🗂 Tenant Management

Multi-tenancy is a cornerstone of cloud computing. It allows different customers of a cloud computing provider to share the same physical cloud infrastructure while maintaining strong isolation and security guarantees between tenants. Correctly leveraging the tenant isolation primitives like Accounts (AWS), Subscriptions (Azure) or Projects (GCP) is therefore very important to build a strong foundation for cloud security.

Tenant management is not only important for cloud security. It’s also the fundamental “entry point” into the cloud platform’s control plane for every operation. Whether you’re deploying new cloud resources, configuring IAM or reviewing resource consumption with the platform’s reporting features, the tenant is always part of the operation’s context.

Key Activities in Multi-Cloud Tenant Management

Multi-Cloud Tenant Management involves the following key activities and capabilities

Establish processes for Tenant Provisioning and Tenant Deprovisioning / Decommissioning
Define your organization’s Resource Hierarchy
Build a database of cloud tenants according to your organization’s needs starting with a simple Cloud Tenant Database as the minimum
Establish a process for building and applying landing zones, e.g. Modular Landing Zones

As the cloud foundation approach is all about integrating the capabilities of its constituent pillars, the Tenant Management pillar has several important links to other cloud foundation capabilities

🔐 IAM

As the tenant is a fundamental entry point into the cloud, controlling access to the cloud at tenant-level is a key consideration for a multi-cloud Resource Authorization Management

🔖 Security & Compliance

Tenant databases need to provide necessary metadata to enable Cloud Tenant Tagging and Cloud Resource Tagging for compliance purposes
The tenant management process needs to identify the responsible security contact for each cloud tenant, which is an important prerequisite for establishing an Incident Management Process and informing the right stakeholders about the results of Resource Configuration Scanning

💵 Cost Management

Tenant management process needs to identify the responsible cost owners so that the organization can leverage Chargeback via consumption cost allocation and Monthly cloud tenant billing report for cost owners

🛠 Service Ecosystem

The concept of an “internal customer” that can order cloud tenants seamlessly extends well into also enabling that same customer to provision services from the service ecosystem. This is also a key requirement when adopting a Modular Landing Zones approach that provides baseline configurations for cloud tenants that customers can then extend with additional services

Designing a Multi-Cloud Tenant Management Strategy

Especially when considering a multi-cloud scenario, cloud foundation teams need to design a tenant management strategy that they can implement consistently across all cloud platforms.

Cloud Tenant Management Guide

Learn more about the organizational needs driving cloud tenant database requirements in the "Cloud Tenant Management Guide - what you need to know in 2021" guide.

Learn More →

Key Stakeholders for Multi-Cloud Tenant Management

Cloud Tenant Management is an “original responsibility” of cloud foundation teams. Other Cloud Foundation Pillars like 🔐 IAM or 💵 Cost Management often have existing stakeholders in an IT organization responsible for their respective core activities. Tenant management however is a “new” requirement that arises out of cloud adoption specifically.

Nonetheless, many IT organizations already have encountered similar challenges. For example, IT Service Management requires the notion of an “internal customer”. The “internal customer” is a key concept and any stakeholders involved in their definition like Enterprise Architecture Boards, ITSM, or CMDB teams are important key stakeholders to the cloud foundation team.

Inside the cloud foundation team, there are often different platform specialists or even platform owners focusing on different platforms each. In order to avoid “platform silos” (see Approaches to building a Cloud Foundation section “Platform by Platform”), it’s very important that the cloud foundation team aligns the tenant management processes across all cloud platforms.

Additional stakeholders to the tenant management process are security and compliance as well as cost management stakeholders, as cloud tenant structure and cloud tenant metadata are key enablers for cloud management activities in their domains.

Did this page help you?

Capabilities

Resource Hierarchy

Define a cloud resource hierarchy structure that facilitates tenant isolation and policy enforcement. Maintain the integrity of this hierarchy to ensure capabilities built atop of it remain effective.

Cloud Tenant Database

A central database provides information about cloud tenants using a unified schema. The database records essential metadata like the responsible owner of the tenant and a cost center for chargeback.

Tenant Provisioning

On-demand provisioning of primitive cloud tenants (e.g. AWS Accounts, Azure Subscriptions etc.).

Self-Service Multi-Cloud Tenant Database

Application teams can register, update and remove tenant metadata in a central multi-cloud tenant database in self service.

Link Cloud Tenants to CMDB/EAM

Maintain a link between cloud tenants and a central CMDB/EAM repository (e.g. IT System identifier, Application Id). Linking cloud tenants to CMDB/EAM systems is a foundational capability that enables use cases like basic chargeback, systematic risk ...

Playground / Sandbox Environments

Application teams can quickly provision cloud environments for experimentation and learning. Playgrounds use relaxed policies (e.g. more cloud services are allowed) but come with time- or spend-limits that are tightly controlled. Expired playgrounds ...

Container Platform Landing Zone

A dedicated landing zone offering a developer-centric experience for building and running container-based applications on the cloud on top of a container platform.

Lift & Shift Landing Zone

A dedicated landing zone optimized for lift & shift workloads enables quick onboarding and efficient operations.

Cloud-native Landing Zone

A dedicated landing zone optimized for cloud-native workloads enables quick onboarding and efficient operations.

Tenant Deprovisioning / Decommissioning

Establish a process for safely decommissioning and deprovisioning cloud tenants that are no longer needed by application teams.

Multi-cloud tenant database integrated with lifecycle management

A central database of all multi-cloud tenants initiates tenant provisioning and deprovisioning processes. The database acts as an authoritative source of tenants and ensures tenant metadata is always up to date.

Modular Landing Zones

Landing Zones are extendable with with optional services. These services have their own lifecycle and can be reconfigured during the lifespan of a tenant. The modular design allows combining services like LEGO® blocks.

Data Science Landing Zone

A landing zone optimized for data science workloads like AI/ML models and self-service data analysis.

Tenant Inventory Reconciliation

The inventory of cloud tenants is automatically reconciled against the tenants actually present in the cloud platforms. This allows organizations to detect "shadow IT" or "dark matter" in the cloud. A process is in place to adopt these existing tenan...