A Telco operator is considering offering IaaS services from the same infrastructure used for their own workloads. I don’t think this is a good idea, especially from a security point of view, but I need to come up with solid reasons why and I am struggling. Can anyone with IaaS provider experience let me know what all the security considerations are for providing an IaaS service, including the networking layer?
Hello Fortune
First of all, I agree with you. The ideal is to separate the ISP workloads from the customer-facing workloads. This is true not only of IaaS but also of any infrastructure/services a service provider offers to customers. There are many reasons for this, one of which is definitely security as you mention. However, here are a few more arguments in favor of separating the ISP workloads from the customer-facing services that may help you:
- Security: Separating infrastructures helps to mitigate risks associated with cross-contamination or security breaches. If the infrastructure hosting customer workloads is compromised, having separate systems can help protect the service provider’s internal data and vice versa. It also simplifies the security management as each environment can have its security controls tailored to specific needs and threats.
- Performance Management: Different workloads have different performance requirements. By segregating infrastructures, the service provider can optimize each environment according to the specific needs of the workload. This avoids scenarios where customer workloads might compete for resources with the service provider’s own applications, leading to potential performance degradation.
- Compliance and Privacy: Many industries are governed by strict regulatory requirements that dictate how data is handled, processed, and stored. Separating infrastructures makes it easier to ensure that compliance is maintained for customer data without imposing unnecessary restrictions on the service provider’s internal operations. For instance, customer data may need to be stored in a specific geographical location or require enhanced security measures that aren’t necessary for the provider’s own data.
- Maintenance and Updates: By having separate infrastructures, the service provider can schedule maintenance and updates with minimal disruption to either customer workloads or their own internal operations. This can also prevent issues in one environment from affecting the other.
- Customization and Scalability: Separating infrastructures allows for greater flexibility in customizing environments to suit specific workload demands and scaling them independently. This is crucial in cloud environments where customer demands can fluctuate significantly.
But as always, there is a tradeoff. Separation of infrastructures adds to the complexity and the costs, so there is always a process of weighing the importance of separation compared to the complexity and costs. However, for most service providers, especially those handling sensitive or mission-critical workloads, this practice of separation is advisable.
I hope this has been helpful!
Laz
Thanks Laz, much appreciated.