
Monday, 6 August 2018

Cloud Hosting Architecture: Tenant Isolation

Cloud Vendors Compromised

Given the number of backchannels we are a part of, we get to hear horror stories where Cloud Vendors are compromised in some way or get hit by an encryption event that takes their client/customer-facing systems out.

When we architect a hosting system for a hosting company looking to deploy our solutions in their hosting setup, or to set up an entirely new hosting project, there are some very important elements to our configuration that would help to prevent the above from happening.

A lot of what we have put into our design is very much a result of our experiences on the frontlines with SMB and SME clients.

One blog post that provides some insight: Protecting a Backup Repository from Malware and Ransomware.

It is absolutely critical to isolate and off-site any and all backups. We've also seen a number of news items of late where a company is completely hosed as a result of an encryption event or other failure only to find out the backups were either wiped by the perps or no good in the first place.

Blog Post: Backups Should Be Bare Metal and/or Virtually Test Restored Right?

The full bare metal or virtual restore is virtually impossible at hyper-scale. That said, we've seen backups done in some hyper-scale cloud vendors' environments prove to be restorable, while in others they were a complete failure!

However, that does not excuse the cloud customer or their cloud consultancy from making sure that any and all cloud based services are backed up _off the cloud_ and air-gapped as a just-in-case.

Now, to the specific point of this blog post.

Tenant Isolation Technique

When we set up a hosting solution we aim to provide maximum security for the tenant. That's the aim as they are the ones that are paying the bills.

To do that, the hosting company needs to provide a series of layered protections for tenant environments.

  1. Hosting Company Network
    • Hosting company AD
    • All hosting company day-to-day operations
    • All hosting company on-premises workloads specific to company operations and business
    • Dedicated hosting company edges (SonicWALL, etc.)
  2. Tenant Infrastructure Network
    • Jump Point for managing via dedicated Tenant Infrastructure AD
    • High Availability (HA) throughout the solution stack
    • Dedicated Tenant Infrastructure HA edges
      • Risk versus Reward: Could use the above edges but …
    • Clusters, servers, and services providing the tenant environment
    • Dedicated infrastructure switches and edges
    • As mentioned, backups set up and isolated from all three!
  3. Tenant Environment
    • Shared Tenant AD is completely autonomous
    • Shared Tenant Resources such as Exchange, SQL, and more are appropriately isolated
    • Dedicated Tenant AD is completely autonomous
    • Dedicated Tenant Resources such as Exchange, SQL, and more are completely isolated to the tenant
    • Offer a built-in off-the-cloud backup solution

With the solution architected in this manner we protect the boundaries between the Hosting Company Network and the Tenant Environment. This makes it extremely difficult for a compromise/encryption event to make the boundary traversal without some sort of Zero Day involved.
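The boundaries described above can be checked against an exported list of allowed flows. The following is an added example, not part of the original post: the host names and flow lists are constructed, and it assumes the jump point is the only sanctioned entry into the Tenant Infrastructure Network and that the backup repository pulls data rather than accepting inbound connections.

```python
from collections import deque

# Constructed inventory: host -> zone. Zones follow the post's three layers
# plus the isolated backups; every host name here is hypothetical.
ZONE = {
    "hc-ws01": "hosting", "hc-dc01": "hosting",
    "ti-jump01": "tenant_infra", "ti-hv01": "tenant_infra",
    "ti-mon01": "tenant_infra", "bk-repo01": "backup",
    "te-exch01": "tenant_env", "te-sql01": "tenant_env",
}
JUMP_POINTS = {"ti-jump01"}  # assumption: only sanctioned entry into tenant infra

# Constructed allowed-flow lists as (source, destination) pairs.
GOOD = [("hc-ws01", "hc-dc01"), ("hc-ws01", "ti-jump01"), ("ti-jump01", "ti-hv01"),
        ("ti-hv01", "te-exch01"), ("bk-repo01", "ti-hv01"), ("te-exch01", "te-sql01")]
BAD = GOOD + [("hc-ws01", "ti-mon01"), ("ti-mon01", "te-sql01"), ("ti-hv01", "bk-repo01")]

def cross_zone_violations(flows):
    """Flag individual flows that break the layered boundaries."""
    bad = []
    for src, dst in flows:
        s, d = ZONE[src], ZONE[dst]
        if s == d:
            continue
        if d == "backup":  # assumption: the repository pulls, nothing pushes in
            bad.append((src, dst, "inbound to isolated backup"))
        elif {s, d} == {"hosting", "tenant_env"}:
            bad.append((src, dst, "hosting/tenant boundary crossed directly"))
        elif s == "hosting" and d == "tenant_infra" and dst not in JUMP_POINTS:
            bad.append((src, dst, "bypasses jump point"))
    return bad

def blast_radius(flows, start):
    """Hosts reachable from `start`. Traversal stops at a jump point because
    going further needs separate Tenant Infrastructure AD credentials."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node in JUMP_POINTS and node != start:
            continue
        for src, dst in flows:
            if src == node and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def zones_exposed(flows, start):
    """Zones other than the starting one that an event at `start` can reach."""
    hosts = blast_radius(flows, start) - JUMP_POINTS
    return {ZONE[h] for h in hosts} - {ZONE[start]}
```

The per-flow check catches obvious rule breaks, while the reachability pass catches chains such as a monitoring server that quietly bridges the hosting network into a tenant.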

Conclusion

We've seen a few encryption events in our own cloud services tenants. None of them have traversed the dedicated tenant environments they were a part of. None. Nada. Zippo.

Containment is key. It's not "if" but "when" an encryption event happens.

Thus, architecting a hosting solution with the various environment boundaries in mind is key to surviving an encryption event and looking like a hero when the tenant's data gets restored post clean-up.

Thanks for reading!

Philip Elder
Microsoft High Availability MVP
MPECS Inc.
Co-Author: SBS 2008 Blueprint Book
www.commodityclusters.com
Our Web Site
Our Cloud Service

Friday, 15 June 2012

Disclosure Post: Promise, LSI, Intel, and Others

Lately, we have been putting a lot of time into building up our lab infrastructure as part of our research and development for new business.

Because the R&D requires a heavy investment by us we reach out to the various manufacturers whose products we deal with to see if we can land any demo product to help defray some of those costs.

Those that have stepped up over the last couple of years include the following:

  • Promise Technologies
    • Loaned us a VTrak E610sD RAID Subsystem for our initial testing with the Intel Modular Server.
    • We purchased that VTrak via the Promise Partner program.
    • Extensive communications with key folks in the VTrak program.
  • LSI
    • Provided us with a pair of LSI SAS6160 Switches for our initial tests.
      • We did not get too far with them due to business being quite brisk.
    • Supplied a discount via Canadian distribution (Synnex Canada) for the purchase of a pair of our own LSI SAS6160 Switches.
      • The pair we purchased about two months ago are now being tested.
    • Provided us with a set of four 2M SFF8088/SFF8088 SAS Cables
    • Extensive communications with key folks in the storage program.
  • Intel
    • Intel Modular Server demo product.
      • Original sent 3 years ago to begin our pilot build of a Hyper-V Cluster.
      • Demo IMS sent again last year to test with LSI SAS Switches and our own IMS.
    • Intel supplied demo product.
      • Intel Server System SR1695GPRX2AC
      • Intel Xeon Processor X3470
        • Above received in FY2010-11.
      • Pair of Intel Xeon Processor E5-2650 CPUs
        • Just received today June 15th.
    • Extensive communications with key folks in the Intel Modular Server team.
    • Great support via our IPD contacts.

Microsoft has provided us with great support and great product team access over the years. Being a Microsoft MVP has really helped open the doors to key folks and their knowledge.

Though the advent of some absolutely awesome blogs on the products we are focused on has reduced the need to ask a lot of those N00b type questions. :)

Microsoft provides awesome resources within its Partner Program including the Partner Learning Center and now the Microsoft Virtual Academy.

The MVA is an awesome resource for getting a lot of the N00b type questions answered with a lot of hands-on and visual walk-through processes. It is also an excellent resource for answering more advanced questions.

There are certainly other little SWAG and SPIFF bits that we have received over the years. The list above covers some of the major items that have come across our threshold.

Thanks to Promise, LSI, and Intel for the great support and direction.

Thanks to Microsoft for the great resources provided to us both within the MVP realm as well as via the Partner Program and so many other avenues.

A special mention and thanks to Eric Ligman as he has been absolutely amazing when it comes to Microsoft Licensing questions.

The best is yet to come!

Thanks to all y’all for your support and for reading!

Have a wonderful weekend … especially you Dads out there!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.


Thursday, 31 May 2012

LSI SAS6160 Switch Compatibility List

We are in the process of setting up a number of Intel Server System SR1695GPRX2AC units along with our soon to be two Intel Server System R2208GZ4GC units to one Promise VTrak E610sD RAID subsystem.

Out of the box we are dealing with 3Gbit/Second SAS connections with the VTrak so we are not able to use the more advanced features the SAS Switch offers.

The LSI SAS6160 Switch compatibility list can be found here:

Specifically we are looking for a replacement for the Promise VTrak that will give us access to SAS 6Gbit/Second and the advanced features offered by the SAS Switch.


Now, note that the Promise VTrak E610sD requires firmware 3.36.00. Our current unit is at 3.34.00. So, we are on our way to updating the firmware in the Promise before we can draw any conclusions as far as setting things up.


As far as a replacement for the Promise the first in the above list is actually a NetApp appliance. We will be looking into their products. We have already been in conversations with IBM over their DS3524 dual controller SAS unit so we shall see where that goes.

For now, we are on the road to bringing a very flexible, high performance, and highly redundant hardware solution online to deliver Hyper-V Failover Clusters as well as a Private Cloud solution.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book


Monday, 30 April 2012

Confirmed: Intel Server System R1208GZ Integration For Our 2 Node Hyper-V Failover Cluster Is A Go Plus RemoteFX Compatibility!

We mentioned that we were looking at the new Intel Xeon E5-2600 series 1U and 2U server systems.

We now have it on good authority that an external LSI based SAS connector is available in the Intel RAID Controller RS25GB008:


Not only that, we have the nVidia Tesla C2070 series and the PNY nVidia Quadro 6000 series graphics processors showing as being compatible with this particular server system.

We would be utilizing a 2U configuration if we were going to run with RemoteFX capabilities for our client’s VDI needs though. These boards are quite large so won’t fit in a 1U chassis depending on which add-on components are installed on the server board.

Since these particular adapters show up on the R1208GZ series 1U we checked to see if the R2208GZ series 2U configuration has them:


They do indeed.

Now to see if we can gain access to either of the graphics products to run some tests on our own setups! They are quite expensive. :)

We are one step closer to Private Cloud and RemoteFX based VDI!

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book
