Tenant isolation

In a SaaS environment, it's imperative to maintain tenant isolation and avoid data leaks between tenants. Where you run a SaaS Vault and serve multiple tenants, you can choose to run Piiano Vault so that either:

  • Each SaaS tenant has a corresponding and dedicated Vault tenant.
  • A single Vault serves all the tenants.

Having dedicated tenants increases the isolation guarantees at the expense of the total cost of ownership. However, with either option, data can still leak between tenants because of a software defect or misconfiguration.

Vault has a safety feature that helps prevent such leaks and enforce tenant isolation. To start, Vault can include a tenant ID on every record it stores. Then, when making a call, you include the ID of the requesting tenant in the call's X-Tenant-Id header. If the requesting tenant ID doesn't match the tenant ID on the requested data, Vault drops the request to avoid data leakage and logs the details. With the logs, you can identify and fix issues with tenant isolation.

Each tenant should have a unique ID. Ideally, you should retrieve that ID from a source other than your usual code path. For example, you could retrieve the tenant ID from a trusted third-party authentication system on every request, rather than from a value the application itself derives.

To illustrate, take a system with multiple tenants, each with many Person records in Vault. Each tenant's objects stored in Vault carry that tenant's unique ID. A request arrives from tenant T to retrieve the details of person P. The call includes the header X-Tenant-Id: T. Vault checks that the tenant ID on person P matches the tenant ID in the header. Where there isn't a match, that is, person P doesn't belong to tenant T, the request is dropped, and the request details are logged.
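The following is an added example, not Piiano's own code: it models the check described above in plain Python, with the X-Tenant-Id header derived from an already-verified identity claim (claim name `tenant`, record field `tenant_id`, and the sample Person records are all assumptions constructed for the example).

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("vault.tenant_isolation")

# Constructed sample data: Person records as stored in Vault, each tagged
# with the tenant that owns it (the field name "tenant_id" is an assumption).
PEOPLE = {
    "p-1001": {"tenant_id": "tenant-A", "name": "Ada"},
    "p-2002": {"tenant_id": "tenant-B", "name": "Bob"},
}


def build_headers(bearer_token: str, verified_claims: dict) -> dict:
    """Build request headers from an identity the auth system already verified.

    The tenant ID is taken from a trusted claim ("tenant" is an assumed claim
    name), not from user-controlled input or from the application's own
    code path, so a bug there cannot put the wrong tenant in the header.
    """
    return {
        "Authorization": f"Bearer {bearer_token}",
        "X-Tenant-Id": verified_claims["tenant"],
    }


@dataclass
class Decision:
    allowed: bool
    reason: str  # internal reason for logs; the caller-facing response stays uniform


def check_tenant(person_id: str, headers: dict) -> Decision:
    """Model of the Vault-side check: the X-Tenant-Id header must match the
    tenant recorded on the requested object, otherwise the request is dropped
    and the mismatch is logged for investigation."""
    record = PEOPLE.get(person_id)
    if record is None:
        return Decision(False, "no such object")
    requested = headers.get("X-Tenant-Id")
    if requested is None:
        log.warning("dropped request for %s: missing X-Tenant-Id", person_id)
        return Decision(False, "missing X-Tenant-Id header")
    if requested != record["tenant_id"]:
        # Log the identifiers needed to find the isolation bug, not the record data.
        log.warning("dropped request for %s: header tenant %r != record tenant %r",
                    person_id, requested, record["tenant_id"])
        return Decision(False, "tenant mismatch")
    return Decision(True, "ok")
```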

See Authenticate with a Bearer authorization header in the API documentation for more information.