Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Multi-tenancy Doesn’t Have to be bad for Security

by Neil MacDonald  |  January 14, 2011

One of the reasons that security tops the list of inhibitors for the adoption of public cloud computing is the concern around the use of multi-tenant infrastructure and applications.

However, I believe the concerns are often overblown. Everything is multi-tenant at some level. For example, we all share the same planet and the same air. Even within a physical data center, we share the same heating, cooling, and power infrastructure. Even with this small amount of shared infrastructure, there are security risks. For example, someone could walk up and unplug the network firewall (which ideally would be designed to fail closed).

Say we virtualize the data center, making CPU, memory, storage and networking a part of our shared infrastructure. Does this weaken security? Sure, someone could “unplug” a security VM, but as long as a) the hypervisor properly delivers the separation it was designed to deliver, b) we maintain separation of duties for policy formation and c) the security control fails open/closed as policy dictates, this VM example is not conceptually different from someone pulling the plug on a physical firewall. Security doesn’t have to be weakened just because it is virtualized. The key foundational element here is the trust/assurance that the hypervisor does what it is designed to do.

Now consider multi-tenancy at the application level. Is this inherently less secure? As long as the multi-tenancy mechanism of the application does what it says it does in terms of effecting separation of the different tenants, it really isn’t all that different from the virtual machine scenario.

There’s risk in everything, so we must look at this through a cost/benefit/risk framework. I will agree that it becomes much, much harder to prove high-assurance separation as more software is involved. We have Common Criteria certification to help give us assurance (trust) that operating systems and hypervisors do what they are designed to do. What we really need is similar high-assurance testing for multi-tenant applications.


2 responses so far ↓

  • 1 Asish Kumar   January 19, 2011 at 11:20 pm

    Multi-Tenancy is an Architecture and Design style. It depends on the Technical Leader how he architects and designs the solution. We should separate Technology and Implementation. All virtualization security is part of implementation. Any security issues related to data, Application, Infrastructure should be the failure of the Implementation team, not the Technology. In other words, in the Virtualization and Virtual Component model based solution, Security would be the most prime factor for implementors. The Architect should have strong skills in security as well.

    I am talking to IT Heads/CIOs about Virtualization/Cloud Technology. They raise concerns about Security. It is a challenge for a Technology Evangelist to convince a CIO/IT Leader.

  • 2 Neil MacDonald   January 20, 2011 at 10:51 am

    Asish,

    You say “Any security issues related to data, Application, Infrastructure should be the failure of Implementation team not the Technology”

    Two things to consider here:
    1) Many times the developers and technical architects don’t have the training or tools to properly incorporate security into the design and development of multi-tenant applications. Many times I see that the mindset to properly secure an application (thinking like an attacker and trying to break things) doesn’t come naturally to traditional developers, who are focused on making things work.

    2) Even then, some of the foundational platform elements we depend on to deliver separation (the OS, the hypervisor, the application platform) themselves have vulnerabilities which could potentially result in a breakdown in separation.

    Neil