WithPCI.com

Multi-Tenant Service Provider Security Policy Template

Document Information

Company Name: [Company Name] (as Service Provider)
Effective Date: [Date]
Version: [Version Number, e.g., 1.0]
Policy Owner: [CISO / Head of Cloud Operations]
Document Classification: Confidential / Internal Use Only
Parent Policy: Information Security Policy

Purpose

This policy establishes the framework for designing, deploying, operating, and securing [Company Name]'s multi-tenant services and platforms. Its purpose is to ensure robust separation and protection of customer environments and data within shared infrastructure, applications, or systems, thereby safeguarding confidentiality, integrity, and availability. This policy mandates controls to mitigate risks inherent in multi-tenancy, meet contractual obligations, and ensure compliance with relevant regulations and standards, including the specific requirements outlined in PCI DSS v4.0.1 Appendix A1 for Multi-Tenant Service Providers.


Scope

This policy applies to all multi-tenant services offered by [Company Name] where customers share system resources (such as physical or virtual servers), infrastructure, applications (including SaaS), databases, or network services, excluding pure co-location services. It covers the entire lifecycle of these services, from design and development through deployment, ongoing operations, monitoring, maintenance, and decommissioning. All [Company Name] employees, contractors, consultants, and third parties involved in the architecture, development, management, or security of these multi-tenant environments are subject to this policy. This policy specifically addresses requirements for protecting customer data, including but not limited to Cardholder Data (CHD), within the shared environment.


Roles and Responsibilities

Role/Group: Key Responsibilities

Executive Management: Provide oversight for the secure operation of multi-tenant services; Set risk tolerance related to multi-tenancy; Ensure adequate resources for implementing and maintaining required security controls.
CISO / Head of Cloud Operations: Own and approve this policy; Oversee the design, implementation, and operational security of multi-tenant platforms; Ensure compliance with PCI DSS Appendix A1 and other relevant standards; Report on multi-tenant security posture.
Information Security Team: Define security standards for multi-tenant architectures; Assess and approve designs; Conduct/oversee segmentation testing; Monitor shared infrastructure for security events; Manage security tools protecting the platform; Advise on tenant isolation.
Cloud/Platform Engineering Team: Design, build, configure, and maintain the multi-tenant infrastructure and platform components according to security standards; Implement and manage segmentation controls; Ensure secure deployment pipelines.
Network Engineering Team: Implement and manage network segmentation, firewalls, and other network controls supporting tenant isolation.
Application Development Team (for SaaS): Develop multi-tenant applications with secure coding practices ensuring data segregation and tenant isolation at the application layer; Remediate application vulnerabilities impacting multi-tenancy.
IT Operations / System Administrators: Manage shared operating systems and infrastructure components securely; Apply patches; Manage access controls for provider personnel; Implement monitoring and logging for shared resources.
Customer Support / Success Team: Act as a point of contact for customer-reported security incidents or vulnerabilities related to the shared service; Follow procedures for escalating reports internally (per A1.2.3).
Legal & Compliance Team: Ensure customer agreements accurately reflect security responsibilities (shared responsibility matrix); Advise on legal/regulatory aspects of providing multi-tenant services; Oversee PCI DSS assessments including Appendix A1 scope.

Policy Requirements

1. Secure Multi-Tenant Architecture and Design

  • Multi-tenant services must be designed and architected with security and tenant isolation as fundamental principles from the outset.
  • Employ robust mechanisms (logical and/or physical) to enforce strict separation between tenant environments, data, configurations, and network traffic.
  • Implement secure default configurations for all platform components and tenant environments (where applicable), adhering to hardening standards defined in the System & Configuration Management Policy.
  • Minimize shared components where feasible and apply stricter controls to those components essential for multi-tenant operation.

2. Tenant Environment Segmentation and Isolation (PCI DSS Req A1.1)

  • Implement strong technical controls (e.g., firewalls, VLANs, virtualization controls, application-layer logic, secure API gateways) to prevent any unauthorized access or visibility between different tenant environments.
  • Prevent tenant access to the underlying shared infrastructure components or management interfaces unless explicitly required and securely controlled.
  • Prevent tenant access to resources not specifically allocated to them.
  • Segmentation Testing (PCI DSS Req A1.1.4): Perform penetration testing specifically focused on validating the effectiveness of segmentation controls between tenant environments at least every six months. This testing must be performed by qualified internal resources (organizationally independent) or qualified external third parties. Results must be documented, and failures remediated promptly.

3. Access Control Management

  • Provider Access: [Company Name] personnel access to the shared infrastructure and platform components, as well as any necessary administrative access into tenant environments for support or maintenance, must be strictly controlled based on least privilege, require Multi-Factor Authentication (MFA), be uniquely identifiable, and be logged and monitored. Justification for access into tenant environments must be documented.
  • Tenant Access: Provide mechanisms for customers to manage access within their own allocated environment securely, adhering to principles of least privilege and strong authentication as defined by overarching security policies.
  • Resource Allocation: Implement controls to ensure tenants can only access the system resources (CPU, memory, storage, network bandwidth) allocated to them.

4. Data Protection and Isolation within Shared Environments

  • Implement technical and procedural controls to ensure the confidentiality and integrity of each tenant's data within the shared environment. This includes logical data segregation at storage and application layers.
  • Apply encryption controls (at rest and in transit) for sensitive tenant data (including CHD) according to the Data Protection & Encryption Policy, using strong cryptography and secure key management practices, potentially employing tenant-specific keys where appropriate and feasible.
  • Ensure provider processes (e.g., backups, monitoring, analytics) do not expose one tenant's sensitive data to another tenant or unauthorized personnel.

5. Logging, Monitoring, and Incident Response Facilitation (PCI DSS Req A1.2)

  • Tenant Log Access (PCI DSS Req A1.2.1): Implement logging mechanisms on shared system components (e.g., firewalls, OS, databases, applications) such that logs relevant to individual tenant activity can be isolated and made available to the respective tenant upon request, meeting PCI DSS Requirement 10 standards.
  • Forensic Support (PCI DSS Req A1.2.2): Establish and maintain procedures to support customer forensic investigations in the event of a suspected or confirmed security incident impacting their environment within the shared service. This includes providing relevant logs and potentially other necessary evidence, while maintaining the isolation and confidentiality of other tenants.
  • Customer Reporting Mechanism (PCI DSS Req A1.2.3): Implement and clearly communicate a formal process or mechanism for customers to report suspected security incidents and vulnerabilities they identify within the service.
  • Provider Response Process (PCI DSS Req A1.2.3): Establish and maintain documented procedures for [Company Name] to respond to customer-reported incidents and vulnerabilities. This includes timely investigation, communication with the reporting customer, and remediation of confirmed issues impacting the shared service or customer environments.
  • Platform Monitoring: Continuously monitor the health and security of the underlying shared infrastructure and platform components for anomalies, security events, and potential breaches.
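As an added illustration of the Tenant Log Access and Forensic Support requirements above (example code written for this page; it is not part of the template and not any WithPCI tooling), the following script shows one way to carve a single tenant's records out of a shared-component log before handing them to that customer. It assumes the shared component writes JSON lines carrying a tenant_id field; the sample log, the field names, the tenant identifiers and the operator field are all constructed for the example. Records without a tenant owner (platform events) are withheld, malformed lines are counted rather than silently dropped, provider-internal fields are stripped while the fact of provider access is preserved, and a final check refuses to release an export that mentions any other tenant.

```python
import json
from dataclasses import dataclass, field

# Constructed sample of a shared-component log in JSON-lines form (not a real log).
SHARED_LOG = """\
{"ts":"2024-05-01T10:00:01Z","component":"api-gw","tenant_id":"t-100","src_ip":"203.0.113.10","action":"login","result":"success","user":"alice"}
{"ts":"2024-05-01T10:00:02Z","component":"api-gw","tenant_id":"t-200","src_ip":"198.51.100.7","action":"login","result":"failure","user":"bob"}
{"ts":"2024-05-01T10:00:03Z","component":"fw","tenant_id":"t-100","src_ip":"203.0.113.10","action":"deny","dst_port":22}
{"ts":"2024-05-01T10:00:04Z","component":"hypervisor","action":"vm_migrate","vm":"vm-77","operator":"svc-ops"}
{"ts":"2024-05-01T10:00:05Z","component":"db","tenant_id":"t-100","action":"query","rows":12,"operator":"svc-dba","note":"support ticket 4412"}
this line is not json
{"ts":"2024-05-01T10:00:06Z","component":"api-gw","tenant_id":"t-300","action":"login","result":"success","user":"carol"}
"""

TENANT_KEY = "tenant_id"          # assumed field name identifying the owning tenant
PROVIDER_ONLY_FIELDS = {"operator"}  # assumed provider-internal fields, never exported


@dataclass
class TenantExtract:
    """Result of isolating one tenant's records from a shared log."""
    tenant_id: str
    records: list = field(default_factory=list)
    skipped_malformed: int = 0   # lines that could not be parsed (flag for investigation)
    skipped_platform: int = 0    # events with no tenant owner (stay with the provider)


def extract_tenant_logs(raw: str, tenant_id: str) -> TenantExtract:
    """Return only the records owned by tenant_id, with provider-internal fields removed."""
    out = TenantExtract(tenant_id)
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            out.skipped_malformed += 1
            continue
        if TENANT_KEY not in rec:
            # Platform-level event: not attributable to a tenant, so not released.
            out.skipped_platform += 1
            continue
        if rec[TENANT_KEY] != tenant_id:
            continue  # another tenant's record: never included
        if any(k in rec for k in PROVIDER_ONLY_FIELDS):
            # Keep the evidence that provider personnel touched the tenant's data
            # (needed for forensic support) without exposing internal account names.
            rec = {k: v for k, v in rec.items() if k not in PROVIDER_ONLY_FIELDS}
            rec["provider_access"] = True
        out.records.append(rec)
    return out


def verify_isolation(extract: TenantExtract, all_tenants) -> bool:
    """Release gate: every record belongs to the requesting tenant and the serialized
    export contains no other tenant identifier anywhere (keys, values or free text)."""
    for rec in extract.records:
        if rec.get(TENANT_KEY) != extract.tenant_id:
            return False
    serialized = json.dumps(extract.records)
    return not any(t in serialized for t in all_tenants if t != extract.tenant_id)


if __name__ == "__main__":
    known_tenants = {"t-100", "t-200", "t-300"}
    result = extract_tenant_logs(SHARED_LOG, "t-100")
    print(f"records={len(result.records)} malformed={result.skipped_malformed} "
          f"platform={result.skipped_platform} release_ok={verify_isolation(result, known_tenants)}")
```

The substring check in verify_isolation is deliberately blunt: a tenant identifier that turns up in a free-text field such as a support note is still a cross-tenant disclosure, and blocking the export is cheaper than explaining it afterwards.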

6. Vulnerability and Patch Management (Shared Platform)

  • Maintain a rigorous vulnerability and patch management program (as defined in the Vulnerability Management Policy) for all components of the shared infrastructure and platform managed by [Company Name].
  • Conduct regular vulnerability assessments and remediate findings based on risk, with special priority for vulnerabilities that could impact tenant isolation or cross-tenant security.
  • Address identified vulnerabilities, especially those impacting tenant isolation or platform security, according to defined risk ratings and remediation timelines.
  • Communicate relevant vulnerability information or required actions to customers if tenant action is necessary (e.g., patching software within their instance).

7. Change Management (Shared Platform)

  • All changes to the shared multi-tenant platform, infrastructure, or core applications must follow the [Company Name] Change Management Policy.
  • Change requests must include an assessment of the potential impact on tenant environments, isolation controls, and overall platform security.
  • Implement changes in a way that minimizes disruption and risk to tenants. Provide advance notification to customers for changes that may impact their service usage.

8. Customer Communication and Shared Responsibilities

  • Clearly document and communicate the division of security responsibilities between [Company Name] (as the MTSP) and its customers, particularly regarding PCI DSS compliance (Shared Responsibility Matrix) (PCI DSS Req 12.8.5).
  • Provide customers with clear documentation regarding the security controls implemented by the provider and any security configurations required on the customer's side.
  • Ensure that the company's PCI DSS Attestation of Compliance (AOC) explicitly includes the Appendix A1 scope if providing services relevant to customer CDEs. Make compliance documentation available to customers upon request, subject to confidentiality agreements.

9. Personnel Security and Training

  • Ensure personnel involved in managing or operating the multi-tenant environment receive appropriate background checks (where applicable) and specialized security training focused on multi-tenancy risks, tenant isolation techniques, secure configuration, and incident handling in shared environments.

Enforcement

  • Failure by [Company Name] personnel to comply with this policy may result in disciplinary action, up to and including termination of employment, in accordance with established HR policies.
  • Non-compliance may lead to security incidents impacting customers, contractual liabilities, regulatory penalties, loss of certifications (e.g., PCI DSS compliance), and significant reputational damage.
  • Deviations from security standards required by this policy must undergo a formal risk assessment and be approved via the Risk Acceptance process defined in the Governance & Compliance Policy. Such exceptions must include compensating controls and be time-bound.

Revision History

Version | Date | Author | Change Details
1.0 | [Date] | [Author Name] | Initial policy release based on PCI DSS v4.0 Appendix A1
[Ver #] | [Date] | [Author Name] | [Summary of changes]

Approval

Name | Title | Signature | Date
[Exec Name] | [Executive Title, e.g., CTO] | [Signature] | [Date]
[CISO Name] | [CISO / Head of Cloud Ops] | [Signature] | [Date]

Appendix A: Segmentation Testing Requirements (PCI DSS A1.1.4)

  • Frequency: At least every six months and after any significant changes to segmentation controls or methods.
  • Scope: Testing must specifically target the controls separating different tenant environments and separating tenant environments from the provider's shared infrastructure/management plane.
  • Methodology: Utilize penetration testing techniques attempting to:
    • Access, view, or modify data belonging to another tenant.
    • Access another tenant's environment or resources.
    • Gain unauthorized access to the underlying shared infrastructure from a tenant environment.
    • Bypass authentication or authorization controls between tenants or between tenant and provider systems.
  • Personnel: Performed by qualified personnel (internal team organizationally separate from platform management/development, or qualified third party).
  • Documentation: Maintain detailed reports of testing methodology, scope, findings, and remediation actions. Remediation must be verified by re-testing.

Appendix B: Customer Incident/Vulnerability Reporting Process Flow (PCI DSS A1.2.3)

graph TD
    A[Customer Identifies Suspected Incident/Vulnerability] --> B{"Customer Reports via Designated Channel (Portal, Email, Hotline)"};
    B --> C[Provider Support/Security Team Receives Report];
    C --> D["Acknowledge Receipt to Customer (within SLA)"];
    D --> E{Initial Triage & Validation};
    E -- Validated --> F[Log Issue & Assign Severity];
    E -- Not Validated / More Info Needed --> G[Communicate Back to Customer];
    F --> H{"Investigate Impact (Specific Tenant / Shared Platform?)"};
    H -- Shared Platform Impact --> I[Initiate Provider Incident Response / Vulnerability Management Process];
    H -- Specific Tenant Impact Only --> J["Coordinate Remediation with Customer (if applicable)"];
    I --> K[Develop & Implement Remediation];
    J --> K;
    K --> L[Verify Remediation];
    L --> M["Communicate Resolution Status to Reporting Customer(s)"];
    M --> N[Document Incident/Vulnerability & Resolution];

    subgraph Reporting & Triage
        A
        B
        C
        D
        E
        G
    end
    subgraph Investigation & Response
        F
        H
        I
        J
        K
        L
    end
    subgraph Closure
        M
        N
    end

Appendix C: PCI DSS Appendix A1 Requirements Matrix

PCI DSS Requirement | Relevant Policy Section(s) | Key Controls Covered
A1.1 (Overall) | Policy Req 1 (Architecture), Req 2 (Segmentation) | Protect environments and data of hosted merchants and service providers.
A1.1.1 | Policy Req 2 (Segmentation), Req 3 (Access Control) | Implement logical/physical controls to segment each tenant environment; Prevent cross-tenant access.
A1.1.2 | Policy Req 3 (Provider Access) | Securely manage provider administrative access into tenant environments (authorized, monitored, MFA, least privilege).
A1.1.3 | Policy Req 2 (Segmentation), Req 3 (Access Control) | Ensure tenants only access their allocated resources; Prevent tenant access to provider infrastructure.
A1.1.4 | Policy Req 2 (Segmentation Testing), Appendix A | Perform penetration testing of segmentation controls at least every six months and after significant changes.
A1.2 (Overall) | Policy Req 5 (Logging, Monitoring, IR Facilitation) | Support customer compliance and incident response activities.
A1.2.1 | Policy Req 5 (Tenant Log Access) | Ensure logs on shared components relevant to customers are available to them upon request (meeting Req 10 standards).
A1.2.2 | Policy Req 5 (Forensic Support) | Maintain processes to support customer forensic investigations impacting shared systems.
A1.2.3 | Policy Req 5 (Customer Reporting, Provider Response), Appendix B | Maintain mechanism for customers to report incidents/vulnerabilities; Maintain process for provider to respond and remediate.

Appendix D: Example Shared Responsibility Matrix Snippet (Illustrative)

Control Area | PCI DSS Requirement Example | Provider ([Company Name]) Responsibility | Customer Responsibility
Network Security | Req 1.2, Req 1.3, Req 1.5 | Manage shared firewalls, network infrastructure, segmentation between tenants | Configure security groups/firewalls within their allocated virtual network; Manage OS-level firewalls within instances
Data Protection | Req 3.5, Req 3.6 | Provide options for encryption at rest (e.g., encrypted storage); Securely manage platform-level keys/HSMs | Configure and enable encryption for data stored within their instances/databases; Manage customer-specific encryption keys
Vulnerability Mgmt | Req 6.3, Req 11.3 | Patch shared infrastructure/platform OS & hypervisor; Scan shared infra | Patch OS and applications deployed within customer instances; Scan customer instances and applications
Access Control | Req 7, Req 8 | Secure provider administrative access; Manage IAM for shared platform services | Manage user accounts, passwords, MFA, and permissions within customer instances and applications
Logging & Monitoring | Req 10 | Log provider actions & platform events; Provide mechanisms for customer log access | Configure application/OS logging within instances; Monitor customer-specific logs; Report incidents to provider

Note: This is highly simplified. A detailed matrix specific to the services offered must be provided to customers.
