Cloud computing enables organizations to run workloads and manage data anywhere, without significant computing resources residing in their data centers. Public cloud providers use multi-tenant infrastructures, which are efficient and cost-effective, but such multi-tenancy raises concerns about data separation in the cloud.
Data separation addresses the need to prevent one consumer of cloud services from disrupting or compromising the work or associated data of other consumers of cloud services. In effect, this acknowledges the potential risks of multi-tenant environments, where hypervisor flaws, malicious code running in the applications and other factors can compromise your workloads.
Thus, data separation in cloud computing involves knowing exactly where your workloads and data are running — even though the very nature of a public cloud is intended to obscure such granular notions.
Noisy neighbor problem
Consider the “noisy neighbor” syndrome where your VM instance is running in a public cloud alongside a handful of VMs from myriad other users, all packed onto the same cloud server. Technically, this will not cause any issues until one of the neighboring VMs picks up traffic and takes excess network bandwidth or storage I/O, leaving other VMs — including yours — struggling to maintain performance requirements.
Beyond malicious code and performance sensitivity, today’s legal and geopolitical landscape places serious boundaries on where a cloud customer’s workloads and data can reside. A public cloud — such as AWS, Microsoft Azure or Google Cloud — possesses a global presence comprised of data centers and other points of presence that operate in different countries around the world. In the early days of public cloud, the physical location of servers and storage was largely opaque to users; the very idea of utility computing made such physical distinctions irrelevant.
However, as cloud use has expanded, governments, regulatory bodies and other organizations have become sensitive to the physical realities of global computing infrastructures. Some businesses and government agencies face strict limits on which cloud regions and tenancy models they are permitted to use. To address these data separation challenges, cloud providers have given users more control over workload and data placement, as well as reporting.
Implement a data separation strategy
For organizations, the key to optimizing data separation is to exercise more control over the physical placement of workloads and data. Depending on the needs of the business, there are several strategies enterprises can implement.
For starters, IT teams need to understand that public clouds operate on the basis of a shared responsibility model. The cloud provider is responsible for securing the physical infrastructure, while the user is responsible for securing the workloads and data. Thus, a cloud user’s responsibility starts with configuration.
Overlooked or incorrect configuration settings could leave a workload or data exposed, and potentially leave the business vulnerable to compliance violations. To avoid this issue, get familiar with the many different configuration options and best practices for your cloud provider’s services. Proper configurations can be streamlined through cloud services — such as AWS CloudFormation — that automatically provision and secure cloud resources across regions and accounts using templates or policies.
Another common practice to guard against the risks of multi-tenancy is the extensive use of strong encryption for any data housed within the public cloud. If the data is exposed through misconfiguration or malicious actions, the content remains secure. Ideally, encryption is applied to data both at rest and in transit.
Cloud services for data separation
Additional strategies to implement data separation include the use of various enhanced cloud services intended to bolster the security and control over cloud content. As an example, users can employ a virtual private cloud (VPC), which provisions a logically isolated portion of the public cloud to create a user-defined infrastructure with full control over networking, subnets and other network characteristics. Although VPCs are not physically isolated and are still multi-tenant environments, the level of security is much greater for the organization.
Cloud providers are also developing and expanding specialized cloud offerings for performance and security-sensitive users. For example, AWS GovCloud supports numerous U.S. federal standards, including the Criminal Justice Information Systems, the International Traffic in Arms Regulations and the Export Administration Regulations. For additional security and oversight, GovCloud is operated by U.S. citizens within the U.S. and is only accessible to U.S. organizations and account holders that are prescreened.
Cloud providers offer a broad array of dedicated, single-tenant servers and cloud options for users. For example, the Amazon EC2 Dedicated Hosts service offers dedicated server hardware to improve workload performance and compliance. This can also be referred to as a bare metal cloud. Similarly, Amazon EC2 Dedicated Instances can be run in a VPC on hardware that is dedicated to a single customer.
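The configuration, encryption and tenancy controls discussed above can be checked mechanically before a template is deployed. The following is an added example, not code from the article or from AWS: a small audit of a CloudFormation template (in its JSON form, loaded as a Python dict) that flags S3 buckets without encryption at rest, buckets without a policy denying non-TLS access, EC2 instances not placed on dedicated hardware, and a deployment region outside an assumed residency allow-list. The sample template, the `ALLOWED_REGIONS` set and the `audit` function are constructed for illustration.

```python
"""Audit a CloudFormation template for data-separation controls:
encryption at rest, TLS-only access, dedicated tenancy, approved region."""

# Constructed sample template (CloudFormation in its JSON form, as a Python dict).
TEMPLATE = {"Resources": {
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "DataBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "DataBucket"},
        "PolicyDocument": {"Statement": [{
            "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}}},
    "AppServer": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-EXAMPLE", "Tenancy": "default"}},  # shared hardware
}}

# Assumed data-residency policy: regions where this workload may be deployed.
ALLOWED_REGIONS = {"us-gov-west-1", "us-gov-east-1"}


def audit(template, region):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    if region not in ALLOWED_REGIONS:
        findings.append(f"region {region} is outside the approved residency set")
    resources = template.get("Resources", {})

    # First pass: collect buckets whose policy denies requests made without TLS.
    tls_only_buckets = set()
    for res in resources.values():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        props = res.get("Properties", {})
        for st in props.get("PolicyDocument", {}).get("Statement", []):
            cond = st.get("Condition", {}).get("Bool", {})
            if st.get("Effect") == "Deny" and cond.get("aws:SecureTransport") == "false":
                b = props.get("Bucket")
                tls_only_buckets.add(b.get("Ref") if isinstance(b, dict) else b)

    # Second pass: evaluate each data store and compute resource.
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append(f"{name}: no server-side encryption at rest")
            if name not in tls_only_buckets:
                findings.append(f"{name}: no policy denying non-TLS access")
        elif res.get("Type") == "AWS::EC2::Instance":
            if props.get("Tenancy") != "dedicated":
                findings.append(f"{name}: Tenancy is not 'dedicated' (shared hardware)")
    return findings
```

Running `audit(TEMPLATE, "us-gov-west-1")` on the sample reports only the shared-tenancy instance; deploying the same template to a region outside the allow-list adds a residency finding.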
The importance of geolocation
The question of geolocation — knowing and ensuring the physical area of the world where applications and data reside — is a more important consideration than ever before. Although choosing a region is not in itself a tenancy decision, location can affect workload performance, compliance and tenancy.
Consider that a region can be selected to improve workload performance since the physical proximity to the workload’s users can significantly reduce network latency. This placement of data can boost the workload’s apparent performance and improve user satisfaction.
Services also vary by region, and not all cloud services may be available in all global regions. This could make it more difficult to deploy or secure workloads or application stacks in some regions. For example, AWS Single Sign-On is not currently available in the U.S. West (Northern California) region.