Welcome!

@CloudExpo Authors: Liz McMillan, Dalibor Siroky, James Carlini, John Walsh, APM Blog

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Recurring Revenue

@CloudExpo: Article

Multi Tenancy and the Oracle VPD

Improve time-to-market for SaaS applications

Multi Tenancy Database Design and Security
We have seen that there are multiple ways a multi-tenant database can be designed. The important options being:

  1. Separate Database: Each of the tenants is allocated a separate physical database for storing their data.
  2. Separate Schema: Each of the tenants is allocated a separate logical unit called Schema, within a single physical database.
  3. Separate Rows: Each of the tenants is allocated same physical database and schema, but their information is separated using primary keys which are allocated as part of the data base design and all the information is kept within the same physical tables.

A diagram of these types of database designs can viewed here: MSDN article on Multi-Tenant Data Architecture.

As evident in some of these architectures, we store data from multiple clients in the same database and securing each client's data from others is of utmost important. While we could code these as part of our application code such kind of custom coded security is subject to breach if the developers miss a point or two and the verification is not done properly. Also custom coded security has the drawback of not enforcing it, if the database is accessed outside of the application like using another reporting tool or interactive SQL query studios like Sql*Plus, iSQL etc...

So Security for the Multi Tenancy Databases are best implemented if the underlying database platform itself is aware of Multi Tenancy Rules and prevent unauthorized access to data whatever the client tool that is accessing the data.

One such built-in feature built inside the Oracle 11g database is called as Fine-Grained Access Security, which is also known as Virtual Private Database, which provides   transparent security cover for Multi-Tenant databases.

Virtual Private Database
An Oracle Virtual Private Database (VPD) is an aggregation of server-enforced, application-defined fine-grained access control, combined with a secure application context in the Oracle database server.

Much of security on a multi-tenant SaaS application is based on one simple principle: Users have to be identified and distinguished from each other. This is true for applications and for databases. This security tenet is exemplified in our world every day. Email applications show only the emails for the user who has logged in. Financial reports are delivered only to those authorized to receive them. For these applications to work effectively, you have to know who the person is before you can know if they are supposed to access an email or financial report.

A Virtual Private Database (VPD) allows you to build the security policies based on User's identity that can be applied to tables are views. One important factor about VPD is that, user's identify is not restricted to the ‘Database User' but the application user, which in a multi-tenant scenario is the actual tenant of the application.

The following are the typical steps in implementing the VPD for your multi-tenant databases, the detailed implementation is available on the Oracle manuals.

  • Design the Multi-Tenant database with appropriate database columns to store the Tenant identity
  • Create a function to apply the FILTERING conditions based on the multi tenant inquiry of data
  • Create a policy to use the function so that the policy can be applied to different database objects
  • Use the DBMS_RLS function to apply the policy to the multi-tenant database tables
  • Use the Oracle client functions to set the Tenant identify from the application, so that the policy is applied transparently such each tenant views only the data owned by the tenant

Fine-Grained Auditing
In spite of having VPD on the multi-tenant database, most times Auditors would like to see the reports on database access patterns , especially access to the sensitive information. FGA (Fine Grained Auditing) provides the most granular level of auditing in a multi-tenant database.

This method creates audit records based on the exact query, condition, and data retrieved or  manipulated by the statement. It provides a facility to audit only those statements (including actual values of possible bind-variables) that reference a particular column. DBMS_FGA package facilitates creation of FGA policies.

The salient features of FGA can be segregated as following:

Column Referencing: We can define policy such that audit is triggered only if the specified columns are referenced in query statement. For example in a multi-tenant application for e-Commerce, this can setup for columns like credit card number.

Conditional auditing: As explained in previous example also, auditing can be condition driven using FGA. For example, in a multi-tenant database if any one tried to query information of a specific client or across clients.

Oracle on the Cloud
While we see many new players in Analytical databases , ‘NO SQL' databases on cloud, Oracle continues to be a leading database in data centers for OLTP and - many high performance applications. There are several possibilities of implementing Oracle database on Cloud for your multi tenant application.

Summary
Success of SaaS applications will be measured by the time-to-market, which means that faster we roll out our application we capture the market better. This can be achieved only if the best of the out-of-the-box features available in the product vendors are utilized, so that the much needed, Security, auditing and performance of the application are maintained. Oracle's VPD / FGA are one such feature which needs to be analyzed , if you plan to deploy your multi tenant application on Oracle platform.

More Stories By Srinivasan Sundara Rajan

Highly passionate about utilizing Digital Technologies to enable next generation enterprise. Believes in enterprise transformation through the Natives (Cloud Native & Mobile Native).

@CloudExpo Stories
In his session at 21st Cloud Expo, Carl J. Levine, Senior Technical Evangelist for NS1, will objectively discuss how DNS is used to solve Digital Transformation challenges in large SaaS applications, CDNs, AdTech platforms, and other demanding use cases. Carl J. Levine is the Senior Technical Evangelist for NS1. A veteran of the Internet Infrastructure space, he has over a decade of experience with startups, networking protocols and Internet infrastructure, combined with the unique ability to it...
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Vulnerability management is vital for large companies that need to secure containers across thousands of hosts, but many struggle to understand how exposed they are when they discover a new high security vulnerability. In his session at 21st Cloud Expo, John Morello, CTO of Twistlock, addressed this pressing concern by introducing the concept of the “Vulnerability Risk Tree API,” which brings all the data together in a simple REST endpoint, allowing companies to easily grasp the severity of the ...
Agile has finally jumped the technology shark, expanding outside the software world. Enterprises are now increasingly adopting Agile practices across their organizations in order to successfully navigate the disruptive waters that threaten to drown them. In our quest for establishing change as a core competency in our organizations, this business-centric notion of Agile is an essential component of Agile Digital Transformation. In the years since the publication of the Agile Manifesto, the conn...
In his session at 21st Cloud Expo, James Henry, Co-CEO/CTO of Calgary Scientific Inc., introduced you to the challenges, solutions and benefits of training AI systems to solve visual problems with an emphasis on improving AIs with continuous training in the field. He explored applications in several industries and discussed technologies that allow the deployment of advanced visualization solutions to the cloud.
Enterprises are adopting Kubernetes to accelerate the development and the delivery of cloud-native applications. However, sharing a Kubernetes cluster between members of the same team can be challenging. And, sharing clusters across multiple teams is even harder. Kubernetes offers several constructs to help implement segmentation and isolation. However, these primitives can be complex to understand and apply. As a result, it’s becoming common for enterprises to end up with several clusters. Thi...
While some developers care passionately about how data centers and clouds are architected, for most, it is only the end result that matters. To the majority of companies, technology exists to solve a business problem, and only delivers value when it is solving that problem. 2017 brings the mainstream adoption of containers for production workloads. In his session at 21st Cloud Expo, Ben McCormack, VP of Operations at Evernote, discussed how data centers of the future will be managed, how the p...
"NetApp is known as a data management leader but we do a lot more than just data management on-prem with the data centers of our customers. We're also big in the hybrid cloud," explained Wes Talbert, Principal Architect at NetApp, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
The question before companies today is not whether to become intelligent, it’s a question of how and how fast. The key is to adopt and deploy an intelligent application strategy while simultaneously preparing to scale that intelligence. In her session at 21st Cloud Expo, Sangeeta Chakraborty, Chief Customer Officer at Ayasdi, provided a tactical framework to become a truly intelligent enterprise, including how to identify the right applications for AI, how to build a Center of Excellence to oper...
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
"Infoblox does DNS, DHCP and IP address management for not only enterprise networks but cloud networks as well. Customers are looking for a single platform that can extend not only in their private enterprise environment but private cloud, public cloud, tracking all the IP space and everything that is going on in that environment," explained Steve Salo, Principal Systems Engineer at Infoblox, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventio...
Large industrial manufacturing organizations are adopting the agile principles of cloud software companies. The industrial manufacturing development process has not scaled over time. Now that design CAD teams are geographically distributed, centralizing their work is key. With large multi-gigabyte projects, outdated tools have stifled industrial team agility, time-to-market milestones, and impacted P&L stakeholders.
"ZeroStack is a startup in Silicon Valley. We're solving a very interesting problem around bringing public cloud convenience with private cloud control for enterprises and mid-size companies," explained Kamesh Pemmaraju, VP of Product Management at ZeroStack, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"We're focused on how to get some of the attributes that you would expect from an Amazon, Azure, Google, and doing that on-prem. We believe today that you can actually get those types of things done with certain architectures available in the market today," explained Steve Conner, VP of Sales at Cloudistics, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"Codigm is based on the cloud and we are here to explore marketing opportunities in America. Our mission is to make an ecosystem of the SW environment that anyone can understand, learn, teach, and develop the SW on the cloud," explained Sung Tae Ryu, CEO of Codigm, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Data scientists must access high-performance computing resources across a wide-area network. To achieve cloud-based HPC visualization, researchers must transfer datasets and visualization results efficiently. HPC clusters now compute GPU-accelerated visualization in the cloud cluster. To efficiently display results remotely, a high-performance, low-latency protocol transfers the display from the cluster to a remote desktop. Further, tools to easily mount remote datasets and efficiently transfer...
High-velocity engineering teams are applying not only continuous delivery processes, but also lessons in experimentation from established leaders like Amazon, Netflix, and Facebook. These companies have made experimentation a foundation for their release processes, allowing them to try out major feature releases and redesigns within smaller groups before making them broadly available. In his session at 21st Cloud Expo, Brian Lucas, Senior Staff Engineer at Optimizely, discussed how by using ne...
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...