TABLE OF CONTENTS
1. Introduction
2. Multi-tenancy Applications: Advantages
3. Security Considerations for SaaS Application Security
4. Conclusion
5. CloudThat
6. FAQs
Introduction
Multi-tenant architecture allows multiple users to share one instance of a software application and the AWS resources behind it. A tenant can be an individual user, but more often it is a group of people, such as a customer organization. The users within a tenant share the same access and privileges within the application instance. Each tenant's data is isolated from, and inaccessible to, every other tenant that shares the application instance, which provides data security and privacy for all users.
Tenants can be associated with shared-resource policies that are customized for them, which lets each tenant control who has access to its resources.
Multi-tenancy applications have many advantages:
Scalable: Resources can be added or removed as needed, and the application can be customized to meet any requirement.
Cost-effective: Multiple tenants share the resources, so costs are spread across them and users are charged only for what they use. The cloud host manages staff, maintenance, and the onboarding of new users.
Secure: Multitenancy supports effective threat detection, and tenant data is isolated. The shared resources are governed by custom policies.
Better use of infrastructure: Multiple users can access the same instance instead of dedicating it to one user.
Maintenance-free: The host takes care of all maintenance, updates, and upgrades to the infrastructure.
Security Considerations for SaaS Application Security
Security is a major concern for all types of applications, and it is an important consideration when deploying SaaS applications. Securing a SaaS application is harder in an environment with multiple tenants: multi-tenant applications have security concerns that single-tenant ones do not, so they need to focus on an additional layer of security.
Identity:
A tenant accesses SaaS applications through a web application or an API. Each user is uniquely identified and associated with authentication information such as email address, name, and role. A tenant is defined as a group of individuals with the same access rights to the application; the roles assigned to one tenant can differ from those of other tenants.
When attempting to access the application, the user must supply both the tenant details and the authentication details. The application verifies this information and makes the authorization decision.
Two methods can be used to authorize requests to a SaaS application: using an identity provider (IdP), or carrying the authorization data in a token issued by that provider.
Use an Identity Provider
Some web applications store user data in a relational database. After a user authenticates successfully, the application issues a session ID. The user presents this session ID to the application on each subsequent request, and the application makes its authorization decisions based on it.
Every request therefore requires a lookup in the database or cache that holds the session or user information, which makes that data store a bottleneck.
When the user instead authenticates with an identity provider, the identity provider issues a standard token.
Tokens to represent Identity
A signed token is often used to represent identity. The term JSON Web Token (JWT) is commonly used for what is, strictly, a JSON Web Signature (JWS). The token contains a set of key-value pairs called claims and is issued by the identity provider; among the claims are the tenant and user information.
{
  "sub": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "cognito:groups": ["TENANT-1"],
  "token_use": "access",
  "auth_time": 1562190524,
  "iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_example",
  "exp": 1562194124,
  "iat": 1562190524,
  "origin_jti": "bbbbbbbbb-cccc-dddd-eeee-aaaaaaaaaaaaa",
  "jti": "cccccccc-dddd-eeee-aaaa-bbbbbbbbbbb