and overall OPEX

Cons:
  • Security: this isn’t really a negative. Just like any other IT initiative, if you properly plan your security and implement smart policies you can achieve a secure cloud environment
  • CAPEX: the initial migration can seem like a large investment; ROI needs to be examined, and OPEX should be included in that analysis
  • Change Management is needed more than in a private environment, to ensure that your organization doesn’t impact the SLAs and that your provider is living up to their end of the agreement
  • IT Department push-back: this is the biggest issue. The fix is to help the IT team understand the goal and direction of the organization and how cloud plays into that

Private Cloud: Your organization utilizes its internal IT resources to provide access to applications and data. Typically this is a multi-site approach, with secondary data centers or branch offices being used for redundancy.

Pros:
  • CAPEX investments have already been made in most situations, so a cloud vision can be realized with fewer dollars
  • Ownership: the organization owns the hardware and software implemented in the cloud, which means it can be depreciated and written off over time as well
  • The other piece of ownership is that the organization has direct control over the assets and the personnel who work in your environment. This is the old adage that an enemy within can wreak more damage than an enemy at the gate. Knowing the staff in your IT environment is a valuable security measure.

Cons:
  • CAPEX & OPEX: the organization is still paying for the IT personnel and resources, as well as power and cooling for the data center
  • Cost of application licenses that are sometimes included in public cloud offerings

Hybrid Cloud: Exactly what it sounds like: your organization maintains both a public and a private cloud presence, with applications in both locations. This allows secure data to be kept in the private cloud and public data to be provided from the public cloud. Data and applications can easily move between the two environments.

Pros:
  • Best of both worlds: managed environments with lower CAPEX
  • Maneuverability and redundancy for critical environment applications
  • Lower OPEX/CAPEX for a fail-over site than dual on-premises or dual public cloud solutions

Cons:
  • Cost: essentially this boils down to having your cake and eating it too. Your organization has the costs of both an on-premises site and a public cloud hosting site.