Glenn Haley, Director of Product Management, Cloudian
Introduction
The concept of delivering cloud services by sharing virtualized hardware infrastructure and application servers has existed for years. Within these hosted services, multi-tenancy functionality has been a critical factor in separating software services for tenant customers while keeping costs at a level acceptable for software providers. However, at the same time, the sharing of resources to service many tenant customers can result in the co-location of data by many potentially competing organizations using the service within the same storage solution. This situation introduces some risks and data protection concerns that must be addressed to ensure a secure and acceptable solution.
Multi-tenancy and its importance in shared Cloud Services
A multi-tenant cloud storage architecture consists of a single and centralized infrastructure system purpose-built to provide service-oriented storage for multiple customers or “tenants.” All customer data is stored in hosted yet shared servers, storage, and databases. The separation of various customer data is mandatory to ensure any data stored is not accessible or viewable by another tenant user.
For Service Providers in an “as-a-service” evolving world, this means managing multiple and potentially competing client organizations and the company’s data from within a single yet shared storage solution. A service provider can share the hardware resources across all customer tenant instances and then spread the infrastructure cost across all of the serviced customers, instead of having to secure each one of the individual instances and significantly reducing the total cost of ownership of managing the solution.
The use of virtualization and remote access to storage is expanding and creating new service models for service provider organizations based on the use of multi-tenancy. By leveraging a multi-tenant architecture and using new cloud storage technologies such as S3 object storage and various service solutions, service providers can increase their client base, while reducing costs, which in turn results in even greater profits. For their tenant customers, this delivers best-in-class object storage services fully integrated and offered through their preferred cloud management platform.
Multi-tenant managed services and cloud storage offerings by service providers continue to evolve and grow based on the increased use of cloud services by IT organizations. Further, S3 and object storage solutions have helped revolutionize the Service Provider industry, allowing traditional service providers to become a cloud service provider. The market size for global managed services is currently $223 billion and projected to reach $329.1 billion by 20251. According to IDC, the market for cloud storage services, which is a subset of managed services, is forecasted to reach $60 billion in 20232.
With the available technology and enormous market opportunity, the task becomes finding the right solutions that offer the right multi-tenancy features for service providers to ensure the required amount of security compliance and data management, monitoring, and billing functionality based on usage levels. Enter Cloudian Hyperstore as the industry’s most compatible S3 object storage solution and designed from its inception to service multi-tenant use cases and ideally suited for “as-a-service” use cases among Service Providers. For example, a service provider can deploy an object storage solution, such as Cloudian HyperStore, using a single namespace and distributed database and then extend its access for use by multiple subscriber customers. In such a multi-tenant scenario, each tenant’s data is isolated and invisible to other tenants.
Cloudian Object Storage provides a versatile, scalable storage pool for any S3-compatible application. For cloud providers, this enables a portfolio of high-value service offerings, including Storage-as-a-Service (STaaS), Backup-as-a-Service (BaaS), Archive-as-a-Service (AaaS), Compliance-as-a-Service, Disaster Recovery-as-a-Service (DRaaS), and Big Data-as-a-Service (BDaaS). Cloudian storage and multi-tenancy functionality offer service providers the ability to reduce storage costs, deliver more timely S3 compatible and ‘revenue-ready’ services, improve risk management, and significantly lessen the load on its other internal resources.
Challenges with Multi-tenant Storage
Despite the numerous benefits, the use of multi-tenancy also poses many challenges that often prevent the adoption of cloud storage as a service offering, including security and privacy, reliability and quality of service, scalability and management, and governance and compliance.
Security and Privacy
Security and data privacy associated with multi-tenant access are the primary reasons consumers are not willing to adopt cloud storage or use cloud provider’s services. Consumer concerns are a result of the perceived loss of control due to the multi-tenant nature of the cloud storage. Multi-tenancy can create security concerns around how to isolate data storage and access to the stored assets. Further, authentication, authorization before access are crucial aspects of incident response, auditing, and investigation activities. Any multi-tenant storage endpoints and data require segregation and separation from other customers and tenant stored data to address these challenges. Ensuring complete separation and inaccessibility can be problematic in a multi-tenant environment, where multiple customers store data and objects on the same co-hosted yet same physical or virtual hardware. The architecture must be tenant-aware at all levels in the stack with adequate authentication and access control security also implemented.
Every time there’s a new client, the provider adds a new bucket endpoint and which is only accessible by that client. The Cloudian HyperStore solution provides the ability to configure separate endpoint buckets, where each is controlled using a unique access key and secret key credentials. That storage service instance and bucket endpoint run independently of others, and each bucket can be configured to run different storage protection schemes and security policies.
The Cloudian HyperStore system can also be integrated or synchronized with an identity-management system such as Active Directory or the Lightweight Directory Access Protocol (LDAP) service. Software-based access controls and user/group permissions isolate customers from one another to deliver a multitenant cloud storage environment. For a more granular level of security, the Cloudian HyperStore provides selective support for the Amazon Identity and Access Management (IAM) API. The HyperStore IAM Service supports extensions to the IAM API that allow for role-based access control (RBAC) for read-only HyperStore administrative functions. This support enables each HyperStore account user or “tenant user” to create IAM groups and IAM users.
Reliability and Quality Controls
Interference among tenants is another risk that gets introduced by multi-tenancy. The overuse or overloading of resources on a shared or hosted system by one tenant user can impact the performance or user experience of other tenant users. A single customer running a substantial workload or stress test against a production endpoint within a multi-tenant environment may unknowingly or unintentionally result in an imbalanced use of resources that impact other customers serviced on the same platform – known as a “noisy neighbor” situation. Therefore, reliability and consistency are required for other customers to meet the service level agreement (SLA).
To address interference issues and meet SLA requirements, the use of enhanced monitoring, reporting, and load balancing technologies can help to detect and compensate for increased demand. But, the best approach is to use Quality of Service (QoS) features like quotas, reservations, and implementing rate-limiting controls on requests on a per-tenant basis is the best way to avoid any single tenant from impacting and overloading other tenants.
Scalability, Management, and Maintenance
Traditional scaling techniques, such as dynamically spinning up new virtual hosts to meet demand, has limitations and increases cost. Single-tenant environments where each customer gets their own allocated hardware significantly increase the costs to the serviced customer base. Multi-tenant cloud architectures can be scaled easily to handle peaks in demand across the client base. That’s because the storage instances are not single independent systems but rather a cluster of bucket endpoints configured on servers as nodes behaving as one distributed and scale-out object storage architecture.
Cloudian HyperStore is designed to infinitely scale to handle big data workloads across multiple nodes without any single point of failure. In this scale-out and peer-peer architecture, data is distributed across the nodes in the cluster, and every server (node) can handle any client request with a share-nothing architecture regardless of where the object data is located in the cluster.
Service providers should offer Consumers a mechanism to interoperate their data and applications among multiple cloud Ecosystems through a secure and unified web management interface. Having a customer-facing web portal or management console provides administrators to manage multiple tenants and the ability to provide QoS, billing, and reporting for each of the tenant user’s storage consumption usage. Within Cloudian HyperStore, this portal called the Cloudian Management Console (CMC) controls which users and ACL groups have access and permissions for accessing and managing their cloud storage services. You can define groups and control access to configured bucket endpoints containing the object data. Cloudian’s HyperIQ provides service providers and IT administrators a way to monitor the HyperStore cluster with data analytics and actionable insights to allow rapidly responding to system-wide performance changes, and optimize resource utilization while viewing the operational health of the storage environment. HyperIQ provides a unified view of all user and system resource activity, detecting and alerting when any unusual behavior or overuse of resources occurs, thus allowing infrastructure to continue to run smoothly and delivering the best performance possible.
Further, having a single solution that is serving a potentially large number of clients allows applying configuration changes, security patches, and software maintenance far more quickly and efficiently. Since each node and all tenants use the same software running on each node in the clustered system, applying the rolling upgrades to each of the nodes in the cluster is much more straightforward if the architecture is multi-tenant. In contrast, upgrades to a traditional stand-alone environment where a single tenant may use an independent system or instance would need to have updates applied to each instance and possibly involving multiple steps.
Governance and Compliance
Corporate governance and regulatory compliance are other factors to address. These are concerned with and define who establishes the security policies and possible validation of the system. The security model that applies depends on the tenant and service customer and any industry-standards required of their particular industry vertical. Self-regulation can be sufficient unless tenant customers require the completion of an actual validation or certification by a 3rd party entity. Service providers and organizations alike should determine who the consumers of the cloud services will be and then decide what regulations and security compliance standards must be achieved. Cloudian is one of the very few object storage solutions that has completed a Common Criteria EAL2 designation, FIPS 140-2 validation, and SEC 17a-4(f) assessments for its HyperStore solution.
The federal government is rapidly adopting the use of cloud services, and data security ranks as the top concern. According to a report from Thales Security, 92% of federal agencies will access sensitive data within the cloud, big data, IoT, and container technologies.3 And, an alarming 71% of these government environments indicated that they are adopting such advanced technologies without proper security policies being in place.
Implementing the use of a secure multi-tenancy solution alleviates many of these concerns and issues. The Cloudian HyperStore solution has achieved NIST FIPS 140-2 validation, Common Criteria designation, and SEC 17a-4(f) certification.
Conclusion
A primary benefit of a cloud service is the ability to host multiple consuming organizations on a shared pool of network, servers, storage, and application resources. To achieve a profitable scale of economy, the business case use for a public cloud to run application services relies on numerous tenants sharing the same infrastructure. With a private cloud or managed service provider deployment, multiple companies may not be sharing the same hardware. Still, there may be various departments or project/application development teams that require separation and data isolation, cloud tiering, data and network traffic analytics, and separate billing and chargeback support may be needed.
In a managed service or cloud service provider environment, there are flexible ways to customize how networks, servers, and storage are separated, and if or how multiple consuming organizations are isolated from one another. The Cloudian HyperStore solution can help reduce the cost of delivering S3 compatible cloud storage and services while balancing the imperative need for security within a multi-tenant architecture.
Cloudian HyperStore reduces the total cost of ownership by providing centralized management of multi-tenant storage services that are deployable in secure on-premises, hybrid, or multi-cloud environments. Cloudian users and administrators get the benefits of a true S3 cloud service isolation, protection, scale, global management, and visibility – which can only be provided through a multitenant architecture.
Read on:
Cloudian’s Managed Service Provider Program provides benefits and expertise to help ensure your success – Learn more in our Cloudian Managed Service Provider Guide
link: https://data.cloudian.com/NGA-0317-MSP-Program
Leverage the benefits of Cloudian object storage to enable new cloud services revenue opportunities – Learn about New Cloud Services Opportunities with Cloudian and VMware
link: https://www-cloudian-com-staging.go-vip.net/lp/cloud-services-opportunities/
References
1 https://www.marketsandmarkets.com/Market-Reports/managed-services-market-1141.html
3 https://dtr-gov.thalesesecurity.com/2017/
Sources
https://www-cloudian-com-staging.go-vip.net/products/security-features/
https://bigdatawg.nist.gov/_uploadfiles/M0007_v1_3376532289.pdf
https://searchcloudcomputing.techtarget.com/definition/multi-tenant-cloud
https://www.appdynamics.com/blog/engineering/multi-tenant-cloud-architecture/