How to Design a Secure Multi-Tenancy Architecture with Object Storage

Posted on June 6, 2022 by rawee.k

Now that data is stored everywhere – from file shares and streaming media, to hosted applications, containers and microservices – the lack of control over corporate and customer data is unprecedented. As a result, IT departments, are juggling a multitude of priorities for prevention and preparedness at the same time.

Due to its built-in data protection capabilities, object storage has become widely-deployed across a spectrum of federally regulated, security-sensitive industries and domains – financial services, health care (hospitals and biosciences), government agencies – to prevent ransomware attacks or a data loss event.

🛡️ How to design a secure multi-tenant architecture with object storage?

The immutable architecture of object storage (meaning data cannot be updated in place unlike with a file system) protects data from threats that attempt to change data. In addition, Ceph-based object storage architectures, like the OSNexus QuantaStor software-defined storage platform, take these benefits further with enhanced data protection and security capabilities.

How does the built-in object lock feature in object storage protect data against ransomware?

Object lock is an immutability feature which prevents data from being changed or deleted. In a typical ransomware hack, attackers take over and encrypt an organization’s data, then charge a ransom in order to decrypt the data.

To protect its data, IT leaders need to make sure hackers are unable to change their data. An important feature to enable for backups & archive, object locking is configurable with Amazon S3 on per bucket basis, while backup technologies, such as Veeam Backup & Replication, leverage object lock to ensure that backups cannot be modified by hackers.

How does storage tiering for Amazon S3 work with object storage?

Object storage generally provides an S3-compatible on-premises backup storage target, which is a more cost-effective and performant storage tiering strategy to archive warm data that’s less frequently accessed. However, OSNexus QuantaStor improves upon this capability by assigning a single namespace as a storage array to be configured as a backup storage target for all S3-compatible buckets. Using the same APIs, data or applications written with the S3-protocol, including Veeam, VMware Cloud or Docker, can have a local backup to reduce public cloud storage cost.

How does storage tiering for Amazon S3 work with object storage?

Logically separating a namespace for different S3 buckets provides greater security, as it contains data from different tenants – either an individual customer (or client), or group of users within an organizational department. In addition, each tenant group only has the ability to view or access the storage array assigned to their S3 bucket.

How can object storage simplify management in a multi-tenant environment?

Just like the public cloud, separating user groups within a single namespace makes it easier for storage administrators to manage customer data and provision resources. This mechanism is ideal for managed service providers (MSPs), or departments within large organizations, to easily monitor and track data usage by individual client or departments, as well as simplify charge-back accounting.

🛡️ Which QuantaStor data protection features secure multi-tenant environments?

As a member of the Ceph Foundation, OSNexus incorporates the open source cluster technology into its QuantaStor SDS platform to deliver scale-out object storage, NAS, and SAN capabilities without the need for Ceph or Linux expertise.

QuantaStor provides multi-tenancy with S3-compatible object storage that can be logically separated into namespaces for each tenant. This enables complete separation of the S3 buckets so that different tenants are not able to access the data of another tenant or even list names of the buckets of another tenant.

At the same time, QuantaStor extends the capabilities of Ceph by delivering a broad suite of load balancing, monitoring capabilities, and hardware integrations for IT teams to deliver secure object storage to support a broad range of applications from backups, archive, AI/ML, and CDNs

Combined with object locking, QuantaStor enables secure and compliant multi-tenant object storage environments that can be deployed on federally regulated on-premises, hybrid & multi-cloud infrastructures, due to data protection and security features that include:

  • 🌐 KMIP Server Integration – Security keys for data encryption-at-rest can be stored centrally and separately from the storage cluster.
  • 🖥️ Hardware (SED/Opal 2.0) & Software Encryption Support
  • FIPS 140-2 L1 Certified – QuantaStor is compliant with major security standards, including NIST SP800-53, SP800-171, HIPAA and CJIS.
  • 📄 Patented RBAC System – Create admins and designate roles to apply the ‘principle of least privilege’ across a user group.
  • 🗃️ LDAP & Active Directory Integration – Easily integrate QuantaStor into existing authentication systems with single-sign-on and SMB-based NAS file share support.

Learn more about Pogo Linux Object Storage Solutions

If you’d like to learn more about how Pogo Linux storage solutions enable secure multitenant environments that prevent ransomware attacks or a data loss event, give us a call at (888) 828-7646, email us at or book a time calendar to speak. We’ve helped organizations of all sizes deploy scalable, high-performance object storage solutions for just about every IT budget!