
LUP Student Papers

LUND UNIVERSITY LIBRARIES

Tenant Separation on a multi-tenant microservice platform

Sandqvist, Axel LU (2023) EITM01 20222
Department of Electrical and Information Technology
Abstract
Axis Communications wishes to investigate their PaaS system, Axis Connected Services (ACX), with regard to separation of the tenants of the platform, to ensure the implemented separation technologies are used correctly and to find out whether more separation is necessary. ACX ties together several previously separate services under a single umbrella, with the goal of improving usability and increasing inter-service functionality and centralisation of the software products Axis has developed for their devices.

This thesis investigates alternative tenant separation technologies, especially for data at rest and access management but also for data in use. The technologies for at-rest separation are logical separation, separate schema, separate encryption and separate database. For access management six technologies are presented: the three models access control list (ACL), role-based access control (RBAC) and attribute-based access control (ABAC), and three specifically multi-tenant technologies for access management: Secure logical isolation for multitenancy (SLIM), Object tag access control strategy (OTACS) and Key insulated attribute based data retrieval scheme with keyword search (KI-ABDR-KS). Data-in-use separation technologies are shared instances, division of processing, VM separation and server separation. The technologies above and ACX's implementation are analysed and compared to arrive at a resulting proposition for the tenancy separation and access management solutions for ACX.

The investigation found that, as ACX contained minimal sensitive information, separate database and separate encryption are too complex and costly to be worth the increased confidentiality, and separate schema is not an increase in separation compared to a well-implemented logical separation solution. Access management is too decentralised and opaque in access enforcement, so centralisation of access evaluation through a policy agent is proposed. To enforce tenant separation during sessions, the tenant identifier is also added as a parameter of the session to increase the distinction between tenant contexts.

In conclusion, the chosen technologies for data at rest, data in use and access management, being logical separation, shared instances and RBAC, are good choices for the system. The chosen technologies are mainly kept; however, the logical separation of data can be improved, and access control enforcement should be centralised with a policy agent.
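The abstract's proposal combines three things: the tenant identifier carried as a parameter of the session, a central policy agent that evaluates every access decision, and logical separation enforced when data is queried. The following is an added example sketching that design in Python; it is not code from the thesis or from ACX. The session, policy agent and repository classes, the RBAC roles and actions, and the device rows are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Session:
    """An authenticated session. The tenant identifier is a parameter of the
    session, so every request carries its tenant context (assumed shape)."""
    user_id: str
    tenant_id: str
    roles: FrozenSet[str]


# Constructed sample rows from one shared, logically separated device table.
DEVICES = [
    {"id": "dev-1", "tenant_id": "acme", "name": "Lobby cam"},
    {"id": "dev-2", "tenant_id": "acme", "name": "Dock cam"},
    {"id": "dev-3", "tenant_id": "globex", "name": "Gate cam"},
]

# Assumed RBAC policy: role -> set of permitted actions.
ROLE_PERMISSIONS = {
    "viewer": {"device:read"},
    "admin": {"device:read", "device:update"},
}


class PolicyAgent:
    """Central policy decision point. Services ask it for every decision instead
    of embedding their own checks, so enforcement is visible and auditable in
    one place."""

    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        self.decisions = []  # (user, action, resource_tenant, allowed, reason)

    def is_allowed(self, session: Session, action: str, resource_tenant: str) -> bool:
        # The tenant boundary is evaluated before any role check: a role never
        # grants access to another tenant's resources.
        if resource_tenant != session.tenant_id:
            return self._record(session, action, resource_tenant, False, "cross-tenant")
        permitted = any(action in self.role_permissions.get(role, set())
                        for role in session.roles)
        reason = "rbac-allow" if permitted else "rbac-deny"
        return self._record(session, action, resource_tenant, permitted, reason)

    def _record(self, session, action, resource_tenant, allowed, reason):
        self.decisions.append((session.user_id, action, resource_tenant, allowed, reason))
        return allowed


class DeviceRepository:
    """Data access with logical separation: the tenant filter is always derived
    from the session, never from a caller-supplied argument."""

    def __init__(self, rows, agent: PolicyAgent):
        self.rows = rows
        self.agent = agent

    def list_devices(self, session: Session):
        if not self.agent.is_allowed(session, "device:read", session.tenant_id):
            return []
        return [r for r in self.rows if r["tenant_id"] == session.tenant_id]

    def get_device(self, session: Session, device_id: str) -> Optional[dict]:
        row = next((r for r in self.rows if r["id"] == device_id), None)
        # Absent rows and other tenants' rows get the same answer, so a lookup
        # does not reveal whether a foreign device id exists.
        if row is None or not self.agent.is_allowed(session, "device:read", row["tenant_id"]):
            return None
        return row

    def rename_device(self, session: Session, device_id: str, new_name: str) -> bool:
        row = next((r for r in self.rows if r["id"] == device_id), None)
        if row is None or not self.agent.is_allowed(session, "device:update", row["tenant_id"]):
            return False
        row["name"] = new_name
        return True


# Constructed sessions for two tenants.
agent = PolicyAgent(ROLE_PERMISSIONS)
repo = DeviceRepository(DEVICES, agent)
acme_viewer = Session("alice", "acme", frozenset({"viewer"}))
acme_admin = Session("bob", "acme", frozenset({"admin"}))
globex_admin = Session("carol", "globex", frozenset({"admin"}))


def cross_tenant_denials() -> int:
    """Number of decisions the agent refused because of the tenant boundary."""
    return sum(1 for d in agent.decisions if d[4] == "cross-tenant")


if __name__ == "__main__":
    print([d["id"] for d in repo.list_devices(acme_viewer)])
    print(repo.get_device(globex_admin, "dev-1"))
    print(repo.rename_device(acme_viewer, "dev-1", "x"))
    print(cross_tenant_denials())
```

The point of the split is that a service can only reach rows through a repository that scopes on the session's tenant, and every decision, including the tenant check itself, is made and logged by one agent rather than scattered across services, which is what the abstract means by making enforcement less opaque.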
Popular Abstract
Why and how shared resources in the cloud can isolate users

Cloud systems share resources between many unaffiliated users, and to preserve confidentiality a compromise must be made between cost and isolation. How can resources be optimally utilised and also provide adequate isolation of users in a cloud system?

Shared resources for all users of a system, even those belonging to separate organisations, or tenants, can cause breaches in confidentiality if not handled with care. Improper authentication, authorisation or enforcement of the policies set up by the system could cause data leaks, and since the system is multi-tenant these could reach anyone in the system, not just users within one organisation. To ensure tenant trust in the system, assurance of a stable system with decreased risk of data leaks, especially between tenants but also within them, is crucial. Essential mitigations for this are clear and concise demarcations between the tenants; my project answers how this is realised with reasonable assurance without significant costs.

The thesis' goal was to investigate the tenant separation of Axis Communications' platform ACX, which offers device management services. During analysis, room for improvement was found and a new design is proposed, suggesting increased clarity in enforcement of the separation between user data when querying databases, and a central access evaluation unit for increased maintainability and homogeneity in the otherwise diverse system.

Some interesting observations were made during the project. Increasing the separation within databases doesn't necessarily increase confidentiality; this instead depends wholly on how the data is fetched. Most technologies with greater separation between tenants shift the responsibility from the developers of the system to the infrastructure or the platform, where separate instances or entities are used to help keep data apart. This leads to increased costs, since these divisions don't scale as well and require additional resources. Another interesting observation is that isolating processing (when data is updated in some way) is primarily used for systems with greater demands for privacy, like healthcare or military systems. This means that for the vast majority of systems on the internet, all data is processed with little to no isolation.

The results of this project are suggestions for changes to the architecture of ACX, but they may also serve as recommendations for similar large cloud services with many and varying functionalities. The main advantages of the improvements are increased isolation with the same resource utilisation, and increased malleability of access control policies for efficiency and simplicity for the parties involved.

Storing and processing data in the cloud is a great opportunity because of the relatively cheap services, ease of use and possibilities for geographical distribution. The trend for most software systems today is to migrate to the cloud; however, these benefits of the cloud come with new obstacles to overcome. My report provides support in choosing which separation technology to apply and what to consider when planning a multi-tenant architecture.
author: Sandqvist, Axel LU
course: EITM01 20222
year: 2023
type: H2 - Master's Degree (Two Years)
keywords: multitenancy, multi-tenant, multitenant, cloud, cloud storage, IAM, Access control
report number: LU/LTH-EIT 2023-947
language: English
id: 9137176
date added to LUP: 2023-09-22 14:54:10
date last changed: 2023-09-22 14:54:10
@misc{9137176,
  abstract     = {{Axis Communications wishes to investigate their PaaS system, Axis Connected Services(ACX), with regard to separation of the tenants of the platform to ensure the implemented separation technologies are used correctly and to find out whether more separation is necessary. ACX ties together several previously separate services under a single umbrella, with the goal of improving usability and increasing inter-service functionalities and centralisation of the software products Axis has developed for their devices.

This thesis investigates alternative tenant separation technologies especially for data at rest and access management but also for data in use. The different technologies for at rest separation are logical separation, separate schema, separate encryption and separate database. For access management 6 technologies are presented; the three models access control list(ACL), role based access control(RBAC) and attribute based access control(ABAC), and also three specifically multitenant technologies for access management; Secure logical isolation for multitenancy(SLIM), Object tag access control strategy (OTACS) and Key insulated attribute based data retrieval scheme with keyword search (KI-ABDR-KS). Data in use separation technologies are shared instances, division of processing, VM separation and server separation. The technologies above and ACX's implementation are analysed and compared to arrive at a resulting proposition for the tenancy separation and access management solutions for ACX.

The investigation found that as ACX contained minimal sensitive information, separate database and encryption are too complex and costly to be worth the increased confidentiality, and separate schema is not an increase in separation compared to a well implemented logical separation solution. Access management is too decentralised and opaque in access enforcement, thus centralisation of access evaluation through a policy agent is proposed. To enforce tenant separation during sessions, the tenant identifier is also added as a parameter of the session to increase the distinction between tenant contexts.

In conclusion, the chosen technologies for data at rest, data in use and access management, being logical, shared instances and RBAC, are good choices for the system. The chosen technologies are mainly kept however the logical separation of data can be improved, and access control enforcement should be centralised with a policy agent.}},
  author       = {{Sandqvist, Axel}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{Tenant Separation on a multi-tenant microservice platform}},
  year         = {{2023}},
}