In a multi-tenant architecture, a single instance of the software and its supporting infrastructure serves multiple customers (or tenants). Customers can be separated at various logical levels but often share application instances and databases - leading to integrity and confidentiality risks.
“Software as a Service” (SaaS) providers tend to offer multi-tenant arrangements because it allows them to service a high volume of customers at the same time, often leading to easier setup and onboarding and less of a maintenance burden for customers, because upgrades and maintenance are usually handled centrally by the SaaS provider.
There are three ways to improve the resilience of your multi-tenant environment: identifying and assessing the risks of your SaaS vendor and the supporting infrastructure, developing a business continuity plan, and testing that plan to ensure it is effective. We’ll talk you through them below.
Identify and define the security responsibilities across your organization, the vendor, and the cloud service provider. This will be key to finding and addressing any vulnerabilities across the supply chain. Also, assess your risk exposure across these key areas.
A comprehensive assessment of these areas should let you identify and classify the use of the SaaS application as a high, medium, or low risk to your organization and should help determine the most suitable level of protection for the application.
Because a customer in a multi-tenant cloud environment shares the hosted production environment with other tenants, it will not typically be possible for a SaaS vendor to agree to release access credentials to an end-user should they experience a technical outage.
This would present too much of a risk to the other tenants who share the same environment.
Because of this, end-users will need to implement a business continuity plan to ensure they can re-platform the third-party application.
As part of your business continuity plan, initiate a Software Escrow Agreement to ensure business-critical material such as application source code, data, and cloud infrastructure are held in a secure environment. Discover our sample agreements here.
This gives you the assurance that, should the need arise, you have access to the necessary materials to replicate the SaaS vendor's cloud-hosted production environment and restore critical data in a usable format.
If your firm doesn’t have its own in-house technical expertise to interpret the technical information provided by the SaaS vendor, how else are you going to redeploy the application if the multi-tenant environment is compromised?
Only by testing and validating the business continuity plan can you be confident that it works!
Software Escrow Verification validates the accuracy and usability of the materials deposited in escrow, such as source code and infrastructure as code, and gives you the knowledge required to execute your continuity plan accordingly. Discover our sample Escrow Verification reports here.
The technical documentation produced following the verification provides a step-by-step guide on the process of rebuilding the third-party SaaS application, so you can redeploy and maintain the application, without additional support from the SaaS vendor.
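The verification step above is, at its core, a check that what was deposited is complete and has not been altered since deposit. The following script is an added example (it is not the escrow provider's tooling and not code from the original article) of the mechanical part of that check: it assumes a deposit laid out as a directory with a JSON manifest named `manifest.json` mapping each relative path to its SHA-256 digest, and it assumes the rebuild needs three artifact categories found under the prefixes `src/`, `infra/` and `docs/BUILD.md`. All of those names are assumptions chosen for the example, and the sample deposit it builds is constructed in a temporary directory.

```python
"""Verify an escrow deposit against its manifest (added example, not vendor code)."""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field

# Assumed deposit layout: each rebuild category lives under one path prefix.
REQUIRED_CATEGORIES = {
    "source": "src/",
    "infrastructure": "infra/",
    "build_instructions": "docs/BUILD.md",
}
MANIFEST_NAME = "manifest.json"  # assumed manifest file name


@dataclass
class VerificationReport:
    checked: int = 0
    mismatched: list = field(default_factory=list)   # digest differs from manifest
    missing: list = field(default_factory=list)      # listed in manifest, absent on disk
    unlisted: list = field(default_factory=list)     # on disk, absent from manifest
    missing_categories: list = field(default_factory=list)

    @property
    def usable(self) -> bool:
        """A deposit is usable only if every file matches and every category is present."""
        return not (self.mismatched or self.missing or self.unlisted
                    or self.missing_categories)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_deposit(deposit_dir: str) -> VerificationReport:
    report = VerificationReport()
    with open(os.path.join(deposit_dir, MANIFEST_NAME)) as f:
        listed = json.load(f)["files"]  # {relative_path: sha256 hex}

    # Collect everything actually on disk so extra, unlisted files are flagged too.
    on_disk = set()
    for root, _, files in os.walk(deposit_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), deposit_dir).replace(os.sep, "/")
            if rel != MANIFEST_NAME:
                on_disk.add(rel)

    for rel, expected in listed.items():
        path = os.path.join(deposit_dir, rel)
        if not os.path.isfile(path):
            report.missing.append(rel)
            continue
        report.checked += 1
        if sha256_file(path) != expected:
            report.mismatched.append(rel)
    report.unlisted = sorted(on_disk - set(listed))

    # A category counts as present only if a verified, non-missing file covers its prefix.
    present = [p for p in listed if p not in report.missing]
    for category, prefix in REQUIRED_CATEGORIES.items():
        if not any(p == prefix or p.startswith(prefix) for p in present):
            report.missing_categories.append(category)
    return report


def build_sample_deposit(tamper: bool = False) -> str:
    """Construct a small deposit in a temp dir; with tamper=True it simulates a bad deposit."""
    files = {
        "src/app.py": b"print('hello')\n",
        "infra/main.tf": b'resource "null_resource" "demo" {}\n',
        "docs/BUILD.md": b"# Build\nRun the pipeline.\n",
    }
    if tamper:
        del files["infra/main.tf"]  # infrastructure code never deposited
    root = tempfile.mkdtemp(prefix="escrow_")
    digests = {}
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        digests[rel] = sha256_file(path)
    with open(os.path.join(root, MANIFEST_NAME), "w") as f:
        json.dump({"files": digests}, f)
    if tamper:
        # Source changed after the manifest was produced, plus a stray unlisted file.
        with open(os.path.join(root, "src/app.py"), "wb") as f:
            f.write(b"print('changed')\n")
        with open(os.path.join(root, "scratch.tmp"), "wb") as f:
            f.write(b"leftover\n")
    return root


if __name__ == "__main__":
    for tamper in (False, True):
        print("tampered" if tamper else "clean", verify_deposit(build_sample_deposit(tamper)))
```

The digest check alone does not prove the materials will build; it proves they are the materials that were reviewed. The usability part of verification (actually rebuilding from the deposit and recording the steps) is what produces the documentation described in the next paragraph.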
Interested to know how we can support you in mitigating cloud computing risks? Get in touch with the team.