Question

我们正在为数以百计而不是数千个独立租户建立一个多功能系统,数据安全要求很高。目前,计划将:

Isolated databases (one per tenant)
Website and application pool (one per tenant), running under a unique identity, which is the only identity with access to the corresponding database.
Separate physical directory structure per tenant

明显推出最新信息需要完全自动化,以保持顶点,可能利用MS Deploy + Power 壳牌,有时部署一名租户。

难道我们是在这条路上制造一条夜马吗? 在这种情形下,我们是否应当评估其他可能的配置,这样可以尽量减少我们的行政管理费用,而不牺牲安全方面?

感谢!

Answer 1

你所描述的确实是一种非常安全的工作方式,但似乎还有大量的间接费用。需要考虑的一个问题是如何处理标识。是否要求每个用户具体说明租户、用户名称和密码? 或者,你能否指定每个租户一个独特的子主?

As far as maintenance is concerned, the best way to handle things is to cram as many teneants into a single web server / web farm and shove all of their data into a single relational db / db cluster. That way, when you upgrade one customer, everybody gets upgraded. At some point, you will have to buy another web farm / db cluster to put more tenants on, but you would be suprised how far 1 instance can go.

当然,这一规则的例外是谷歌和Facebook等网站,它们拥有太多的用户和太多的传统关系数据。但是,在95%以上的地点,我是这一模式能够发挥作用的。

就安全而言,您可在every query上填入每张桌子和每个桌子。是的,这是非属人性的,但你所描述的维修习惯都没有。

Answer 2

你所描述的确实是多租户的出路,但如上所述,与多租户相同。见IBM开发商第,供考虑的因素。

Please consider how many tenants you will have and how many users each tenant will have on average.
If you are going to have a large number of tenants, then your model might become too expensive to maintain. Ten Thousand Tenants, each with its own database, filesystem structures, etc. well good luck.
True Multi-Tenancy like Success Factors, SalesForce.com, NetSuite, etc. are successful primarily because they are Multi-Tenant, one code base, one database model, etc. All Tenants access one large scale system and see isolated data.
An alternative to True Multi-Tenancy is virtualization, and with Virtualization such as VMWare you can have your cake and eat it too. Each vmware image has all you need and can be instantiated on demand. You can make one update to the code and deploy it when the image is instantiated. It is going to be much more cost effective than the silos you envision now, but less so than True Multi-Tenancy.

Answer 3

有几个办法使租户A的手掌握在租户B的数据中。

Siloing as you ve described -- the machines that service tenant B refuse all network connections from machines dedicated to other tenants, and have separate physical drives, logs, etc. Here the kinds of zero days you worry about are those dealing with network messages and trojans that try to infect your code updates, and any device that can eavesdrop on network messages between machines in a silo.
Encrypting all stored data -- instead of separate machines, you encrypt all data. Typically this still requires siloing databases, but not file-systems or logs. The zero days you worry about are those for 1, plus anything dealing with process boundaries, memory caches, file system jailing, and anything affecting communication with the tenant key store. I don t have much experience with it, but I m skeptical that it is an administrative win.
Information flow analysis -- make sure that each piece of data is labelled. All requests from a program that is servicing a request for tenant A is marked as A, and all programs that service requests for tenant A accept only messages marked with A and not with B. This can be used for defense in depth on top of other schemes since it does not, by itself protect storage systems.

友情链接