The recent SolarWinds cyberattack showed that governments urgently need to rethink how and where they store citizen data. For months, foreign hackers roamed the networks of at least eight federal agencies. Their targets included the Treasury, Homeland Security, Energy and State departments, along with the National Nuclear Security Administration.
As more facts emerge about how deeply those attacks penetrated sensitive realms of the U.S. government, so do key insights. One important takeaway for me, drawn from my years working in government IT, is that the foundation of public-sector IT platforms must become more secure, especially as they shift from on-prem infrastructures to storing sensitive data on public cloud platforms.
Too many agencies essentially hand off responsibility for protecting sensitive data to their cloud vendors—a mistake that could eventually cost them dearly. The smarter approach is to understand thoroughly the risks and rewards of different IT architectures, and choose accordingly.
Multi-tenant vs. multi-instance IT architectures
Many of the most popular SaaS and cloud-storage vendors rely on “multi-tenant” IT architectures, where key computing resources are shared across hundreds or even thousands of unrelated organizations.
By contrast, too few agencies have recognized the advantages of a “multi-instance” IT framework. In a multi-instance structure, such as the one ServiceNow founder Fred Luddy designed as a core element of the ServiceNow platform, each customer organization runs on its own dedicated instance of the application and its database rather than on resources pooled with other customers. This gives IT leaders greater visibility into how their data is managed while reducing operational risk and downtime.
Multi-instance architecture is not necessarily more secure; no organization or system is immune from vulnerabilities. But it can provide much more control over an organization’s most vital asset—its data—at a critical time when public agencies have become major targets of cybercriminals.
Shared tables, shared risks
Multi-tenant architectures have been around for nearly as long as computers. The original cloud providers were vendors like Oracle, SAP, and IBM that sold huge databases to government agencies for on-prem computing environments. Thanks to virtualization, they discovered they could sell the same real estate to multiple customers by moving enterprise applications into the cloud.
Here’s the problem: when a cloud provider deploys a multi-tenant architecture, every agency that relies on that provider shares the same database tables, for example the tables that hold the Social Security numbers of employees or taxpayers.
The architecture separates that data logically, typically by tagging each row with a tenant identifier so that one agency can’t query SSNs stored by another, but every tenant still runs on the same application code against the same database. A defect in that shared layer is therefore a defect for everyone: a crash or a security weakness in the shared application affects every agency that depends on it at once, not just one. That often leads to unscheduled downtime and uncertainty about when systems can be brought back online.
To manage these risks, cloud providers rely heavily on service level agreements (SLAs), which define what remedies (and often penalties) they are responsible for in events such as breaches or outages. But in many cases, it can take a long time to move every customer to a backup system and bring them back online.
With multi-instance infrastructure, every agency maintains its own virtualized copy of the core databases and shares no data tables with other organizations. If the software fails, only that agency’s instance is affected. And when the instance needs maintenance, IT managers can schedule it when it is convenient for them, not for their cloud partner.
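To make the difference between the two models concrete, here is an added illustration (my own example, not ServiceNow code or any vendor’s implementation) of the shared-table versus separate-database distinction described in the preceding paragraphs. It uses in-memory SQLite with constructed, fictitious sample records. In the multi-tenant model, every row of a shared `employees` table carries a `tenant_id`, and isolation depends on every query in the shared code applying that predicate; the `scoped=False` path models a bug in that shared code. In the multi-instance model each tenant has its own database, so the same query bug cannot return another tenant’s rows. The names `build_multi_tenant`, `build_multi_instance`, `mt_list_ssns`, `mi_list_ssns` and `leaked` are hypothetical helpers invented for this example.

```python
import sqlite3

# Constructed sample data for illustration only; these are not real people or SSNs.
TENANT_ROWS = {
    "agency_a": [("Alice", "111-11-1111"), ("Bob", "222-22-2222")],
    "agency_b": [("Carol", "333-33-3333")],
}


def build_multi_tenant():
    """Multi-tenant: one shared table, rows separated only by a tenant_id column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (tenant_id TEXT, name TEXT, ssn TEXT)")
    for tenant, rows in TENANT_ROWS.items():
        db.executemany(
            "INSERT INTO employees VALUES (?, ?, ?)",
            [(tenant, name, ssn) for name, ssn in rows],
        )
    db.commit()
    return db


def build_multi_instance():
    """Multi-instance: one database per tenant, with no tenant column to forget."""
    dbs = {}
    for tenant, rows in TENANT_ROWS.items():
        db = sqlite3.connect(":memory:")
        db.execute("CREATE TABLE employees (name TEXT, ssn TEXT)")
        db.executemany("INSERT INTO employees VALUES (?, ?)", rows)
        db.commit()
        dbs[tenant] = db
    return dbs


def mt_list_ssns(db, tenant, scoped=True):
    """Query run by the shared multi-tenant application code.

    scoped=True is the correct behaviour: the tenant predicate limits results to
    the caller's rows. scoped=False models a hypothetical bug in that shared code
    (the WHERE clause is missing), which is a bug for every tenant at once.
    """
    sql = "SELECT tenant_id, name, ssn FROM employees"
    if scoped:
        return db.execute(sql + " WHERE tenant_id = ?", (tenant,)).fetchall()
    return db.execute(sql).fetchall()


def mi_list_ssns(dbs, tenant):
    """Same query against a multi-instance deployment.

    There is no tenant predicate to get wrong: the connection itself is the
    boundary, so the result can only contain this tenant's rows.
    """
    rows = dbs[tenant].execute("SELECT name, ssn FROM employees").fetchall()
    return [(tenant, name, ssn) for name, ssn in rows]


def leaked(rows, tenant):
    """Return the rows in a result set that belong to some other tenant."""
    return [row for row in rows if row[0] != tenant]


if __name__ == "__main__":
    shared = build_multi_tenant()
    print("multi-tenant, correct code  :", leaked(mt_list_ssns(shared, "agency_a"), "agency_a"))
    print("multi-tenant, missing WHERE :", leaked(mt_list_ssns(shared, "agency_a", scoped=False), "agency_a"))
    separate = build_multi_instance()
    print("multi-instance              :", leaked(mi_list_ssns(separate, "agency_a"), "agency_a"))
```

Running the script shows an empty leak list for the correctly scoped multi-tenant query and for the multi-instance query, and agency_b’s record leaking through the multi-tenant query once the predicate is missing. The practical check this suggests for any multi-tenant design is that the tenant predicate should be enforced centrally (for example by database-level row filtering or a per-tenant database role) rather than re-implemented in every query of the shared codebase; in a multi-instance design that class of mistake has no cross-tenant effect by construction.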
At ServiceNow, as an additional backstop, we continually replicate customer databases at a secondary data center based in a separate location. If a data table encounters a problem at the data center, the affected workload automatically fails over to the secondary site, then switches back when the problem is resolved. This eliminates the need for downtime to be built into the SLA.
Because it consumes more computing resources, multi-instance architecture is typically more expensive than multi-tenant, although not all multi-tenant cloud providers are known for passing those savings on to their customers.
Any organization, public or private, that stores sensitive data in the cloud needs to understand its cloud providers’ system architecture and assess whether lower costs justify any additional risks. In most cases with public agencies, they don’t, which is why multi-instance frameworks deserve a closer look.