Security Now
Security is top-of-mind everywhere, especially right here where Juniper experts share their thoughts on the latest security breakthroughs and product advancements

Blog series - Part 3: Multi-tenant Segmentation in the Cloud

by skathuria ‎10-01-2012 12:22 PM - edited ‎10-01-2012 03:02 PM



In Blog 1 of this 3-part series, I covered some key drivers for why service providers (SPs) offer Security Software as a Service (SaaS), including being able to extend security to tenants of the cloud and to monetize these services. In Blog 2, I described where and how SPs place security controls.


In the final blog, I’ll focus on the importance of isolating customer data in the public cloud, as well as potential solutions for doing so.


In a public cloud, multiple tenants share a common set of resources (e.g., data-driven applications and services) that they access over a network. From a security perspective, the first requirement is that the entry point into the cloud must be protected by a Policy Enforcement Point (PEP), such as a perimeter/edge firewall for infrastructure protection. This may be a dedicated, purpose-built hardware device. A second requirement is that policies for different tenants must not overlap: a change in the security policy of one tenant must not affect another tenant. It is critical that tenants’ policies are isolated from one another. To meet this second, multi-tenant segmentation requirement, SPs have a choice of methods:


1) Virtual LANs (VLANs) - Many cloud deployments use L2 networks because they offer VLANs for multi-tenant isolation. The shortcoming of L2 networks is that VLANs have an upper limit of ~4096 (according to IEEE Std 802.1Q-2011), which many large deployments exceed. Beyond the scaling limitation, VLANs can be unruly to manage in a hosted/cloud environment.


2) Dedicated hardware firewall platform that supports multiple “logical” systems (independent firewalls with completely separate security policies and logs) - As with VLANs, there is a scaling limitation with this approach.


3) Software-based security virtual machine (VM) running on an x86-based VM host - A key advantage of this method over the other two is that the SP can scale security VMs on demand. Furthermore, the SP can easily offer customizable firewall controls to customers as an additional managed service, providing new potential revenue sources built on existing infrastructure.


Software-based security VMs could offer SPs a scalable and flexible method for implementing multi-tenant segmentation, a key requirement for securing customers’ resources hosted in the public cloud.
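The segmentation requirement above (one tenant's policy change must never affect another tenant) is easy to state and easy to get wrong. The following is an added illustration, not code from this post or from any Juniper product: a small, constructed policy enforcement point in Python that keeps one rule set per tenant, keyed by the tenant's VLAN, enforces the 802.1Q usable VLAN ID range (1-4094; IDs 0 and 4095 are reserved), refuses overlapping tenant address spaces, and rejects a rule that targets another tenant's address space. Tenant names, VLAN IDs and addresses are made up for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# IEEE 802.1Q carries the VLAN ID in a 12-bit field (4096 values); 0 and 4095
# are reserved, which leaves 1-4094 usable. This is the "~4096" ceiling above.
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]     # None matches any destination port


@dataclass
class TenantPolicy:
    name: str
    vlan_id: int
    networks: List[IPv4Network]             # address space owned by this tenant
    rules: List[Rule] = field(default_factory=list)

    def owns(self, net: IPv4Network) -> bool:
        return any(net.subnet_of(owned) for owned in self.networks)


class PolicyEnforcementPoint:
    """One isolated rule set per tenant; traffic is matched by the tenant's VLAN."""

    def __init__(self) -> None:
        self._by_name: Dict[str, TenantPolicy] = {}
        self._by_vlan: Dict[int, TenantPolicy] = {}

    def add_tenant(self, name: str, vlan_id: int, networks: List[str]) -> None:
        if not VLAN_ID_MIN <= vlan_id <= VLAN_ID_MAX:
            raise ValueError(f"VLAN {vlan_id} is outside the 802.1Q usable range")
        if vlan_id in self._by_vlan:
            raise ValueError(f"VLAN {vlan_id} already belongs to {self._by_vlan[vlan_id].name}")
        nets = [ip_network(n) for n in networks]
        # Tenant address spaces must not overlap, or rules become ambiguous.
        for other in self._by_name.values():
            for mine in nets:
                for theirs in other.networks:
                    if mine.overlaps(theirs):
                        raise ValueError(f"{mine} overlaps {other.name}'s space {theirs}")
        policy = TenantPolicy(name, vlan_id, nets)
        self._by_name[name] = policy
        self._by_vlan[vlan_id] = policy

    def add_rule(self, tenant: str, action: str, src: str, dst: str,
                 dport: Optional[int] = None) -> None:
        policy = self._by_name[tenant]
        src_n, dst_n = ip_network(src), ip_network(dst)
        # A rule must be anchored to the tenant's own address space on at least
        # one side, so it cannot be written purely about someone else's traffic.
        if not (policy.owns(src_n) or policy.owns(dst_n)):
            raise ValueError(f"rule for {tenant} references no address it owns")
        # ...and must not single out another tenant's address space on either side.
        for other in self._by_name.values():
            if other is policy:
                continue
            for net in (src_n, dst_n):
                if any(net.subnet_of(o) for o in other.networks):
                    raise ValueError(f"rule for {tenant} targets {other.name}'s space {net}")
        policy.rules.append(Rule(action, src_n, dst_n, dport))

    def decide(self, vlan_id: int, src: str, dst: str, dport: int) -> str:
        """First-match evaluation of the owning tenant's rules only; default deny."""
        policy = self._by_vlan.get(vlan_id)
        if policy is None:
            return "deny"            # unknown VLAN: nothing is allowed
        s, d = ip_address(src), ip_address(dst)
        for r in policy.rules:
            if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
                return r.action
        return "deny"


def try_add_rule(pep: PolicyEnforcementPoint, *args, **kwargs) -> bool:
    """True if the rule was accepted, False if the PEP rejected it."""
    try:
        pep.add_rule(*args, **kwargs)
        return True
    except ValueError:
        return False


def build_demo_pep() -> PolicyEnforcementPoint:
    """Two constructed tenants on separate VLANs with non-overlapping address space."""
    pep = PolicyEnforcementPoint()
    pep.add_tenant("acme", vlan_id=100, networks=["10.1.0.0/16"])
    pep.add_tenant("globex", vlan_id=200, networks=["10.2.0.0/16"])
    pep.add_rule("acme", "allow", "10.1.0.0/16", "0.0.0.0/0", dport=443)   # acme: HTTPS out
    pep.add_rule("globex", "allow", "10.2.0.0/16", "10.2.50.0/24", dport=22)  # globex: SSH to mgmt
    return pep


if __name__ == "__main__":
    pep = build_demo_pep()
    print("acme https out:", pep.decide(100, "10.1.3.4", "93.184.216.34", 443))
    print("globex ssh to mgmt:", pep.decide(200, "10.2.1.1", "10.2.50.7", 22))
    pep.add_rule("acme", "deny", "10.1.0.0/16", "0.0.0.0/0")   # change acme only
    print("globex unchanged:", pep.decide(200, "10.2.1.1", "10.2.50.7", 22))
```

Because evaluation is keyed by VLAN, the last three lines show the property the text asks for: adding or changing a rule for `acme` leaves `globex`'s decisions untouched. The same per-tenant structure is what a logical system on a hardware firewall or a per-tenant security VM provides; the difference between the three methods in the text is how many such isolated policy sets the platform can hold and how cheaply a new one can be created.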


“Despite the economic malaise still hovering over some of the world’s largest economies, the security service market is strong and growing, driven by increasing global demand from organizations of all sizes due to the proliferation of threats of all types, the complexity of current security solutions, widespread use of a wide variety of devices/platforms/apps, and the desire of many product manufacturers and service providers to add revenue and improve margins,” according to market research firm Infonetics.


Why do Service Providers (SPs) offer Security Software-as-a-Service (SecSaaS)? There are several drivers, including those described in this blog.

  • An SP specializing in security can provide customers with effective security that keeps pace with the rapidly evolving threat landscape, since it can aggregate threat information from multiple customers hosted in the cloud to correlate, analyze, and develop suitable controls against the newest threats affecting organizations. The SP proactively monitors and manages customers’ applications and data and can report on any unusual behavior. Also, because it hosts security services in the cloud (as opposed to on-premise), the SP has the flexibility to easily scale these services up or down based on changing customer requirements.
  • The SP has complete control over the cloud environment, enabling cost savings and less complexity. The SP doesn’t have to tailor its own application to accommodate a specific customer’s requirements, and it can optimize the managed cloud for delivering SecSaaS to all of its customers.
  • The SP can have a foreseeable revenue stream. If SecSaaS is sold on a subscription basis, customers pay on a recurring schedule, so the SP can reasonably forecast revenues. The SP can also monitor subscriber usage of its public cloud more easily than would be possible if customers ran the same application on premise (at their own location), which supports foreseeable revenue growth.
  • The SP software development team can focus on enhancing core application functionality, fixing issues, and launching features via smaller iterative upgrades in the cloud, as opposed to deploying massive software patches to each customer site.
  • Once the SP has a revenue-generating business model in place, it can focus more on maintaining its customer base than on attracting new customers.

Service Providers clearly benefit from the Security SaaS model, but just as importantly, they also have a good pulse on where and how to place security controls for maximum benefit to their customers. The next blog in this series will focus on this topic.

