Datacenter service providers, offering what is referred to as Infrastructure as a Service (IaaS), provide compute, storage and network resources to their customers by slicing physical hardware into virtualized tenant resources. Each tenant can subscribe to the datacenter services to obtain a required amount of virtualized compute, storage and network resources and use those resources according to its own requirements. Each tenant in the same datacenter expects isolation from the other tenants even though, underneath, they all share the same physical infrastructure. Tenant isolation is provided to the tenants through different mechanisms in cloud operating systems.
Isolating compute can be done through the hypervisor that manages the central processing unit (CPU) and memory resources in a server. Storage isolation can be provided by organizing physical volumes into logical volumes and granting access to these volumes only to authorized tenants. Network resource isolation is a harder problem to solve, because these isolated tenant networks must reach external networks through the same physical NIC and the same datacenter switching infrastructure. It is easy to find security holes in a datacenter configuration by looking for errors in this isolation that lead to “information leaks” between the tenant networks.
Some datacenters have further offered Platform as a Service (PaaS) in addition to the more basic IaaS; in PaaS, a platform is provided that includes such elements as a development environment, middleware, databases and similar services. Some PaaS vendors and customers use a hybrid configuration in which some of the services and applications used by each customer run in the datacenter while other services and applications run on customer computing devices outside the datacenter. This hybrid approach seeks to avoid the shortcomings of traditional IaaS and PaaS solutions that cause numerous problems for PaaS customers, in particular large enterprises.
In many cases developers use PaaS to speed up the deployment of applications and services, but the implementation of these applications and services often grinds to a halt because it is unclear what impact the new applications and services will have on the security of the PaaS customer's existing information technology infrastructure. In addition, managing multiple platforms to deploy new systems, apps or features becomes cumbersome.