Multi-Tenant Public Clouds: Security Risk or FUD?
Cloud provider Rackspace seeks to dispel the myth that multi-tenancy makes public clouds an inherent security risk.
If you're concerned about cloud security, you're not alone: One in four CSOs report not feeling confident about the security of their data currently stored in the cloud, according to recent IDG research.
But much of that concern may be misplaced, some experts say. For example, consider the often-repeated claim that public clouds are insecure by virtue of the fact that they are multi-tenant.
That claim has more to do with FUD (Fear, Uncertainty, and Doubt) than reality, according to Rackspace CTO John Engates. In an interview with eSecurity Planet at the Interop networking conference last week, Engates emphasized that at all modern networking is multi-tenant at some level: When you think about it, we all share the same basic switching and networking infrastructure.
"The Internet is a big multi-tenant network," Engates said. "We're doing multi-tenancy all over the place -- [yet] people embrace it in one place and then on the other hand they downplay it like it's the worst thing. At this point, I think it's more about lack of awareness -- and Fear, Uncertainty, and Doubt."
As an example, Engates noted that years ago, people were concerned about using their credit cards online. That's a concern that has faded over time, and Engates expects the same to happen to the public cloud. He added that there are many secure workloads that are running today in the public cloud.
Looking at the credit card vendors, he noted that credit card companies get hacked all the time and it's not because they are in a multi-tenant cloud. Those companies have operations in secured, hardened data centers with appropriate security controls.
"I don't think that it is because of multi-tenancy that you're at risk," Engates said.
Security at Rackspace
"Security is a moving target, and it's an evolving science," Engates said. "As the guys out there get more evil, we have to get better at protecting ourselves. We have evolved to the point where we have very serious internal security controls, policies, and procedures -- and a lot of auditing going on all the time," Engates said.
From a customer perspective, Rackspace protects customers with pre-built, hardened operating systems images. Those images are more secure by default, as the less secure items are locked out.
"We ask them (customers) to open things up in as limited a way as possible to protect them and our other customers," Engates said.
Rackspace also has dedicated security teams that work on evaluating technologies and code. There is also an annual review cycle for data center audits.
When it comes to open source code that Rackspace contributes out into the community, there is also a high degree of scrutiny. Rackspace is one of the leaders of the open source OpenStack cloud platform that has been embraced by IBM, HP, Dell, Cisco, and other IT industry titans.
"Before we contribute code to the open source community, we do a lot of code reviews and a lot of external third party audits on our data centers," Engates said.
Watch the full interview: