Cloud-10 Multi Tenancy and Physical Security
R7: Multi Tenancy and Physical Security
Multi-tenancy in cloud means sharing of resources and services among multiple consumers and clients (tenants). It means physical resources (such as computing, networking, storage) and services are shared, also the administrative functionality and support may also be shared. One of the big driver for providers is to reduce cost by sharing and reusing resources among tenants.
In a multi-tenant environment a lot more security dependence on the logical segregation (at multiple layers) rather than the physical separation of resources. Some of the cloud providers due to mult-tenancy may not allow audit and assessment by a particular tenant within their shared infrastructure.
- Inadequate Logical Security Controls: Physical resources (CPU, networking, storage/databases, application stack) are shared between multiple tenants. That means dependence on logical segregation and other controls to ensure that one tenant deliberately or inadvertently can not interfere with the security ( confidentiality, integrity, availability) of the other tenants.
- Malicious or Ignorant Tenants: If the provider has weaker logical controls between tenants, a malicious or an ignorant tenant may reduce the security posture of other tenants.
- Shared Services can become single point of failure: If the provider has not architected well the common services, they can easily become single point of failure due to misuse or abuse by a tenant.
- Uncoordinated Change Controls and Mis configurations: When multiple tenants are sharing the underlying infrastructure all changes needs to be well coordinated and tested .
- Co-mingled Tenant Data : To reduce cost providers may be storing the data from multiple tenants in same database table-spaces and backup tapes. Data destruction can become a challenge in multi-tenancy especially if data is stored in the shared media (databases, backups, archives).
- XaaS Specific Risks
- SaaS: Multiple clients (tenants) may be sharing the same application stack ( database, app/web servers, networking). That means the data from multiple tenants may get stored in the same database, may get backed up and archived together, may be moving on common networking devices (unencrypted), and managed by common application processes. This puts a heavy emphasis on logical security built within the application to separate one tenant's users from others.
- PaaS: Platform stack is shared among the tenants. Vulnerability in the platform stack can allow bleeding between tenants. Shared data backups and archives.
- IaaS: Cross Virtual machine attacks. Cross network traffic listening. Co-residents with lower security posture, where they are less concerned about keeping their hosts hardened and patched . Especially when these hosts gets compromised and owned by the attackers.
- Tenants can always negotiate or demand from the cloud provider to have their own separate physical infrastructure, databases, storage, networking gears,.. . Isolation does play a great role in the security field. However, it does increase the cost for tenants/clients.
- For encrypting the data and keeping it separate from other tenants , strong encryption complemented by tenant-owned key management is required. In a virtualized environment, this means that encryption can be done granularly on a per-VM basis, with key management owned by the tenant and not the service provider .
- Tenants should have control on administrative access to all their resources running. One of the way is to have audit-ability of admin access enabled at all the layers of stack (OS, networking, applications , databases) that can be auditable by the tenants. Provider may still be doing the administration but under strong auditable environment.
- Virtual Private Cloud (VPC): It is a private cloud existing within a shared or public cloud. A VPC is a way to partition a public cloud (multi-tenancy) into quarantined virtual infrastructure  and link it back to the tenants internal resources by encrypted network links.
- Alternate assessment options or contractual exceptions if the auditing is required as per the consumer's security posture but provider does not allow it .