The old adage promises safety in numbers, but the opposite may be true when it comes to online computing. Cloud based multi-tenant platforms for hosting infrastructure and running applications have many advantages, including lower costs, shorter time to deployment, and easier long term management, but are the economies of scale always worth it? As organizations continue to migrate applications and data to online platforms, it is more important then ever to understand the associated risks.
Multi-tenancy refers to any computing environment that is shared between two or more entities (“tenants”). This can come in the form of shared infrastructure, a shared platform, or shared applications and are commonly referred to as IaaS, PaaS, or SaaS, respectively. Multi-tenant environments may include the use of a public cloud, such as AWS or Azure, or a private cloud, and they may exist inside or outside an organization's physical premises.
There are also varying degrees of multi-tenancy. A virtual hypervisor, for example, offers a greater degree of separation than a Java virtual machine, which itself offers more separation than a shared, single instance application.
Understanding the Risks
Compromised systems can be used to gain unauthorized access to other tenant's systems running on the same hosted infrastructure. Although hypervisors and virtualization technologies are designed to create layers of separation between tenants, system can still remain vulnerable. Meltdown and Spectre are examples of malware that exploited weaknesses in underlying hardware to circumvent hypervisor protection.
Malicious actors aren't the only threat. Data loss due to human error is also at greater risk. For example, a mistaken virtual storage configuration can expose sensitive data to other tenants, whereas in a single-tenant environment the same mistake would have been less likely to expose data outside the organization.
Performance and Availability
System performance and availability of systems in one tenant can be adversely affected when intense activity and resource utilization are performed on another tenant's system. This can apply to virtual machines, storage arrays, networks, and firewalls, and is especially true when one tenant on the platform is suffering from a DOS/DDOS attack.
There is also a concern with regards to both routine and emergency maintenance. In a shared environment, maintenance must be coordinated across all tenants and timing may not always be suitable for every organization. This can include:
- Unwanted maintenance windows which are imposed in order to support other tenants
- Inability to perform desired maintenance in order to avoid outage or adverse effects on other tenants
Monitoring and Logging
In a multi-tenant environment, organizations will generally be unable to obtain all the security logs needed for compromise detection, data exposure detection, forensic investigations, and incident response. This is almost always true by definition, as infrastructure logs will contain data belonging to other tenants. In many cases, this may also pose a gap in regulatory compliance.
Many organizations are required to comply with internal data destruction policies or regulations such as GDPR or DFS500, which mandate timely destruction of data. Common data destruction mechanisms, such as physical media destruction or data wiping according to DOD standards, are not usually possible in shared environments. Failure to properly destroy data may also result in data leakage as storage is reassigned to other tenants.
Resistance is Futile
For most organizations, avoiding multi-tenant platforms entirely has become almost impossible. So many leading applications are hosted on cloud-based infrastructure, and leveraging multi-tenancy can lead to significant cost savings (some of which, in theory, can be reallocated to address other areas of risk).
Instead, organizations need to understand and weigh the risks associated with each vendor and platform they choose, and for each bit of data that is hosted on those shared environments. In many instances, platform vendors are able to keep systems and data more secure than their customers are able to on their own, and this needs to be taken into account holistically as well.
Once risks are understood, they can be properly mitigated according to the needs of each individual organization.