One of the reasons that security tops the list of inhibitors for the adoption of public cloud computing is the concern around the use of multi-tenant infrastructure and applications.
However, I believe the concerns are often overblown. Everything is multi-tenant at some level. For example, we all share the same planet and the same air. Even within a physical data center, we share the same heating, cooling, and power infrastructure. Even with this small amount of shared infrastructure, there are security risks. For example, someone could walk up and unplug the network firewall (which ideally would be designed to fail closed).
Say we virtualize the data center, making CPU, memory, storage and networking a part of our shared infrastructure. Does this weaken security? Sure, someone could “unplug” a security VM, but as long as a) the hypervisor properly delivers the separation it was designed to deliver, b) we are maintaining separation of duties for policy formation, and c) the security control fails open/closed as policy dictates, this VM example is not conceptually different from someone pulling the plug on a physical firewall. Security doesn’t have to be weakened just because it is virtualized. The key foundational element here is the trust/assurance that the hypervisor does what it is designed to do.
Now consider multi-tenancy at the application level. Is this inherently less secure? As long as the multi-tenancy mechanism of the application does what it says it does in terms of effecting separation of the different tenants, it really isn’t all that different from the virtual machine scenario.
There’s risk in everything, so we must look at this through a cost/benefit/risk framework. I will agree that it is much, much harder to prove high-assurance separation the more software is involved. We have Common Criteria certification to help give us assurance (trust) that operating systems and hypervisors do what they are designed to do. What we really need is similar high-assurance testing for multi-tenant applications.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.