Can we use some of this Risky Social Behaviors post to aid us in finding an adequate definition for Secure Multi-Tenancy? Perhaps more to the point, it can define how we look at multi-tenancy today. On a recent VMware Communities podcast we were told two things that seem contradictory to current security thinking. The first is that going to the cloud reduces your risk, and the second is that the definition of the cloud must include multi-tenancy.
Risk is measured differently by different groups of people; what may be a risk from a business perspective is a different risk from a security perspective. I would agree that from a business and ROI perspective, the cloud looks very attractive. But the statement that you ‘reduce risk by going to the cloud’, without qualifiers such as business risk or security risk, delivers an incomplete message.
Business risk is related to the security risk. If your business depends on the security of your data, then using the cloud could be a very risky venture at the moment. Secure Multi-Tenancy is all about the data, with the biggest risk from those who manage the cloud. Those who manage the cloud should never be able to touch, record, or modify the data stored within the cloud.
I heard an interesting case this week from one of my customers. He uses a SaaS that provides them with a necessary aspect of their business. Using this service lowers their overall business costs and has a better ROI than implementing the solution themselves. That could be considered a reduced business risk, which is great for them. However, the SaaS provider consistently modifies their data, even though this is not an aspect of the SaaS that this customer desires to use and has attempted to disable. This is an increased security risk to their data.
To me, this cloud SaaS is neither multi-tenant nor secure in any fashion. The SaaS owners should never be able to modify this data for this customer. There are no controls in place to prevent the account managers, administrators, and other SaaS personnel from seeing, touching, recording, or modifying the data. This customer cannot protect their business from the SaaS provider at this time; therefore, their risk has increased.
Some may say this is a problem with the software, but it is also a process problem. The customer of a cloud provider needs a way to dial the security to be less or more depending on their needs. If they want the service that disallows the cloud provider from seeing, touching, recording, and modifying the data, then that needs to be available to them. The data access process of the provider should be written, followed, and audited to ensure this does not happen. These would be the first steps to Secure Multi-Tenancy: process and auditing. But I would also say this is a failure within the SaaS software, as the ‘preventative’ controls are apparently not in place or disabled. In this particular SaaS, some customers want their data to be optimized for them, while others do not. A dial-able security setting is what is needed.
So, like the Risky Social Behaviors discussion, anything you place into the cloud is viewable by others. These others may be restricted to the provider's employees, contractors, and possibly partners, or it could be wide open if the tenant did not dial the security properly. Secure Multi-Tenancy is about protecting the data, which may lower the risk perceived by the tenant, but unless a provider implements proper Secure Multi-Tenancy, this is just a perceived reduction in risk, not a true reduction in risk.
Before you use a cloud service you need to understand all the risks, business as well as security.