Understanding the risks of multi tenancy

The very thing that makes you rich makes me poor. It’s a great song when sung by Ry Cooder, and with a bit of a stretch, it could apply to cloud computing.

The very thing that makes cloud efficient makes it insecure. OK, potentially insecure, but that doesn’t scan so well.

Offering user companies, or tenants, access to shared databases, applications or operating systems can optimise the use of these resources and minimise unnecessary capacity. But herein lies the problem. Offering multiple tenants access to the same database or application raises the possibility of them seeing, and using, each other’s data, either through accident or malice.

These concerns over co-location have muddied the message on cloud benefits and led some of the larger applications vendors entering this space to make major missteps. SAP, for example, had to redesign its ByDesign software-as-a-service offering for multi tenancy, because it could not make it pay commercially otherwise.

It initially avoided multi tenancy in deference to its customers’ perceived security requirements. The potential risks of multi tenancy are also behind the drive to private clouds.

So, with cloud computing it is buyer beware, while also understanding that the inherent security risks are relative. In-house IT also has its security flaws, relying, as it largely does, on perimeter security. Once a hacker is in, there is little to protect data, besides intrusion detection, which can only stop a breach that has already taken place.

There are reasons to believe cloud computing may be more secure than traditional approaches to IT. For a start, cloud vendors are focused on the problem. Their entire business depends on maintaining a good reputation as a safe place to put corporate data.

An IT security lapse at an automotive firm could be disruptive, but for a cloud vendor it’s game over. Secondly, customers are forcing openness on security: cloud vendors expect to be asked about security policy and architecture, so they put time and effort into thinking these things through. Lastly, because cloud vendors operate a tightly controlled IT environment, lapses in patches and security updates are less likely to occur.

This is not to say that the problem is solved. It never will be. Be sure you have the security model that is right for the service you require, and ensure that you have evidence that the resulting processes have been audited. Make multi tenancy work for you, or use a private cloud if you can’t.

Copyright © 2012 IDG Communications, Inc.