Edward Haletky (blog) once asked me what I thought secure multi-tenancy was in relation to Cloud Computing. I am willing to admit that at first I gave an answer reminiscent of a Ronald Reagan quote.
Due to the painful memory of this event the actual definition of what security multi-tenancy is has always had my attention. I work with a lot of vendors and despite what their marketing and sales people declare their understanding of this topic is wide ranging in maturity and reality. Just as there is Cloud washing there is a lot of secure multi-tenancy washing going on.
This week I actually had to sit down and document in a paper what secure multi-tenancy is. How would we know when it had been achieved?
Of course one usually starts such an activity with Wikipedia and Google, just like my children do for their school work.
Given how much you hear this phrase these days its a surprise that there is no clear and concise definition out there. One of the earlier ones is from the Cisco Validated Design that they produced with Netapp. It states
... the capability to provide secure isolation while still delivering the management and flexibility benefits of shared resources. Both private and public cloud providers must enable all customer data, communication, and application environments to be securely separated, protected, and isolated from other tenants. The separation must be so complete and secure that the tenants have no visibility of each other.That is reasonable but personally I did not feel it catered as a measure of success. So I sad down and tried to summarise what I have learnt and have been implementing over the last few years.
Secure multi-tenancy ensures that for a shared service:
- No tenant can determine the existence or identity of any other tenant.
- No tenant can access the data in motion (network) of any other tenant.
- No tenant can access the data at rest (storage) of any other tenant.
- No tenant can perform an operation that might deny service to another tenant.
- Each tenant may have a configuration which should not be limited by any other tenant's existence or configuration. For example in naming or addressing.
- Where a resource (compute, storage or network) is decommissioned from a tenant the resources shall be cleared of all data and configuration information.