Security for Embedded Applications: Authorization for SaaS Companies
Watch this video to learn how the two models of SaaS multi-tenancy affect the deployment of embedded platforms.
Multi-tenancy models typically fall within one of two approaches: isolated and shared. The isolated model is arguably safer, but the shared model is more efficient for the SaaS company. An embedded analytics platform needs to support both. Moreover, to support the co-mingled or shared model, the embedded platform needs to support row-level security. Row-level security ensures that tenants only see the data relevant to that customer. Row-level security can be implemented via the embedded platform or it can be enforced by the data source.
My name is Olivier Meyer. I'm a Director of Product Management at Zoomdata, and my focus area is on embedding and integration with other applications.
So, building on authorization, there's a special category of authorization we want to look at, especially for multi-tenant or SaaS companies.
Embedded Applications: Two Models for SaaS Companies
What we see in the marketplace is really two models that SaaS companies leverage for enforcing security at a data level and the way they model multi-tenancy.
One is what we call isolation or sharding where each of their tenants, each of their customers effectively gets their own database for the data. That's probably arguably the safest model because there's no way that another tenant can see the data because it's all partitioned. The other model is co-mingled or shared data, which is more efficient for a SaaS company. They don't have to duplicate all that environment. And in that case, all the data for all their tenants are in one database, and they leverage row-level security to ensure that one tenant doesn't see the data for another tenant.
Embedded Platforms Should Support Both Models
So, it's important for your BI platform, depending on the type of SaaS or multi-tenant model that you're going after, to support both those models, the isolated sharded model or the co-mingled model. And that means for the second one that your BI platform has to support row-level security.
Two Ways to Support Row-Level Security
And what we find is there's two ways to do row-level security. You can have the BI platform itself do the enforcement, meaning it will automatically add filtering for every request to ensure that only tenant A's data or user A's data is being shown. Another model is where the underlying data store itself is responsible for doing that row-level enforcement, or we call that delegation or impersonation where the identity of the user flows through the parent application through to the BI platform all the way down to the underlying data store, and the data store is what's enforcing those security rules. So, you have to look at a BI platform that supports both models when you look to embed, especially if you're a SaaS company or if you're a large enterprise that has adopted running like a SaaS even though you're an enterprise.