Network World

Masters of Virtualization and Cloud Computing

A Step Toward a Secure Multi-Tenant Cloud

How to turn a step into a leap?

By Ted Ritter on Thu, 01/28/10 - 10:34am.

This week Cisco, NetApp and VMware announced an integration model for a multi-tenant virtual infrastructure that stresses isolation at the virtual, CPU, network and storage levels. Wow! Concern over isolation failure is a major cloud security stumbling block. After reading through the 82-page “Designing Secure Multi-Tenancy into Virtualized Data Centers,” I see this as a great step in the right direction. It’s a step—not a leap. As a start, we need tighter management integration.

From the outset, the triad is clear that this is an integration of off-the-shelf products. There is no secret sauce cooked up here. For example, management requires: Virtualization (VMware vCenter, vShield Manager and NetApp Snap Manager for Virtual Infrastructure); Compute (Cisco UCS Manager and Data Center Network Manager); and Storage (NetApp SANscreen, FilerView, Provisioning Manager, Protection Manager, Operations Manager and Snap Manager for Virtual Infrastructure). Granted, the NetApp products integrate as a suite and Snap Manager is a vCenter plug-in. However, there are at least five configuration and management points to properly implement a secure multi-tenant infrastructure, which leaves significant room for configuration error and makes provisioning lifecycle management complex.

To achieve tighter integration, we need the following: more prescriptive guidance on making LDAP a central authorization and authentication policy repository; leveraging standards like eXtensible Access Control Markup Language (XACML) and Security Assertion Markup Language (SAML) for authentication and authorization policy management; and extending vCenter Orchestrator to support Cisco and NetApp. These moves turn a big step into a leap toward a secure multi-tenant cloud.

About Masters of Virtualization and Cloud Computing
Ted Ritter is a Senior Research Analyst with Nemertes Research, where he conducts research, advises clients, and delivers strategic seminars. A Certified Information Systems Security Professional (CISSP), Mr. Ritter leads Nemertes' research on information stewardship, which includes compliance, as well as the management, access, storage and backup of data. Mr. Ritter draws upon 20 years of experience in information security and telecom technology. Mr. Ritter is a highly regarded analyst who has designed, implemented and supported telecom and information security solutions for commercial, federal and international clients. He holds a master's degree in telecommunications management from The George Washington University and a bachelor's degree in neuroscience from Oberlin College.