|By Srinivasan Sundara Rajan||
|April 14, 2011 11:00 AM EDT||
Multi Tenancy Database Design and Security
We have seen that there are multiple ways a multi-tenant database can be designed. The important options being:
- Separate Database: Each of the tenants is allocated a separate physical database for storing their data.
- Separate Schema: Each of the tenants is allocated a separate logical unit called Schema, within a single physical database.
- Separate Rows: Each of the tenants is allocated same physical database and schema, but their information is separated using primary keys which are allocated as part of the data base design and all the information is kept within the same physical tables.
A diagram of these types of database designs can viewed here: MSDN article on Multi-Tenant Data Architecture.
As evident in some of these architectures, we store data from multiple clients in the same database and securing each client's data from others is of utmost important. While we could code these as part of our application code such kind of custom coded security is subject to breach if the developers miss a point or two and the verification is not done properly. Also custom coded security has the drawback of not enforcing it, if the database is accessed outside of the application like using another reporting tool or interactive SQL query studios like Sql*Plus, iSQL etc...
So Security for the Multi Tenancy Databases are best implemented if the underlying database platform itself is aware of Multi Tenancy Rules and prevent unauthorized access to data whatever the client tool that is accessing the data.
One such built-in feature built inside the Oracle 11g database is called as Fine-Grained Access Security, which is also known as Virtual Private Database, which provides transparent security cover for Multi-Tenant databases.
Virtual Private Database
An Oracle Virtual Private Database (VPD) is an aggregation of server-enforced, application-defined fine-grained access control, combined with a secure application context in the Oracle database server.
Much of security on a multi-tenant SaaS application is based on one simple principle: Users have to be identified and distinguished from each other. This is true for applications and for databases. This security tenet is exemplified in our world every day. Email applications show only the emails for the user who has logged in. Financial reports are delivered only to those authorized to receive them. For these applications to work effectively, you have to know who the person is before you can know if they are supposed to access an email or financial report.
A Virtual Private Database (VPD) allows you to build the security policies based on User's identity that can be applied to tables are views. One important factor about VPD is that, user's identify is not restricted to the ‘Database User' but the application user, which in a multi-tenant scenario is the actual tenant of the application.
The following are the typical steps in implementing the VPD for your multi-tenant databases, the detailed implementation is available on the Oracle manuals.
- Design the Multi-Tenant database with appropriate database columns to store the Tenant identity
- Create a function to apply the FILTERING conditions based on the multi tenant inquiry of data
- Create a policy to use the function so that the policy can be applied to different database objects
- Use the DBMS_RLS function to apply the policy to the multi-tenant database tables
- Use the Oracle client functions to set the Tenant identify from the application, so that the policy is applied transparently such each tenant views only the data owned by the tenant
In spite of having VPD on the multi-tenant database, most times Auditors would like to see the reports on database access patterns , especially access to the sensitive information. FGA (Fine Grained Auditing) provides the most granular level of auditing in a multi-tenant database.
This method creates audit records based on the exact query, condition, and data retrieved or manipulated by the statement. It provides a facility to audit only those statements (including actual values of possible bind-variables) that reference a particular column. DBMS_FGA package facilitates creation of FGA policies.
The salient features of FGA can be segregated as following:
Column Referencing: We can define policy such that audit is triggered only if the specified columns are referenced in query statement. For example in a multi-tenant application for e-Commerce, this can setup for columns like credit card number.
Conditional auditing: As explained in previous example also, auditing can be condition driven using FGA. For example, in a multi-tenant database if any one tried to query information of a specific client or across clients.
Oracle on the Cloud
While we see many new players in Analytical databases , ‘NO SQL' databases on cloud, Oracle continues to be a leading database in data centers for OLTP and - many high performance applications. There are several possibilities of implementing Oracle database on Cloud for your multi tenant application.
- Oracle versions are available as AMI on Amazon EC2
- There is a proposal to bring Amazon Relation Database Service (RDS) using Oracle 11g database
- If the organizations are building Private Clouds, HP's Blade System Matrix can be installed with Oracle to achieve the full potential
- Private Cloud In a Box(Buy) solutions like Oracle Exadata Database machine provide Oracle database on private cloud
Success of SaaS applications will be measured by the time-to-market, which means that faster we roll out our application we capture the market better. This can be achieved only if the best of the out-of-the-box features available in the product vendors are utilized, so that the much needed, Security, auditing and performance of the application are maintained. Oracle's VPD / FGA are one such feature which needs to be analyzed , if you plan to deploy your multi tenant application on Oracle platform.
- Java EE 7 and Cloud Computing
- Windows Azure vs VMware vFabric
- Cloud Computing Reference Architecture – Review of the Big Three
- PaaS: .NET vs Java EE
- Using Amazon Elastic MapReduce in the Automotive Industry
- Five Factors to Influence Cloud Adoption – The Pros and Cons
- Dynamic Scaling and Elasticity - Windows Azure vs Amazon EC2
- Cloud Analytics - The Big Four Offerings
- Enterprise Java EE PaaS - OpenShift vs Google App Engine for Java
- Dynamic Scaling in Windows Azure Revisited