English 中文(简体)
安保需求高的多功能网站——可能的配置?
原标题:Multi-tenant website with high security requirements - possible configurations?

我们正在为数以百计而不是数千个独立租户建立一个多功能系统,数据安全要求很高。 目前,计划将:

  • Isolated databases (one per tenant)
  • Website and application pool (one per tenant), running under a unique identity, which is the only identity with access to the corresponding database.
  • Separate physical directory structure per tenant

明显推出最新信息需要完全自动化,以保持顶点,可能利用MS Deploy + Power 壳牌,有时部署一名租户。

难道我们是在这条路上制造一条夜马吗? 在这种情形下,我们是否应当评估其他可能的配置,这样可以尽量减少我们的行政管理费用,而不牺牲安全方面?

感谢!

最佳回答

你所描述的确实是一种非常安全的工作方式,但似乎还有大量的间接费用。 需要考虑的一个问题是如何处理标识。 是否要求每个用户具体说明租户、用户名称和密码? 或者,你能否指定每个租户一个独特的子主?

As far as maintenance is concerned, the best way to handle things is to cram as many teneants into a single web server / web farm and shove all of their data into a single relational db / db cluster. That way, when you upgrade one customer, everybody gets upgraded. At some point, you will have to buy another web farm / db cluster to put more tenants on, but you would be suprised how far 1 instance can go.

当然,这一规则的例外是谷歌和Facebook等网站,它们拥有太多的用户和太多的传统关系数据。 但是,在95%以上的地点,我是这一模式能够发挥作用的。

就安全而言,您可在every query上填入每张桌子和每个桌子。 是的,这是非属人性的,但你所描述的维修习惯都没有。

问题回答

有几个办法使租户A的手掌握在租户B的数据中。

  1. Siloing as you ve described -- the machines that service tenant B refuse all network connections from machines dedicated to other tenants, and have separate physical drives, logs, etc. Here the kinds of zero days you worry about are those dealing with network messages and trojans that try to infect your code updates, and any device that can eavesdrop on network messages between machines in a silo.
  2. Encrypting all stored data -- instead of separate machines, you encrypt all data. Typically this still requires siloing databases, but not file-systems or logs. The zero days you worry about are those for 1, plus anything dealing with process boundaries, memory caches, file system jailing, and anything affecting communication with the tenant key store. I don t have much experience with it, but I m skeptical that it is an administrative win.
  3. Information flow analysis -- make sure that each piece of data is labelled. All requests from a program that is servicing a request for tenant A is marked as A, and all programs that service requests for tenant A accept only messages marked with A and not with B. This can be used for defense in depth on top of other schemes since it does not, by itself protect storage systems.




相关问题
Anyone feel like passing it forward?

I m the only developer in my company, and am getting along well as an autodidact, but I know I m missing out on the education one gets from working with and having code reviewed by more senior devs. ...

How to Add script codes before the </body> tag ASP.NET

Heres the problem, In Masterpage, the google analytics code were pasted before the end of body tag. In ASPX page, I need to generate a script (google addItem tracker) using codebehind ClientScript ...

Transaction handling with TransactionScope

I am implementing Transaction using TransactionScope with the help this MSDN article http://msdn.microsoft.com/en-us/library/system.transactions.transactionscope.aspx I just want to confirm that is ...

System.Web.Mvc.Controller Initialize

i have the following base controller... public class BaseController : Controller { protected override void Initialize(System.Web.Routing.RequestContext requestContext) { if (...

Microsoft.Contracts namespace

For what it is necessary Microsoft.Contracts namespace in asp.net? I mean, in what cases I could write using Microsoft.Contracts;?

Separator line in ASP.NET

I d like to add a simple separator line in an aspx web form. Does anyone know how? It sounds easy enough, but still I can t manage to find how to do it.. 10x!

热门标签