Some recommendations for cloud security in the MTDC market

Ford and Grogan, 451 Research. InsightaaS perspective: 451 Research is one of the world’s leading sources of insight into cutting edge technologies — especially in areas that are important to InsightaaS and our principals, including cloud, analytics, and sustainable IT.

451 Research is very active in researching the Canadian cloud and multi-tenant data centre (MTDC) markets. Within the past year, it has published dozens of short-form research pieces examining Canadian MTDC and cloud data centre launches, client agreements, and mergers and acquisitions. 451 Research also published a very thorough long-form research piece, "Canada MTDC Market Assessment: Supply and Providers" which InsightaaS has reviewed with several clients.

In the following analysis, 451 Research analysts Jim Grogan and Glenn Ford drill down into a specific aspect of MTDC tenancy - the need to provide security for cloud applications. The analysis advises customers to evaluate four aspects of security (physical, electronic, configuration control and data storage lifecycle) and offers suggestions on how to address these areas.

Note: if you are interested in obtaining a copy of this report or the Canadian MTDC report, please contact 451 directly, or contact InsightaaS at


Multi-tenant datacenter (MTDC) providers are actively participating in the cloud computing market. As recently analyzed in the 451 Research report, Multi-Tenant Datacenter Providers Evolve With Cloud Offerings, the maturation of production cloud services is leading to growing numbers of mission-critical applications being hosted within the cloud.

While the recent report covers several areas of market dynamics for MTDC providers and cloud, here we focus on the unique dimensions of cloud security in a multi-tenant hosting environment. Every mission-critical business application has information security needs, based on the critical application capability provided or as a result of regulatory requirements — or both. When considering cloud security issues in the MTDC environment, it is essential that both providers and customers understand where they have responsibility, especially when such responsibilities are shared.

Cloud security elements in the MTDC environment

Several key areas need to be part of the cloud security conversations between providers and customers. These include:

  • Physical security at the cloud datacenter: This is primarily the responsibility of the MTDC provider, but because the environment is shared, customers also need to frame and align their own security programs within the context of the provider's security configuration.
  • Electronic security: This responsibility will shift between provider and customer depending on the cloud service model, with the customer having greater responsibility under an infrastructure-as-a-service (IaaS) deployment, and the provider having greater responsibility under any cloud software-as-a-service (SaaS) model. In all cases, the shared responsibility dictates an ongoing operational conversation between providers and customers to deliver effective electronic information security.
  • Configuration control: A cornerstone of information security is effective and timely management of configuration control, including patches required to keep security software at current revision levels. In both the platform-as-a-service (PaaS) and SaaS cloud deployment models, the MTDC provider has the primary role in managing these patch applications and revision levels. In the PaaS model, it is critical for the customer to recognize that after the MTDC provider has made security fixes and upgrades available within development libraries, each customer may need to actively integrate those improvements within its own cloud applications.
  • Data storage life cycle: The owners of data are those that collect the information for business purposes, and these data owners have a responsibility to keep that data secure from collection through archiving and ultimately, through destruction when it is no longer needed. Regulatory compliance is a significant driver in such data security, and may dictate minimum standards of both how operational controls may need to be implemented as well as data retention policies and actions required should a data breach or storage violation occur. While the customer remains the data owner, there may be a requirement for formal agreements between the customer and the MTDC provider to define particular roles, such as a business associate agreement (BAA) under HIPAA regulations for healthcare applications.

MTDC cloud security recommendations

In the mutually shared security responsibilities for MTDC cloud services, several areas deserve highlighting when customers and providers are entering into service agreements.

  • Understand what level of control is necessary, either due to the sensitive nature of the business data involved, or as dictated by regulations. Choose a cloud deployment model (IaaS, PaaS or SaaS) within the range of public and private cloud services that ensures appropriate control for the data owner.
  • Configuration control and patch management can never be a 'once and done' proposition. Providers and customers need to be working together through the term of their business relationship to ensure that timely application of critical updates is achieved.
  • Data management addresses the life cycle management of data. Clear understanding between MTDC providers and customers is required for effective execution of data protection schemes. Often overlooked is the process necessary — often required under regulatory measures — for the destruction of data when it is no longer needed. In the world of MTDC storage — whether on cloud storage or other shared storage services — it may be required that storage locations are overwritten with a bit pattern to ensure the complete removal of data before that storage is released back for allocation to another customer or another application; the customer is responsible as the data owner, and in some cases forensic data services may be offered by the MTDC provider to assist in this process.
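The sanitize-before-reallocation step described in the last recommendation can be made concrete with a toy model. The following is an added example, not code from 451 Research or from any MTDC provider: a simulated shared block pool in which a block freed by one tenant is overwritten with a fixed bit pattern, the overwrite is verified, and only then is the block eligible to be handed to another tenant. The class and function names, the block size, the single-pass zero pattern and the tenant record are all constructed for illustration. A `naive` mode that skips the overwrite shows the residual-data exposure the recommendation is guarding against, and an audit log records each sanitize event as the kind of evidence a data owner would want from the provider.

```python
"""Added example (not part of the 451 Research piece): sanitize-on-release
in a toy multi-tenant block pool.  All names and values are constructed."""

BLOCK_SIZE = 4096           # assumed block size for the toy pool
WIPE_PATTERN = b"\x00"      # assumed single-pass pattern; real policies may differ


class BlockPool:
    """Shared block store.  A block returns to the free list only after an
    overwrite has been applied and verified, so the next tenant cannot read
    the previous tenant's data.  Fresh blocks start zeroed and sanitized."""

    def __init__(self, n_blocks: int):
        self._blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self._owner = [None] * n_blocks       # tenant id, or None when free
        self._sanitized = [True] * n_blocks   # True only after a verified wipe
        self.audit_log = []                   # (event, block_id, tenant) tuples

    def _check_owner(self, tenant: str, block_id: int) -> None:
        if self._owner[block_id] != tenant:
            raise PermissionError(f"block {block_id} is not owned by {tenant}")

    def allocate(self, tenant: str, require_sanitized: bool = True) -> int:
        """Hand out a free block.  The hardened path refuses any free block
        that has not passed wipe verification; the naive path takes any free block."""
        for block_id, owner in enumerate(self._owner):
            if owner is None and (self._sanitized[block_id] or not require_sanitized):
                self._owner[block_id] = tenant
                self.audit_log.append(("allocate", block_id, tenant))
                return block_id
        raise RuntimeError("no sanitized free blocks available")

    def write(self, tenant: str, block_id: int, data: bytes) -> None:
        self._check_owner(tenant, block_id)
        if len(data) > BLOCK_SIZE:
            raise ValueError("data exceeds block size")
        self._blocks[block_id][: len(data)] = data
        self._sanitized[block_id] = False     # block now carries tenant data

    def read(self, tenant: str, block_id: int) -> bytes:
        self._check_owner(tenant, block_id)
        return bytes(self._blocks[block_id])

    def verify_wiped(self, block_id: int) -> bool:
        """Read back the block and confirm every byte matches the pattern."""
        return bytes(self._blocks[block_id]) == WIPE_PATTERN * BLOCK_SIZE

    def release(self, tenant: str, block_id: int, sanitize: bool = True) -> None:
        """Return a block to the pool.  With sanitize=True the block is
        overwritten and verified before it becomes eligible for reuse."""
        self._check_owner(tenant, block_id)
        if sanitize:
            self._blocks[block_id][:] = WIPE_PATTERN * BLOCK_SIZE
            if not self.verify_wiped(block_id):
                raise RuntimeError(f"block {block_id} failed wipe verification")
            self._sanitized[block_id] = True
            self.audit_log.append(("sanitize", block_id, tenant))
        self._owner[block_id] = None
        self.audit_log.append(("release", block_id, tenant))


RECORD = b"patient-id=12345;note=constructed-sample-record"   # constructed data


def demo(naive: bool) -> bytes:
    """Tenant A writes a record and releases the block; tenant B is then
    allocated a block.  Returns what tenant B reads from it."""
    pool = BlockPool(n_blocks=2)
    block_a = pool.allocate("tenant-a")
    pool.write("tenant-a", block_a, RECORD)
    pool.release("tenant-a", block_a, sanitize=not naive)
    block_b = pool.allocate("tenant-b", require_sanitized=not naive)
    return pool.read("tenant-b", block_b)


def hardened_refuses_dirty_block() -> bool:
    """A block released without sanitizing must never be reallocated
    by the hardened allocator, even when it is the only free block."""
    pool = BlockPool(n_blocks=1)
    block_a = pool.allocate("tenant-a")
    pool.write("tenant-a", block_a, RECORD)
    pool.release("tenant-a", block_a, sanitize=False)
    try:
        pool.allocate("tenant-b")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    leaked = demo(naive=True)
    print("naive pool, tenant B reads:", leaked[: len(RECORD)])
    print("hardened pool, tenant B reads all zeros:",
          demo(naive=False) == WIPE_PATTERN * BLOCK_SIZE)
```

The toy models only the control-plane logic: an overwrite that is applied and read back before the block is marked reusable, with the event logged. On real media an application-level overwrite is not proof of erasure; SSDs remap writes across physical cells, and storage arrays keep snapshots and replicas, so provider sanitization procedures typically rely on cryptographic erase or device-level sanitize commands and on attestation that those ran. The customer, as data owner, should ask for that evidence rather than assume the overwrite alone is sufficient.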