SEQUOIA

A common way to solve this problem today is for the SaaS providers to set up separate installations per customer and to program the security logic in the application, a solution that is most often not efficient, error-prone, difficult to audit and expensive to adapt.

With SEQUOIA, we aimed to develop a generic solution for SaaS providers. A solution that allows them to set up one multitenant database while giving each of their customers the possibility to define fine-grained, attribute-based security rules. In the invoice example, the corporation using SaaS would then be able to set restrictions on viewing and modifying invoices based on e.g. region, responsibility, or account management.

Koen Handekyn, project lead and CEO of UP-nxt, says: “The solution we came up with in a real innovation compared to the state-of-the-art. In essence, it tailors the queries before they are executed, instead of having the application filter the results after a database search. This rewriting and compacting of queries is done by an add-on module, at the level of the data access middleware, and thus separated from the database or customer applications. This allows SaaS providers like us to add value to our service without having to install new databases or middleware, or reprogram the applications. And each of our customers can add its own rules, in a declarative language that is easy to use and to audit.”

Project outcomes

• A security solution to enforce complex, custom authorization rules in search queries, with guarantees for safety, correctness and performance
• Security middleware for SaaS, generic and application-independent
• Validated in multiple storage and query architectures, with proof-of-concept in state-of-the-art data access middleware
• Demonstrators in the three application domains of the partners

SEQUOIA Leaflet