Announcing Secure Application Workspaces with Pure Storage

By Don Poorman, senior technical evangelist, enterprise storage and cloud computing specialist, Pure Storage, Inc.

Secure Application Workspaces (SAW) is available with FlashBlade and FlashArray with Purity updates, beginning in July 2024. Learn more about how this allows storage administrators to logically divide storage to better align with upstream demands.

Pure Storage, Inc. is proud to announce SAW;– our enhanced implementation of storage multitenancy (SMT) on our FlashBlade and FlashArray storage endpoints.

The company has a long history of customer-centric design principles, which means we often modify industry standard/accepted technical concepts to improve them for a better implementation approach. SAW is no exception. We didn’t just rename ‘secure multitenancy’ to be different. Its name conveys an improved perspective. 

To us, ‘multitenant’ means an organization of users that simply needs file or block storage space that exists on a storage host where their competitors sit (i.e. major cola brand vs. major cola brand). While that is one philosophy of consumption, we should also consider applications/ workloads as tenants, with each one needing its own performance and availability SLAs. SAW also aligns better with the containers space, since the word ‘application’ is a core part of its concept. 

Multitenancy has always been a thing
Multitenancy isn’t new. It actually has existed as a concept since 1922 but has changed names over the years as the concept evolved.

If you’re familiar with any of these phrases, you’ve worked in a multitenant environment: 

• Time-sharing (IBM)
• CP/M Multiuser DOS (Digital Research/Novell)
• NT Virtual DOS Machine (Microsoft)
• Virtual Domains (Sun Microsystems)
• X86 OS Virtualization (VMware/RedHat/Microsoft)
• Cloud Computing (AWS/Azure/GCP)

In fact, any OS service that allows multiple OSs, applications, or users to simultaneously access its kernel is considered multitenant.

Multitenant enterprise storage: Fundamental to cloud operating models and beyond
Storage multitenancy has also existed for quite some time.

Legacy vendors have implemented it in various forms in their products based on a common set of reasons:

• Tenant isolation for better security and autonomy
• Faster time to service for end consumers
• Improved storage resource management to include chargeback

While the introduction of SAW is great news for our service provider customers and prospects for multitenant hosting and management, we believe any IT operation can benefit from leveraging it in its data center.

For instance, implementing a storage multitenant environment in core enterprise storage can make corporate merger or acquisition migrations smoother because file structures and namespaces can be preserved in the consolidation. Another example is isolating tenants by department and regulating their storage CPU and resource consumption with QOS rules to avoid the, ‘…noisy neighbor’ risk. And while it may not be a mainstream practice, implementing SMT also offers the possibility of a tenant managing its own storage space, giving the data center operators back cycles to fight other fires that are inevitably raging in other spots.

Realms: the root of all tenants
The heart of Pure Storage SAW lies in the concept of ‘realms,’ a logical construct to group storage objects together to deliver multi-tenancy. Think of a tenant’s realm as a self-contained, virtual storage environment capable of delivering data over any protocol, overseen with highly configurable management policies for availability SLAs or quotas, and QoS variables for limiting the ‘noisy neighbor’ risk.

Realm creation and management
Because realms are considered a logical construct, only an array user with array_admin privileges can create, manage, and destroy them. Think of that user as the landlord of an apartment building and the individual units as tenants. The admins manage the building and its tenants from an ‘outsider’ perspective by securing residents in vacancies and maintaining the collective order and ownership for any problems that crop up. The inside part is managed by the tenant in how they arrange furniture, decorate, and live.

Realm administration is a similar effort in that the array_admin user cannot only create and destroy them, but also manage their size quota and QoS as they relate to other realms on the same array. They also have the ability to move workloads in and out of realms, as well as delegate ‘consumers’ – tenant users who can manage data services inside a realm as a tenant. 

SAW sample use case:Test/Dev operations
Implementing a storage multitenancy model isn’t just for service providers wanting to securely isolate tenants to prevent data spillage between the 2. There are other possibilities. Consider an array that concurrently supports production workloads and the Test/Dev team. Many data center architectures might mitigate CPU overconsumption by controlling resources to VMs between those tenants but have no way of accomplishing the same with the enterprise storage side. This becomes an easy fix with Pure Storage SAW, where the Test/Dev environment is set up as a consumer tenant that can be managed with a quota and QoS, while doing its testing on replicas from production data and managing its own snapshots. This configuration allows for end-to-end mitigation of noisy neighbors constraining storage resources.

Pure Storage FlashArray and FlashBlade: Dead Simple SAW Now Included
The company is proud to announce that both FlashBlade and FlashArray will be capable of supporting SAW with Purity updates beginning this month. Once updated, both array models will be capable of allowing storage administrators the option to logically divide their storage to better align with upstream demands from their end customers and workloads.

Here are some highlights on how our multitenancy approach shines brighter than our competitors:

• Calling it ‘SAW’ matters. ‘Secure application workspace’ isn’t just us trying to be clever with a different name for multitenancy. We’re embracing the ‘workspace’ concept as a crucial part of container management.

• Simpler configuration for shared infrastructure. SAW requires 75% fewer parameter definitions compared to the competition, making it simpler to implement and manage.

• Better visibility and isolation capabilities. This allows an infrastructure owner to provision more workloads per array, thus increasing array utilization.

And, in true Pure Storage fashion, SAW will be included with no extra costs and be simple to implement and manage. In fact, any volumes or file systems that belong to a pod will be able to non-disruptively migrate into a new tenant space.

Some initial release nuances
All software releases come with conditions, and SAW is no exception. On its release, FlashArray will support SAW on block-only volumes, while FlashBlade will support it on File workloads. It will be available on FlashArray Files later in the year. SAW will also be only accessible via the command line on initial release. It will be integrated into the array UIs by the end of the year, as well.

Test Drive SAW
The Pure Storage release of SAW comes at a great time in the industry, when many organizations are looking to make their data center infrastructure more “cloud-like” in how it operates. Head on over to our test drive page to kick the tires on it. Look for the ‘FlashArray and FlashBlade Bleeding Edge Lab.’

And reach out to your account’s principal technologist or field solutions architect for a deeper dive.