
Multi-Tenancy

A software architecture where a single application instance serves multiple independent customers (tenants) while keeping their data isolated.

Multi-tenancy is a software architecture pattern where a single instance of an application serves multiple customers, known as tenants. Each tenant's data and configuration are logically isolated, even though they share the same underlying infrastructure, application code, and often the same database.

How It Works

Multi-tenant systems implement isolation at various levels. In shared-database architectures, all tenants' data resides in the same tables, distinguished by a tenant identifier column. Every database query must include a tenant filter to prevent data leakage between customers. In schema-per-tenant architectures, each tenant gets their own database schema within a shared database server. Database-per-tenant provides the strongest isolation by giving each customer a completely separate database.

The application layer enforces tenant boundaries through middleware or context objects that determine the current tenant from the request — typically from the subdomain, a header, or the authenticated user's tenant association. This context propagates through every layer of the application, ensuring that data access, file storage, background job processing, and caching all respect tenant boundaries.

Configuration isolation allows each tenant to customize their experience — branding, feature flags, integration settings — without affecting other tenants. Resource isolation prevents one tenant's heavy usage from degrading performance for others, often through rate limiting, resource quotas, and queue prioritization.

Security Challenges

Multi-tenant architectures concentrate risk. A single vulnerability in the tenant isolation logic can expose every customer's data simultaneously. Common failures include missing tenant filters on database queries (leading to cross-tenant data access), insecure direct object references where one tenant can access another's resources by guessing or enumerating identifiers, and shared caches that return another tenant's data.

Background jobs and scheduled tasks that process data across tenants must maintain strict context separation. Administrative endpoints that operate outside tenant context require extra scrutiny, as they can inadvertently bypass isolation controls.
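The missing-filter, identifier-guessing and shared-cache failures described in this section, shown beside a tenant-scoped version, as an added example that is not code from this page. The `invoices` table, the tenant names and all function names are assumptions made for illustration, and the middleware that would bind the tenant per request is stood in for by `as_tenant`.

```python
import sqlite3
from contextvars import ContextVar

# Constructed sample data: two tenants sharing one table (shared-database model).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, total REAL)")
db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
               [(1, "acme", 100.0), (2, "globex", 250.0)])

# Tenant context, bound once per request by (hypothetical) middleware.
current_tenant = ContextVar("current_tenant")

def get_invoice_unscoped(invoice_id):
    """Vulnerable: filters by id only, so any tenant can read any row."""
    return db.execute("SELECT id, tenant_id, total FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()

def get_invoice(invoice_id):
    """Hardened: the tenant filter comes from context, never from caller input."""
    tenant = current_tenant.get()  # raises LookupError when no tenant is bound
    return db.execute(
        "SELECT id, tenant_id, total FROM invoices WHERE id = ? AND tenant_id = ?",
        (invoice_id, tenant)).fetchone()

_cache = {}

def cached_invoice(invoice_id):
    """The cache key includes the tenant, so entries are never shared across tenants."""
    key = (current_tenant.get(), invoice_id)
    if key not in _cache:
        _cache[key] = get_invoice(invoice_id)
    return _cache[key]

def as_tenant(tenant, fn, *args):
    """Run fn with a tenant bound, then restore the previous context."""
    token = current_tenant.set(tenant)
    try:
        return fn(*args)
    finally:
        current_tenant.reset(token)

if __name__ == "__main__":
    print(as_tenant("acme", get_invoice_unscoped, 2))  # another tenant's row is returned
    print(as_tenant("acme", get_invoice, 2))           # no row: the filter excludes it
```

Because `get_invoice` fails when no tenant is bound, a background job or administrative path that forgets to set the context gets an error instead of silently running an unfiltered query.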

Why It Matters

Most modern SaaS applications are multi-tenant. A tenant isolation failure is not just a single-user data breach — it potentially exposes every customer on the platform. Security testing of multi-tenant applications must specifically verify isolation boundaries across every feature and data access path.
