Stackato delivers PaaS with a punch: Secure Multi-tenancy on HP Cloud Services
by Diane Mueller

Diane Mueller, January 12, 2012

ActiveState is pleased to offer Stackato's secure multi-tenancy capabilities for those of you deploying to the HP Cloud. HP Cloud Services–currently in private beta–is HP’s next generation of cloud infrastructure, platform services and cloud solutions for developers, ISVs and businesses. The HP Cloud is based on HP's Converged Infrastructure, a combination of HP hardware, software, services, and OpenStack technology. Stackato’s support for HP Cloud Services gives enterprise developers a more secure PaaS option.

Built on VMWare's Cloud Foundry Open Source project and hardened for the enterprise, ActiveState Stackato works on vSphere, Amazon EC2, and OpenStack, and will also support other infrastructure platforms.

While some PaaS offerings are content to rely on user-based Unix security, but ActiveState’s Stackato takes security a big step further, and is the first PaaS to bring lxc-based containerization to the HP Cloud, creating a more-trusted, commercial-grade level of security to private PaaS deployments.

So what’s the big deal about deploying a secure multi-tenant PaaS on HPCS, rather than on one that relies on Unix-based user level security, or one that shares resources amongst its tenants?

Why does multi-tenancy matter? (Hint: It’s more efficient.)

True multi-tenancy enables your organization to squeeze efficiencies out of a shared IaaS-level resource pool by running multiple applications on the same cloud servers. Multi-tenancy is what distinguishes PaaS offerings from Orchestration tools that do not manage multiple guest applications, but rather act as simple installers onto bare IaaS instances.

While multi-tenancy allows you to maximize usage of your allotment of cloud servers, having multiple applications running on the same server can be tricky (if not impractical) to secure.

Playing well with others in the PaaS playground

When you deploy a Platform as a Service, you provide a shared “playground” for a number of guest applications (tenants). The resource pool is presented as a single logical layer to those guest applications--The PaaS manages pools of OS resources and co-habits applications on shared instances.. Those guest apps should not have to be aware of the details of components that lie beneath the PaaS at the infrastructure level, nor should they have to be designed to play nicely with others. The PaaS layer should insulate both infrastructure and application from each other, and ensure that guest applications are not forced to be aware of other guest applications running on the same resource pool.

Some PaaS offerings manage the boundary between infrastructure and the application, But most do not, and PaaS solutions that offer only Unix user-level security leave openings for untrusted applications or users to exploit, and do not provide adequate security guarantees for the enterprise.

Securing the PaaS

Early on in the development of Stackato, ActiveState made the decision to extend Cloud Foundry, and take advantage of Linux technologies to provide better security. ActiveState's Stackato creates isolated, lightweight containers known as “lxc containers,”, Virtual Private Servers (VPS), or Jails. Conceptually, the containers are built atop several Linux technologies which provide each guest-application container with a segregated file system with web and ssh services.

The containers are protected from each other: a guest application in one container cannot read files owned by another container, or kill its tasks. With the Stackato-container approach, the outside world can still reach web servers and ssh servers on the containers and, more importantly, the hosting PaaS can protect its key files from guest applications and users in the containers.

The containers effectively allow Stackato to partition the resources into isolated groups to better balance conflicting demands on resource usage between the isolated groups. Stackato's innovative containerization approach has the dual benefits of running applications on a seemingly separate machine while still leveraging many of the underlying resources. As far as the guest application is aware, the PaaS has provided a private Playground. The architecture makes Private Cloud even more "private." For enterprises, the operational and security advantages of sharing these resources while isolating the guest applications can also lead to significantly lower overhead than true virtualization.

Implications for the HP Cloud Services platform

Adding support for HP Cloud Services to Stackato reinforces ActiveState’s commitment to providing the best-of-breed secure Private PaaS layer in the cloud that runs on HP's world-class hardware and software on OpenStack™ technology - giving your organization a clear alternative to Amazon Web Services.

The end result is a highly flexible, secure, multi-tenant PaaS layer that can be run in any environment (on-premises or in the cloud) helping your organization deliver a knock-out punch when if comes to securing your Cloud.

Stackato is a private PaaS that enables deployment, scaling, and management of Java, Python, Ruby, PHP, Perl, Node.js, Scala, and Clojure applications to any cloud. Stackato delivers the power of PaaS on-premise with the security, privacy, and control behind a corporate firewall. With Stackato, customers can deploy an application to either a private internal cloud (like one powered by VMWare vSphere™, Citrix XenServer, Linux KVM, or OpenStack™) or one hosted by a third-party cloud-hosting provider (such as Amazon or HP Cloud Services).

To see Stackato working with HP Cloud Services, we've provided this short screencast.

Developers and cloud administrators can download Stackato, currently in open beta including the free Stackato Micro Cloud, at:

Subscribe to ActiveState Blogs by Email

Share this post:

Category: stackato
About the Author: RSS

Diane Mueller is a Cloud Evangelist at ActiveState. She has been designing & implementing financial applications at Fortune 500 corporations for over 20 years. Diane has been actively involved in development efforts of XBRL Open Standard ( since 1999.


1 comments for Stackato delivers PaaS with a punch: Secure Multi-tenancy on HP Cloud Services

Congrats on the announcement Diane!

This is great. We're a huge fan of multi-tenant architectures.

As a complement to the post I would suggest this blog post from Anshu

We're moving forward with the research on Stackato (I've got one engineering testing Komodo IDE this week).