Multi-tenancy — multiple customers sharing a pool of computing resources

Questions 46 to 48 — check if the provider has security controls for virtualisation and separating customer data, and will allow you to test its access controls.

Questions 46 to 48 — multi-tenancy

Table 1 lists who is responsible for answering each question. Both your government organisation and the service provider need to answer question 48.

Record your answers to these questions in either:

Questions to answer

  46. Will the service provider allow the government organisation to review a recent third-party audit report that includes an assessment of the security controls and practices related to virtualisation and separation of customer data?
  47. Will the service provider permit customers to undertake security testing, including penetration tests, to assess the efficacy of the access controls used to enforce separation of customer data?
  48. Do the service provider’s processes for customer registration provide an appropriate level of assurance in line with the value, criticality and sensitivity of the information to be placed in the public cloud service?

Table 1: Who answers each question

| Entity | Questions to answer |
| --- | --- |
| Government organisation | 48 |
| Service provider | 46, 47, 48 |

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

  • direct communication with the provider
  • the provider’s policies and audit reports on their website
  • previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

  • the provider does not give you their answers or other information you need for your risk assessment
  • you cannot get acceptable third-party assurance
  • there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — New Zealand Information Security Manual

Context and help for questions 46 to 48

The following guidance gives you context and help for answering questions about multi-tenancy — customers sharing a pool of computing resources.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

  • an all-of-government agreement
  • a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at ictassurance@dia.govt.nz.

Resource pooling

The resource-pooling characteristic of public cloud services means there is typically some form of multi-tenancy — multiple customers are sharing a pool of computing resources.

Essential characteristics of cloud services

Benefit of resource pooling

Resource pooling allows service providers to deliver their services at lower costs than traditional delivery models for information technology systems.

Security for resource pooling

The risks of multi-tenancy are typically related to either:

  • infrastructure virtualisation, or
  • data commingling — data being stored in a way that could make it accessible by other customers.

Virtualisation is the base upon which software runs. This base is the simulation of either:

  • software
  • hardware, or
  • both.

Virtualisation allows information systems to be abstracted from the underlying hardware using a hypervisor.

A hypervisor is a specialised operating system that allows server hardware to run multiple guest operating systems at the same time.

Access to other customers’ information

A malicious party could exploit a vulnerability within the hypervisor to gain access to other customers’ information. This could be done, for example, through attacks that are:

  • guest-to-host
  • guest-to-guest.

Snapshots of a server’s memory and disk

Virtualisation has made it easy to take a snapshot. This is a copy of a running server’s memory and disk at a point in time for:

  • backup
  • redundancy.

If the snapshots are not protected well, a malicious party may be able to gain unauthorised access to the:

  • information stored on the virtual machine’s local drives
  • encryption keys and data stored in its memory.

Protect snapshots

For the virtualisation environment, find out:

  • its architecture
  • how it’s implemented — that is, put into use
  • how the service provider manages and monitors it.

These details, along with the practices for patch and vulnerability management, help government organisations to put the proper information security controls in place.

Patch and vulnerability management

Platform, Infrastructure and other types of service models

The customer with the weakest security practices and controls may determine the security of the entire environment for:

This is called the problem of the lowest common denominator.

Example of the lowest-common-denominator problem

Another customer, a co-tenant, does not harden its operating systems and applications. As the lowest common denominator, that co-tenant could define the security of the public cloud service.

To stop this from happening, the service provider needs to have the right controls in place to isolate customers’ virtual machines and networks from each other.

Software and Platform service models

Data is usually commingled within the application, database and backup media for:

SaaS and PaaS services use logical controls to isolate access to each customer’s data within the:

  • application or platform
  • supporting infrastructure.

Logical controls place complete reliance on the quality of the design, implementation and enforcement of access controls within the platforms and applications.

On-demand self-service

This characteristic of public cloud services, on-demand self-service, can introduce security concerns. The registration processes to become a customer are not always robust in confirming a customer’s identity — for example, web-based self-registration.

A malicious party can register for a service to then use it for malicious or fraudulent activities. This can include attempts to subvert the access controls to gain unauthorised access to other customers’ data.

A government organisation must be sufficiently assured that other customers using a public cloud service cannot subvert the service provider’s controls to gain access to the organisation’s data.

Third-party audit reports and penetration testing

There is a strong dependency on third-party audit reports and penetration testing.

The as-a-service nature of public cloud often means a lack of transparency around the security controls and practices that the service provider has in place to protect their customers’ data.

Make sure the service provider:

  • is willing to make third-party audit reports available to you
  • has credible third-party reports
  • allows you to undertake your own security testing — including penetration tests.
