How secure is a multi-tenant cloud? What kinds of questions should we be asking the vendors about being part of a multi-tenant cloud?
The multi-tenancy approach -- in which multiple customers, or "tenants," share a single instance of a software application -- always generates questions about security. Specifically, what each tenant wants to know is: How are things divided to prevent other tenants from being able to access my sensitive information?
Nearly all public clouds use the multi-tenant model. Cloud providers typically go through extensive and painstaking steps to eliminate security holes that might allow unauthorized access to any tenant's information. Still, there are always concerns about having multiple customers using a shared host. For that reason, some providers, such as Amazon Web Services, are starting to support the concept of a "dedicated instance." This approach allows for the provisioning of an entire server strictly for one tenant's use, which eliminates the concerns that may come up when using virtualized servers.
The most important thing to ask multi-tenant cloud vendors is whether they have security certifications or other external validation of their security levels and practices. Other questions to ask: "How do you make sure other tenants can't access my data? Do you use server-side encryption to prevent anyone else from accessing my data? What sort of regular tests do you run to make sure my information is safe?"
Companies working with medical information should also ensure the multi-tenant cloud provider complies with the requirements of the Health Insurance Portability and Accountability Act.
Of course, the risks associated with relying on a multi-tenant cloud vendor are almost always minimal compared to the extra cost and work involved with running your own cloud. Most of these systems are quite secure and run on trusted technology that's either open source or stems from open source software. Generally, the more clients a given cloud vendor has, the more tested it is, and the more you can rely on it to protect your information.