This paper presents a novel approach to security for applications that are run on a central server and supplied to multiple consuming organizations (tenants) as a service. The issues associated with the separation of data and security profiles of each tenant from all others are described clearly. These are complicated by the fact that the security requirements apply to a finished product, not one under development. The software system under discussion appears to address all of the issues very well.

The idea is to externalize the security as far as possible. Privileged access to the controlled application is still required, so that hooks can be inserted for the external security processing.

The paper is recommended reading for those with an interest in the area, including those hosting software as a service to multiple tenants, and those who access such software.