Tenant Separation on a multi-tenant microservice platform
Abstract: Axis Communications wishes to investigate their PaaS system, Axis Connected Services (ACX), with regard to separation of the tenants of the platform, to ensure the implemented separation technologies are used correctly and to find out whether more separation is necessary. ACX ties together several previously separate services under a single umbrella, with the goal of improving usability and increasing inter-service functionality and centralisation of the software products Axis has developed for their devices. This thesis investigates alternative tenant separation technologies, especially for data at rest and access management but also for data in use. The technologies for at-rest separation are logical separation, separate schema, separate encryption and separate database. For access management, six technologies are presented: the three models access control list (ACL), role-based access control (RBAC) and attribute-based access control (ABAC), and three specifically multi-tenant technologies for access management: Secure Logical Isolation for Multitenancy (SLIM), Object Tag Access Control Strategy (OTACS) and Key-Insulated Attribute-Based Data Retrieval Scheme with Keyword Search (KI-ABDR-KS). Data-in-use separation technologies are shared instances, division of processing, VM separation and server separation. The technologies above and ACX's implementation are analysed and compared to arrive at a proposal for the tenant separation and access management solutions for ACX. The investigation found that, as ACX contained minimal sensitive information, separate database and separate encryption are too complex and costly to be worth the increased confidentiality, and separate schema is not an increase in separation compared to a well-implemented logical separation solution. Access management is too decentralised and opaque in access enforcement, so centralisation of access evaluation through a policy agent is proposed.
To enforce tenant separation during sessions, the tenant identifier is also added as a parameter of the session to increase the distinction between tenant contexts. In conclusion, the chosen technologies for data at rest, data in use and access management, namely logical separation, shared instances and RBAC, are good choices for the system. The chosen technologies are mainly kept; however, the logical separation of data can be improved, and access control enforcement should be centralised with a policy agent.