Securing Multi-Tenancy and Cloud Computing
Security That Ensures Tenants Do Not Pose a Risk to One Another In Terms of Data Loss, Misuse, or Privacy Violation
Table of Contents
Executive Summary
Introduction
  What Is a Tenant?
  Defining Multi-Tenancy
Securing the Multi-Tenant Environment
  Hypervisor-Based Segmentation
  Database-Based Segmentation
  Segmentation Is Needed at All Layers
  The Role of VM Introspection
Automation as an Enabler
Conclusion
About Juniper Networks
Executive Summary
In cloud-based architectures, multi-tenancy means that customers, organizations, and consumers are sharing
infrastructure and databases in order to gain price and performance advantages. At its simplest, the “cloud” is an
Internet-based environment of computing resources comprised of servers, software, and applications that can be
accessed by any individual or business with Internet connectivity. In the case of these “service” offerings, customers (or
“tenants”) get a piece of the cloud that contains the resources they need to run their business.
Cloud computing is the basis for infrastructure as a service (IaaS) and software as a service (SaaS). These services
offer a pay-as-you-go, lease-style investment with little or no up-front cost versus buying all of the hardware and
software outright. Other benefits include the ability to scale easily and tier on more services and functionality on an “as
needed” basis (e.g., Salesforce.com and its various add-on modules and user-based pricing options). The benefits,
in fact, are so compelling that cloud computing is predicted by some to be the replacement for traditional means of
obtaining these services and business capabilities by 2014. The big concern is how to ensure that proper security and
isolation protects consumers or tenants of these services from the risks they pose to one another.
Introduction
What Is a Tenant?
The notion of a tenant in the context of cloud computing is not as simple as it might first appear. Take Amazon Web
Services (AWS), for example. AWS is a cloud service provider with offerings that span application hosting, backup and
storage, e-commerce, and media hosting, to name just a few. Companies like Autodesk, Urban Spoon, and Second
Life are tenants of AWS, in that they use AWS storage and compute resources to power their customer offerings. Each
firm also has customers who store data like personal preferences, credit cards, and information as tenant users of
these businesses. In the case of Second Life, for example, if the tenants set up online businesses and services of their
own, they, too, will have tenants and so on. In the final analysis, a cloud service tenant is sharing a resource with a
community. And similar to a building tenant, the tenant’s space must be separated and isolated from other occupants
to achieve a certain degree of security and privacy.
Defining Multi-Tenancy
The idea of multi-tenancy, or many tenants sharing resources, is fundamental to cloud computing. Service providers
are able to build network infrastructures and data architectures that are computationally very efficient, highly scalable,
and easily incremented to serve the many customers that share them. Multi-tenancy spans the layers at which services
are provided. In IaaS, tenants share infrastructure resources like hardware, compute servers, and data storage devices.
With SaaS, tenants are sourcing the same application (e.g., Salesforce.com), which means that data of multiple
tenants is likely stored in the same database and may even share the same tables. When it comes to security, the risks
with multi-tenancy must be addressed at all layers. The next few sections examine how this can be accomplished for
shared hardware and application infrastructure.
Securing the Multi-Tenant Environment
Hypervisor-Based Segmentation
APIs like VMware VMsafe have enabled an ecosystem of security solutions that embed inside the hypervisor for the
purpose of introducing proper segregation, isolation, and protection of tenant resources—thereby enabling secure
multi-tenancy. The security solution runs as a service inside the hypervisor and intercepts traffic or packets. In fact,
those products supporting VM Introspection, a concept discussed later in this paper, will also have a great deal of
information about the VM’s state, including installed applications and services. Depending on the vendor of the
security software, the solution may provide virtual network visibility to traffic, VM inventories, and VM compliance
assessment, as well as application-based access control and malware suppression.
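The decision such a hypervisor-resident service makes for each inter-VM packet can be modelled in a few lines. The block below is an added example, not Juniper or VMware code and not the VMsafe API: it combines a VM-to-tenant inventory (the kind of information introspection or the management plane supplies) with a default-deny policy between tenants, an explicit allow list for shared provider services, and a fail-closed rule for VMs the inventory does not know about. The inventory, rule set and `Packet`/`decide`/`filter_packets` names are all constructed for this illustration.

```python
"""Toy model of a hypervisor-embedded tenant isolation filter.

Added example (not Juniper, VMware or VMsafe code). It models the verdict a
security service sitting in the virtual switch path returns for a packet
between two VMs. VM_INVENTORY, ALLOW_RULES and the Packet type are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed VM inventory: which tenant owns each VM, as the management
# plane or VM introspection would report it.
VM_INVENTORY = {
    "vm-web-01": "tenant-a",
    "vm-db-01": "tenant-a",
    "vm-web-02": "tenant-b",
    "vm-shared-dns": "provider",
}

# Explicit exceptions to the default deny between tenants:
# (source tenant, destination tenant, destination port).
ALLOW_RULES = {
    ("tenant-a", "provider", 53),
    ("tenant-b", "provider", 53),
}


@dataclass(frozen=True)
class Packet:
    src_vm: str
    dst_vm: str
    dst_port: int


def decide(pkt: Packet) -> str:
    """Return the isolation verdict for one packet."""
    src_tenant = VM_INVENTORY.get(pkt.src_vm)
    dst_tenant = VM_INVENTORY.get(pkt.dst_vm)
    # Fail closed: a VM the inventory does not know has no tenant and
    # therefore no isolation policy, so dropping is the safe default.
    if src_tenant is None or dst_tenant is None:
        return "drop-unknown-vm"
    if src_tenant == dst_tenant:
        return "allow-intra-tenant"
    if (src_tenant, dst_tenant, pkt.dst_port) in ALLOW_RULES:
        return "allow-explicit-rule"
    return "drop-cross-tenant"


def filter_packets(packets: List[Packet]) -> Tuple[list, list]:
    """Apply decide() to a batch; return (allowed, dropped) with reasons."""
    allowed, dropped = [], []
    for pkt in packets:
        verdict = decide(pkt)
        (allowed if verdict.startswith("allow") else dropped).append((pkt, verdict))
    return allowed, dropped


# Constructed traffic sample: two legitimate flows and three that isolation
# must stop (cross-tenant DB access, non-DNS access to the shared service,
# and traffic from a VM missing from the inventory).
SAMPLE_PACKETS = [
    Packet("vm-web-01", "vm-db-01", 5432),
    Packet("vm-web-02", "vm-shared-dns", 53),
    Packet("vm-web-02", "vm-db-01", 5432),
    Packet("vm-web-02", "vm-shared-dns", 22),
    Packet("vm-rogue", "vm-db-01", 5432),
]

if __name__ == "__main__":
    allowed, dropped = filter_packets(SAMPLE_PACKETS)
    for pkt, why in allowed + dropped:
        print(f"{pkt.src_vm} -> {pkt.dst_vm}:{pkt.dst_port}  {why}")
```

The important design choice is the fail-closed branch: in a dynamic environment a freshly cloned or migrated VM can appear before its tenant tag does, and a filter that allowed such traffic by default would silently become a cross-tenant bridge.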
Database-Based Segmentation
Unlike IaaS where multiple tenants share resources, SaaS tenants share a database. Users of Salesforce.com or
SmugMug, for instance, pay to use an application that manages their customers and photos respectively. While the
value is in the application interfaces that make it easy to manage complex tasks and large data sets, the data itself
is stored in a database as rows in tables that the tenants of Salesforce.com and SmugMug databases share. The
customer ID is what distinguishes one row from the next. In this area, security concerns run high that misconfigured
application code or an error in an access control list may put tenant information at risk of theft and misuse.
For controlling access to database data, there are quite a few tools and technologies available. What is usually
implemented is a system for authentication and authorization of the access request so that only certain rows or fields
are modifiable based on security policies that ensure that access is warranted. Encryption of data in the database
is also common to protect it at rest, so that if it is ever compromised or stolen it would be difficult to decipher the
underlying data.
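The failure mode described above, application code that forgets the tenant filter on a shared table, is easiest to see next to a data-access layer that cannot forget it. The block below is an added example, not Salesforce.com or SmugMug code: it builds an in-memory SQLite table shared by two constructed tenants, shows a lookup keyed on the row id alone (the defect), and beside it a `TenantRepository` that binds the tenant id once, from the authenticated session, and carries it into every query. The schema, sample rows and class name are constructed.

```python
"""Tenant-scoped access to a shared table.

Added example (not Salesforce.com or SmugMug code). The `contacts` schema,
sample rows, vulnerable_lookup() and TenantRepository are constructed to show
a missing tenant filter beside a repository that always applies one.
"""
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE contacts (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    name TEXT NOT NULL,
    email TEXT NOT NULL
);
"""

# Constructed sample data: two tenants, one table, ids 1..3 in this order.
SAMPLE_ROWS = [
    ("acme", "Alice", "alice@example.com"),
    ("acme", "Bob", "bob@example.com"),
    ("globex", "Carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create the shared table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO contacts (tenant_id, name, email) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, contact_id: int) -> Optional[Tuple]:
    """Defect kept on purpose: keyed on the row id alone, so a caller acting
    for one tenant can read any other tenant's row by supplying its id."""
    return conn.execute(
        "SELECT tenant_id, name, email FROM contacts WHERE id = ?", (contact_id,)
    ).fetchone()


class TenantRepository:
    """All access to the shared table for one tenant.

    The tenant id is bound once (from the authenticated session, never from
    request input) and every statement is parameterised and filtered on it,
    so a missing filter is not something callers can introduce.
    """

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        if not tenant_id:
            raise ValueError("tenant_id is required; refuse to run unscoped queries")
        self._conn = conn
        self._tenant = tenant_id

    def get_contact(self, contact_id: int) -> Optional[Tuple[str, str]]:
        return self._conn.execute(
            "SELECT name, email FROM contacts WHERE tenant_id = ? AND id = ?",
            (self._tenant, contact_id),
        ).fetchone()

    def list_contacts(self) -> List[str]:
        rows = self._conn.execute(
            "SELECT name FROM contacts WHERE tenant_id = ? ORDER BY name",
            (self._tenant,),
        )
        return [name for (name,) in rows]

    def update_email(self, contact_id: int, email: str) -> int:
        """Return the number of rows changed; 0 means the id is not ours."""
        cur = self._conn.execute(
            "UPDATE contacts SET email = ? WHERE tenant_id = ? AND id = ?",
            (email, self._tenant, contact_id),
        )
        self._conn.commit()
        return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print("unscoped lookup of id 3:", vulnerable_lookup(db, 3))
    acme = TenantRepository(db, "acme")
    print("acme sees id 3 as:", acme.get_contact(3))
    print("acme contacts:", acme.list_contacts())
```

The same effect can be enforced inside the database with row-level security or per-tenant views; the repository pattern is the application-side equivalent and is useful where the database offers no such feature.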
Automation as an Enabler
While security for multi-tenant environments might be the overarching concern for adoption, security automation will
be the real catalyst for broad use of cloud-based services. Most will agree that the technologies to secure IaaS and
SaaS architectures are broadly available and proven. The real challenge is that the tenants aren’t always clear on
which type of architecture they are using and what, if any, is their role and responsibility for protecting their information.
Cloud service providers may implement the technologies, but may not fully control how they are managed and
configured, as in the case where tenants themselves have sub-tenants. The key to securing multi-tenancy is for anyone
who is a tenant (e.g., a business or consumer of IaaS and SaaS on some level) to ask the cloud provider about existing
protections and responsibilities for defining and maintaining policies that ensure isolation from other cloud tenants.
Also key is to ask how much of the process is automated. Cloud computing environments, especially those based
on virtualization, are extremely dynamic. Change is constant, and this makes the likelihood of resource and security
misconfiguration high. With available technologies that automate VM protection (at least for IaaS), there is no reason
to incur the higher risk, especially given the breadth of current and projected cloud service and provider options.
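The automation the section argues for is, at its core, a reconciliation loop: read what the virtualization platform reports, compare it with the tenant isolation policy, and emit corrective actions rather than waiting for an operator to notice drift. The block below is an added example, not a Juniper product feature: it checks a constructed inventory snapshot against a per-tenant security-group policy, repairs VMs whose group was lost or set to another tenant's group, quarantines VMs with no owner, and converges (a second pass produces no further actions). The snapshot format, tag names and `reconcile`/`apply_actions` functions are constructed.

```python
"""Reconciling tenant isolation policy against a live VM inventory.

Added example (not a Juniper product feature). POLICY, SNAPSHOT, the VM
record, QUARANTINE_GROUP and the action tuples are constructed to model an
automated protection loop for an IaaS environment.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional

QUARANTINE_GROUP = "sg-quarantine"


@dataclass(frozen=True)
class VM:
    name: str
    tenant: Optional[str]          # None = the VM carries no tenant tag
    security_group: Optional[str]  # None = no protection applied
    host: str


# Desired state: the security group every VM of a tenant must carry.
POLICY: Dict[str, str] = {"tenant-a": "sg-tenant-a", "tenant-b": "sg-tenant-b"}

# Constructed snapshot of what the management API reports after a day of
# clones, migrations and manual changes.
SNAPSHOT: List[VM] = [
    VM("vm-web-01", "tenant-a", "sg-tenant-a", "host-1"),  # compliant
    VM("vm-db-01", "tenant-a", None, "host-2"),            # cloned, group lost
    VM("vm-web-02", "tenant-b", "sg-tenant-a", "host-1"),  # other tenant's group
    VM("vm-tmp-77", None, None, "host-3"),                 # no tenant tag at all
]


@dataclass
class Result:
    actions: List[tuple] = field(default_factory=list)   # what to change
    findings: List[str] = field(default_factory=list)    # what to report


def reconcile(snapshot: List[VM], policy: Dict[str, str]) -> Result:
    """Compare observed VMs with policy; return actions and human findings."""
    res = Result()
    for vm in snapshot:
        wanted = policy.get(vm.tenant) if vm.tenant else None
        if wanted is None:
            # Ownership unknown: nothing to auto-assign, so isolate it and
            # escalate. Idempotent: an already quarantined VM gets no action.
            reason = "no tenant tag" if vm.tenant is None else f"tenant {vm.tenant} has no policy"
            res.findings.append(f"{vm.name}: {reason}; quarantined pending an owner")
            if vm.security_group != QUARANTINE_GROUP:
                res.actions.append(("set_security_group", vm.name, QUARANTINE_GROUP))
            continue
        if vm.security_group != wanted:
            # A wrong group (another tenant's) is worse than a missing one:
            # it may already permit cross-tenant traffic.
            sev = "high" if vm.security_group not in (None, QUARANTINE_GROUP) else "medium"
            res.findings.append(
                f"{vm.name}: [{sev}] group {vm.security_group} but policy requires {wanted}"
            )
            res.actions.append(("set_security_group", vm.name, wanted))
    return res


def apply_actions(snapshot: List[VM], actions: List[tuple]) -> List[VM]:
    """Model the platform applying the actions; returns a new snapshot."""
    by_name = {vm.name: vm for vm in snapshot}
    for _kind, name, group in actions:
        by_name[name] = replace(by_name[name], security_group=group)
    return [by_name[vm.name] for vm in snapshot]


if __name__ == "__main__":
    first = reconcile(SNAPSHOT, POLICY)
    for line in first.findings:
        print(line)
    print("actions:", first.actions)
    second = reconcile(apply_actions(SNAPSHOT, first.actions), POLICY)
    print("actions after applying:", second.actions)
```

Running this on a schedule, or on every VM lifecycle event, is what turns "change is constant" from a source of misconfiguration into something the control plane corrects within minutes, while the findings list still surfaces the cases (an ownerless VM) that need a person.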
Conclusion
In cloud-based architectures, multi-tenancy means that customers, organizations, and consumers are sharing
infrastructure and databases in order to gain the price and performance advantages that come with
economies of scale. Tenants may share hardware on which their virtual machines or servers run, or they may share
database tables where the data of customer A is on one row and that of customer B is on another. Many cloud service
customers are comprised of both types of tenants. In either case, security measures are “a must” to ensure that tenants
do not pose a risk to one another in terms of data loss, misuse, or privacy violation. Multi-tenancy protections must be
offered by cloud service providers for all layers of their offerings (i.e., IaaS and SaaS). Cloud service providers owe it
to their customers to have the latest and best approaches as available options. Tenants must ask and be clear about
the ways in which they share responsibility for their security and the security of their tenants. Lack of security expertise
needn’t be a barrier to cloud service adoption, but security automation is key to making experts of would-be novices
when it comes to securing a piece of the cloud.
Copyright 2012 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos,
NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. All other trademarks, service marks, registered marks, or registered service marks are the property of
their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.