Transparent IO access control for application-level tenant isolation.

SAC 2018: Symposium on Applied Computing, Pau, France, April 2018 (2018)

Abstract
The economy-of-scale benefits of multi-tenancy are most compelling at the application level, as this deployment model allows optimally sharing a single application instance and its runtime resources between multiple customer organizations. However, this requires, among other things, controlling and isolating access of tenants to IO resources (e.g. storage/network) at the application level. In this paper, we present an application-level middleware which transparently enforces tenant isolation vis-à-vis access to IO resources. The solution is useful for preventing unauthorized access to IO resources, especially when access to IO resources is parameterized by overly complex user inputs and occurs in numerous places of a large and complex code-base, e.g. in legacy applications. The transparent nature of isolation enforcement is achieved by extending and customizing the platform security capabilities of modern programming languages. The alternative approach, i.e. requiring application developers to implement tenant isolation explicitly, is concomitant to inevitable human errors and oversight. Our implementation is evaluated using a prototype application that is representative of realistic requirements of an industry-level SaaS provider. In order to show the reduced risk of human error, we deliver an assessment of the required development effort for enabling multi-tenancy and compare it to the baseline of implementing tenant isolation manually. In addition, our in-depth performance evaluation yields an average relative runtime overhead of 4.47%, which demonstrates the suitability of the middleware for real-world use-cases.
Keywords
Multi-tenancy, Tenant Isolation, Software-as-a-Service