You have to hand it to the Rolling Stones. They foretold the current debate over…
Multi-tenant cloud computing has been growing at a phenomenal rate. According to IHS Technology, global multi-tenant data center revenue totaled $4 billion, and is expected to grow another 8.4% in 2016. However, in finance, where security and compliance requirements are strict, architecture is a crucial factor and not every multi-tenant cloud solution is suitable. Here’s what you need to know.
The Basics of Multi-Tenant Cloud Computing
In multi-tenant cloud computing, multiple groups of users (tenants) share resources in a common set of hardware. Tenants may or may not have separate application stacks, but all multi-tenant clouds share compute, along with some degree of software architecture.
Some people define the term “multi-tenant cloud computing” narrowly. In this model, a system is considered multi-tenant only if every tenant runs on the same application instance and database. Usually, each tenant has its own login and its own stored data. Tenants can also have a branded UI and individual settings, but they are all running on the same underlying software.
Webmail services like Gmail are multi-tenant in this sense. Each organization has its own domain, but the service provider runs a single instance of the program for all users, or one instance per group of users (usually numbering in the thousands).
However, in a multi-tenant data center, customers may be running completely separate virtual environments. They will be on the same servers with the same networking, firmware and other basic infrastructure, but each will run their own OS and application stack.
A better way to conceptualize the multi-tenant cloud is to talk about degrees of multi-tenancy: how much software architecture the tenants share. Nearly all clouds are at least somewhat multi-tenant in this sense, because users share some level of software functionality. Systems where tenants share an application and database are more multi-tenant than those sharing only a platform, which in turn are more multi-tenant than those sharing only infrastructure.
Software multi-tenancy isn’t the same as virtualization. A virtualized system runs multiple copies; they may be identical copies, but each is logically independent. So if two companies shared a server and each had its own virtual machine running an SAP HANA® cloud instance, the server would be multi-tenant, but the SAP HANA instances would not be.
The Benefits of Multi-Tenant Cloud Computing
The most obvious benefit of multi-tenancy is cost. In a multi-tenant data center, the provider saves money through economies of scale. Hardware, infrastructure staffing and DR are cheaper to provide from a massive server farm than to tailor an individual cloud for each customer. This also cuts costs for higher-end enterprise cloud providers offering IT managed services like workload balancing, DR and patching.
Multi-tenant cloud computing at the infrastructure level also allows a lot of flexibility for certain workloads. Users can spin up new resources almost without limit whenever they need the compute. This is an asset for R&D, and it can keep demand surges from overwhelming resources.
At the application level, multi-tenant cloud computing is also a cost saver. Rather than running thousands of environments, the service provider only has to operate one, cutting resource use. The approach also decreases labor. Patches and updates take less time and work, and the provider doesn’t have to maintain multiple older versions of the software for customers who haven’t updated yet. All of that cuts costs — usually for the customer as well as the operator.
This model may also alleviate some security and stability concerns, particularly for smaller companies that don’t have extensive IT resources. Single-tenant enterprise software usually leaves patching to the customer, and it takes expertise to configure the system properly. With multi-tenant cloud computing, configuration is simpler, and users can rely on the provider to patch vulnerabilities, which makes the provider’s patch cadence something worth verifying before you sign.
By freeing up the service provider, application-level multi-tenant cloud computing can lead to faster innovation. Companies can concentrate on developing and optimizing new features or innovating UI and workflow, rather than supporting a diverse range of custom environments. This is great for tasks like catalog management, where companies won’t require a high degree of specialization. It can also be an appealing model for cloud computing in finance — particularly for SMBs, which don’t need more functionality than off-the-shelf accounting and financial management software provides.
Finally, aggregated performance data may lead to better performance and user satisfaction at all levels of multi-tenancy. The provider can benchmark metrics like end-user response time across many customers. This can result in fast, stable performance without clients having to monitor and tune the application in-house.
Compliance and the Multi-Tenant Cloud
In finance, organizations are required to put rigorous controls in place to protect data. Regimes like PCI DSS impose strict hardware and software controls, including data segregation, which makes some multi-tenant clouds unsuitable for certain types of data. A properly configured enterprise cloud or managed private cloud can be made to comply with these regimes. The same can’t always be said of the commodity cloud, or of multi-tenant applications.
The PCI SSC’s cloud computing guidelines are strict about ensuring cardholder data isn’t compromised. Neighboring tenants are considered untrusted: if your data sits on the same server or cluster as a poorly secured neighbor, an attacker could potentially use the neighbor’s weak security as a path to yours.
The standard way to address this is physical, logical and network separation of data. Ideally, cardholder data sits on its own server, with strict access control policies to prevent it from being attacked, along with encryption, monitoring and other security measures.
PCI DSS doesn’t technically require this physical separation, but it’s very difficult to meet the requirements without it. If the cloud service provider doesn’t meet PCI standards for separating data, the environment is considered “non-segmented,” putting all of the data in scope and increasing the regulatory risk and burden. Multi-tenant applications are even less likely to be adequately segmented: where tenants share a single database management system, it is very hard to show that one tenant’s cardholder data is isolated from the others’.
Software-level multi-tenant cloud computing in finance also poses a challenge to companies subject to Sarbanes-Oxley compliance. Financial executives are legally responsible for assuring regulators that the financials are accurate and that all procedures are followed, which indirectly makes them responsible for change management. When an application is updated, its behavior can change, potentially creating compliance issues. Enterprises normally audit proposed updates, document the changes and retrain workers to minimize the compliance risk.
However, when updates are pushed out automatically, you don’t have the chance to do any of this. In a major update, your workers may already be using substantially different applications before management is even fully aware of the changes. And even more importantly, if you find the new changes unacceptable, there may be no way to opt out without completely shutting down operations until you can migrate.
Multi-tenant cloud computing can be very secure if it’s properly implemented and managed. Particularly in a managed service situation, it can be safer than on-premises, since onsite IT teams typically lack the time and expertise to provide adequate cyber security.
A lot of the fear around multi-tenant cloud computing comes from the mistaken belief that multi-tenant servers “mix data together.” That isn’t the case in a properly configured cloud. Each tenant runs in a virtual machine (VM), essentially a smaller computer defined in software within the server, with its own share of memory and processing. Tenants only have access to their virtual environment, not to the hardware. A tenant can’t ask the server for another company’s data stored elsewhere on the server or in the data center; it can only read the data on its own VM. That boundary is enforced by the hypervisor, so it is only as strong as the hypervisor’s configuration and patch level, which is one more thing to verify in a provider.
Data should also be encrypted. Encryption scrambles data using a secret value called the key, known only to a designated user or recipient. Without the key, a malicious user can’t read the data: even if they somehow gain access to it, all they see is a string of meaningless characters. The practical question is who holds the key. If the provider manages it, anyone who compromises the provider’s key store can read the data, so ask how keys are generated, stored and separated between tenants.
Network security architecture best practices also protect data from outside threats using Access Control Lists (ACLs): ordered rules that specify which sources may reach which destinations, ports and protocols. High-security zones are restricted by stringent rules that deny everything not explicitly permitted, while less sensitive areas such as public-facing web servers allow broader access.
Managed cyber security services can also reduce the risk of a breach by hardening the environment. The security and compliance team reviews your network and reduces your attack surface (the number of places an attacker could try to gain access). In an ERP landscape such as an SAP HANA cloud, unused services are a risk: they may be left running without proper configuration, patching or monitoring, giving an attacker a way into the network. Finding and disabling them closes that door and makes it much less likely a malicious actor can penetrate your network.
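Two of the controls above, ACLs and the hunt for forgotten listeners, are mechanical enough to show in code. The example below is added here and is not from the original article or from any Symmetry tooling. The first half evaluates a network ACL the way a packet filter does (top-down, first match wins, implicit deny), and the second half audits the listening sockets of a Linux host, in the text format of `ss -lntp`, against an allowlist. The subnets, ports, process names and the `ss` output are all constructed for the example.

```python
"""Added example: first-match ACL evaluation and a listening-service audit.
All addresses, ports, process names and the sample `ss` output are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port, None = any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.port is not None and rule.port != pkt.port:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Action of the first matching rule; anything unmatched is denied (default deny)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed zones: a public web tier (10.0.1.0/24), an application subnet
# (10.0.2.0/24) and a cardholder-data zone (10.0.9.0/24) holding the database.
WEB_TIER_ACL = [
    Rule("allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", 443),
    Rule("allow", "0.0.0.0/0", "10.0.1.0/24", "tcp", 80),
]
CDE_ACL = [
    # Only the application subnet may reach the database port; the explicit
    # catch-all deny makes the intent visible to an auditor.
    Rule("allow", "10.0.2.0/24", "10.0.9.0/24", "tcp", 5432),
    Rule("deny", "0.0.0.0/0", "10.0.9.0/24", "any", None),
]

# ---- listening-service audit -------------------------------------------------
# port -> (expected process, may it bind to all interfaces?). Assumed allowlist.
ALLOWLIST: Dict[int, Tuple[str, bool]] = {
    22: ("sshd", True),
    443: ("nginx", True),
    5432: ("postgres", False),   # database should bind to loopback or the app subnet only
}
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(output: str) -> List[Tuple[str, int, str]]:
    """Return (bind_address, port, process) for each LISTEN row of `ss -lntp` text."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)      # handles "[::]:111" as well
        m = _PROC_RE.search(line)
        rows.append((addr, int(port), m.group(1) if m else "?"))
    return rows


def audit(output: str) -> List[str]:
    """One finding per listener that is not explicitly allowed, or is bound too widely."""
    findings = []
    for addr, port, proc in parse_ss(output):
        expected = ALLOWLIST.get(port)
        if expected is None:
            findings.append(f"unexpected listener {proc} on {addr}:{port}")
            continue
        want_proc, may_bind_all = expected
        if proc != want_proc:
            findings.append(f"port {port} owned by {proc}, expected {want_proc}")
        if not may_bind_all and addr in ("0.0.0.0", "*", "[::]", "::"):
            findings.append(f"{proc} on port {port} is bound to all interfaces")
    return findings


SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      244    0.0.0.0:5432        0.0.0.0:*         users:(("postgres",pid=990,fd=5))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("java",pid=1444,fd=22))
LISTEN 0      128    [::]:111            [::]:*            users:(("rpcbind",pid=600,fd=4))
"""

if __name__ == "__main__":
    print(evaluate(CDE_ACL, Packet("10.0.1.10", "10.0.9.5", "tcp", 5432)))  # web tier may not hit the DB
    for finding in audit(SAMPLE_SS):
        print(finding)
```

Rule order matters in the ACL half: if the catch-all deny in `CDE_ACL` were listed first it would shadow the allow, which is why ACL reviews check ordering as well as content. In the audit half, the findings (a forgotten port 8080 service, `rpcbind`, and a database bound to every interface) are exactly the “unused or unconfigured service” class the text describes; on a real host you would feed it the live output of `ss -lntp` and keep the allowlist under change control.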
Cloud computing in finance can be a particular benefit if you have a partner with adequate breadth of services and experience. The right cloud provider can offer a secure data center footprint, with access control and monitoring SMBs can’t afford to implement in-house. The provider should also implement security and compliance monitoring, including 24-hour incident detection and response. Hackers typically spend months probing ERP before they find a way inside, and months more expanding access inside the network. A vigilant cyber security team can usually stop a major threat long before it becomes a potential breach.
However, that doesn’t mean all multi-tenant cloud computing environments are safe. Multi-tenant financial applications gather a lot of valuable information in one place, making a tempting target for hackers. Additionally, thousands of customers may share access to one database and application stack. That doesn’t necessarily mean your data isn’t safe — if it did, webmail would have never taken off. But it does mean you have to carefully weigh the risks, and verify that the provider has adequate controls in place.
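When thousands of customers share one database and application stack, the control that decides whether “your data isn’t safe” is whether every query the application runs is scoped to the calling tenant. The example below is added here and is not from the original article or from any product it mentions; it uses SQLite with a constructed invoices table and tenant names to show the classic unscoped lookup beside its tenant-scoped form.

```python
"""Added example: tenant scoping in a shared-database application.
Schema, tenant names and rows are constructed for the example."""
import sqlite3
from typing import Optional, Tuple


def build_db() -> sqlite3.Connection:
    """One shared table for every tenant, distinguished only by tenant_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount_cents INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [
        (1, "acme", 125000),
        (2, "acme", 9900),
        (3, "globex", 4200000),
    ])
    return conn


def get_invoice_unscoped(conn: sqlite3.Connection, invoice_id: int) -> Optional[Tuple]:
    """The cross-tenant flaw: the lookup trusts the id from the request alone,
    so any tenant who guesses another tenant's invoice id can read it."""
    return conn.execute(
        "SELECT id, tenant_id, amount_cents FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def get_invoice(conn: sqlite3.Connection, tenant_id: str, invoice_id: int) -> Optional[Tuple]:
    """Hardened form: tenant_id comes from the authenticated session (never from
    the request body) and is part of every predicate, so a foreign id returns nothing."""
    return conn.execute(
        "SELECT id, tenant_id, amount_cents FROM invoices WHERE id = ? AND tenant_id = ?",
        (invoice_id, tenant_id),
    ).fetchone()


def tenant_total(conn: sqlite3.Connection, tenant_id: str) -> int:
    """Aggregates need the same scoping; without the predicate this would sum every tenant."""
    (total,) = conn.execute(
        "SELECT COALESCE(SUM(amount_cents), 0) FROM invoices WHERE tenant_id = ?",
        (tenant_id,),
    ).fetchone()
    return total


if __name__ == "__main__":
    db = build_db()
    # A session for "acme" asks for invoice 3, which belongs to "globex".
    print(get_invoice_unscoped(db, 3))      # leaks globex's row
    print(get_invoice(db, "acme", 3))       # None: correctly refused
    print(tenant_total(db, "acme"))
```

Parameterized queries are used throughout, so the point here is not injection but the missing tenant predicate: the two functions differ by a single `AND tenant_id = ?`, and that difference is what a due-diligence review of a multi-tenant financial application should be asking about, along with whether the database itself enforces it (per-tenant schemas or row-level policies) rather than relying on every developer remembering the clause.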
Other Requirements of Cloud Computing in Finance
Financial computing clouds need high reliability and consistent performance, particularly in high-speed trading and other areas that depend on a high volume of quick transactions. One widely cited estimate holds that, for a high-speed trading firm, cutting latency (wait time) by just 1 millisecond can boost annual profits by $100 million.
High power processors aren’t enough alone; cloud computing in finance also needs the ability to store, retrieve and analyze data efficiently. And as big data continues to grow, the power to maintain vast amounts of information for actionable insight is becoming key to staying competitive in the financial industry.
The financial cloud can help with all of these needs. A well-designed enterprise cloud allows organizations to leverage a degree of server and network performance and raw power they wouldn’t be able to sustain onsite. Partner expertise can also help enterprises plan an optimal cloud and IT infrastructure, run it efficiently, and plan an ongoing upgrade strategy that minimizes disruption and maximizes competitive advantage.
However, not all multi-tenant cloud computing is suitable for the needs of financial enterprises. The public cloud often suffers from mediocre reliability and performance that fluctuates with other tenants’ usage, which can slow a financial business down just when the market demands quick action. Your provider should have explicit SLAs, and should keep at least 20% of its capacity in reserve so that demand surges don’t bring everything to a crawl.
Additionally, cloud computing in finance can sink or swim on the quality of disaster recovery and high availability. Companies need to be aware that cloud disaster recovery will only assure the company’s survival if its recovery time objective (RTO, how long restoration may take) and recovery point objective (RPO, how much recent data may be lost) match what the business can tolerate.
Your provider should be able to offer virtually any recovery timetable you need at a reasonable rate, down to 10-minute failovers. They should also test failovers regularly and have a dedicated team available to restore your system quickly in the event of a failure. Quick failovers aren’t worth much if you have to spend two hours navigating help menus to start the process.
Finding the Best Fit Financial Cloud
There’s no single cloud that will solve every financial organization’s problems, or even solve one organization’s problems at every stage of the business lifecycle. A simple, low cost solution that might be great for a financial startup could easily hold a more seasoned organization back or expose it to unnecessary security and compliance risks. Ultimately, financial organizations will benefit from an evolving combination of public cloud and managed private cloud strategies, furnished by a partner that understands both compliance and technical requirements for a financial organization.
Symmetry provides complete IT solutions for enterprise finance, from brainstorming through building, running and upgrading a best-fit cloud. Our IT consulting services will work with you to assess your current and future needs and build a cloud strategy to get there.
Our consultants draw on a broader array of skills and deeper wealth of industry experience than nearly any other enterprise cloud provider. That allows us to address all aspects of your IT landscape, including the security and compliance needs that are so crucial for cloud computing in finance. With tools like ControlPanelGRC®, and our 24/7/365 intrusion detection service, we can spot both compliance issues and threats in real time, allowing your organization to fix potential problems before they become actual breaches.
Contact us to learn more about how we can help your financial organization build a winning cloud solution.