Secure Multi-tenant Application in Software as a Service

Transcription

1 M. D. Samrajesh 1, andn.p.gopalan 2 1 Research and Development Centre, Bharathiar University, Coimbatore, Tamil Nadu , India. 2 Professor, National Institute of Technology, Tiruchirappalli, Tamil Nadu , India. samrajesh.md@gmail.com; npgopalan@nitt.edu Abstract. A multi-tenant application in Software as a Service (SaaS) is accessed by multiple organizations called tenants who have several users attached to them. Multi-tendency enhances resource utilization by effectively sharing resources and reducing cost, increasing productivity and online collaboration. However, providing a secure multi-tenant access to various tenants is still a challenge. Traditional security methods of applications are not effective in a multi-tenant application model due to multiple tenants access on a single application instance at runtime. This paper focuses on providing an integrated security model for SaaS application. The tenant specific security specifications are defined using a pluggable component that can be easily integrated to the SaaS application. It works effectively in enforcing security controls, and monitoring SaaS application security. The pluggable security definitions can be easily interlaced with the application at runtime without any interference from the provider. Thereby the multitenant SaaS provider focuses more on the application functionality rather on application security. The proposed Secure Multi-tenant Application (SMA) model provides security isolation among tenants at various levels during runtime, reduces security risks and protects sensitive tenant data. Our evaluation and discussions show the effectiveness of the proposed model in securing SaaS multitenant application. Keywords: Application security, Cloud computing, Encryption, Multi-tenancy, SaaS. 1. Introduction Cloud Computing based Software as a Service (SaaS) multi-tenant application allow SaaS providers offer a single application that runs on top of shared hardware resources as shown in figure 1 to several users from multiple organizations called tenants [9]. In a SaaS multitenant environment operational overheads and maintenance is considerably low due to the sharing of hardware and software resources among multiple tenants. Moreover, upgrades need to be applied only to the shared application instance giving all tenants access the most recent version of the application. Maximum resource utilization and efficiency is achieved by application-level multi-tenancy where the infrastructure, data storage, operating system, and the application are shared among multiple tenants [2]. SaaS offers tremendous benefits, however concerns of security is one of the primary obstacle that makes organizations avoid its adoption [1]. Traditional model of application security that is fixed and hard coded by service providers are not well suited for multitenant applications that run on single shared instance. Moreover, earlier models of security are system based rather than tenant based. Additional, various commercial cloud platforms have limited security solutions [17]. The proposed secure multi-tenant application model is an integrated security model that defines a flexible pluggable component which is tenant specific and that can be easily integrated to the SaaS application. It works effectively in enforcing security controls and monitoring SaaS application security. The pluggable component s tenant security specifications can be easily interlaced with the application at runtime without any interference from the provider. Thereby the multitenant SaaS provider focuses more on the application functionality rather on application security. The proposed SMA provides effective tenant isolation at the database level, application level, and during runtime. We evaluated our proposed method by Monte Carlo method using Arena [15] and our customized tool [12]. Our evaluation and discussions based on parameters in [6] shows the effectiveness of the proposed model in securing SaaS multitenant application. Corresponding author Elsevier Publications 2013.

2 Figure 1. General multi-tenant application architecture. The paper is structured as follows: Motivation & problem definition is presented in Section 2; Section 3 discusses related work, background information on multitenant architecture is presented in Section 4. Our proposed secure multitenant application model is presented in Section 5, the evaluation and discussions on the proposed model are presented in Section 6 and finally, the conclusion and future work are in Section Motivation and Problem Definition Data security is another important area of research in cloud computing [3]. In SaaS model, the tenants depend on the SaaS application providers for their application security. The provider has to ensure that no tenant can view each other s data; it is often complex for the provider to ensure the presence of right security measures [9]. Moreover the provider might replicate tenant s data to multiple locations for maintaining high availability, the security measures should not be compromised during the process. Clients of cloud computing services currently have no means of verifying the condentiality and integrity of their data and computation [5]. SaaS offers various features that can significantly reduce IT costs by placing data and computation onto cloud platform. However, many organizations are reluctant move to cloud, primarily due to the security concerns [5]. The dynamic nature of multi-tenant application model further intensifies the application complexity and makes security more challenging [14]. Auditability can be generally achieved using remote verification methods. Remote verification requires a Trusted Platform Module (TPM). However, in a cloud where resources are virtualized, and virtual machines (VMs) dynamically migrate from one location to another, the above verification is not sufficient [5]. Enterprises are still not confident with the SaaS model due to lack of visibility about the means their data is stored and secured. Moreover, there is a huge anxiety over the lack of control and knowledge about tenant s data in SaaS [8]. 3. Related Work Current multi-tenant cloud security solutions take an inert stand to permissions as systems are functioning around a simple concept relating to the access rights of the user [18], for example the user is granted entry or denied entry based on a key. All subsequent actions are carried out based on the outcome of the initial attempt to access. Not much research has been done in the area of security of multi-tenant SaaS applications [16]. Different commercial cloud platforms have limited security solutions [17]. An approach that transforms existing web applications into multi-tenant SaaS applications is proposed in [19,20]. It focused on isolation problem by investigating application to identify the potential isolation points that should be handled by the application developers. A framework that supports a set of common services that provide security isolation, performance isolation is presented in [21]. The security isolation pattern considers the case of different security requirements while still using a predefined, built-in, security controls. Moreover security policies depend on Elsevier Publications

3 M. D. Samrajesh and N. P. Gopalan Figure 2. Block diagram of secure multi-tenant application. the tenant s administration personnel configuration that is done manually which maps users and their roles in the application. A model-driven platform that creates SaaS applications as a set of services is presented in [22]. The approach focuses on enabling cloud customers to create their system instances and specify their security requirements. However, tenants instances need to be deployed on separate VMs. Moreover, it lacks facility to update or reconfigure the defined security. A hierarchical based access control model is presented in [23]. The model increases the number of levels to the access control policy hierarchy; it includes new roles such as service providers administrators and tenants administrators. Service provider administrators delegate the authorization to the tenant s administrators to grant access rights to their predefined resources. Secure load distribution SaaS architecture is presented in [13]. The architecture is based on a set of services that provide routing, logging, and security. Their proposed security service delivers predefined authentication and authorization mechanisms. However, no isolation is provided between the authentication and authorization data of different tenants. Our proposed method considers tenant specific custom security implementations which are integrated with the SaaS application provider s security model thereby providing an integrated pluggable security model as shown in figure Multitenant Architecture Multi-tenancy is an application architecture where multiple clients or organizations (tenants) are served by a single application as illustrated in figure 1. A Multi-Tenant Application (MTA) is highly scalable and shared among multiple tenants hence it reduces cost, reduces software development time and brings down maintenance cost [7]. All tenants accessing the multi-tenant application run on the same source code, however certain tenant specific requirements are generated at run-time. Having a shared code benefits all tenants as updates can be applied centrally, moreover this enhances productivity and online collaboration. To accomplish large scale scalability, a multi-tenant application is designed to be stateless. Tenant-specific data are kept either at the tenant side or at the database. Moreover, unlike traditionally systems, tenant-specific implementations of application logic are created during run-time for each tenant. The MTA queries the database for necessary tenantspecific business logic and creates a customized implementation at run-time. Multitenant application is multifarious in nature and accomplishes individual tenant s requirements [10]. Tenants are offered with a well customized application that makes them experience as if the application is exclusively designed for them [7]. 5. Proposed Secure Multi-tenant Application (SMA) Model 5.1 Assumptions One single multitenant application is used simultaneously by multiple tenants. Each tenant has n number of users attached to them. The multitenant application consists of components that are modules of the application which is designed based on the business processes. Tenant s users by default access the core application components, all add-on components including the security component are accessed based on tenant specific needs. 828 Elsevier Publications 2013.

4 Figure 3. Intersection of security entities. Figure 4. Proposed secure multi-tenant application (SMA) model 5.2 Secure multi-tenant application (SMA) The proposed Secure Multi-tenant Application (SMA) model as shown in figure 4 consists of a Tenant Security Specification (TSS) which consists of custom security specification, securely stored either at the tenant side or the provider side; it is used to generate the pluggable secure component that secures the application. As shown is figure 3 the framework consists of a tenant pluggable security component that is integrated with the application of the tenant at run-time. The Tenant pluggable components consists of the following core entities Digital Signature with IdM for Authentication and Authorization. Relevant tenant information is securely replicated to the SaaS providers. Authorization using XACML (extensible Access Control Markup Language) delegation method is used to provide decentralized administration of access policy. The custom TenantSecurity Specification (TSS) is configuredby the tenants with their location MAC address or using directory lookup LDAP. Network security is provided with the pluggable custom security options configured by the tenant s predefined Application Programming Interface (APIs) signatures using Secure Socket Layer (SSL) and the Transport Layer Security (TLS) with an encrypted connection between a customer s data and application. Data Security is implemented for all tenants data by encryption using the key of tenant and the provider; hence it is neither accessible nor tampered by unauthorized person. Elsevier Publications

5 M. D. Samrajesh and N. P. Gopalan Figure 5. Application security risk factor, SMA- Secure multi-tenant application, GM- General Model Data integrity is provided by data segregation and confidentiality by allowing fine-grained authorization controlled access to application and data. Accountability is effectively implemented by comprehensive logging. All actions on tenant specific data and application component access are monitored, correlated and alerts are sent to tenants and the provider. The pluggable custom TSS is configured by the tenant with their location Media Access control (MAC) address or by using directory lookup Lightweight Directory Access Protocol (LDAP). This along with digital signatures, secure network access, data encryption ensures enforcing security at runtime based on the tenants configuration, moreover the proposed framework monitors the potential security breaches on the tenant data, manages data isolation between tenants services. These integrated measures ensure elevated application security by enforcing varied sets of custom security measures in application. 6. Evaluation and Discussions 6.1 Simulation setup The application security risk analysis is done by Monte Carlo method [4] using automation software Arena [15] and our customized tool [12]. We simulate risk factors with inputs generated according to probability distribution model; this allows us to make optimal choices against composite cyber-attack models that otherwise cannot be easily identified. A risk level is defined as the probability of some defencelessness or weakness within a specific timeframe. Undesirable risks that occur either at the tenant or SaaS application provider side impact the system and reduces the availability, integrity, confidentiality of the MTA. Each risk is quantitatively measured using a scale that ranges between 1 and Parameters for evaluation We use multi-variable defensive criterion (X i ) to evaluate the proposed model. X 1 -Unsafe Identify Management, X 2 -Absence of Tenant application monitoring X 3 -Absence of finer Granularity of application and data access, X 4 -Absence of Tenant data isolation, X 5 -Absence of Secure Network access, X 6 -Insecure Backups storage, X 7 -Absence of High availability, X 8 -Absence of Data recovery mechanism Risk classification We consider 2 scenarios based on [11], scenario-i uses 3 categories of risks labeled a) Low b) Medium, and c) High; and in scenario-ii we use of 6 categories of risks labeled as a) Not possible, b) Most unlikely c) Unlikely d) Likely e) Most Likely and f) Surely; for each of the variable, the defensive criterion (Xi) is expressed by probability distributions. 830 Elsevier Publications 2013.

6 6.1.3 Discussions The proposed SMA provides security isolation among tenants at various levels during runtime and for data offline. Our assessment of the proposed system in terms of probability of adversary risk factor shows that, the security risk associated in SaaS application is based upon multidimensional aspects. It can be expressed numerically as the product of the probability of occurrence and expected risk associated with one or many undesirable event that is defined in defensive criterion. Our evaluation is based on parameters in [6]. Our evaluation outcome in Fig.5 shows that the security risks of General Model (GM) and SMA using the 6, 3 risk factors respectively, the risk factor fluctuates in GM when compared to SMA. Moreover, the average risk factor of SMA is less than GM. This shows the effectiveness of the proposed solution in securing SaaS multitenant applications. Application security risks can be reduced by incorporating the pluggable SMA based security framework in SaaS application. Implementation the proposed SaaS security model increases the SaaS providers and tenants confidence and enables its speedy and wider adoption. 7. Conclusion and Future Work Today, SaaS tenants demand transparency from the provider on how their data is secured at the datacenter. The challenge is to have a customizable tenant based approach that securely provide access to the tenant s data and monitors any illegal access of both application and tenant data. We proposed an integrated Secure Multi-tenant Application (SMA) model that is custom defined and pluggable to multi-tenant application. Our evaluation based on the multivariable defensive criterion and our discussions show that the proposed SMA framework is effective in reducing the security risk associated with multi-tenant application and alleviate the security concerns of the tenants. Our future work is to integrate the security framework with the overall architecture of multi-tenant SaaS application. References [1] M. Armbrust, A. Fox, R. Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica and M. Zaharia, Above the Clouds: A Berkeley View of Cloud Computing. Technical Report No. UCB/EECS , University of California at Berkley, USA, Feb. 10, [2] F. Chong and G. Carraro, Architecture Strategies for Catching the Long Tail. Microsoft Corporation, April [3] Zhang, Qi, Lu Cheng and Raouf Boutaba, Cloud computing: state-of-the-art and research challenges. Journal of Internet Services and Applications vol. 1.1, pp. 7 18, (2010). [4] Sahinoglu and Mehmet, Security meter: A practical decision-tree model to quantify risk. Security & Privacy, IEEE,vol. 3.3, pp , (2005). [5] Santos, Nuno, Krishna P. Gummadi and Rodrigo Rodrigues, Towards trusted cloud computing. Proceedings of the 2009 conference on Hot topics in cloud computing, [6] S. Subashini and V. Kavitha, A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications, vol. 34.1, pp. 1 11, (2011). [7] Bezemer, Cor-Paul and Andy Zaidman, Multi-tenant SaaS applications: maintenance dream or nightmare?. Proceedings of the Joint ERCIM Workshop on Software Evolution (EVOL) and International Workshop on Principles of Software Evolution (IWPSE). ACM, [8] Popovic, Kresimir and Zeljko Hocenski. Cloud computing security issues and challenges. MIPRO, 2010 proceedings of the 33rd international convention. IEEE, [9] Choudhary and Vidyanand, Software as a service: Implications for investment in software development. System Sciences, HICSS th Annual Hawaii International Conference on. IEEE, [10] Weissman, D. Craig and Steve Bobrowski, The design of the force. com multitenant internet application development platform. Proceedings of the 35th SIGMOD international conference on Management of data. ACM, [11] Kaplan, Stanley and B. John Garrick, On the quantitative definition of risk. Risk analysis, vol. 1.1, pp , (1981). [12] M. D. Samrajesh and N. P. Gopalan, AppSIM: An Application Simulator for Software as a Service (SaaS), Proceedings of the International Conference on Computational Techniques and Mobile Computing (ICCTMC 2012), Dec , Singapore, pp , ISBN: , [13] Z. Pervez, S. Lee, et al, Multi-tenant, secure, load disseminated SaaS architecture, In Proc. 12th Int. Conf. on Advanced Communication Technology, South Korea, pp , [14] Ren, Kui, Cong Wang and Qian Wang, Security challenges for the public cloud. Internet Computing, IEEE, vol. 16.1, pp , (2012). [15] Kelton, W. David, Randall P. Sadowski and Deborah A. Sadowski, Simulation with ARENA, vol. 2. New York: McGraw-Hill, [16] Almorsy, Mohamed, John Grundy and Amani S. Ibrahim, TOSSMA: A Tenant-Oriented SaaS Security Management Architecture. Cloud Computing (CLOUD), 2012 IEEE 5th International Conference on. IEEE, Elsevier Publications

7 M. D. Samrajesh and N. P. Gopalan [17] M. Brock and A. Goscinski, Toward a Framework for Cloud Security, Algorithms and Architectures for Parallel Processing. vol. 6082, C.-H. Hsu, L. Yang, J. Park and S.-S. Yeo, Eds., ed: Springer Berlin / Heidelberg, pp , [18] Flood, Jason and Anthony Keane, A Proposed Framework for the Active Detection of Security Vulnerabilities in Multitenancy Cloud Systems. Emerging Intelligent Data and Web Technologies (EIDWT), 2012 Third International Conference on. IEEE, [19] H. Cai, N. Wang, et al., A Transparent Approach of Enabling SaaS Multi-tenancy in the Cloud, in Proc th IEEE World Congress on Services, pp , [20] H. Cai, K. Zhang, et al., An End-to-End Methodology and Toolkit for Fine Granularity SaaS-ization, in Proc IEEE Int. Conf. on Cloud Computing, pp , [21] C. Guo, W. Sun, et al., A Framework for Native Multi-Tenancy Application Development and Management, in Proc. 9th IEEE Int. Conf. on E-Commerce Technology, pp [22] M. Menzel, R. Warschofsky, et al., The Service Security Lab: A Model-Driven Platform to Compose and Explore Service Security in the Cloud, in Proc. World Congress on Services, pp , [23] T. J. Jing Xu, H. Dongjian, et al., Research and implementation on access control of management-type SaaS, in Proc. IEEE Int. Conf. on Information Management and Engineering, pp , Elsevier Publications 2013.