Multi-tenant Environment Research Articles

Fortifying the Cloud: Navigating Data Security Challenges and Pioneering Future-Ready Solutions

Cloud computing has transformed data storage, management, and processing, offering scalability, flexibility, and cost-efficiency. However, it presents significant security challenges. This paper examines critical data security elements in cloud computing, with a focus on maintaining confidentiality, integrity, and availability. Current security mechanisms, including encryption, identity management, firewalls, and intrusion detection, are reviewed alongside their limitations in multi-tenant environments, insecure APIs, and insider threats. Network challenges are addressed, particularly the integration of IoT, edge, and fog computing for improved security and efficiency. Emerging trends such as zero trust architecture, AI-driven security, quantum-safe encryption, and blockchain solutions are highlighted as pivotal developments. The paper underscores the need for proactive, adaptive security strategies to protect sensitive data amid evolving threats and regulatory complexities in cloud security.

HE-AO: An Optimization-Based Encryption Approach for Data Delivery Model in A Multi-Tenant Environment

HE-AO: An Optimization-Based Encryption Approach for Data Delivery Model in A Multi-Tenant Environment

Access control for trusted data sharing

In the envisioned 6G landscape, data sharing is expected to become increasingly prevalent, giving rise to digital marketplaces that foster cooperation among organizations for collecting, sharing, and processing data for analysis. These marketplaces serve as connectors between data producers and consumers, empowering multi-tenancy scenarios for seamless and secure data sharing both within and outside organizations. Given that 6G networks promise ultra-low latency, enhanced connectivity, and massive data throughput, the need for robust data access control mechanisms becomes imperative. These mechanisms ensure security and trust among entities, particularly in multi-tenant environments where multiple organizations share infrastructure and data resources. In this paper, we have designed and implemented a novel access control mechanism tailored for a distributed data streaming system developed by Nokia Bell Labs. Our approach leverages fine-grained policies, dynamic enforcement, and transparency mechanisms to enhance trust between data owners and consumers. By facilitating secure multi-tenancy data sharing, our solution contributes to the seamless exchange of data across diverse entities within the next-generation communication ecosystem. We demonstrate that our proposed access control mechanism incurs minimal overhead while ensuring data confidentiality and integrity. The introduction of such advancements in data sharing markets strengthens the overall ecosystem by providing heightened transparency and enhanced control over data, promoting collaboration and innovation in the 6G era.

Fast and isolation guaranteed coflow scheduling via traffic forecasting in multi-tenant environment

Fast and isolation guaranteed coflow scheduling via traffic forecasting in multi-tenant environment

PrismParser: A Framework for Implementing Efficient P4-Programmable Packet Parsers on FPGA

The increasing complexity of modern networks and their evolving needs demand flexible, high-performance packet processing solutions. The P4 language excels in specifying packet processing in software-defined networks (SDNs). Field-programmable gate arrays (FPGAs) are ideal for P4-based packet parsers due to their reconfigurability and ability to handle data transmitted at high speed. This paper introduces three FPGA-based P4-programmable packet parsing architectural designs that translate P4 specifications into adaptable hardware implementations called base, overlay, and pipeline, each optimized for different packet parsing performance. As modern network infrastructures evolve, the need for multi-tenant environments becomes increasingly critical. Multi-tenancy allows multiple independent users or organizations to share the same physical network resources while maintaining isolation and customized configurations. The rise of 5G and cloud computing has accelerated the demand for network slicing and virtualization technologies, enabling efficient resource allocation and management for multiple tenants. By leveraging P4-programmable packet parsers on FPGAs, our framework addresses these challenges by providing flexible and scalable solutions for multi-tenant network environments. The base parser offers a simple design for essential packet parsing, using minimal resources for high-speed processing. The overlay parser extends the base design for parallel processing, supporting various bus sizes and throughputs. The pipeline parser boosts throughput by segmenting parsing into multiple stages. The efficiency of the proposed approaches is evaluated through detailed resource consumption metrics measured on an Alveo U280 board, demonstrating throughputs of 15.2 Gb/s for the base design, 15.2 Gb/s to 64.42 Gb/s for the overlay design, and up to 282 Gb/s for the pipelined design. These results demonstrate a range of high performances across varying throughput requirements. The proposed approach utilizes a system that ensures low latency and high throughput that yields streaming packet parsers directly from P4 programs, supporting parsing graphs with up to seven transitioning nodes and four connections between nodes. The functionality of the parsers was tested on enterprise networks, a firewall, and a 5G Access Gateway Function graph.

EnergAt: Fine-Grained Energy Attribution for Multi-Tenancy

In the post-Moore's Law era, relying solely on hardware advancements for automatic performance gains is no longer feasible without increased energy consumption, due to the end of Dennard scaling. Consequently, computing accounts for an increasing amount of global energy usage, contradicting the objective of sustainable computing. The lack of hardware support and the absence of a standardized, software-centric method for the precise tracing of energy provenance exacerbates the issue. Aiming to overcome this challenge, we argue that fine-grained software energy attribution is attainable, even with limited hardware support. To support our position, we present a thread-level, NUMA-aware energy attribution method for CPU and DRAM in multi-tenant environments. The evaluation of our prototype implementation, EnergAt, demonstrates the validity, effectiveness, and robustness of our theoretical model, even in the presence of the noisy-neighbor effect. We envisage a sustainable cloud environment and emphasize the importance of collective efforts to improve software energy efficiency.

Evaluating intrusion detection for microservice applications: Benchmark, dataset, and case studies

Microservices are predominant for cloud-based applications, which serve millions of customers daily, that commonly run business-critical systems on software containers and multi-tenant environments; so, it is of utmost importance to secure these systems. Intrusion detection is a widely applied technique that is now being used in microservices to build behavior detection models and report possible attacks during runtime. However, it is cumbersome to evaluate and compare the effectiveness of different approaches. Standardized frameworks are non-existent and without fairly comparing new techniques to the state-of-the-art, it is difficult to understand their pros and cons. This paper presents a comprehensive approach to evaluate and compare different intrusion detection approaches for microservice applications. A benchmarking methodology is proposed to allow users to standardize the process for a representative and reproducible evaluation. We also present a dataset that applies representative workloads and technologies based on microservice applications state-of-the-art. The benchmark and dataset are used in three case studies, characterized by dynamicity, scalability, and continuous delivery, to evaluate and compare state-of-the-art algorithms with the objective of tackling intrusion detection in microservices. Experiments show the usefulness and wide application range of the benchmark while showing the capacity of intrusion detection algorithms in different applications and deployments.

OctoFAS: A Two-Level Fair Scheduler That Increases Fairness in Network-Based Key-Value Storage

We identified a fairness problem in a network-based key-value storage system using Intel Storage Performance Development Kit (SPDK) in a multitenant environment. In such an environment, each tenant’s I/O service rate is not fairly guaranteed compared to that of other tenants. To address the fairness problem, we propose OctoFAS, a two-level fair scheduler designed to improve overall throughput and fairness among tenants. The two-level scheduler of OctoFAS consists of (i) inter-core scheduling and (ii) intra-core scheduling. Through inter-core scheduling, OctoFAS addresses the load imbalance problem that is inherent in SPDK on the storage server by dynamically migrating I/O requests from overloaded cores to underloaded cores, thereby increasing overall throughput. Intra-core scheduling prioritizes handling requests from starving tenants over well-fed tenants within core-specific event queues to ensure fair I/O services among multiple tenants. OctoFAS is deployed on a Linux cluster with SPDK. Through extensive evaluations, we found that OctoFAS ensures that the total system throughput remains high and balanced, while enhancing fairness by approximately 10% compared to the baseline, when both scheduling levels operate in a hybrid fashion.

A Testbed Platform to Support an IoT City Lab

This paper describes the development activity that has been carried out for a living laboratory for the city of Cagliari aimed at functioning as a learning center for local SMEs willing to improve their skills in IoT and create applications that will be integrated in an open innovation ecosystem. The many users belonging to the various SMEs involved in the project required an ICT laboratory with a platform that could manage them and provide a multi-tenant environment for the development of IoT applications. The architecture also had to be scalable and interoperable, and the resulting platform had to collect many kinds of data from sensors or other data sources, elaborate them, and show georeferenced information on a 3D satellite interactive view along with statistics on side panels. This work was based on a platform already developed by CRS4 for a previous project. Preserving the concept of the decision-making tool for Smart Cities, almost every component was redesigned, and, in this paper, we describe the new solutions that have been implemented. Starting from the former structure, further features were added in a novel way in order to offer an enhanced framework that can deal with the activities of the laboratory, exploiting the scalability of the open-source systems involved, their robustness and flexibility, and leveraging domain standards. In this article, the main challenges involved in the development of the platform are described, as well as the solutions that have been implemented so far.

Secure and Scalable Architectures for Cloud Computing

Cloud computing has emerged as a cornerstone of modern computing infrastructure, offering unparalleled scalability and flexibility for diverse applications. However, the widespread adoption of cloud services has also raised significant concerns regarding security and scalability. As organizations increasingly rely on cloud environments to store and process sensitive data, ensuring robust security measures while maintaining scalability becomes paramount. This paper presents a comprehensive examination of secure and scalable architectures for cloud computing, addressing the challenges and proposing innovative solutions to enhance the resilience and efficiency of cloud infrastructures. The first section of the paper delves into the fundamental principles of cloud computing, outlining its key characteristics and architectural components. By understanding the underlying architecture of cloud systems, stakeholders can better appreciate the intricate interplay between security and scalability. Subsequently, the paper elucidates the multifaceted security threats facing cloud environments, ranging from data breaches and malicious attacks to insider threats and compliance issues. These challenges underscore the critical importance of implementing robust security mechanisms to safeguard sensitive data and infrastructure resources. In response to these challenges, the paper presents a systematic analysis of existing security mechanisms and architectural paradigms designed to fortify cloud environments. This includes encryption techniques, access control mechanisms, authentication protocols, and intrusion detection systems, among others. Furthermore, the paper explores the concept of defense-in-depth strategies, emphasizing the importance of layering security measures to mitigate the impact of potential breaches and vulnerabilities. In tandem with security considerations, the paper examines strategies for achieving scalability in cloud architectures. Scalability is a defining characteristic of cloud computing, enabling on-demand resource allocation and elastic scaling to accommodate fluctuating workloads. However, achieving scalability while ensuring security presents unique challenges, particularly in multi-tenant environments where resources are shared among disparate users. To address these challenges, the paper explores architectural frameworks such as microservices, containerization, and serverless computing, which offer inherent scalability benefits while facilitating robust isolation and security. Moreover, the paper investigates the role of automation and orchestration in optimizing cloud scalability and security. Through the use of DevOps practices and infrastructure- as-code tools, organizations can streamline deployment processes, enforce security policies, and dynamically scale resources in response to evolving demands. Additionally, the paper examines emerging technologies such as edge computing and federated architectures, which extend the scalability and security benefits of cloud computing to edge devices and distributed environments. In conclusion, this paper underscores the intrinsic link between security and scalability in cloud computing architectures. By adopting a holistic approach that integrates robust security measures with scalable design principles, organizations can mitigate risks, enhance operational efficiency, and unlock the full potential of cloud computing. As the landscape of cloud technologies continues to evolve, ongoing research and innovation in secure and scalable architectures will remain essential to address emerging threats and optimize performance in cloud environments.

Performance Analysis of Container Effect in Deep Learning Workloads and Implications

Container-based deep learning has emerged as a cutting-edge trend in modern AI applications. Containers have several merits compared to traditional virtual machine platforms in terms of resource utilization and mobility. Nevertheless, containers still pose challenges in executing deep learning workloads efficiently with respect to resource usage and performance. In particular, multi-tenant environments are vulnerable to the performance of container-based deep learning due to conflicts of resource usage. To quantify the container effect in deep learning, this article captures various event traces related to deep learning performance using containers and compares them with those captured on a host machine without containers. By analyzing the system calls invoked and various performance metrics, we quantify the effect of containers in terms of resource consumption and interference. We also explore the effects of executing multiple containers to highlight the issues that arise in multi-tenant environments. Our observations show that containerization can be a viable solution for deep learning workloads, but it is important to manage resources carefully to avoid excessive contention and interference, especially for storage write-back operations. We also suggest a preliminary solution to avoid the performance bottlenecks of page-faults and storage write-backs by introducing an intermediate non-volatile flushing layer, which improves I/O latency by 82% on average.

Modular models for systems based on multi-tenant services: A multi-level petri-net-based approach

Recently, the emergence of multi-tenant services-based systems (SBS) in cloud has gained significant attention. These systems, commonly adopted by Cloud software vendors, offer the advantage of building software as a service (SaaS) in a multi-tenant environment with distinct variability plans. However, the task of managing the SBS is challenging due to the interdependence among its diverse components. The difficulty primarily stems from the specific performance requirements of different variability plans and the interdependence between these plans. The main concerns involve effectively representing the components and levels of this system, and establishing synchronization rules to ensure its seamless operation. Refining these rules is crucial for improving coordination among the various components and levels of the SBS. However, it becomes particularly challenging when there are correlation issue among services that fall under different plan characteristics. In this context, it is vital to guarantee performance differentiation for each tenant by adhering to predefined quality of service (QoS) specified in Service Level Agreements (SLAs).To address these challenges, we propose a modular modeling approach based on multi-level Petri-Nets (n-NLS). By adopting these approach, the ambiguity of SBS system can be significantly reduced. An example of a SBS application illustrates our modular modeling approach using n-NLS.

The Benefits and Challenges of Customization within SaaS Cloud Solutions

The Benefits and Challenges of Customization within SaaS Cloud Solutions

A Multi-tenant Key-value SSD with Secondary Index for Search Query Processing and Analysis

Key-value SSDs (KVSSDs) introduced so far are limited in their use as an alternative to the key-value store running on the host due to the following technical limitations. First, they were designed only for a single tenant, limiting the use of multiple tenants. Second, they mainly focused on designing indexes for primary key-based searches, without supporting various queries using a combination of primary key and non-primary attribute-based searches. This article proposes Cerberus , a Log Structured Merged (LSM) tree-based KVSSD armed with (1) namespace and performance isolation for multiple tenants in a multi-tenant environment and (2) capability for processing non-primary attribute-based search queries. Specifically, Cerberus identifies the tenant’s namespace and splits a single large LSM-tree into namespace-specific LSM-tree indexes for tenants. Cerberus also manages secondary LSM-tree indexes to enable non-primary attribute-based data access and fast search query processing. With the SSD-internal CPU/DRAM resources, Cerberus supports non-primary attribute-based search queries and handles complex queries that are combined with search and computing operations. We prototyped Cerberus on the Cosmos+ OpenSSD platform. When there are multiple tenants, Cerberus exhibits up to 2.9× higher read throughput and negligible write overhead compared to existing KVSSD. Cerberus also shows lower latency by up to 9.31× for non-primary attribute-based queries.

FlashAlloc: Dedicating Flash Blocks by Objects

For a write request, today's flash storage cannot distinguish the logical object it comes from ( e.g. , SSTables in RocksDB). In such object-oblivious flash devices, concurrent writes from different objects are simply packed in their arrival order to flash memory blocks; hence data pages from multiple objects with different lifetimes are multiplexed onto the same flash blocks. This multiplexing incurs write amplification, worsening the performance. Tackling the multiplexing problem, we propose a novel interface for flash storage, FlashAlloc. It is used to pass the logical address ranges of objects to the underlying flash device and thus to enlighten the device to stream writes by objects. The object-aware flash storage can now de-multiplex concurrent writes from multiple objects with distinct deathtimes into per-object dedicated flash blocks. In essence, the interface enables the per-object fine-grained write streaming. Given that popular data stores tend to separate writes by logical objects, we can achieve, compared to the existing solutions, transparent streaming just by calling FlashAlloc upon object creation. Also, FlashAlloc is adaptive to workload changes, and liberates the stream conflicts in the multi-tenant environment. Our experimental results using an open-source SSD prototype demonstrate that FlashAlloc can reduce the device-level write amplification factor (WAF) under RocksDB, F2FS, and MySQL by 1.5, 2.5, and 0.3, respectively and improve their throughput by 2.7x, 1.8x, and 1.2x, respectively. Also, FlashAlloc can mitigate the WAF interference among tenants: when running RocksDB and MySQL together on the same SSD, FlashAlloc reduced WAF from 2.5 to 1.6 and doubled their throughputs.

An adaptive auto-scaling framework for cloud resource provisioning

Cloud computing emerged as a technology that offers scalable access to computing resources in conjunction with low maintenance costs. In this domain, cloud users utilize virtualized resources to benefit from on-demand and long-term pricing strategies. Although the latter consists of a more cost-efficient solution, it requires accurate estimations of future workload demands, which is a challenging task. Furthermore, clouds offer threshold-based auto-scaling rules that need to be manually controlled by the users according to application requirements. Still, tuning scaling parameters is not trivial, since it is mainly based on static scaling rules that may lead to unreasonable costs and quality of service violations. In this work we introduce ADA-RP, an adaptive auto-scaling framework for reliable resource provisioning in the cloud. ADA-RP uses historical time series data for training K-means and convolutional neural networks (CNN) to categorize future workload demands as High, Medium or Low based on CPU utilization. We auto-scale cloud resources in real-time based on the predicted workload demand to reduce costs and improve application performance. The experimental analysis is based on TPC-C runs on MySQL containers deployed on the Google Cloud Platform. Experimental results are prosperous, demonstrating the ability of ADA-RP (i) to reduce MySQL deployment costs by 48% in a single-tenant environment, and (ii) to double the executed queries per second in a multi-tenant environment considering user’s budget requirements.

ZNSwap: un-Block your Swap

We introduce ZNSwap , a novel swap subsystem optimized for the recent Zoned Namespace (ZNS) SSDs. ZNSwap leverages ZNS’s explicit control over data management on the drive and introduces a space-efficient host-side Garbage Collector (GC) for swap storage co-designed with the OS swap logic. ZNSwap enables cross-layer optimizations, such as direct access to the in-kernel swap usage statistics by the GC to enable fine-grain swap storage management, and correct accounting of the GC bandwidth usage in the OS resource isolation mechanisms to improve performance isolation in multi-tenant environments. We evaluate ZNSwap using standard Linux swap benchmarks and two production key-value stores. ZNSwap shows significant performance benefits over the Linux swap on traditional SSDs, such as stable throughput for different memory access patterns, and 10× lower 99th percentile latency and 5× higher throughput for memcached key-value store under realistic usage scenarios.

Blockchain and Game Theory Convergence for Network Slice Brokering

As a distributed ledger technology, blockchain has received significant attention in revolutionizing telecommunication and networking domains. This article proposes a blockchain-based network slice brokering mechanism for multioperator and multitenant environments of the envisioned 6G networks.

DRL-Based Slice Admission Using Overbooking in 5G Networks

In 5G-and-beyond networks, the concept of Network Slicing is used to support multiple independent and co-existing logical networks on a physical network infrastructure. The infrastructure provider (InP) owns the set of virtual and physical resources that are used to support the tenant slice requests. Each slice request specifies a service level agreement (SLA) that contains the required slice-level resources (computation and communication) and the revenue provided by the tenant. Due to limited resources, the InP cannot accommodate all requests made by the tenants. In general, it has been found that tenants tend to overestimate their resource demands (e.g., for 5G Core computation) to reduce possible SLA violations. In this paper, we consider two major slice types: Elastic (low priority and low revenue) and Inelastic (high priority and high revenue). We apply the concept of overbooking, where the InP accepts more slices while considering slice priorities in order to maximize the overall revenue and utilization. We consider a multi-tenant environment and propose a slice admission system named PRLOV, which is based on Reinforcement Learning (RL) and prediction methods. The system predicts the future resource demands of Elastic slices and applies an opportunistic overbooking technique to overbook InP for accepting more slices. In addition, the admission decision is formulated as an Markov Decision Process (MDP) problem and solved using standard RL techniques (Policy Iteration, Q-Learning, DQN). The performance of our proposed work is compared against three other heuristics (Basic, Prediction, PRL) that do not use overbooking. Data traces from the Materna data center networks were used for prediction purposes. The important performance metrics measures include InP total revenue, the acceptance rate of respective slices and overall resource utilization for different slices. The results show that the proposed work significantly outperforms the other mechanisms in terms of revenue gain and resource utilization. Simulation results show that PRLOV provides a revenue gain of 6%, 26%, and 102% compared to the PRL, Prediction and Basic scheme.

Analysis and detection of insider attacks using behaviour rule based architecture in enterprise multitenancy

The enterprise level data security and privacy are one of the focal key challenges to the pr enterprise and security companies to prevent private data from outside and inside attacks. The insider threats and attacks can pretense a real defense risk to the various internal multi-tenants of various enterprises and companies. The data thievery by insiders of the companies is as a great deal the consequence of enterprises failing to execute the scheme and expertise to member of staff supervise activities and administrate the authenticated data-access to data as it the authentic spiteful activities of member of staff looking for economic benefits in multi-tenancy environment. This research composed with three major objectives: Description of insider attack causes with their impact factors; Implications of behavior rule-based architecture in enterprise multitenancy; Integration of behavior rules with prevention thresholds to control user accessibility for prevention of insider attacks and threats; This paper has described the efficient security scenario to avoid insider attaching complexities. This research is more helping the cyber security experts and network administrators to reduce the insider attacks by building the efficient monitoring intelligent system. The experimental scenarios built with125 authenticated, 29 non-authenticated internal users, and 62 authenticated, 18 non-authenticated external users of single enterprise level and avoided insider attacks and threats.