Multitenancy – the concept of using a single (software) platform to serve multiple customers – is a key aspect of nearly every cloud computing platform. Pooling resources results in lower costs for all parties, greater efficiencies, and faster innovation for customers. Are there risks and tradeoffs with this model? Sure, but every technology paradigm has them.
In this blog post, we’ll look at some core principles for successful multitenancy, see how the CenturyLink Cloud provides tenant isolation, and review the ways that CenturyLink Cloud customers create isolation within their own account. The goal is to simply help customers understand what to look for when assessing multi-tenant environments to run their workloads, SaaS applications, and more.
Any service provider delivering a multi-tenant environment must adhere to these six commandments:
- Thou shalt isolate tenants within their own network. This one applies mainly to infrastructure-as-a-service (IaaS) providers who promise secure computing environments. Software-as-a-Service (SaaS) customers on a platform like Salesforce.com don’t face this issue directly, since they never get access to low-level network traffic. When a provider grants users virtual machine access, it has to ensure that there is no opportunity to intercept network traffic belonging to other customers.
- Thou shalt not allow tenants to see another tenant’s metadata. Sometimes metadata can be just as sensitive as transactional data! Multi-tenant service providers must make sure that customers are logically or physically walled off from seeing the settings or user-defined customizations created by other customers.
- Thou shalt encrypt data in transit AND at rest. Providers shouldn’t let their guard down just because data is within their internal network. Rather, data should always be transferred over authenticated, encrypted channels, and encrypted whenever it is stored on disk.
- Thou shalt properly clean up deleted resources. In a multi-tenant IaaS environment, there is clearly reuse. When a network is released by one customer, another can use it. When a storage volume is removed, that space on the SAN is now available for others. It’s imperative that service providers reset and clear resources (for example, zeroing a released volume) before allowing anyone else to acquire them.
- Thou shalt prevent noisy neighbors from impacting others. This phenomenon is one of the hardest problems to address in multi-tenant environments. As a user, you have no say in who *else* is using the same environment. It’s up to the service provider to make sure that one customer can’t (intentionally or unintentionally) adversely impact the performance of other customers by overwhelming the shared compute, storage, or networking resources.
- Thou shalt define and audit policies to ensure proper administration of shared environments. Let’s be honest – using a multi-tenant environment involves a bit of trust. As a customer, you have to trust that the service provider has built a platform that properly isolates each customer, and that operational staff can’t abuse their privileged access and compromise your business. However, running mission-critical apps in someone else’s multi-tenant platform requires more than blind trust; you should also be able to demand to see third-party certifications and audits that prove a mature organization is behind the platform.
Built-in Platform Isolation
With those principles in mind, how does the CenturyLink Cloud platform deliver secure isolation?
IaaS customers can create sophisticated network topologies with one or more VLANs. All of these logical networks share one large physical network, and we apply best-practice VLAN isolation to make sure that data packets stay within the appropriate VLANs. This ensures that our customers cannot intercept traffic from other customers and creates a protected barrier around your virtual hardware.
What about data? The CenturyLink Cloud makes it easy to provision terabytes of persistent storage that you can easily resize as needed. But when it comes time to delete volumes, we make sure that all virtual disks are automatically wiped so that the next customer always gets a blank volume with no way to retrieve data from the previous user. Regarding data encryption, by the end of 2014 we plan on being 100% encrypted at rest and supporting third-party tools for customers to manage their own keys.
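A provider promising wiped volumes is something a tenant can verify rather than take on faith. The following is an added example (not CenturyLink Cloud code): a client-side scan that reads a newly attached, not-yet-formatted block device and reports the offset of the first non-zero byte. A brand-new volume that passes this check contains no residue from a previous tenant; one that fails either was not wiped or is not the device you think it is. The device path, chunk size and the in-memory sample images are assumptions made for the example.

```python
"""Verify that a freshly provisioned volume reads back as all zeros.

Added example, not CenturyLink Cloud code. Assumes the provider zero-fills
released volumes, so any non-zero byte on a brand-new, unformatted volume is a
finding worth raising with the provider before the volume is put to use.
"""
import io
from typing import BinaryIO, Dict, Optional, Tuple

CHUNK = 1 << 20  # read 1 MiB at a time (assumption; tune to the device)


def first_nonzero_offset(dev: BinaryIO, chunk_size: int = CHUNK) -> Optional[int]:
    """Return the byte offset of the first non-zero byte, or None if all zero."""
    zero = bytes(chunk_size)
    offset = 0
    while True:
        buf = dev.read(chunk_size)
        if not buf:
            return None  # reached end of device without finding residue
        # Fast path: a whole-chunk comparison against a zero buffer.
        if buf != zero[: len(buf)]:
            for i, b in enumerate(buf):  # slow path only on the offending chunk
                if b:
                    return offset + i
        offset += len(buf)


def scan_bytes(data: bytes) -> Optional[int]:
    """Scan an in-memory image; convenient for testing the scanner itself."""
    return first_nonzero_offset(io.BytesIO(data))


def check_volume(path: str) -> Tuple[bool, Optional[int]]:
    """Scan a real block device, e.g. /dev/sdb (hypothetical path).

    Returns (is_blank, first_nonzero_offset). Open unbuffered so the OS
    page cache does not hide what is physically on the volume.
    """
    with open(path, "rb", buffering=0) as dev:
        off = first_nonzero_offset(dev)
    return off is None, off


def demo() -> Dict[str, Optional[int]]:
    """Constructed sample: two 4 MiB images, one blank and one with residue."""
    size = 4 * CHUNK
    clean = bytes(size)
    dirty = bytearray(size)
    # Constructed residue: the ext2/3/4 superblock magic (0xEF53, little-endian)
    # at its usual location, byte 1024 + 56, as a previous tenant's filesystem
    # would have left it.
    dirty[1080:1082] = b"\x53\xef"
    return {"clean_image": scan_bytes(clean), "dirty_image": scan_bytes(bytes(dirty))}


if __name__ == "__main__":
    print(demo())
```

A full read of a multi-terabyte volume is slow; the trade-off is to sample fixed offsets (the first and last few megabytes, where partition tables and filesystem superblocks live) and accept that a partial scan only proves the absence of obvious residue.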
As mentioned above, noisy neighbors are one of the biggest challenges for multi-tenant cloud providers to handle. The CenturyLink Cloud takes a multi-pronged approach. First, we always leave headroom on host machines and closely monitor usage to know when it’s time to scale. Second, we use features in our hypervisor platform to protect against capacity and latency bursts in CPU and disk. Our storage subsystem is built to handle multi-tenancy and provide protection against I/O bursts. Third, the network is designed to prevent any one tenant from overwhelming the firewalls, and our ample bandwidth ensures that network saturation is nearly impossible.
Finally, you can certainly just “trust us” that we do everything right. But most customers, at first anyway, trust those who audit us. Our data centers and policies are regularly reviewed and we maintain certifications and standards that prove our extreme focus on building a secure environment for your applications.
The platform itself provides built-in multi-tenancy to isolate customers, but how can you build your own isolation WITHIN your account? This is a common scenario for resellers, SaaS providers, and large enterprises who want to logically segment business units or departments. Let’s look at a few options.
One of the best ways to create isolation in your account is through sub-accounts. Sub-accounts are containers that can have unique users, permissions, billing procedures, networks, and even branding (look-and-feel). You can choose to inherit various settings from a parent account (e.g. “share parent networks”, governance limits) or treat them as completely independent resources.
Another choice? Use separate VLANs to isolate servers within an account. Consider providing users with remote access to cloud servers but only allowing a small subset of administrators to place the servers on the appropriate VLANs. This makes it possible to have project-specific VLANs where traffic is cleanly isolated from other networks in the account.
A final way to isolate users within an account is through the use of different data centers. The CenturyLink Cloud is spread across the globe, and expanding even more this year. It’s easy to spin up sub-accounts and intentionally constrain users to a chosen set of data centers. This helps you isolate accounts (and applications) to the geographies that work best for your business.
The most advanced cloud deployments depend on multi-tenant platforms. Building systems in this way isn’t easy - it takes careful upfront consideration and steady vigilance to ensure that all users get reliable, consistent performance. The CenturyLink Cloud was designed from day one to excel at multi-tenancy, and you can see that in how we’ve architected the platform and the features we expose to our customers.
Want to try it out? Spin up an account and see how our high-performing cloud can meet your needs today.
Last year, we made 12 predictions about what would happen in the cloud space in 2013. As the year comes to a close, it’s only fair for us to assess our hits and misses to see how well we did.
Recap and Scorecard
PREDICTION #1: 2013 will be the year of cloud management software.
REALITY: Hit. We saw this come true on multiple fronts. First, cloud management providers Enstratius and ServiceMesh were acquired by Dell and CSC, respectively. Tier 3 – known for the sophisticated management software that runs our IaaS – was acquired by CenturyLink. On top of this, Gartner estimates that a new vendor enters the cloud management space every month, and nearly every cloud provider is constantly beefing up their own management offerings. This shows the strategic value of comprehensive management capabilities in a cloud portfolio. Customer adoption of these platforms is also on the rise and Gartner sees 60% of Global 2000 enterprises using cloud management technology (up from 30% in 2013).
PREDICTION #2: While the largest cloud providers duke it out on price and scale, smaller cloud providers see that enterprise adoption really depends on tight integration with existing tools and processes.
REALITY: Mixed. Of course, cloud prices definitely declined in 2013 and massive scale continued to be a key selling point. Hybrid cloud picked up momentum this year as more companies looked to establish an IT landscape that leveraged on-premises assets while taking advantage of cloud scale. In order to maximize the efficiency of hybrid scenarios, companies need consistency in processes and tools. While cloud management platforms have helped with this a bit, there wasn’t a wholesale move by cloud providers to seamlessly integrate their core offerings with established products.
PREDICTION #3: Enterprises move from pilots to projects, and architecture takes a front seat.
REALITY: Hit. There’s been much less gnashing of teeth on “should I use the cloud” this year, and much more discussion about how to capitalize on the cloud. We’ve seen our customers move to more substantial solutions and ask for more sophisticated capabilities, such as self-service networking. Throughout the industry, we’re seeing more enterprise-class case studies where customers are putting mission critical workloads in the cloud. However, outages still occur on any cloud, and providers are publishing guidelines on how to properly architect for high availability. The recent AWS conference was full of sessions on architecture best practices, and developers are hungry for information about how those best practices are applied.
PREDICTION #5: Standalone, public PaaS offerings will be slow to gain enterprise adoption.
REALITY: Hit. In 2013 we saw renewed discussion on what PaaS actually is and what it SHOULD be. Longtime PaaS providers Microsoft and Google added IaaS products to their portfolio, while smaller firms like Apprenda saw success in private PaaS. Our sister company, AppFog, has launched over 100,000 apps, including some impressive enterprise deployments. Former Tier 3 colleague Adron Hall asked whether PaaS was still “a thing” or whether new container technologies like Docker were going to replace it. However, as some like our own Jared Wray and Red Hat’s Krish Subramanian have said, PaaS is about more than JUST application containers. A rich PaaS also includes the orchestration, management, and services that make it a valuable platform for web applications of any type. Either way, PaaS is still in its infancy and will continue to morph as customer scenarios take shape.
PREDICTION #6: Public goes private.
REALITY: Mixed. There were hints of this in 2013 as Amazon won a bid to build a private cloud for the CIA (and for you too if you have half a billion sitting around!), Microsoft offered a “pack” for making on-premises environments resemble their public cloud, and platforms like OpenStack gained traction as a private cloud alternative. We continued to make advances in supporting private scenarios by adding self-service site-to-site VPN capabilities to an already-robust set of connectivity options. I gave this a “mixed” score because as a whole, public cloud providers don’t yet (and may never) make it simple to run their stack in a private data center for mainstream enterprises.
PREDICTION #7: Cloud providers embrace alternate costing models.
REALITY: Hit. 2013 saw some changes to how cloud customers paid for resources. We modified our pricing to decouple some components while still making it easy to provision exactly the amount of CPU, memory and storage that you need for a given server. Google and Microsoft both launched their IaaS clouds with “per minute” pricing for compute resources. Cloud providers have yet to move to a “pay for consumption instead of allocation” model for things like storage, but overall we’ve seen a maturation of pricing considerations in 2013.
PREDICTION #8: While portability will increase at the application and hypervisor layer, middleware and environment metadata will remain more proprietary.
REALITY: Mixed. We might have been too pessimistic last year! DevOps tools have flourished in 2013 and platform adapters have made it possible to move workloads between clouds without a massive re-architecture effort. To be sure, code portability is still MUCH simpler than environment portability. Each cloud provider has their own value-added services that rarely transfer easily to other locations, and no clear IaaS standard has emerged. However, platforms like OpenStack are attempting to make cloud portability a reality, and the increasing prevalence of public APIs makes it possible for tools like Pivotal’s BOSH or Chef to orchestrate deployments in diverse provider environments.
PREDICTION #9: Global expansion takes center stage.
REALITY: Hit. One of the first questions we hear from prospective customers is “where are your data centers?” This year, almost all of the leading cloud providers expanded their footprint around the globe. For our part, we added data centers in Canada, the UK, and Germany. Now, as part of CenturyLink, we have major expansion plans in 2014.
PREDICTION #10: IaaS providers who don’t court developers get left behind.
REALITY: Hit. In 2013, Stephen O’Grady wrote that developers are the “new kingmakers” and this was reinforced by Gartner analyst Lydia Leong who wrote that IT operations no longer has a monopoly on cloud procurement. Developers are now running the show – bringing in vendors that meet their unique criteria. Consequently, a new crop of developer-centric cloud providers has popped up. While they don’t offer managed services or sophisticated resource management, they DO help developers get going quickly in the cloud. We wooed developers with new self-service capabilities, API improvements, and with new features like Autoscale and webhooks. Developers will continue to be a focus for us at CenturyLink and we plan on continuing our regular Open Source contributions!
PREDICTION #11: Clouds that cannot be remotely managed through an API will fall behind.
REALITY: Hit. APIs are the gateway to modern services and allow ecosystems to flourish. Consider the vibrant crop of cloud management platforms discussed in prediction #1. And that is just one small example. The vast majority of clouds listed in Gartner’s 2013 Magic Quadrant for Cloud Infrastructure have public, comprehensive APIs that developers can use to consume the cloud in whatever way they want. In 2013, we started an effort to replace our existing API with an even more expansive offering that offers complete parity with our industry-leading Control Portal user interface. That effort will continue into the next year. When complete, a new host of capabilities will be accessible for CenturyLink, our partners, and most importantly, our customers.
PREDICTION #12: Usability and self-service become table stakes for cloud providers.
REALITY: Mixed. In 2013, we seemed to hit the point where “clouds that aren’t really clouds” struggled as the market began to demand more. Customers expected more and more self-service capabilities, and Tier 3 – along with nearly every other major provider – focused heavily on that in 2013. Platform usability was a lesser focus this year. While new clouds from Microsoft and Google included relatively straightforward user experiences, few providers made any massive visual improvements. While the CenturyLink Cloud continues to be lauded for an easy-to-use, powerful interface, we haven’t stood still. A major redesign is underway that will surface more data, simplify activities, and improve performance.
2013 was an important year in the maturation of the cloud industry. New vendors were introduced, popular platforms were acquired, and consumption of cloud services skyrocketed. What will happen in 2014? Stay tuned for our predictions!
It’s difficult for businesses to compare so many diverse players in the cloud. To make the task a bit easier, the team at Cloud Spectator recently issued a useful report: “IaaS Performance and Value Analysis.” View it here, registration required to download.
At CenturyLink Cloud, we’ve always claimed to be a “high performance” cloud (who doesn’t?), so it is nice to see this validated by a third party. A summary of findings that brought a smile to our faces:
- #1 “Performance Leader” for overall system results
- #1 performance leader for Disk and RAM
- #2 performance leader for CPU and internal networking
My personal favorite passage:
UnixBench highlights the significant system performance difference among the top providers in the IaaS industry. The highest and lowest scorers show a difference of 4.7x in system performance; CenturyLink Cloud’s average UnixBench score is 2998, while Amazon EC2’s is 642.
For the 3rd straight year, CenturyLink Cloud was recognized by Gartner in its influential Magic Quadrant (MQ) for Cloud Infrastructure-as-a-Service [Get a free copy from CenturyLink Cloud!]. Readers of the MQ don’t just like it because it summarizes an entire industry with a single visual representation. Rather, its real value is derived from the deep analysis of vendors and market dynamics. Each year, the criteria for inclusion get tougher as the demands of enterprise customers mature. In 2013, vendors can’t simply offer a warmed-over virtualization environment and brand it a cloud.
Gartner went hands-on with our platform and came away impressed.
CenturyLink Cloud combines an excellent, highly differentiated set of features on a well-engineered platform with an easy-to-use self-service portal. It is one of the few services with both cloud-native capabilities that are attractive to developers and the governance and management features needed by large enterprises.
In fact, one of their “cautions” about our company included an important compliment. Gartner says that we “will be challenged to match the engineering resources available to the market leaders, and therefore challenged to maintain its platform lead.” We aren’t a big company, but our engineering team has accepted that challenge head on. We look forward to building on this lead in the months and years ahead.
How does Gartner see the market evolving, and what does that mean for CenturyLink Cloud and our customers?
The MQ flags important trends for enterprise customers to consider. Many of them map closely to our product strategy.
- Gartner Take: Cloud IaaS is not a commodity. All clouds are not created equal, and each cloud has its own set of value-added features. While this can limit portability between providers, the issue isn’t unique to the cloud and is an accepted aspect of most IT vendor relationships. We’re obsessed with automation and user experience, and this manifests itself through a set of services that you can’t easily get elsewhere. It needs to be easy for customers to enter – and exit – our cloud, but our product and roadmap are full of customer-driven features that make it easier to create and manage sophisticated infrastructure environments.
- Gartner Take: Hybrid cloud is not yet a reality. Gartner’s point here is simply that it’s not easy to migrate or manage servers that reside in disparate (cloud) environments. That said, from a different perspective of hybrid cloud, we’re seeing a measurable uptick in requests for deep integration between on-premises and cloud environments. Our recent introduction of self-service networking features, coupled with our VPN and Direct Connect capabilities, makes it possible for enterprises to truly treat the CenturyLink Cloud as a close-knit extension of their existing data centers – complex network topology and all.
- Gartner Take: One size does not fit all. Customer needs are far from uniform. Gartner points out that for any given workload, the priority could be performance, availability, security, customer service, ease of use, or something completely different. Not every cloud is suited for each dimension. While we like to think that we can run most any workload, we’ve optimized the platform for business applications, enterprise development and testing, ISV-to-SaaS transformation, and resellers looking to expand their portfolio of services.
- Gartner Take: IaaS can be used to run a wide range of workloads. In 2013, the cloud isn’t just a playground for prototypes. Not only is it ideal for applications architected specifically for cloud-scale, but also for existing systems that reside in corporate data centers. Our reliable cloud services are there for applications that have to scale out *or* up. We work with numerous enterprise customers who don’t have cloud-native applications but still see significant value in running them in an agile cloud environment (the most common motivation is to accelerate the transition to IT-as-a-service). In those cases, there’s a premium placed on chargebacks, reliability and management of relatively static resources.
- Gartner Take: Buying centers for IaaS are diverse. We are excited that our bet on developers as the new kingmakers is paying off. But while engineering plays a HUGE role in cloud adoption, Gartner recognizes that many cloud initiatives are led by business or IT operations. We have won several big accounts because of our sophisticated capabilities around account management, billing, rebranding, auditing, governance, and network management. Unless an organization is ONLY run by developers (like an early stage startup), there’s a need for automation and practical capabilities that reduce the human cost of using the cloud.
- Gartner Take: The cloud IaaS market is more similar to a software market than a traditional IT services market. Our interpretation: self-service and automation are critical to a successful cloud implementation. We couldn’t agree more. There’s a massive, unseen human cost to cloud that isn’t reflected in the cold costs of CPUs and RAM. Staff has to be trained to administer and manage the shared pool of resources. Automation provides the only way that an organization can successfully secure, patch, and manage their cloud environment. Our cloud services are chock full of ways to automate deployments and maintenance and we’re adding more every month!
Each year, the Gartner MQ gives IT leaders a pragmatic and unbiased way to get a handle on a very fluid industry. We’re proud of our strong showing in the last 3 editions, but don’t take Gartner’s word for it; try our cloud out for yourself! And if you love the idea of working on leading-edge technology for a hot-shot cloud company, join our team!
We generate massive amounts of data every day. Research firm IDC estimates that 90% of the world’s data was created in the last two years, and the volume of data worldwide doubles every two years. Enterprises are a key contributor to this data explosion as we produce and share digital media, create global systems that collect and generate data, and retain an increasing number of backup and archive data sets. This rapid storage growth puts pressure on IT budgets and staff who have to constantly find and allocate more usable space. CenturyLink Cloud wants to help make that easier and just launched a new Object Storage service to provide you a secure, scalable destination for business data.
What is Object Storage from CenturyLink Cloud? It’s a geo-redundant, elastic storage system for public and private digital data. Based on the innovative Riak CS Enterprise platform, Object Storage infrastructure is being deployed across three global regions: Canada, United States, and Europe. Each region consists of a pair of CenturyLink Cloud data centers that run Riak CS Enterprise on powerful, bare-metal servers. The Object Storage nodes are deployed in a “ring” configuration where data is evenly distributed across the nodes, thus assuring that your data is available even if multiple nodes go offline. When objects are loaded into one data center, they are instantly replicated to the in-country peer data center. This means that an entire data center can go offline, and you STILL will have uninterrupted access to all of your latest enterprise data.
Before diving into this new service, let’s define a few terms:
- Object. An “object” is any digital asset you store: a video that you display on your public website, a PDF file that you are sharing with a business partner, or a database backup file. A single upload is limited to 5 GB; objects larger than that are uploaded in pieces with a multi-part upload.
- Bucket. Objects are stored in buckets. A bucket is a logical container that can hold an unlimited number of objects, but not other buckets.
- Region. CenturyLink Cloud has architected Object Storage with unique clusters in three different geographies. Each geographic region has a pair of data centers that hold all of the data uploaded into that region.
- User. An Object Storage user is different from a CenturyLink Cloud platform user and is created separately. While you may create an Object Storage user to represent an individual person, you may also choose to create users that correspond to an application. For example, you may define a user leveraged by your public website that retrieves images and videos from Object Storage.
- Owner. Each bucket has an owner. This is the user that automatically has full control over the bucket and its objects.
- ACLs. Access Control Lists govern who can manage buckets and see objects. By default, Object Storage does not allow any public access to buckets or objects. If you choose, you can provide public, unauthenticated users with the ability to read individual objects. Or, you can choose specific users that have permission to add objects to buckets or view an object.
Managing Object Storage
Interacting with Object Storage is easy. We’ve added a management interface in our Control Portal for Object Storage administrators. From here, you can view a list of users, add new users, and reset user credentials.
The Control Portal also has a bucket administration component where you can view, create, secure, and delete buckets.
Each bucket can have its own security profile. For a bucket such as “website media”, you may let “All Users” have read access to its objects. For buckets set up to exchange large files with business partners, you would likely add read and write permissions for a user representing the chosen partner.
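The ACL model in the definitions above and the two bucket profiles just described (a public-read media bucket and a partner exchange bucket with a named writer) are worth seeing as executable rules, because the default-deny behaviour and the owner's implicit full control are exactly what a misconfiguration review has to confirm. The following is an added example, not CenturyLink Cloud or Riak CS code: a small in-memory model of the described semantics using the S3 grant vocabulary (READ, WRITE, FULL_CONTROL, the AllUsers group) that the service is described as compatible with. Users, bucket names and object contents are constructed for the example; the real service's portal and API are not shown on this page.

```python
"""In-memory model of the bucket/object ACL rules described in the post.

Added example, not CenturyLink Cloud or Riak CS code. Rules modelled:
default deny; bucket owner has full control over the bucket and its objects;
public (AllUsers) READ can be granted per object; named users can be granted
WRITE on a bucket to add objects or READ on an object to view it.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

ALL_USERS = "AllUsers"  # S3 group grantee: anyone, including unauthenticated callers
READ, WRITE, FULL_CONTROL = "READ", "WRITE", "FULL_CONTROL"


@dataclass
class Acl:
    """An owner plus explicit grants; anything not granted is denied."""
    owner: str
    grants: Dict[str, Set[str]] = field(default_factory=dict)

    def permits(self, caller: Optional[str], perm: str) -> bool:
        if caller is not None and caller == self.owner:
            return True  # the owner implicitly holds FULL_CONTROL
        perms: Set[str] = set(self.grants.get(ALL_USERS, ()))
        if caller is not None:  # anonymous callers only ever get AllUsers grants
            perms |= self.grants.get(caller, set())
        return FULL_CONTROL in perms or perm in perms

    def grant(self, grantee: str, perm: str) -> None:
        self.grants.setdefault(grantee, set()).add(perm)


@dataclass
class StoredObject:
    acl: Acl
    data: bytes


@dataclass
class Bucket:
    acl: Acl
    objects: Dict[str, StoredObject] = field(default_factory=dict)


class ObjectStore:
    def __init__(self) -> None:
        self.buckets: Dict[str, Bucket] = {}

    def create_bucket(self, owner: str, name: str) -> None:
        self.buckets[name] = Bucket(acl=Acl(owner=owner))  # private by default

    def put_object(self, caller: Optional[str], bucket: str, key: str, data: bytes) -> None:
        b = self.buckets[bucket]
        # Never accept anonymous writes, even if AllUsers were granted WRITE:
        # every object needs an accountable owner.
        if caller is None or not b.acl.permits(caller, WRITE):
            raise PermissionError(f"{caller!r} may not write to {bucket}")
        b.objects[key] = StoredObject(acl=Acl(owner=caller), data=data)  # new objects are private

    def get_object(self, caller: Optional[str], bucket: str, key: str) -> bytes:
        b = self.buckets[bucket]
        obj = b.objects[key]
        # The bucket owner controls everything in the bucket; others need an object grant.
        if caller != b.acl.owner and not obj.acl.permits(caller, READ):
            raise PermissionError(f"{caller!r} may not read {bucket}/{key}")
        return obj.data

    def grant_bucket(self, caller: str, bucket: str, grantee: str, perm: str) -> None:
        b = self.buckets[bucket]
        if not b.acl.permits(caller, FULL_CONTROL):
            raise PermissionError("only the bucket owner may change bucket ACLs")
        b.acl.grant(grantee, perm)

    def grant_object(self, caller: str, bucket: str, key: str, grantee: str, perm: str) -> None:
        b = self.buckets[bucket]
        obj = b.objects[key]
        if caller != b.acl.owner and not obj.acl.permits(caller, FULL_CONTROL):
            raise PermissionError("only the object or bucket owner may change object ACLs")
        obj.acl.grant(grantee, perm)


def _attempt(fn: Callable, *args) -> str:
    try:
        fn(*args)
        return "allowed"
    except PermissionError:
        return "denied"


def demo() -> Dict[str, str]:
    """Constructed scenario mirroring the two bucket profiles in the text."""
    store = ObjectStore()
    store.create_bucket("media-admin", "website-media")
    store.put_object("media-admin", "website-media", "logo.png", b"\x89PNG constructed")
    store.put_object("media-admin", "website-media", "draft.png", b"\x89PNG constructed")
    store.grant_object("media-admin", "website-media", "logo.png", ALL_USERS, READ)
    store.create_bucket("media-admin", "partner-exchange")
    store.grant_bucket("media-admin", "partner-exchange", "acme-partner", WRITE)
    return {
        "anon reads public logo": _attempt(store.get_object, None, "website-media", "logo.png"),
        "anon reads private draft": _attempt(store.get_object, None, "website-media", "draft.png"),
        "anon uploads to media bucket": _attempt(store.put_object, None, "website-media", "x", b""),
        "partner uploads report": _attempt(store.put_object, "acme-partner", "partner-exchange", "q3.pdf", b"%PDF"),
        "partner reads website draft": _attempt(store.get_object, "acme-partner", "website-media", "draft.png"),
        "owner reads partner report": _attempt(store.get_object, "media-admin", "partner-exchange", "q3.pdf"),
        "partner changes bucket acl": _attempt(store.grant_bucket, "acme-partner", "partner-exchange", ALL_USERS, READ),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The two decisions to check in a real review are the ones this model makes explicit: an AllUsers READ grant makes a single object world-readable (so it must be granted deliberately, object by object), and a WRITE grant on a bucket lets the grantee add objects but gives them no ability to read other people's objects or to widen the bucket's ACL.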
It’s unlikely that you’ll only use a single interface to interact with your data objects. Thanks to the inherent S3 compatibility offered by Riak CS Enterprise, you don’t have to! There is an entire ecosystem of tools for working with object storage that support an Amazon S3-like interface. Want to use a client tool to upload and delete objects? Then check out a utility like the freemium S3 Browser where you can plug in your Object Storage user credentials (and CenturyLink Cloud Object Storage URL) and manage buckets AND objects.
Looking to mount Object Storage as a drive on your database server so that you can easily create and restore backups? Look to a product like ExpanDrive which makes it easy to add Object Storage as a storage volume.
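What makes tools like these interchangeable is that every S3-compatible client authenticates the same way: each request carries an Authorization header derived from the user's secret key, and the secret itself never goes on the wire. The following is an added example, not code from CenturyLink Cloud, Riak CS, S3 Browser or ExpanDrive: it builds that header with AWS Signature Version 2, the HMAC-SHA1 scheme that the S3 API of this period and Riak CS accepted (that the endpoint accepts Signature V2 is an assumption). The access key, secret key, bucket and timestamp are the worked example values from Amazon's own S3 authentication documentation so the result can be checked; the endpoint hostname is a placeholder.

```python
"""Produce the Authorization header for an S3-compatible REST request (AWS Signature V2).

Added example, not code from any vendor named on the page. Assumes the
object storage endpoint accepts Signature Version 2 (HMAC-SHA1 over a
canonical string), as S3 and Riak CS did in 2013. Credentials below are the
published AWS documentation example values, not real keys.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional

ENDPOINT = "objectstorage.example.invalid"  # placeholder hostname, not a real service URL


def canonical_amz_headers(headers: Dict[str, str]) -> str:
    """Lower-cased, sorted 'x-amz-*' headers, each terminated by a newline."""
    amz = {k.lower().strip(): v.strip() for k, v in headers.items()
           if k.lower().startswith("x-amz-")}
    return "".join(f"{name}:{amz[name]}\n" for name in sorted(amz))


def canonical_resource(bucket: str, key: str, subresource: Optional[str] = None) -> str:
    """Path-style resource: '/bucket/key', plus '?acl' style sub-resources."""
    res = f"/{bucket}/{key}"
    return f"{res}?{subresource}" if subresource else res


def string_to_sign(method: str, bucket: str, key: str, headers: Dict[str, str],
                   subresource: Optional[str] = None) -> str:
    h = {k.lower(): v for k, v in headers.items()}
    # If x-amz-date is present it is signed via the amz headers and the
    # Date position in the string is left empty.
    date = "" if "x-amz-date" in h else h.get("date", "")
    return ("\n".join([method, h.get("content-md5", ""), h.get("content-type", ""), date])
            + "\n" + canonical_amz_headers(headers)
            + canonical_resource(bucket, key, subresource))


def sign(secret_key: str, sts: str) -> str:
    mac = hmac.new(secret_key.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def authorization_header(access_key: str, secret_key: str, method: str, bucket: str,
                         key: str, headers: Dict[str, str],
                         subresource: Optional[str] = None) -> str:
    """Value for the Authorization header: 'AWS <access key>:<signature>'."""
    return f"AWS {access_key}:{sign(secret_key, string_to_sign(method, bucket, key, headers, subresource))}"


def signed_request(access_key: str, secret_key: str, method: str, bucket: str, key: str,
                   headers: Dict[str, str]) -> Dict[str, str]:
    """Headers a client would actually send (path-style addressing against ENDPOINT)."""
    out = {"Host": ENDPOINT, **headers}
    out["Authorization"] = authorization_header(access_key, secret_key, method, bucket, key, headers)
    return out


if __name__ == "__main__":
    # Values from the AWS S3 documentation's "Example Object GET" (example credentials).
    hdrs = {"Date": "Tue, 27 Mar 2007 19:36:42 +0000"}
    print(string_to_sign("GET", "johnsmith", "photos/puppy.jpg", hdrs))
    print(signed_request("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                         "GET", "johnsmith", "photos/puppy.jpg", hdrs))
```

Two caveats follow directly from what is signed. The request body is not part of the signature unless the client sends a Content-MD5 header, so a client that omits it lets a network attacker swap the uploaded bytes; and the only replay protection is the Date (or x-amz-date) field, which S3-style servers accept within a 15-minute window. Both are reasons to only ever point these tools at an HTTPS endpoint, and to treat the Object Storage user credentials you paste into them like any other long-lived secret: one user per application, rotated via the Control Portal's credential reset when staff or partners change.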
CenturyLink Cloud is among the first cloud providers to offer native, geo-redundant object storage and we’re excited to see how our customers use this to escape the burden of endless provisioning of on-premises storage! Our Canada region is live today, with the United States and Europe following closely. Existing customers can get started right away, and new customers can take Object Storage for a spin by signing up today.