Questions tagged [multi-tenancy]

Multi-tenancy involves a single software instance serving multiple groups, each of which has specific privileges to maintain separation of concerns.

Multi-tenancy involves a single software instance serving multiple tenants, or groups of users who share access, with specific privileges, to the software instance. Each tenant has a dedicated share of the application (data, configuration, user management, etc.).

18 questions
17
votes
3 answers

Multi-tenancy, SSL Certificates, and Subject Alternative Name

The X509 specification allows a CA to issue a single certificate for multiple hostnames, by using the "Subject Alternative Name" extension. From the spec: The subject alternative name extension allows identities to be bound to the subject of the…
AviD
7
votes
2 answers

Manage SSL certificates for a multi-tenant website

We have given customers the option to allow custom domains which ultimately point to our server by changing the CNAME. Some of our customers would like to have SSL enabled to their domain but I am wondering how to manage certificates for them. I am…
5
votes
2 answers

How to manage customer-supplied encryption keys in a multi-tenant cloud SaaS?

I'm working at an EU-based company and we'd like to offer business customers some kind of OS-independent cloud-based SaaS platform for processing and storing sensitive (health) data. We'd like to implement our software on the Google Cloud…
Lucas
3
votes
2 answers

Is it a good idea to whitelist inbound email using a Hash on the address? (Similar to BATV, but with DKIM)

Problem Statement: I'm looking at ways to ensure that business partners, or emails from trusted senders, never get quarantined; in other words, prevent "ham being seen as spam". Ideally this would guarantee delivery even if the sender was…
makerofthings7
3
votes
1 answer

How to manage passwords in a multi-tenant surrounding?

I am building a multi-tenant application in a shared database model. I would like to encrypt sensitive data so that only a particular tenant could have access to his data. What is the best mode to keep/provision passwords and where should I keep…
Dan
2
votes
0 answers

Is it secure for a platform to use the same private key for multiple clients' SSH connections?

https://nexla.zendesk.com/hc/en-us/articles/360053720333-Database-Connection-Options Specifically: In a text editor, add the below public SSH key to the authorized_keys file. The key must be all on one line. Make sure that you don’t introduce any…
TCooper
2
votes
0 answers

Sharing individually encrypted elements between users of a system

I'm creating a file sharing system, in which the unique key of a file is one of the critical components to the retrieval of that file. For simplicity, let's say the unique keys are the file names. I'd like to keep these filenames secret, and make…
1
vote
0 answers

Does a shared (but encrypted) private key for a group of users reduce the effectiveness of the encryption?

That is, is it generally considered more secure to save a single application-wide private key on the web server compared to storing (protected/encrypted) private keys in the database? More specifically, would storing multiple copies of the same…
1
vote
0 answers

Security concerns over predictable URLs in a multi-tenant environment

Consider a multi-tenant SaaS application that uses domain names to identify which customer to serve. Customers access the application using client001.ourdomain.com, client002.ourdomain.com, etc. The code base is shared among all customers. Two…
Appleoddity
1
vote
1 answer

Security risks of multitenancy

Is there a security risk of using the same firewall hardware as the company perimeter firewall device (providing multi-tenancy) which is already shared by other companies? Is there a possibility of our firewall tenant being affected if some other…
user145935
0
votes
1 answer

Reverse proxy sharing one certificate for multiple servers using Subject Alternative Name

The following is a scenario for an attack where one website can impersonate another. I am told (including by this answer) that it's impossible, but I would like to understand exactly what prevents it. Alice uses websites that fetch a trusted JS…
Thomas K
0
votes
0 answers

How should SQL Server users be managed for a multi-tenant application?

I've looked extensively for a duplicate question, but I couldn't find anything that answers this question exactly. I have a SQL Server that will be used to store data for a multi-tenant application. Every tenant will have their own database, and…
0
votes
1 answer

Which OAuth2 flow should I use?

Context: I'm trying to build a hybrid multi-tenant API using OAuth2.0 using Laravel 8 Passport, so my system has 2 parts: one processes the request from the tenant application, and the other part processes the request from my front-end which allows to…
Ger
0
votes
1 answer

PCI Compliance and multi tenancy?

I am developing a Multi-tenant application to allow tenants to open an e-commerce shop (similar to Shopify). We are hosted on AWS. At this point there will be under 20,000 transactions in the first year but I am a bit confused regarding PCI…
shimsag
0
votes
0 answers

Secure authentication for sites which allow user to modify js/html

We have a site builder that allows users to add/modify JS/HTML/CSS. Is it possible to provide a global authentication for it? I mean users login once but can interact with all sites as their own names. Those sites should not be able to steal user token…