Securing Multi-Tenancy and Cloud Computing
How to ensure security is part of the cloud adoption strategy.
by Johnnie Konstantas
Cloud computing is the basis for Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS). At its simplest, the "cloud" is an Internet-based environment of computing resources composed of servers, software, and applications that can be accessed by any individual or business with Internet connectivity. In the case of these "service" offerings, customers (or "tenants") get a piece of the "cloud" that contains the resources they need to run their business. The advantage is a pay-as-you-go "lease" with little to no upfront cost; the tenant does not have to buy the hardware and software outright. Other benefits include the ability to scale easily and to add more services and functionality on an as-needed basis; think of Salesforce.com and its various add-on modules and user-based pricing options.
The benefits, in fact, are so compelling that cloud computing is predicted by Insight Market Research Solutions (http://www.1888pressrelease.com/insight-market-research-solutions-predicts-double-digit-grow-pr-205597.html) to be the replacement for traditional means of obtaining these services and business capabilities by 2014. A key concern is how to ensure that proper security and isolation protects consumers of these services -- the tenants -- from the risks they pose to one another.
In this article we'll examine what a tenant is, define multi-tenancy, and explain how to secure multi-tenant environments.
Tenancy and Multi-tenancy
The notion of a tenant in the context of cloud computing is not as simple as it might first appear. Consider, for example, Amazon Web Services (AWS), a cloud services provider with offerings that span application hosting, back-up and storage, e-Commerce, and media hosting, to name a few. Companies such as Autodesk, Urban Spoon, and Second Life are "tenants" of AWS; they use AWS storage and compute resources to power their customer offerings. Each firm also has its own customers who, as tenant users of these businesses, store data such as personal preferences and credit card details. In the case of Second Life, for example, if the tenants set up online businesses and services of their own, they, too, will have tenants, and so on.
In the final analysis, a cloud services tenant is sharing a resource with a community. Similar to a building tenant, the tenant's space must be separated and isolated from other occupants to achieve a certain degree of security and privacy.
The idea of multi-tenancy, or many tenants sharing resources, is fundamental to cloud computing. Service providers are able to build network infrastructures and data architectures that are extremely computationally efficient, highly scalable, and easily incremented to serve the many customers that share them. Multi-tenancy spans the layers at which services are provided.
In IaaS, tenants share infrastructure resources such as hardware, compute servers, and data storage devices. With SaaS, tenants are sourcing the same application (e.g., Salesforce.com), which means that data of multiple tenants is likely stored in the same database and may even share the same tables.
When it comes to security, the risks with multi-tenancy must be addressed at all layers. The next few sections examine how this can be accomplished for shared hardware and application infrastructure.
Securing Multi-Tenant Environments
Virtualization is often the platform that underpins IaaS offerings. Software such as VMware's vSphere, Citrix's XenServer, and Microsoft's Hyper-V provide the means of turning a single piece of hardware into a physical host for many virtual machines (VMs). These virtual machines are the databases, file servers, application servers, and Web servers that comprise the typical physical network and enable the traffic that makes commerce and communication over the Internet possible. They are also the servers offered to customers of IaaS for storing their data or running their Web-based business.
At its core, the virtualization platform includes a specialized and optimized OS called the hypervisor which in part serves to map traffic from the virtual machines to the underlying VM host hardware so that the traffic can make its way through the data center and out to the Internet (and vice versa). The majority of security concerns in the virtualized infrastructure relate to the co-residency of machines owned by different customers. This places machines in a privileged position relative to one another. This can elevate the risk for many types of breaches such as unauthorized connection monitoring, unmonitored application login attempts, malware propagation, and various "man-in-the-middle" attacks.
VM segmentation and isolation is also an absolute requirement for VMs containing regulation- and compliance-intense data such as employee details, customer information, and so forth. Most regulatory mandates (e.g., PCI, HIPAA, SOX, and GLBA) require that access be limited to a business's need to know and that control policies be set in place to enforce blocking of unwarranted access. Because the hypervisor intercepts all traffic between virtual machines and virtual machine hosts, it is the natural place to introduce segmentation for the resources of IaaS tenants where VMs might be housed within the same VM host or VM host cluster.
APIs such as VMware's VMsafe have enabled an ecosystem of security solutions that embed inside the hypervisor to introduce proper segregation, isolation, and protection of tenant resources, thereby enabling secure multi-tenancy. The security solution runs as a service inside the hypervisor and intercepts traffic or packets. In fact, products supporting VM Introspection (discussed later in this article) will also have information about the VM's state, including installed applications and services. Depending on the vendor of the security software, the solution may provide virtual network visibility to traffic, VM inventories, and VM compliance assessment as well as application-based access control and malware suppression.
Unlike IaaS -- where multiple tenants share resources -- SaaS tenants share a database. Users of Salesforce.com or SmugMug, for example, pay to use an application that manages their customers and photos respectively. Although the value is in the application interfaces that make it easy to manage complex tasks and large data sets, the data itself is stored in a database as rows in tables which the tenants of the Salesforce and SmugMug databases share. The customer ID is what distinguishes one row from the next. In this case, the chief security concern is that mis-configured application code or an error in an access control list may put tenant information at risk of theft or misuse.
For controlling access to database data, several tools and technologies are available. What is usually implemented is a system for authentication and authorization of the access request so that only certain rows or fields are modifiable based on security policies that ensure the access is warranted. Encryption of data in the database is also common to protect it at rest so that if it is ever compromised or stolen it would be difficult to decipher the underlying data.
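The shared-table risk described above comes down to one thing: every query must be scoped by the tenant that the application has authenticated, never by an identifier the request supplies. The following added example (my own code, not from the article or any product it names) models two tenants' rows in one sqlite table; the table name, column names and the sample rows are constructed for the illustration. It shows the defect pattern (a lookup by row ID alone) next to a scoped repository in which the tenant ID always comes from the session and is applied to reads and writes alike, so a cross-tenant read returns nothing and a cross-tenant update touches zero rows.

```python
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[int, str, str, str]  # (id, tenant_id, name, email)

# Constructed sample data: two tenants sharing a single "contacts" table,
# distinguished only by tenant_id, as the article describes for SaaS.
SAMPLE_ROWS: List[Row] = [
    (1, "tenant-a", "Alice Example", "alice@example.com"),
    (2, "tenant-a", "Arun Example", "arun@example.com"),
    (3, "tenant-b", "Bob Example", "bob@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory shared-table database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts ("
        " id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL,"
        " name TEXT NOT NULL,"
        " email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_contact_unscoped(conn: sqlite3.Connection, contact_id: int) -> Optional[Row]:
    """The mis-configured pattern: the lookup trusts the row ID alone.

    Because tenant_id is never checked, whichever tenant presents this ID
    receives the row, regardless of who owns it. Kept here only to contrast
    with the scoped version below.
    """
    return conn.execute(
        "SELECT id, tenant_id, name, email FROM contacts WHERE id = ?",
        (contact_id,),
    ).fetchone()


def fetch_contact(conn: sqlite3.Connection, tenant_id: str, contact_id: int) -> Optional[Row]:
    """Hardened read: tenant_id is taken from the authenticated session and
    is part of every predicate, so a row belonging to another tenant is
    simply not found (None) rather than leaked."""
    return conn.execute(
        "SELECT id, tenant_id, name, email FROM contacts WHERE id = ? AND tenant_id = ?",
        (contact_id, tenant_id),
    ).fetchone()


def list_contacts(conn: sqlite3.Connection, tenant_id: str) -> List[Row]:
    """List only the caller's own rows; the filter is not optional."""
    return conn.execute(
        "SELECT id, tenant_id, name, email FROM contacts WHERE tenant_id = ? ORDER BY id",
        (tenant_id,),
    ).fetchall()


def update_email(conn: sqlite3.Connection, tenant_id: str, contact_id: int, new_email: str) -> bool:
    """Hardened write: the same tenant predicate guards modification.

    Returns True only when exactly one row (the caller's own) was changed;
    a cross-tenant attempt matches nothing and reports False.
    """
    cur = conn.execute(
        "UPDATE contacts SET email = ? WHERE id = ? AND tenant_id = ?",
        (new_email, contact_id, tenant_id),
    )
    conn.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    db = build_db()
    # tenant-b asking for row 1 (owned by tenant-a): unscoped leaks it, scoped does not.
    print("unscoped:", fetch_contact_unscoped(db, 1))
    print("scoped  :", fetch_contact(db, "tenant-b", 1))
    print("update by wrong tenant:", update_email(db, "tenant-b", 1, "x@example.com"))
    print("tenant-a rows:", list_contacts(db, "tenant-a"))
```

The design point is that the tenant predicate lives in one repository layer that every code path must go through; if an ORM or view can issue a query without it, the "error in an access control list" the article warns about is one forgotten `WHERE` clause away. Encryption at rest, also mentioned above, protects the stored bytes but does nothing against this class of logic error, which is why both controls are needed.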
Segmentation Needed At All Layers
The types of multi-tenancy security used largely depend on the cloud-based service and how it has been implemented. Most cloud services providers provision security at all layers because they will have all types of multi-tenancy in their environments. IaaS users need to understand whether their VMs are being housed in the same host alongside those of other customers and what, if any, provisions the cloud services provider has made to isolate them. Where the onus is on the tenant to configure the segmentation, tenants should seek expert advice in defining and maintaining access control policies that enable warranted access but limit risk.
For both IaaS and SaaS tenants, the questions to ask are:
- How is my data protected at rest from prying eyes?
- How is access authenticated, authorized, and differentiated so that only the right people are looking at and managing my data?
Some questions also should be asked about the cloud service providers' policies for dealing with breaches if they occur (i.e., what are the service level agreements, mitigation plans, etc.).
The Role of VM-Introspection
Relative to the Internet and network security technologies, virtualization platforms and cloud computing architectures are new and still evolving. Be aware of innovations that may augment security for multi-tenant environments but may not be broadly known or understood. Often the standards and reference architectures we rely on for proper implementation lag technological advancement.
The concept of VM Introspection has existed for some time in academic circles and is explained largely as a hypervisor-based service that examines the internal state of a running virtual machine. Recently, technologies have been commercialized that leverage VM Introspection to provide high levels of segmentation and isolation for guest VMs or cloud service tenants. VM Introspection provides rich detail about the applications and services that are installed on the virtual machine as well as its configuration. It is possible, then, for security policies to be constructed based on VM Introspection parameters.
An example of such a policy might be: do not allow a new virtual machine to join a VM group or cluster unless it has a specific OS configuration and hot fix installed. VM Introspection takes security for multi-tenancy to a new level -- configuration errors are automatically prevented. This becomes especially important in environments where the onus for configuring security and VM isolation falls on tenants, who may or may not have experience in this area.
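The admission policy just described can be written down as a small rule evaluator over the state that VM Introspection reports. The example below is added here and is not code from the article or from any introspection product; the `VmState` record is a constructed approximation of what such a service would expose (OS name and version, installed hotfix identifiers, and a few configuration settings), and the OS name, hotfix IDs and setting names are placeholders invented for the illustration. It generalises the article's single rule (specific OS configuration plus a hot fix) into a policy with a minimum OS version, a set of required hotfixes and required settings, and it returns every reason a guest was refused so that the tenant can correct the configuration rather than guess.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class VmState:
    """Constructed shape of what an introspection service reports about a guest.
    Not a vendor API; field names are assumptions for this example."""
    name: str
    os_name: str
    os_version: str
    hotfixes: FrozenSet[str]
    settings: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class AdmissionPolicy:
    """'Do not allow a VM to join the group unless ...' expressed as data."""
    os_name: str
    min_os_version: Tuple[int, ...]
    required_hotfixes: FrozenSet[str]
    required_settings: Dict[str, object]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.1.2' into (6, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(policy: AdmissionPolicy, vm: VmState) -> Tuple[bool, List[str]]:
    """Check one guest against the policy; return (admitted, reasons_refused)."""
    reasons: List[str] = []

    # OS family must match before the version is even worth comparing.
    if vm.os_name != policy.os_name:
        reasons.append(f"os {vm.os_name!r} is not the required {policy.os_name!r}")
    elif parse_version(vm.os_version) < policy.min_os_version:
        want = ".".join(str(p) for p in policy.min_os_version)
        reasons.append(f"os version {vm.os_version} is below required {want}")

    # Every required hotfix must be present; report all that are missing.
    missing = policy.required_hotfixes - vm.hotfixes
    if missing:
        reasons.append("missing hotfixes: " + ", ".join(sorted(missing)))

    # Configuration settings are compared by exact value; absent counts as wrong.
    for key, want in policy.required_settings.items():
        have = vm.settings.get(key)
        if have != want:
            reasons.append(f"setting {key}={have!r}, required {want!r}")

    return (not reasons, reasons)


def admit_to_group(policy: AdmissionPolicy, group: List[str], vm: VmState) -> Tuple[bool, List[str]]:
    """Gate group membership on the policy: the guest's name is added only when compliant."""
    admitted, reasons = evaluate(policy, vm)
    if admitted:
        group.append(vm.name)
    return admitted, reasons


# Constructed policy: placeholder OS name, hotfix IDs and setting names.
WEB_TIER_POLICY = AdmissionPolicy(
    os_name="ExampleOS",
    min_os_version=(6, 1),
    required_hotfixes=frozenset({"HF-1001", "HF-1002"}),
    required_settings={"firewall_enabled": True, "remote_admin_open": False},
)

# Constructed introspection results for two guests.
COMPLIANT_VM = VmState(
    name="web-01", os_name="ExampleOS", os_version="6.1",
    hotfixes=frozenset({"HF-1001", "HF-1002", "HF-1003"}),
    settings={"firewall_enabled": True, "remote_admin_open": False},
)
NONCOMPLIANT_VM = VmState(
    name="web-02", os_name="ExampleOS", os_version="6.0.2",
    hotfixes=frozenset({"HF-1001"}),
    settings={"firewall_enabled": False, "remote_admin_open": False},
)


if __name__ == "__main__":
    members: List[str] = []
    for guest in (COMPLIANT_VM, NONCOMPLIANT_VM):
        ok, why = admit_to_group(WEB_TIER_POLICY, members, guest)
        print(guest.name, "admitted" if ok else "refused", why)
    print("group members:", members)
```

Evaluating the whole policy before deciding, instead of stopping at the first failure, is what makes the "configuration errors are automatically prevented" claim useful in practice: the tenant who misconfigured the guest gets the complete list of fixes in one pass.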
Automation as an Enabler
Although security for multi-tenant environments might be the overarching concern for adoption, security automation will be the true catalyst for broad use of cloud-based services. The technologies to secure IaaS and SaaS architectures are broadly available and proven. The real challenge is that the tenants don't always understand which type of architecture they are using and what, if any, is their role and responsibility for protecting their information. Cloud services providers may implement the technologies but may not fully control how they are managed and configured, as in the case where tenants themselves have sub-tenants.
The key to securing multi-tenancy is for anyone who understands himself to be a tenant (i.e., a business or consumer of IaaS and SaaS on some level) to ask their cloud provider about existing protections and about responsibilities for defining and maintaining the policies that ensure isolation from other cloud tenants.
Also key is to ask how much of the process is automated. Cloud computing environments, especially those based on virtualization, are extremely dynamic. Change is frequent and constant, which makes the likelihood of resource and security mis-configuration high. With available technologies that automate (at least for IaaS) VM protection, there is no reason to incur the higher risk, especially given the breadth of current and projected cloud services and provider options.
In cloud-based architectures, multi-tenancy means that customers, organizations, and consumers are sharing infrastructure and databases to take advantage of the price and performance advantages that come with economies of scale. Tenants may share hardware on which their virtual machines or servers run, or they may share database tables where the data of customer A is on one row and customer B is on another. Many cloud services customers are both types of tenant at once.
In either case, security measures are a must to ensure that tenants do not pose a risk to one another in terms of data loss, misuse, or privacy violation. Multi-tenancy protections must be offered by cloud services providers for all layers of their offerings (i.e., IaaS and SaaS). Cloud services providers owe it to their customers to have the latest and best approaches as available options.
Tenants must ask and be clear on the ways in which they share responsibility for their security and the security of their tenants. Lack of security expertise needn't be a barrier to cloud service adoption but security automation is key to making experts of would-be novices when it comes to securing a piece of the cloud.
Johnnie Konstantas leads marketing at Altor Networks. During her 16 years in telecommunications and security, she has held leadership positions spanning engineering, product management, and marketing. Most recently, Johnnie led the marketing efforts of Varonis Systems where she focused on building the team, automation infrastructure, and brand for establishing and sustaining category leadership. Johnnie holds a B.S. in electrical engineering from the University of Maryland. You can contact the author at firstname.lastname@example.org