Multi-tenant cloud security requires enterprise awareness

Moving to a multi-tenant cloud environment can be daunting, but many of the usual risks are legacy issues. Expert Rob Shapland discusses what to know before moving.

Changing cloud providers can be a painful process, and it can be easy to get locked in to one provider. However, one of the security risks organizations tend to be concerned with when moving environments is transitioning from a single-tenant environment, where an organization has its own distinct hardware or database, to multi-tenant environments. This transition is usually done to allow cost savings, since single-tenancy attracts a significant premium.

The impact of multi-tenancy differs based on whether we are considering infrastructure as a service or software as a service. IaaS will have data from multiple companies on the same hardware, sharing resources such as computing, networking and storage. SaaS customers all share the same application, which can mean that all the data will be stored in shared databases and sometimes even the same tables.

Many of the multi-tenant cloud security risks organizations perceive with this environment are legacy concerns from when the cloud was in a less mature state. Nowadays, the risks of data being accessed from another customer on the same shared hardware are down to the cloud provider to manage and resolve in most instances. Cloud security has evolved, so the risk associated with multi-tenancy has been reduced, especially with the major cloud providers such as Amazon and Microsoft. However, it is important for organizations to understand how a cloud provider should be securely handling multi-tenant environments, so they can ask all the important questions when they are considering a new provider. This is especially relevant with smaller cloud providers, which are more common with SaaS.

Multi-tenant cloud security concerns 

Because all data is stored on the same hardware, the logical controls on the data must not allow any opportunity to view another customer's data. This is a basic requirement, and was one of the first hurdles to overcome with multi-tenant environments. There must also be robust controls in place to ensure that excessive traffic from one tenant does not impact the performance of the other customers' systems.

For IaaS, cloud providers must ensure separation of customers' virtual machines at the hypervisor level. Organizations should request information from the new cloud provider regarding how this separation is achieved.

For SaaS, database segmentation is key; organizations should check to make sure their providers have implemented it. Data encryption at rest is also important with SaaS providers, to make it difficult for hackers to access plaintext data if the database itself is stolen.
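One form the logical control can take when tenants share the same table, shown as an added example that is not code from the article or from any provider. The schema, tenant names and helper names are constructed for illustration, and SQLite stands in for the provider's database.

```python
import sqlite3

# Constructed sample data: two tenants whose rows live in one shared table.
ROWS = [
    (1, "acme", "Q3 pricing sheet"),
    (2, "acme", "Payroll export"),
    (3, "globex", "Merger draft"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents ("
               "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)")
    db.executemany("INSERT INTO documents VALUES (?, ?, ?)", ROWS)
    return db

def get_document_unscoped(db, doc_id):
    """Weak: looks up by row id only, so any tenant can read any row."""
    return db.execute("SELECT title FROM documents WHERE id = ?", (doc_id,)).fetchone()

class TenantSession:
    """Hardened: the tenant id is fixed once per session and bound into every query."""
    def __init__(self, db, tenant_id):
        self._db = db
        self._tenant_id = tenant_id

    def get_document(self, doc_id):
        return self._db.execute(
            "SELECT title FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self._tenant_id)).fetchone()

    def list_documents(self):
        return self._db.execute(
            "SELECT id, title FROM documents WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,)).fetchall()

def cross_tenant_leaks(db, tenants):
    """Isolation check: each tenant session probes every row id; any readable
    row owned by another tenant is reported as (tenant, row id)."""
    owners = dict(db.execute("SELECT id, tenant_id FROM documents"))
    leaks = []
    for tenant in tenants:
        session = TenantSession(db, tenant)
        for doc_id, owner in owners.items():
            if owner != tenant and session.get_document(doc_id) is not None:
                leaks.append((tenant, doc_id))
    return leaks
```

An empty result from `cross_tenant_leaks` is the kind of evidence to ask a SaaS provider for when it describes its database segmentation.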

For both IaaS and SaaS, it is also important to ask the provider where its security responsibility ends and where the organization's begins.

How to handle the risks of multi-tenant cloud

Although many of the multi-tenant cloud security risks have been reduced, there have been theoretical attacks targeting the multi-tenant infrastructure, so it doesn't hurt to harden instances with this in mind.

There are some extra precautions that organizations can take when moving to multi-tenant IaaS, which are also basic security best practices. Configuring a new environment is the opportunity to start from scratch in terms of the setup of the machines, and the first piece of advice is to only install the software and packages that are required for the machine to function as intended. Remove anything that is not needed to reduce the possible avenues of attack. Also, ensure that this software is kept up to date, as well as the underlying OS and kernel where relevant. Ensure that the root or admin password is changed to a secure passphrase that only the necessary employees know.

Many of the perceived multi-tenant cloud security risks are left over from the earlier days of the cloud, and in most cases multi-tenancy can be considered reasonably safe with the larger providers. It is worth noting the questions an organization should ask if it is switching to a new provider to ensure that it has done proper due diligence, and it is also sensible to implement reasonable controls to protect the enterprise's infrastructure.
