TOSSMA: A tenant-oriented SaaS security management architecture

Mohamed Almorsy, John Grundy, Amani S. Ibrahim

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

30 Citations (Scopus)


Multi-tenancy helps service providers to save costs, improve resource utilization, and reduce service customization and maintenance time by sharing of resources and services. On the other hand, supporting multi-tenancy adds more complexity to the shared application's required capabilities. Security is a key requirement that must be addressed when engineering new SaaS applications or when re-engineering existing applications to support multi-tenancy. Traditional security (re)engineering approaches do not fit with the multi-tenancy application model where tenants and their security requirements emerge after the system was first developed. Enabling, runtime, adaptable and tenant-oriented application security customization on single service instance is a key challenging security goal in multi-tenant application engineering. In this paper we introduce TOSSMA, a Tenant-Oriented SaaS Security Management Architecture. TOSSMA allows service providers to enable their tenants in defining, customizing and enforcing their security requirements without having to go back to application developers for maintenance or security customizations. TOSSMA supports security management for both new and existing systems. Service providers are not required to write security integration code to use a specific security platform or mechanism. In this paper, we describe details of our approach and architecture, our prototype implementation of TOSSMA, give a usage example of securing a multi-tenant SaaS, and discuss our evaluation experiments of TOSSMA.

Original languageEnglish
Title of host publicationProceedings - 2012 IEEE 5th International Conference on Cloud Computing, CLOUD 2012
Number of pages8
Publication statusPublished - 2012
Externally publishedYes
EventIEEE International Conference on Cloud Computing 2012 - Honolulu, United States of America
Duration: 24 Jun 201229 Jun 2012
Conference number: 5th


ConferenceIEEE International Conference on Cloud Computing 2012
Abbreviated titleCLOUD 2012
Country/TerritoryUnited States of America
Internet address


  • Cloud computing
  • cloud computing security
  • multi-tenancy security
  • SaaS application security

Cite this