This whole topic has been bubbling for a while as we consider fully virtualized (and inherently oversubscribed) pools of resources which will form the basis of so many service provider (cloud?) models going forward.
A small skirmish erupted when NetApp started promoting a solution they dubbed SMT -- secure multitenancy. While there were aspects that did address some concerns around security (but not all), and some concerns around multitenancy (but not all), many of us felt it was being over-marketed in several regards.
Indeed, I saw a nasty take-down by @texiwill at GestaltIT's Field Day about the security aspects. I could do a similar take-down on the multitenancy aspects as well.
The purpose of this post isn't to slam any competitor; it's to drive towards two key discussion points -- (a) what is needed, and (b) how do SPs monetize it?
And I don't think I can do all of this in one post.
To Begin With
Enterprise IT folks are concerned with security: identifying and mitigating risks. They do this in their traditional data centers using largely traditional approaches.
If a service provider comes to them and offers to take some of that work away, they have a rightful concern that security measures (and reporting) are at least as good as -- if not better than -- what they've got today.
Introduce a pooled resource model (shared servers, storage, network, back-end services, etc.) and that concern is heightened considerably.
A parallel discussion arises with service delivery, considering performance as an example. Enterprise IT are in charge of service delivery, and have existing processes and capabilities to do so in their largely physical IT world.
Move to a world where everything is dynamically pooled (and presumably under the control of a service provider), and the concerns are heightened.
Adding Balance To The Discussion
Not every enterprise IT function is created equally. Not everything requires high levels of security, or robust service delivery. There's plenty of market opportunity for SPs that don't want to invest in this stuff.
However, all the interesting enterprise IT workloads generally require high levels of auditable security and compliance, and generally require a robust approach to service delivery. "Interesting" is code for "profitable" in this context.
And there's the halo effect -- even though your tenant may not need these things today, there's comfort in knowing that their SP can deliver these things if needed. Today's pilot program is tomorrow's mission critical application, for example.
So, more often than not, I believe that most SPs offering IT infrastructure, platforms or applications as a service will want to invest in these capabilities, and become proficient at them. It makes a certain sense to have premium capabilities, and then down-feature as needed to meet price points in the market.
So, how might we think about this?
Digging Into Security A Bit
Bring up the topic of security in any IT discussion, and opinions and perspectives will flow like booze during happy hour. But how do we create a framework for sorting out what matters, and what doesn't?
My current thinking (with the help of others) has evolved to the following perspective.
a) the security, audit and compliance capabilities should -- at a minimum -- meet the defined requirements of the tenant.
b) all aspects of security, audit and compliance capabilities should be completely transparent and under the control of the tenant, and not the service provider.
c) the security capabilities must be able to protect against an untrusted service provider -- because everyone has a bad day once in a while.
If that's the baseline, there's some extra-credit available as well ...
d) ideally, the security capabilities available should exceed what the customer has (or needs) today.
e) there should be provisions for forensic support.
The last one (forensic support) I owe to Edward Haletky at www.virtualizationpractice.com, also known as @texiwill.
He made the insightful point that -- from time to time -- tenants of a service provider run into legal difficulty. Standard practice is to confiscate the computer equipment as evidence.
Well, if the offending party happens to be a single tenant of a multitenant SP environment, that could create an ugly situation for everyone else, no?
The answer lies in the ability to provide a legally compliant "snapshot" of the tenant's information footprint on demand -- not only apps and data, but access logs, etc. -- and do so following chain-of-custody evidence rules. At EMC, we've done that sort of thing for law enforcement agencies for a while, so no biggie -- *if* we think of it ahead of time, that is :-)
Now, if we could do all of this security stuff in a pooled, dynamic, virtualized (and oversubscribed) environment -- without resorting to "old school" physically isolated infrastructure, so much the better.
Going back to what was being proposed by another vendor, we could argue about (a), but (b) and (c) were clearly lacking.
Digging Into Multitenancy
At one level, when discussing multitenancy, the real issue becomes having the capability to guarantee certain performance levels for individual tasks, applications, tenants, etc.
These core capabilities, in turn, form the basis of so many different business models that underpin various SP offerings.
In the physical world, this was straightforward. You needed more speed, you bought a faster server, more storage, faster storage, more pipe, etc. Welcome to the world of physical hosting, co-lo, outsourcing et al.
In this new pooled, dynamic and virtualized world, it's not so straightforward.
Everyone is sharing the same pool of goodies, so there are some new issues to consider. SPs make good money if they get good at managing oversubscribed services.
More importantly, it's possible to vary service levels up and down quickly -- if needed -- creating a fertile space for all manner of interesting pricing models.
So, if I were putting together a list of IaaS multi-tenancy asks, it'd go something like this.
a) the ability to set minimum thresholds of services delivered, cast in whatever terms make sense to the customer -- IOPS, GHz, MB/sec, users, response time, transactions, etc.
b) the ability to dynamically vary these service levels on short notice, pending available shared resource.
c) all aspects of service delivery transparent and visible to tenant (including costs!)
d) protection against unruly tenants who exceed their allocated resources.
Going for extra credit, I'd add:
e) the ability to establish maximums as well as minimums
f) the ability for tenants to "sub-let" available resources (and manage associated service delivery) to multiple applications or sub-tenants.
Again, going back to what a certain vendor was proposing, I could argue that the server and network components did a decent job at (a), (b) and (d) but didn't address (c). And the storage vendor couldn't do any of (a), (b), (c) and (d) as far as I could see. They had a piece of software that would "suggest" to the shared resource what should be done, but that was about it.
Hence my rant.
Secure Multitenancy -- Enabling Technology
Frankly speaking, I think most of the pieces are coming together to nail most of this during 2010 and 2011. It's not all here yet, but it looks like it will be soon.
The underlying premise around security is simple -- as virtualization establishes a "new perimeter" for security, it can form the basis of security, auditing and compliance measures that are potentially far more secure and streamlined than anything we've seen in the physical world.
One fascinating piece is the "trusted hardware root" technology coming from Intel, VMware and RSA. It arguably can be used to create a more trusted -- and verifiable -- security environment than *anything* available today -- physical and virtual. Complement these with more standard integrated security offerings for fully virtualized worlds, and it becomes interesting. Add in the potential future capability to encrypt on a per-VM basis (where the tenant owns the keys), and it becomes downright compelling.
Coming in from the other side, there are increasing capabilities to put "tenants in control" of security, auditing and compliance. Security event information management (or SEIM) is an example of a high-level security control point. As is IT compliance. As is DLP. As is advanced identity management and verification.
All of these feed into a GRC framework (such as Archer) that gives enterprise tenants far better control over their risk profile than they have today.
When it comes to multitenancy -- and delivering dynamically managed service levels from shared infrastructure -- there are some strong capabilities today, but more to do.
Generally, our friends at VMware and Cisco do well for their part. Plenty of ability to segment and adjust workloads using the hypervisor, or converged network. By and large, I think they've done their part.
On the storage front, perhaps the best capability in the industry can be found on Symmetrix VMAX -- which has not only the ability to dynamically manage different levels of storage media performance (think FAST), but has sophisticated controls around related resources: cache, processor and port bandwidth. More to do here, though -- it's not as perfect as we'd like yet.
On the management front, the challenge is being able to carve off the required virtual resources needed to deliver a given service level, expose their components, put them under tenant control and let the tenant subdivide those resources as need be.
You can see a promising start to this in the next version of EMC Ionix UIM, but it's got a ways to go before it delivers on the potential. Related efforts are underway at VMware as well.
Again, don't let anyone tell you that all the pieces are completely in place today, but -- as far as I can tell -- there's enough to get started with, and more on the way.
The Bottom Line
It's an embryonic discussion within the industry, so your comments and thoughts are appreciated.
One example of this happened at EMC World where @texiwill, @basraayman and @storagenerve joined me for a two-hour discussion on these very topics.
Add that to about a dozen others I've had, and some consensus is starting to slowly emerge.
What do you think?