Multi-tenancy can mean different things to different people. In software, it means that a single instance of a software application (and its underlying database and hardware) serves multiple tenants (or user accounts). But multi-tenancy can also refer to cloud hosting offerings, whereby a single physical computer or virtual machine (VM) is shared among multiple users or client organizations. For service providers (SPs), it means ensuring resources for all tenants while reducing management overhead, which turns it into a balancing act.
Two years ago, Cohesity embarked on an exciting journey, partnering with service providers (SPs) across the world to deliver exciting and resilient data management services to customers. We engaged with many cloud infrastructure providers, managed hosting providers, managed services providers, and many other leaders in the cloud and IT services space, co-building offerings to improve customers’ business agility by simplifying data and application management, with one platform delivering multiple product offerings, including backup, disaster recovery, file and object services, archive, test/development, analytics, and custom services.
This blog is the second in a series focused on the milestones we have accomplished with our service provider partners (the first blog in the series breaks this down) and how we continue to jointly innovate. In this blog, we look at how we built our multi-tenancy capabilities with feedback from our SP partners.
A Platform That Delivers Multi-tenancy, Made Simple
Cohesity Founder and CEO Mohit Aron was at the forefront of developing Google’s hyperscale Distributed File System and also pioneered and coined the well-known industry term hyper-convergence. Cohesity’s focus from the very beginning has been to build a web-scale, software-defined data management platform. This vision and its execution meet and exceed enterprise needs for readiness and scale, and they inherently apply to the needs of service providers, too. In fact, the underlying architecture, platform services and approach of Cohesity’s Helios platform are completely in sync with, and proportionate to, the multi-tenancy and other needs of SPs.
SPs serve many customers on shared infrastructure, and they need a platform that scales out, is easy to integrate, operate and manage, and makes it easy to build new services. To achieve these goals, Cohesity worked with SPs as design partners to understand these needs in depth and bake these capabilities into the platform itself. As a Principal Architect at a Tier 1 SP said, “Cohesity has, by far, the best multi-tenant design compared to other vendors.”
Cohesity’s value proposition for service providers is simplicity. Cohesity helps you simplify your data silos so you can focus on delivering superior customer experiences and enable multiple use cases all with one singular Data Management platform. This chart illustrates the development areas Cohesity focused on to build an enterprise-ready platform that would meet the needs of SPs—with contributions from SP partners like Expedient, QTS, Fundaments and many others.
The following brief look at what is involved in building a comprehensive “multi-service platform” for SPs (and with them) goes through each part of the chart, starting with unified management.
Before Building Multi-tenancy: Key Helios Platform Data Design Elements
Before you build multi-tenancy to deliver true scale-out, you need to build modular foundational elements that become the building blocks for launching multiple use cases on a single platform.
As we addressed the components in the multi-tenancy for SPs chart, we kept these elements in mind.
Returning to the chart, we start with unified management. Cohesity’s SaaS-based platform, Helios, provides a single view and global management of all your Cohesity clusters, whether on-premises, in the cloud or virtual edition, regardless of cluster size. You can quickly connect clusters to Helios and then access them from anywhere using an Internet connection and your Cohesity Support Portal credentials. You can also deploy Cloud Edition clusters using Helios.
With Helios, you can actively manage all your clusters, including multi-cluster monitoring, reporting, and orchestrated upgrades, from a single dashboard. Search across clusters and take action right from the search results. For example, search for all unprotected VMs and create jobs to protect them. SmartAssist automatically schedules and orchestrates jobs and workloads to help meet your SLAs and makes recommendations based on capacity forecasting and disk failure prediction.
Helios also has security tools to help detect threats and other anomalies across clusters with the unified Alerts page. Ransomware detection through machine learning algorithms enables you to prevent, detect and respond to threats. With MarketPlace Apps, you can also run Cohesity and third-party apps directly on Cohesity Helios to gain valuable insights into the data that is stored on the cluster.
Cohesity’s platform is secure by design:
Service providers cannot access the data on a tenant’s NAS share.
Service providers can restore to a tenant’s VM, but they cannot access files restored from a tenant’s backup directly, not even via download.
SPs cannot decrypt tenant data. Even though SPs have physical access to the hard drives, they cannot access the data because it’s encrypted.
Only tenants have access to their data.
Multi-tenancy offers SPs numerous advantages, such as investment efficiency, security, and data isolation. Secure multi-tenancy is a crucial part of planning corporate IT infrastructure today, and providing security guardrails is built into the core architecture of the Cohesity Helios platform. With Cohesity Helios, SPs can create an “Organization” corresponding to each tenant customer on the Cohesity cluster.
Secure multi-tenancy is achieved by providing a logical separation between the multiple tenants hosted on the Cohesity cluster. Each tenant is represented in Cohesity as an organization. Each organization can also be associated with its own VLAN, which enables logical isolation on physically shared hardware.
Pre-built integrations for all backup workloads with VMware vCloud Director, ServiceNow, and VMware vRealize Suite, plus flexible options for self-service tenant management through Cohesity and third-party GUIs simplify operations. Service providers can configure role-based access control (RBAC) to provide role-based access to the employees within each tenant organization. This chart shows roles and how roles are assigned privileges.
In the platform, you can create roles (which capture privileges, i.e., allowable actions). You can create users, assign them a role, and indicate their data access boundaries. Examples of such boundaries are which VMs, vCenters, NAS shares, or other data sources they can access. This dual mechanism makes role-based access controls simple.
Tenants, called organizations, are very similar. An organization logically groups a set of users and has data boundaries. Organizations can be defined with their own AD domains or groups. And, within the organization, users (or groups) can have certain roles and, optionally, can be further restricted in their data boundaries. Organizations also have data boundaries, such as a specific set of VMs, or a resource pool in a vCenter, or an entire vCenter.
This concept is taken further to enable fine-grain RBAC control by source as shown here.
By enabling finer-grain control, SPs can create custom roles and assign specific sources to manage. This further enables self-service data protection to their tenants and allows organizations to manage and control their data sources.
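The check implied by this model, written out as an added example (not Cohesity code or its API): a request is allowed only when the user's role grants the action and the source lies inside both the organization's boundary and any narrower user boundary. All class, role and source names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset          # allowable actions


@dataclass
class Organization:
    name: str
    sources: set                   # tenant data boundary (VMs, shares, ...)


@dataclass
class User:
    name: str
    org: Organization
    role: Role
    sources: Optional[set] = None  # optional narrower per-user boundary


def authorize(user: User, action: str, source: str) -> bool:
    """Allow only if the role grants the action AND the source is in bounds."""
    if action not in user.role.privileges:
        return False
    if source not in user.org.sources:      # tenant boundary always applies
        return False
    if user.sources is not None and source not in user.sources:
        return False
    return True


# Constructed sample tenants, roles and users (hypothetical names).
operator = Role("backup-operator", frozenset({"backup", "restore"}))
acme = Organization("acme", {"vcenter-a/vm-1", "vcenter-a/vm-2", "nas/acme"})
globex = Organization("globex", {"vcenter-b/vm-9"})
alice = User("alice", acme, operator)                      # whole org boundary
bob = User("bob", acme, operator, {"vcenter-a/vm-1"})      # restricted to one VM
# Misconfigured: user boundary names another tenant's source.
carol = User("carol", globex, operator, {"vcenter-a/vm-1"})

if __name__ == "__main__":
    for u, act, src in [(alice, "restore", "vcenter-a/vm-2"),
                        (bob, "restore", "vcenter-a/vm-2"),
                        (carol, "restore", "vcenter-a/vm-1")]:
        print(u.name, act, src, "->", authorize(u, act, src))
```

Because the organization boundary is checked independently of the user boundary, the misconfigured entry for `carol` still cannot reach another tenant's VM.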
The API-first design of Cohesity Helios enables automation and orchestration for almost all the workflows available in the cluster.
We learned from our experience and our SPs that automation is absolutely essential, requiring a platform that, from the ground up, delivers an API-first design. Not all SPs are created equal. They have various cloud management portals and various self-service portals, and they have built these capabilities over time. A platform must deliver APIs that enable them to easily integrate and build services in their ITSM infrastructure and platforms.
Web-Scale, Advanced Global Deduplication
Cohesity provides the industry’s leading web-scale, performant, and capacity-efficient solution for SPs. Cohesity’s Helios platform is built on a web-scale architecture, which scales infinitely; you buy as you go. Node additions are non-disruptive, as are software upgrades. Using a technique called “rolling upgrade,” we choose a node, reroute all client traffic around it, take it out of service, upgrade it, and re-add it to the cluster, so there is no downtime.
Web-scale architecture also provides greater storage efficiency, thanks to our advanced global deduplication. This storage efficiency led a Tier 1 SP and Leader in the Gartner Magic Quadrant for DRaaS, 2016-19, to say, “Cohesity delivered such impressive storage efficiencies that the business case versus our current vendor became incredibly powerful.” Our SPs have provided us with valuable ideas and feedback related to web-scale and deduplication.
Advanced Global Deduplication
Service providers have seen valuable storage efficiencies with our variable-length, sliding-window, global deduplication. Storage capacity efficiency yields have been in the order of 10-20 percent better than traditional fixed-length deduplication. With variable-length deduplication, the block size is not fixed. Instead, our algorithm divides the data into chunks of varying sizes to achieve the maximum possible matching of duplicate data chunks. By contrast, conventional fixed-length deduplication places markers at fixed-length intervals. Small file changes result in a loss of efficiency. This diagram shows what this looks like.
Here’s what happens when just one block changes and the sentence becomes “Know data is king.”
With fixed-block deduplication, unless the changes are exactly a multiple of the fixed block size, all of the data past the first change is shifted. The shift changes subsequent blocks in the file with respect to the fixed-block boundaries. As a result, the changes look new to the fixed-block deduplication engine. Variable deduplication, on the other hand, is flexible when data changes. Only the new or changed data is stored and the remainder of the file is not affected, which allows for near-maximum data storage efficiency.
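The boundary-shift effect described above can be measured directly. This is an added example, not Cohesity's algorithm: it compares fixed 64-byte blocks with a simple content-defined chunker that cuts wherever a CRC32 fingerprint of the last 16 bytes has its low 6 bits clear. The window size, mask and sample data are assumptions chosen for illustration.

```python
import hashlib
import random
import zlib

WINDOW = 16   # bytes the sliding window looks at (assumed value)
MASK = 0x3F   # cut when the low 6 bits are zero: ~64-byte average chunk
FIXED = 64    # block size for the fixed-length comparison


def fixed_chunks(data: bytes) -> list:
    """Cut at fixed offsets, regardless of content."""
    return [data[i:i + FIXED] for i in range(0, len(data), FIXED)]


def variable_chunks(data: bytes) -> list:
    """Cut wherever the fingerprint of the last WINDOW bytes matches MASK.

    Boundaries depend only on nearby content, so they move with the data
    when bytes are inserted earlier in the stream. Production chunkers use
    a rolling hash to make this O(1) per byte; CRC32 keeps the demo short.
    """
    chunks, start = [], 0
    for end in range(WINDOW, len(data) + 1):
        if zlib.crc32(data[end - WINDOW:end]) & MASK == 0:
            chunks.append(data[start:end])
            start = end
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def reuse_ratio(chunker, old: bytes, new: bytes) -> float:
    """Fraction of the new version's chunks already present in the store."""
    store = {hashlib.sha256(c).digest() for c in chunker(old)}
    new_chunks = chunker(new)
    hits = sum(hashlib.sha256(c).digest() in store for c in new_chunks)
    return hits / len(new_chunks)


def demo() -> tuple:
    rng = random.Random(2020)                  # constructed sample data
    old = bytes(rng.getrandbits(8) for _ in range(32 * 1024))
    new = old[:100] + b"Kn" + old[100:]        # two-byte insert near the start
    return (reuse_ratio(fixed_chunks, old, new),
            reuse_ratio(variable_chunks, old, new))


if __name__ == "__main__":
    fixed, variable = demo()
    print(f"fixed-length reuse:    {fixed:.1%}")
    print(f"variable-length reuse: {variable:.1%}")
```

With fixed blocks only the single block before the insert is still found in the store; with content-defined boundaries only the chunks touching the insert are new.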
Cohesity’s implementation of advanced global deduplication delivers real and significant value to SPs. The 10-20 percent savings in efficiency result in higher revenues for their services running on shared infrastructure.
Many other vendors have siloed deduplication, such as deduplication in a backup job, in a single workload type (Windows, Linux), or only in a single node or physical box. The Cohesity difference is that deduplication occurs with no boundaries and across the largest possible data set. Cohesity provides global deduplication across everything in a cluster.
Extending Cohesity’s deduplication advantage to SPs, we even allow optional cross-tenant dedupe. Cross-tenant deduplication is optional because it affects secure isolation. While tenants do remain isolated at the management level, they share one encryption key. Service providers can expect to see around 5-10% additional savings using cross-tenant deduplication.
Now, for an SP, this is not an either-or decision. SPs can offer:
A dedicated secure storage domain per tenant
Both: 1) for some tenants and 2) for other tenants, at different pricing tiers or for different customer target segments.
Public Cloud-Native Integration and Multi-Cloud Mobility
Cohesity Helios has native public cloud integrations and provides multi-cloud mobility, making it straightforward to keep extending your system’s capacity and capabilities. Service providers using public cloud in their backup framework or delivering cloud backup as a managed service on public cloud can use Cohesity Cloud Edition to get the same performance and efficiency benefits of their SP data center on the public cloud.
Reporting and Analytics
Cohesity Helios gives SPs access to usage metrics to help them implement chargeback. With deep visibility into backup statistics, service providers can implement accurate pricing and chargeback mechanisms, isolated by tenant. Service providers can retrieve and analyze these metrics via:
Support for Frontend and Backend Charging models and chargeback reports for storage consumed at the organization (tenant) and job level. These reports can be automated and called from APIs and integrated into SP billing systems, simplifying the billing and invoicing process for service providers.
Built-in reports. These are accessible in the Cohesity Helios browser UI or via APIs into an SP’s choice of Cloud Management Platform.
Custom reports that can be generated using the Cohesity REST API and the custom Reporting Database. This database is now natively embedded in the platform and can be integrated to any BI tool of choice to build predefined and ad-hoc reports.
Furthermore, Cohesity added JReports, a reporting application in its AppStore that enables Service Providers to build reports using this app and leverage the ‘rich schema’ available in the native reporting database.
All of these capabilities continue to simplify and help SPs deliver profitable services on their shared infrastructure.
Feedback and Collaboration Drive Multi-tenancy Made Simple
We could not offer multi-tenancy made simple without our unique model of feedback and collaboration with our service provider partners. We’ve worked very closely with Expedient, QTS, Fundaments and many SPs to build out these valuable capabilities. Cohesity’s Helios platform is richer because of their input. Stay tuned for another story of collaboration in my next blog!