Wednesday, September 23, 2009

Multi-Tenancy Security Approach

Security is the key factor for any application hosted under a “Software as a Service” (SaaS) model. Data is the most important asset for most business applications: data about employees, products, customers, suppliers, and more. There are three main approaches to data architecture for SaaS applications:
1. Totally isolated: Separate databases per tenant
2. Partially shared: Shared database, separate schema
3. Totally shared: Same database, same schema
We will be focusing on the data security of multi-tenant SaaS applications. Approaches #1 and #2 above give security-conscious tenants stronger data isolation out of the box. Implementing the totally shared approach, on the other hand, requires additional effort and well-defined security mechanisms to achieve the same level of data security. So here we will cover data security for the “totally shared database” approach by explaining the encryption-based and permission-based shared data mechanisms.
Sharing approach for data security: In the isolated and partially shared data architectures, the database, schema and even individual tables are secured by granting access to each tenant, which makes it easy to isolate data at the tenant level. The diagram below shows how to achieve the same isolation in totally shared database tables (which need to be secured).
In the above approach, the master table is horizontally partitioned by tenant ID, and access to each partitioned table (one per tenant) is granted by tenant ID, so that access to the database tables is secured per tenant. The SaaS application is coded to always perform create/update/delete operations on the master table, and a trigger on the master table updates the appropriate tenant-specific table. The same application performs its read operations on the partitioned table, which also gives better performance. With this approach we make sure that a tenant can only access the data and tables to which it has been granted permission.
The above approach, however, requires partitioning at the database level and application changes so that reads go to the right tables. Another way to achieve shared security is to create a SQL view for each tenant. The application uses the tenant’s view to access the data in a given table, and the view filters by tenant ID, so data is not shared with other tenants. Note that this approach does not separate the data in the database by tenant, nor does it simplify per-tenant backups.
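Both mechanisms described above, the master table with per-tenant partition tables kept in sync by triggers and the per-tenant SQL views, can be demonstrated in a single small script. The following is an added example written for this post, not code from the original article; it uses SQLite (Python’s standard sqlite3 module), so the database-level GRANTs that the partitioning approach relies on are not shown, only the table, trigger and view mechanics. The table names, tenant IDs and customer rows are constructed for the demonstration. The last function shows the failure mode that both mechanisms are meant to prevent: a query against the shared table that forgets the tenant predicate returns every tenant’s rows.

```python
"""Tenant-scoped access in a totally shared database (added example).

Writes go to one master table carrying a tenant_id column; triggers copy
each change into a per-tenant partition table that the application reads
from. A per-tenant view over the master table is shown as the alternative.
"""
import sqlite3


def build_schema(conn: sqlite3.Connection, tenant_ids) -> None:
    conn.execute("""CREATE TABLE customers_master (
        id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT NOT NULL)""")
    for t in tenant_ids:
        # Tenant IDs are spliced into DDL, so accept identifier-safe values only.
        if not t.isidentifier():
            raise ValueError(f"unsafe tenant id: {t!r}")
        part = f"customers_{t}"
        # Partition table the application reads for this tenant.
        conn.execute(f"CREATE TABLE {part} (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
        # Triggers keep the partition in step with create/update/delete on master.
        conn.execute(f"""CREATE TRIGGER ins_{t} AFTER INSERT ON customers_master
            WHEN NEW.tenant_id = '{t}'
            BEGIN INSERT INTO {part}(id, name) VALUES (NEW.id, NEW.name); END""")
        conn.execute(f"""CREATE TRIGGER upd_{t} AFTER UPDATE ON customers_master
            WHEN NEW.tenant_id = '{t}'
            BEGIN UPDATE {part} SET name = NEW.name WHERE id = NEW.id; END""")
        conn.execute(f"""CREATE TRIGGER del_{t} AFTER DELETE ON customers_master
            WHEN OLD.tenant_id = '{t}'
            BEGIN DELETE FROM {part} WHERE id = OLD.id; END""")
        # Alternative mechanism: a view that filters the master table by tenant ID.
        conn.execute(f"""CREATE VIEW customers_view_{t} AS
            SELECT id, name FROM customers_master WHERE tenant_id = '{t}'""")


def read_partition(conn: sqlite3.Connection, tenant_id: str) -> list:
    """What the application should read: the tenant's own partition table."""
    rows = conn.execute(f"SELECT name FROM customers_{tenant_id} ORDER BY id")
    return [r[0] for r in rows]


def read_view(conn: sqlite3.Connection, tenant_id: str) -> list:
    """Same result through the per-tenant view over the master table."""
    rows = conn.execute(f"SELECT name FROM customers_view_{tenant_id} ORDER BY id")
    return [r[0] for r in rows]


def read_master_unfiltered(conn: sqlite3.Connection) -> list:
    """The mistake the mechanisms guard against: no tenant predicate at all."""
    return [r[0] for r in conn.execute("SELECT name FROM customers_master ORDER BY id")]


def demo() -> dict:
    """Builds an in-memory database with two constructed tenants and returns
    the observations a reviewer would want to check."""
    conn = sqlite3.connect(":memory:")
    build_schema(conn, ["acme", "globex"])
    # All writes go through the master table, tagged with the tenant ID.
    conn.executemany("INSERT INTO customers_master(tenant_id, name) VALUES (?, ?)",
                     [("acme", "Alice"), ("acme", "Bob"), ("globex", "Carol")])
    conn.execute("UPDATE customers_master SET name = 'Robert' WHERE name = 'Bob'")
    conn.execute("DELETE FROM customers_master WHERE name = 'Alice'")
    conn.commit()
    return {
        "acme_partition": read_partition(conn, "acme"),
        "globex_partition": read_partition(conn, "globex"),
        "acme_view": read_view(conn, "acme"),
        "globex_view": read_view(conn, "globex"),
        "unfiltered": read_master_unfiltered(conn),
    }


if __name__ == "__main__":
    print(demo())
```

The partition reads and the view reads return the same tenant-scoped rows, while the unfiltered query against the master table returns rows from both tenants; in a real deployment the application account would be granted access only to its partition tables or views and not to the master table directly.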
Encryption for data security: Irrespective of which data sharing approach has been followed for a multi-tenant database, the data needs to be encrypted before it is persisted in a cloud or any other multi-tenant environment. Encryption is especially important for high-value data, where there are privacy concerns, or when multiple tenants share the same set of database tables. The ideal approach is to use two kinds of keys when exchanging data with the SaaS application: symmetric keys and asymmetric keys. Symmetric keys are used for encrypting and decrypting the data in storage. Asymmetric keys are used for encrypting and decrypting the symmetric keys while they are in transit. During the tenant provisioning process, the SaaS application provider provides a private key to the tenant and keeps each tenant’s public key in its key store, so the data is always stored encrypted (with symmetric keys) in the database. The SaaS provider can keep a different symmetric key for each tenant ID at its end. In short, the key to privacy in the cloud is the strict separation of sensitive data from non-sensitive data, followed by encryption of the sensitive elements.
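The key arrangement just described, one symmetric data key per tenant for the rows at rest and the tenant’s public key used only to wrap that data key for transit, looks like the following in code. This is an added example written for this post, not the article’s or any provider’s code. It assumes the third-party `cryptography` package (Fernet for the symmetric part, RSA-OAEP for wrapping) and an in-memory key store; tenant names and the sample record are constructed. One deliberate departure from the text: the key pair is generated on the tenant side so that the private key never passes through the provider, whereas the post has the provider hand it over at provisioning.

```python
"""Per-tenant data keys wrapped under tenant public keys (added example).

Requires: pip install cryptography
"""
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# RSA-OAEP with SHA-256, used only to wrap symmetric keys, never bulk data.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


class TenantKeyStore:
    """Provider side: one symmetric data key per tenant ID, plus the tenant's
    public key. The provider never holds a tenant private key."""

    def __init__(self) -> None:
        self._data_keys: dict[str, bytes] = {}
        self._public_keys: dict[str, object] = {}

    def provision(self, tenant_id: str, public_key_pem: bytes) -> None:
        # Provisioning: record the tenant's public key and mint a fresh
        # symmetric key that will encrypt this tenant's rows at rest.
        self._public_keys[tenant_id] = serialization.load_pem_public_key(public_key_pem)
        self._data_keys[tenant_id] = Fernet.generate_key()

    def encrypt_for_storage(self, tenant_id: str, plaintext: bytes) -> bytes:
        return Fernet(self._data_keys[tenant_id]).encrypt(plaintext)

    def decrypt_from_storage(self, tenant_id: str, token: bytes) -> bytes:
        return Fernet(self._data_keys[tenant_id]).decrypt(token)

    def wrapped_data_key(self, tenant_id: str) -> bytes:
        # Symmetric key for transit: encrypted under the tenant's public key,
        # so only the holder of the matching private key can recover it.
        return self._public_keys[tenant_id].encrypt(self._data_keys[tenant_id], OAEP)


def make_tenant_keypair():
    """Tenant side (assumption: the tenant generates its own pair)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    return private_key, public_pem


def tenant_unwrap(private_key, wrapped: bytes) -> bytes:
    """Tenant side: recover the symmetric data key from its wrapped form."""
    return private_key.decrypt(wrapped, OAEP)


def demo() -> dict:
    """Two constructed tenants; returns the isolation properties to check."""
    store = TenantKeyStore()
    priv_a, pub_a = make_tenant_keypair()
    priv_b, pub_b = make_tenant_keypair()
    store.provision("tenant-a", pub_a)
    store.provision("tenant-b", pub_b)

    record = b"employee:42,salary:100000"  # constructed sample row
    stored = store.encrypt_for_storage("tenant-a", record)

    # Tenant A unwraps its own data key and can read its own rows.
    key_a = tenant_unwrap(priv_a, store.wrapped_data_key("tenant-a"))
    read_by_a = Fernet(key_a).decrypt(stored)

    # Tenant B's private key cannot unwrap A's data key (OAEP fails) ...
    try:
        tenant_unwrap(priv_b, store.wrapped_data_key("tenant-a"))
        b_unwrapped_a = True
    except ValueError:
        b_unwrapped_a = False

    # ... and B's own data key does not decrypt A's ciphertext either.
    key_b = tenant_unwrap(priv_b, store.wrapped_data_key("tenant-b"))
    try:
        Fernet(key_b).decrypt(stored)
        b_read_a = True
    except InvalidToken:
        b_read_a = False

    return {"stored_is_ciphertext": stored != record,
            "a_reads_own": read_by_a == record,
            "b_unwrapped_a": b_unwrapped_a,
            "b_read_a": b_read_a}


if __name__ == "__main__":
    print(demo())
```

The two negative checks are the point of keeping separate symmetric keys per tenant ID: even if one tenant’s ciphertext were exposed through a missing tenant filter, it is unreadable without that tenant’s data key, and that key can only be unwrapped by the tenant’s own private key.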
In addition to this, a tenant should perform off-site backups (possibly encrypted as well) to make sure that current and historical data can be recovered even if the SaaS application provider goes out of business. Organizations have expressed concerns over hosting their sensitive data in the cloud, and these need to be assessed against organization-specific needs, standards and regulatory requirements.
In addition to data security, a SaaS application provider should secure its infrastructure with network and host security. With the approach described above, multi-tenant data security looks much better than in a traditional internal data center. We will cover multi-tenant UI security with respect to authentication and authorization in an upcoming article.
