# Tenant Isolation and Cross-Tenant Risks

One-sentence definition: Preventing data leakage and privilege bleed between customers in multi-tenant platforms.

## Key Facts

- Isolation layers: identity, network, compute, storage, metadata.
- Controls: per-tenant keys, RLS, namespaces, strict ACLs, noisy-neighbor throttling.
- Validate with pen tests, chaos tests, and isolation proofs.
- Monitor cross-tenant API calls and unusual data access.
- Document shared responsibility with CSP/SaaS provider.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose controls ensuring customer separation.

**Mnemonic:** “Separate by **I-N-C-S-M**” (Identity, Network, Compute, Storage, Metadata).

## Mini Scenario

Q: Multi-tenant DB shows other tenant rows—fix?

A: Enforce RLS predicates and tenant-scoped keys.

## Revision Checklist

- List 4 isolation layers.
- Name a validation method.
- Tie to shared responsibility.

## Related

[[Database Security: Access Models (RBAC, ABAC, RLS)]] · [[Database Security: Encryption Options (TDE, Field-Level)]] · [[Cloud Data Protection (SaaS, PaaS, IaaS)]] · [[SaaS Admin Hygiene and Least Privilege]] · [[Tokenization]] · [[Domain 2 - Index]]