- Service Delivery Program
- About Us
TABLE OF CONTENT
|2. Advantages of Multi-tenancy Applications
|3. SaaS Application Security Considerations
|5. About CloudThat
The multi-tenant architecture enables multiple users to share a single instance of a software application and the AWS resources. A tenant can be an individual user, but most frequently, it is a group of users – such as a customer organization. The customers will share the common access and privileges within the application instance. Each user’s data is isolated and invisible to other users sharing the application instance, data security, and privacy for all the users.
Tenants are associated with the customized policies for the shared resources, liking controlling which user must access the resources.
Security is one of the major concerns for all types of applications. It is one of the significant considerations while deploying the SaaS application. Securing SaaS applications in an environment where multiple tenants share is challenging. Multi-tenant application has unique security considerations when compared to single-tenant applications. Multi-tenant applications must concentrate on an additional layer of security.
Single tenant accesses SaaS application through a web application or API. Each user is uniquely identified and associated with the authentication information such as email address, name, and role. The tenants are also defined as a group of one or more users with the same privileges to access the application. Roles assigned to the tenants may differ from other tenants.
When a user tries to access the application, the user must provide the tenant details alone with the authentication details. The application will verify the information and makes the authorization decision.
There are two techniques in a SaaS application: Using an identity provider (IdP) and Authorization in a token.
Using an Identity Provider:
Some web applications will store the user data in a relation DB, post the user authentication is successful, the application will issue a session ID. For the frequent request from the user, the user will pass the Session ID to the application and the application will make the authorization decision based on the session ID.
Each request usually results in at least one database cache look-up, creating a bottleneck on the data store handling the user or session information.
The identity provider issues a standardized token when the user authenticates with an identity provider.
Representing Identity with tokens
The signed token usually represents identity. JSON web signature is often called JSON Web Tokens (JWT). The token contains several key-value pairs called claims. The identity provider issues the tokens. It also contains user and tenant information.
“cognito: groups”: [
“iss”: “https: //cognito-idp.us-west-2.amazonaws.com/us-west-2_example”,
Sample Access Token Claims
The user and the tenant the user is associated with are represented by this token. The token contains the user identification details and the tenant ID in the Cognito: groups claim. SaaS application receives a JWT as request, the application will validate the token and unpacks the data to make the authorization. Tenant context is the claims within the token set.
Tenant isolation will ensure that the data is isolated for all the SaaS applications. One tenant must not access the data or resources of another tenant access.
SaaS applications use three types of isolation models: Silo, Pool, and Bridge. Let us look at each one of them in detail.
In Multi-tenant SaaS applications, security is one of the significant concerns. As per the best practice, it is recommended to follow one of the security considerations for the application to be safe. Based on the requirement of the customers, the security considerations can opt.
CloudThat is the official AWS (Amazon Web Services) Advanced Consulting Partner, Microsoft Gold Partner, Google Cloud Partner, and Training Partner helping people develop knowledge of the cloud and help their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Explore our consulting here.
If you have any queries regarding AWS multi-tenant SaaS environment, security best practices, or any other AWS service, drop a line below the comments section. I will get back to you at the earliest.
The tenancy model does not make any changes to the application’s functionality. We must consider the application layer to decide on the tenancy model. The tenancy model may differ if the application layer is divided into components. Some application components must be treated differently regarding both tenancy and the storage technology/platform used.
Following are the criteria to be considered: Scalability, Pre-Tenant cost, Development complexity, Operational complexity, and Customizability.
Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!