IronCore SaaS Shield Platform

SaaS Shield is a suite of products designed to enhance per-tenant security in your multi-tenant SaaS app. The two main products in the SaaS Shield platform are the multi-tenant security system (SaaS Shield Kit) and the S3 proxy (SaaS Shield for Amazon S3).

(See product descriptions, use cases, pricing, and other information here).

If most of your multi-tenant data is in S3 and you just want to make sure that it’s secure, check out SaaS Shield for Amazon S3. If your multi-tenant data is in other forms of storage (databases, disk, key-value stores, etc.) or your use case is more complex, then you’ll want to use the SaaS Shield Kit directly.

The SaaS Shield Kit provides services and SDKs to enable your customers (or you on their behalf) to easily configure external cloud KMS and logging. It makes it easy to use those cloud options to encrypt multi-tenant data in your service’s code with a high-level SDK, and provides benefits like security event audit logging without any additional code. You get the advantage of having each tenant’s data encrypted with a different key, creating additional protections against inadvertently mixing multiple tenants’ data, even if they are all sharing a data store. This kit is made up of a Tenant Security Proxy, a Tenant Security Client SDK, and a Configuration Broker. There is also an optional Vendor Bridge that you can add to allow automation of tenant management tasks.

To make the addition of this level of data security and protection to your applications practical, your apps must continue to provide the needed functionality for users. A key component of this functionality for many apps is searching on the protected data. SaaS Shield provides an option to secure data in such a way that you can continue to search your data store for exact matches even though the data is encrypted. We use deterministic encryption to facilitate this type of search.

If you are using Elasticsearch or OpenSearch to index your tenants’ data and provide additional search features, you can still encrypt the data in your search index by using Cloaked Search. This is another ready-to-deploy container that can be configured to use SaaS Shield to manage the keys it needs to protect fields in the index and still allow searches on the data. You can secure your search service and still allow you and your customers to manage KMS and logging cloud options.

SaaS Shield for Amazon S3 is a prebuilt system based on the SaaS Shield Kit that deploys directly into your AWS instance using CloudFormation templates. It uses the Configuration Broker to allow you and your customers to manage KMS and logging cloud options, but doesn’t require any code changes to your services. You simply deploy it, configure it, and point your current S3 app to it. SaaS Shield for Amazon S3 can also be purchased directly from the AWS Marketplace.

You can also install the S3 proxy in an existing SaaS Shield installation - directions are here.