Trust, But Verify

Lately I’ve been in an increasing number of conversations about “multi-tenancy,” and its viability/fitness for use in business IT. Most start out framed as technology discussions. One recent exchange reminded me of a blog post and comment thread back in January on “secure multi-tenancy.” The comments, predictably, devolved into heated debate over who claimed which technologies could do what, who disputed whose claims, and so on.

For my own part, I don’t see technology alone as adequate. What intrigues me, though, is how many IT people believe technology can—indeed, must—somehow address all this.

Information Superiority

When I talk with non-IT experts in security and corporate governance, it’s usually quite the opposite. Most acknowledge technology has value, but they almost always emphasize the human element.

It’s not because they’re non-techies. It’s because they understand:

  • Human beings are an integral part of any organization’s operational structure.
  • The weakest parts of security and governance regimes are usually human.
  • Security and governance technologies tend to be based on an obsolete notion of algorithmic absolutes.

We technologists tend to believe we can derive a mathematically certain “single version of the truth,” describing the state of an entire IT system, no matter how large or complex. After all, successful complex systems are almost always derived from simpler successful systems. And we built all this stuff using machines where every bit of information is a one or a zero—true or false—and nothing in between.

Large, complex IT infrastructures inexorably frustrate attempts by any person or thing to definitively know the state of every other person or thing at one time—especially in a system that spans the globe. The speed of light alone renders the task impossible. Never mind the fact that humans are involved.

“Network-centric operations,” for example, has become a key factor in deciding modern military outcomes. Nonetheless, today’s battlefield commanders will tell you they’re unlikely to ever get a single, consistent snapshot of what’s going on on a battlefield, much less on a global scale.

But that’s not the goal. It’s information superiority. They want enough information—and sufficient confidence in that information—to be able to act decisively before their opponent can.

That may sound like an extreme example, but we use IT in the business world for the same reason: information superiority. We want enough information—with sufficient confidence—to make better, faster decisions than our competitors.

Chains Of Trust

I think we need to apply this same degree-of-confidence notion to how we handle multi-tenant security. A tenant should be able to establish verifiable chains of trust spanning whatever infrastructures and organizations—i.e., people—are involved in apps and information of concern.

Late last year I spoke with a fascinating mix of service providers and traditional IT shops about Private Clouds. One company there was way ahead of the pack. It was already using an external service provider to house and process their firm’s crucial data.

Get this. It was a legal services company. That’s just about the last kind of firm I’d expect to go all-in on external providers. We’re talking about information subject to all kinds of regulatory requirements, and obviously crucial to the company—and its clients.

How the heck did they pull that off? Did they acquire or invent some new technology to make this possible? No. They used regular, thorough auditing—by themselves or a trusted delegate, not the external service provider. In other words, they used a combination of technology, process, and people to build a verifiable chain of trust, similar to a chain of custody in law enforcement.

It was a win for the external provider, too. It won business by delegating appropriate control to its legal-services “tenant,” enabling it to build that chain of trust. At the same time, the service provider saved on regulatory effort—and costs.

Keys, Keys, Who’s Got The Keys?

I think we can all agree that self-service portals are a vital key to multi-tenancy scale and efficiency. I would also argue that a notion of recursive delegation of control is key to successfully scaling self-service portals. A tenant should have rights to manage resources and information they “own,” according to the tenant’s agreement with the IT “landlord.” That tenant, in turn, should be able to act as “landlord” for others, and so on. This can include departments within a corporation, or multiple service-provider VARs in an external-provider ecosystem.

Whether or not landlords are permitted to hold “master keys” to tenants’ dwellings should be a point of negotiation—and trust.
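
A sketch of the recursive delegation and negotiated "master key" described above, as an added example that is not from the original post. The Tenant class, the sublet and may_access names, the right names, and the rule that a master key must be agreed at every hop of the chain are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Tenant:
    name: str
    rights: frozenset                  # what this party may do with what it "owns"
    landlord: "Tenant | None" = None   # None marks the root landlord
    landlord_master_key: bool = False  # negotiated in the tenant/landlord agreement
    subtenants: list = field(default_factory=list)

    def sublet(self, name, rights, master_key=False):
        """Act as landlord: delegate a subset of our own rights to a new tenant."""
        rights = frozenset(rights)
        excess = rights - self.rights
        if excess:  # a tenant can never hand out more than it holds itself
            raise PermissionError(f"{self.name} cannot delegate {sorted(excess)}")
        child = Tenant(name, rights, self, master_key)
        self.subtenants.append(child)
        return child

    def chain(self):
        """Delegation chain from the root landlord down to this tenant (for audit)."""
        node, path = self, []
        while node is not None:
            path.append(node.name)
            node = node.landlord
        return path[::-1]

def may_access(actor, owner, right):
    """May `actor` exercise `right` on resources owned by `owner`?"""
    if actor is owner:
        return right in owner.rights
    node = owner
    while node.landlord is not None:
        if not node.landlord_master_key:  # this hop withheld the master key
            return False
        node = node.landlord
        if node is actor:
            return right in actor.rights
    return False  # actor is not a landlord anywhere above the owner

if __name__ == "__main__":
    # Constructed sample: provider -> legal firm -> one of the firm's departments.
    provider = Tenant("provider", frozenset({"provision", "read", "audit"}))
    firm = provider.sublet("legal-firm", {"read", "audit"}, master_key=False)
    dept = firm.sublet("litigation-dept", {"read"}, master_key=True)
    print(dept.chain(), may_access(firm, dept, "read"), may_access(provider, dept, "read"))
```
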

About the Author: David Freund