Skip to content

STRIDE Analysis for SaaS Multi-Tenancy

STRIDE is a threat modeling methodology developed by Microsoft that categorizes different types of threats. When analyzing a SaaS application, especially one that is multi-tenant, STRIDE provides a structured framework to identify potential vulnerabilities in how data and processes flow through the system.

1. Spoofing Identity

Definition: An attacker assumes the identity of a legitimate user or system. SaaS Context: In a multi-tenant SaaS, tenant isolation relies heavily on identity context. If an attacker can spoof a tenant admin or service account, they can bypass tenant boundaries.

  • Threat Vectors:
    • Cookie theft or session hijacking (e.g., via XSS) leading to impersonation of another tenant's user.
    • Forging JSON Web Tokens (JWTs) if the signing key is weak or leaked.
    • API calls that lack strict identity validation, allowing a user from Tenant A to pass the Tenant ID of Tenant B in the header.

2. Tampering with Data

Definition: Malicious modification of data. SaaS Context: Attackers modify data at rest, in transit, or in memory, potentially affecting the integrity of the SaaS platform or specific tenants.

  • Threat Vectors:
    • Intercepting and altering API requests (MitM) if TLS is improperly configured.
    • Modifying multi-tenant database records (e.g., changing the tenant_id field on a sensitive record from someone else's tenant to their own).
    • Tampering with application configuration files to degrade the service.

3. Repudiation

Definition: An attacker performs an action but denies doing it, and the system lacks the ability to prove otherwise. SaaS Context: Without robust, tamper-proof audit logs, malicious actions (like a tenant deleting critical shared resources or an insider altering data) cannot be traced.

  • Threat Vectors:
    • Lack of centralized logging for critical API mutations (POST/PUT/DELETE).
    • Insufficient log detail (e.g., logging an action without recording the associated tenant_id or user_id).
    • Attackers deleting local log files before they are shipped to the central SIEM.

4. Information Disclosure

Definition: Exposing information to unauthorized individuals. SaaS Context: This is the most critical threat in multi-tenant SaaS environments. Cross-tenant data leakage can destroy customer trust and result in severe regulatory fines.

  • Threat Vectors:
    • Insecure Direct Object Reference (IDOR), where a user from Tenant A queries /api/v1/invoices/123 and accesses Tenant B's invoice because the backend didn't validate the tenant_id.
    • Database misconfigurations allowing SQL injection to dump the entire shared database.
    • Leaking stack traces or verbose error messages containing sensitive connection strings.

5. Denial of Service (DoS)

Definition: Denying or degrading service to legitimate users. SaaS Context: In a multi-tenant environment, the "Noisy Neighbor" problem is a significant DoS threat. If one tenant consumes too many resources, it degrades the experience for all other tenants.

  • Threat Vectors:
    • A malicious or compromised tenant sends massive amounts of heavy database queries, exhausting connection pools.
    • Volumetric network DDoS attacks targeting the application's load balancer.
    • Algorithmic complexity attacks (e.g., sending massive JSON payloads that consume CPU during parsing).

6. Elevation of Privilege

Definition: An unprivileged user gains privileged access. SaaS Context: A standard user escalating to a Tenant Admin, or worse, a Tenant Admin escalating to a System/Platform Admin (gaining control over the entire SaaS infrastructure).

  • Threat Vectors:
    • Exploiting authorization flaws in the API (Broken Function Level Authorization) to access administrative endpoints.
    • Horizontal escalation (Tenant A User $\rightarrow$ Tenant B User) or Vertical escalation (Tenant User $\rightarrow$ SaaS Global Admin).
    • Bypassing role-based access controls (RBAC) by tampering with the role claims inside a JWT.