Why Cloud Security Worries Are Overblown

Here's to the multi-tenant application, an invention of the Internet age and without which many of the low-cost services, such as search and travel reservations, would be impossible. And here's to the multi-tenant doubters, such as Oracle's Larry Ellison, who recently questioned its "weak security model" and its "co-mingling of competitors' data."

I'm going to claim an already strong innovation is going to get stronger. Maybe you don't really want to play such multi-user games such as Mafia Wars or Farmville or post to your co-workers' Facebook walls. Even so, you need multi-tenant applications. Without them, we'll need to throw a lot more money and computing resources at the services flowing out of the Internet that we've begun to take for granted.

The development of multi-tenant applications is still an emerging art. It requires a new and sometimes hard to achieve architecture. It can't simply mimic the multi-layered, monolithic enterprise application.

Most of all it has to scale easily to thousands or hundreds of thousands of users. It simply won't do to start up 10,000 instances of an application to satisfy 200,000 concurrent users. The multi-tenant application is the champion of concurrency, and in the Internet age, that makes it better, cheaper, and faster.

Google is a multi-tenant application, if there ever was one. Its design in some respects remains unique, although most multi-tenant applications learn lessons from Google's and eBay's examples.

The more prosaic customer relationship management (CRM) apps offered by Salesforce.com, Netsuite, and SugarCRM are also multi-tenant; multi-tenancy lies at the heart of software-as-a-service, and it's the potential competition coming from that quarter that seem to inspire Ellison's ire.

Oracle has held the number two position in the CRM market, behind SAP, according to Gartner statistics for the year 2008. Salesforce.com was third with 10.6%. Microsoft was fourth with 6.4%. Oracle's application customer base was growing by acquisition. With both Salesforce and Microsoft offering SaaS versions, CRM-as-a-service had grown from 15% of the market in 2007 to 20% in 2008. In all likelihood, that pace of growth continued in 2009 and continues in 2010.

Both Salesforce.com and Microsoft are growing through the acquisition of new application customers, while Oracle grows primarily by acquiring other application companies, concluded InformationWeek Analytics as a result of a survey of 485 application users in January. With Ellison so heavily invested in traditional applications, it's possible to see why multi-tenant applications have found their way into his crosshairs.I'd like to spend a minute on what makes a multi-tenant application tick and why it's the most likely model to dominate the future, including the enterprise application's future.

Multi-tenancy is different from multi-instance, where multiple copies of one application are launched, each to serve a particular set of end users. And multi-tenancy differs from subdividing a host server with multiple virtual machine guests, each with its own operating system. A multi-tenant server only needs one copy of the operating system: the one that it's working with.

Instead, a multi-tenant application aims to serve as many ad hoc, unrelated individual users -- they may come from competing companies, as Ellison said -- as possible, while running one copy of the application. Initially, that meant hundreds of users at the same time; in Internet time, it means thousands or hundreds of thousands. It does this by having all its application logic resident in memory so that operations may be executed at the speed of light. It either does so already or will soon rely strictly on solid-state memory for retrieving data not already pre-fetched in cache; at every turn it seeks to increase speed and reduce latency.

The multi-tenant application is a completely different breed from the monolithic enterprise application which could scale up only by being moved up to a larger server. The multi-tenant application scales out across more servers. To do so it has to command the collective CPUs of a cluster as its central processing unit. It has to combine their memories into a shared caching pool. And most of all, it has to identify, determine ownership of, tag, classify, and, at all times, restrict access to data to its rightful owners. It's this latter characteristic that makes the multi-tenant app controversial.

Customer data has to flow through the same physical memory space, whether on one server or a cluster, so in a traditional sense, the data of one customer is passing in close proximity to the data of many others. What if someone stumbled upon another customer's password or guessed a name or identifier meant to be unique to another customer? Would the data then be exposed? In a shared-memory architecture, the fact of two different owners' data inhabiting the same physical memory is sufficient to brand the approach "a weak security model," as Ellison said.

But the real question is whether this new model has been made safe and can be made more safe in the future. To me, Salesforce.com and other SaaS vendors have established the legitimacy of the multi-tenant model. If it didn't work, we'd be hearing constant complaints about compromises of data and loss of business. The question of whether it can be made safer than it is, however, I would answer at face value, of course it can.Virtual machines operate alongside each other in shared physical memory but are proven safe from the hazards that we know about today; there is no slop-over of data from one virtual machine to another. When we conceive of the data resident in memory of the multi-tenant application, it is assumed that with a slight slip-up, the data of one user might be taken for that of another.

The way to think about how it's actually working, however, is the data of each user has become a virtualized entity inside the application, with an assigned owner, a restricted set of operations that may be performed on it, and a guarded list of potential users. Just as the virtual machine container sets boundaries on memory addresses and storage space that can't be crossed in virtual machine operation, it's possible also to set boundaries around data inside the multi-tenant application that are just as inviolable.

Those in a better position than I to know, experts such as Chris Pinkham, who architected the original Amazon Web Services EC2 setup and is now hard at work at enabling the private cloud at Nimbula, says the security of the multi-tenant applications will depend on how well it's been designed and built. Sanjiva Weerawarana, CEO of WSO2, is likewise providing the components for building multi-tenant services at eBay and other firms. He says it's possible to be safe, but each multi-tenant application has to be reviewed on its merits.

In addition, multi-tenancy has to strive for stateless operations, where each step of the application knows little or nothing about the one that went before. This is harder to write than traditional application logic.

There are also a number of choices to be made on how data of many users is to be stored. It can be stored in a single database system and customers mixed in a single table, as I believe Salesforce.com does, using Oracle. Or each customer can be assigned their own database system and own table, as SugarCRM says it does, using MySQL.

This is not an issue that can be resolved at a glance or with a dismissive walk-off line in an Oracle OpenWorld keynote. Maybe not all multi-tenant applications are going to meet the test. When it comes to payment card industry (PCI) compliance, multi-tenant applications are deemed non-compliant, as best I know.

But from my perspective, that means the PCI standard is showing its age and is in need of revision, rather than that the multi-tenant application has been judged perpetually unsafe. As we gain insight into multi-tenant operations, its architecture will gain in best-practice implementations. It will also take over an increasing share of traditional enterprise operations.