Google “network access control” (NAC) and you’ll see about a half-million references. Add “multi-tenant” and 95% of them disappear. Repeat with terms like “network management” and ITOM and the pattern repeats — add multitenancy to the search, and just 2% of the references remain. You might think multi-tenant NAC and ITOM don’t yet perform in the real world. But they do, and in large, high-stakes applications. One example: for years, more than half of all savings banks in Germany have met rigorous banking security requirements by subscribing to a single provider of cloud-based, multi-tenant NAC-as-a-Service (NACaaS).
- Why the Scarcity of Multi-Tenant Platforms?
- Who Should Consider Multi-Tenant Network Management?
- Multi-Tenant by Design
- Health Care
- Financial Services
- Expanding the Scope of Control for Network Operators and Technicians
- Scalability and Functionality
- Few Vendors, Few Customers, But a Compelling Business Case
Largely ignored by the major hardware makers who focus on network management and network access control — of their own brand of equipment — multitenancy has not had marketing push behind it, and few IT leaders appear to focus on its advantages. This is unfortunate because in its place — for many IT departments — is a troublesome, costly-to-maintain basket of unrelated tools. Multitenancy is a tremendously underused productivity booster, as well as a “secret weapon” for security. It provides centralized visibility and control, and combines connectedness and security between networks.
It is a technical feat to create a cohesive platform that delivers true multi-tenancy and completely insulates each tenant’s data, while scaling to fulfill the demands posed by dozens or hundreds of diverse networks. Since the operator of the multi-tenant application cannot dictate what brands of equipment each tenant uses — because it’s a multi-vendor world — the multi-tenant solution requires the ability to discover and monitor every brand, model, and version of equipment. That 100% discovery sets the bar high, but without it, multitenancy is probably a non-starter. Just say yes to heterogeneity.
Multitenancy is especially relevant — a natural fit — for IT infrastructure control, network management, and NAC. Many IT professionals have the impression that the only way to “go multi-tenant” is to license a splatter of separate tools — products created as an afterthought — with complicated licensing requirements. Multitenancy has captured the interest of hosting companies, a few organizations that require distinct multiple networks, and SaaS providers like Finanz Informatik in Germany (see below) who leverage it to quickly roll out a new service.
Multi-tenant network management and NAC can benefit organizations across a wide range of industries:
- Service providers with many customers for NAC or IT operations management (ITOM), or who seek to rapidly deliver a new service to new customers.
- Financial institutions with multiple networks, or entire industries where many companies — e.g., banks, — must comply with the same security or operational mandates, and ensuring compliance on their own would be expensive and require new skills and technology.
- Franchisors serving multiple franchisees with distinct networks.
- Health care providers with multiple care facilities on separate networks.
- Holding companies likely to acquire other companies and suddenly inherit their networks.
- Any enterprise that sees advantages to managing networks of different locations or subsidiaries as distinct entities insulated from one another.
The key to delivering a single, coherent integrated platform, where single and multi-tenantoperations are identical, is to build the solution from the start to function equally well in both modes. The advantages of a unified platform are multiplied when you apply them to 10 or 100 networks; so are the disadvantages of complicated, partial multi-tenant add-ons.
Ideally, each tenant can discover and oversee its own network from a “single pane of glass” (SPOG). No tenant can ever see or touch another tenant’s network; true multi-tenancy insulates tenants completely from one another. Service providers or central IT groups use a central console, where an operator oversees all the tenant networks, using whatever network management functions have been enabled. While some may question the need for a SPOG approach, the fact is that without full visibility of all network devices, ports, and endpoints, multi-tenant management would be somewhat chaotic. The “uber operator,” for example, couldn’t possibly know and compensate for the blind spots on each tenant network.
Multitenant ITOM and NAC have a good operating history in demanding, large-scale applications; the benefits achieved in practice are substantial. One health care provider, for example, operates dozens of separate hospitals, other care facilities, and nursing homes; each facility has its own network, and the corporate IT department oversees all the networks — on a single multi-tenant instance of its network discovery and management platform. Each hospital’s small IT group has visibility and control of its own network, with centralized oversight, at a superior level than before, without adding IT staffers at each facility.
A much larger-scale example of multi-tenancy at work can be seen in financial services. Roughly 240 networks encompassing 15,000 bank branches and 24,000 ATMs — and nearly 300,000 endpoints — in Germany meet government-imposed NAC requirements by subscribing, as tenants, to a service delivered by SaaS provider Finanz Informatik. New bank networks can be on-boarded rapidly, so this installation is growing. Some of these individual tenants have sizable networks; while the average subscriber has about 1,100 endpoints, some are considerably larger.
Multi-tenancy in NAC and ITOM is good — very good — for productivity. One operator at the master console of a multi-tenant network management implementation gains a scope of control that otherwise might require dozens of operators.
- A security policy can be implemented immediately across all tenant networks, rather than one network at a time. Policies can also be applied to groups of networks, such as all banks in a region, or franchisees over a certain size or subsidiaries running a particular e-commerce application.
- It is a simple matter to query the platform’s dynamic CMDB to gauge the readiness for a particular equipment or software upgrade across all the tenants or a group of tenants.
Moreover, capabilities that make the “uber-operator” more productive — such as single-pane-of-glass network management — also boost the capabilities of the operator of each tenant network.
If a multi-tenant platform lacks complete insulation between tenants, or requires any tenant to adhere to, or convert to, a homogeneous, uni-vendor IT infrastructure — it will disappoint.
Extreme scalability — in capacity, speed, and cost economies — is also a necessity, because multi-tenant implementations tend to grow. Healthcare industry installations typically have a ratio of one network per care facility. Where a SaaS provider serves an industry, the number of tenants can go into the high hundreds.
Extensive network management functionality — whether it is network access control or at ITOM capability — is usually needed within each tenant network, not just for the uber-operator at a central console which provides a central view over all tenants. It is very cost-efficient to provide infrastructure control and/or NAC for many networks on a single appliance or software instance.
A quick search will tell you that while there are few vendors, and relatively few companies running multi-tenant NAC and ITOM, the technology works and works well. Real-world implementations are running with hundreds of sizable tenant networks, providing complete insulation between tenants and full visibility within each network and to the master operator. The reduction in maintenance costs and on-board expertise required for each tenant, on its own, makes a powerful business case. There is no need to sacrifice functionality, give up vendor independence (heterogeneous infrastructure), nor put up with a patchwork, bolt-on approach to running multiple networks.
If your organization fits any of the profiles described above, it’s well worth investigating what multi-tenant platforms for NAC and/or ITOM are currently available, fit your network makeup, and are proven in large-scale, heterogeneous implementations.
This article was originally posted “Time to Look at Multi-Tenant Infrastructure Control, Network Management, and NAC” from Cloud Strategy Magazine.