The panel of the Virtualization Security Podcast on 5/27/2010 was joined by an attorney specializing in the Internet space. David Snead spoke at InfoSec and made it clear that there was more to secure multi-tenancy (SMT) than one would imagine. The first question was “how would you define tenant?” which I believe is core to the discussion of SMT as without definitions we have no method of communicating. Before we get to David’s response, we should realize that nearly every one has their own definition of Tenant for a multi-tenant solution.If you talk to Cisco with respect to CVN, it is defined as entities requiring differing levels of QoS. If you talk to a storage vendor (NetApp or EMC) you really get an encrypt “data at rest” answer that is a small part of the entire Secure Multi-Tenancy discussion. You will also get answers related to storage availability. Cisco’s answer is actually all about Availability and guaranteeing that a tenant receives the assigned QoS throughput.
David Snead, an attorney, defined Tenant as “whatever definition is used within the contract”. If there is no definition within your contract then assumptions are made, so I tend to fall back to the definition of Tenant to be “the legal entity responsible for the data.” So you need to read your contracts carefully.
Regardless of how you define Tenant within a contract or using my own definition, there are governmental dictates that come into play for Personally identifiable information (PII) which could impose a split personality within a given tenant.In Europe for example, a Tenant is required to handle PII in a very specific ‘secure’ way, while the government may not care much about the rest of the data. When you state you are PCI or HIPPA compliant, you also sign on to treat PII data differently or at least in accordance with the respective regulatory compliance. This does not actually mean the data is secure, just that you follow some regulatory compliance.
Outside of regulatory compliance Tenant gets obfuscated further to include data classification within the tenant causing even further bifurcation of the term ‘tenant’.
Given this, when we state Secure Multi-Tenancy, what are we really discussing in the cloud? In essence, that answer is defined by contracts and the Tenant is the contract signee. If the Tenant also has to be regulatory compliant or handle data classification, that is left to the Tenant to implement in some Tenant controlled mechanism with help from the provider. This is where CloudAudit comes into play as a way of providing a universal way to determine the compliance of a provider for handling such data.
A serious discussion about SMT, I believe starts with some definitions that define ‘Tenant’ within the cloud and what that definition should be within the contract. Chuck Hollis of EMC started A Serious Discussion of SMT which in the comments equates Tenant to renting from a landlord after some other discussion. I think if there ever was a court case where the tenant was not defined within a contract, this may be what the judge and jury think. On StorageRap is another definition of Tenant as the application owner, within the Tenant, this makes sense but not from a cloud providers perspective, as the Application owner Could be the Cloud Provider such as SalesForce.com. I must repeat, in the cloud the data is the only thing that matters: for SaaS, this is the data stored within the Cloud Application, for PaaS that could be the application written by the Tenant and the associated data, and for IaaS this will be the virtual machines, virtual networks, and other bits below the application. Our definition of Tenant must handle all these cases.
I believe that once we can define Tenant appropriately that the provider needs to provide some level of security far above what any one tenant may desire, but can at some point in time acquire as necessary: A tenant dialed security setting. So after we define Tenant satisfactorily we should start to look at what the provider must provide and what is really left to the Tenant to implement in other words: roles and responsibilities.
As pointed out within Secure Mutli-Tenant Virtualization – How to get there? some more work is required to reach this state, specifically in the realm of Integrity and Confidentiality. This becomes even more difficult if we think of being able to rapidly move data from cloud provider to cloud provider as discussed within VMware Spring + Google: Dramatic PaaS Progress and New SMT Concerns. Even EMC’s VPLEX add a new wrinkle to SMT as we now may need to worry about treaty’s between countries, Safe Harbor, and other governmental Acts, Referendums, and Laws.
The definition of the Tenant absolutely must start with the data ownership. We must realize that different forms of data PII, Application, Virtual Machine, Classification, Confidential, etc. figure into this definition. Such a definition must help the SMT discussion which has the goal of protecting the data and providing a way to keep those without rights (provider, outside, etc.) to the data from manipulating, changing, recording, or otherwise impacting the availability of the Tenant’s data.
Let us define tenant, then we can move onto responsibilities.