What would be the least expensive and PaaS-agnostic way to protect and share sensitive data in a multi-tenant application using a common database?
Some background information and more specific questions:
We are a small startup company. We have successfully launched an intranet web application project for a client, and now we are ready to offer a cloud solution for similar clients.
Like Microsoft BizSpark, we are learning Azure App Services. We can move on to cloud services later, but for now it seems that App Services will be enough. However, we don’t want to get too attached to Azure if we want to switch to another SaaS provider later.
Our application will store confidential information that must be protected. Separate encrypted (Azure provides transparent encryption) databases for each tenant will provide maximum security, but we do not have a budget for such a solution, and it would be difficult to manage automatically.
Our current plan is to offer our customers to register a subdomain under our wildcard domain, and then internally compare the subdomain with the tenant ID that will be used in each table.
This is, apparently, the most economical solution for a start-up company, since there is no additional management for each additional tenant, and registration can be fully automatic. I understand that we must be very careful to ensure that the tenant ID is used in every SQL query (using SQL views and stored procedures with the built-in ID identifier will help), but this is clearly not enough. We need some kind of mechanism to protect each tenant-sensitive data with some encryption key.
And then the following questions will appear:
Should I use one encryption key for all sensitive data for all tenants? or do we have a separate key for each tenant?
if we are looking for individual keys (randomly generated at the time of registration, so the key will not be known even to us), then who and how should store and protect the tenant's encryption key? Should we provide a key to the tenant, and then ask our employees to provide a key in addition to each name and password of each employee at every login through a web browser?
Which approach is best, given that later we may need to scale or “resiliently” scale the database, as some PaaS providers call it, and that we can move from Azure and Microsoft SQL Server to something else?
If someone has experience with multi-user protection and database protection, I would really appreciate some advice, some of them do and do not, and can be negotiated. I read several articles on the topic, but they are often too specific for PaaS platforms or do not explain the possible consequences and difficulties, but this knowledge comes only from everyday experience and trials and errors.