BoxLite

Multi-Tenant Isolation

Hardware-level boundaries between customer workloads

TL;DR

Multi-tenant applications need strong isolation between customers. A vulnerability in one tenant's workload shouldn't compromise others. BoxLite's micro-VMs provide hardware-level isolation—each tenant runs in their own VM with a separate kernel, making cross-tenant attacks extremely difficult.

The Multi-Tenant Challenge

When multiple customers share infrastructure, isolation is critical:

  • Data leakage: One tenant accessing another's data
  • Resource exhaustion: One tenant consuming all resources
  • Noisy neighbor: One tenant's workload affecting others
  • Lateral movement: Compromised tenant attacking others

Who Needs Multi-Tenant Isolation?

  • SaaS Platforms: Customer workloads, plugins, and custom code execution
  • Hosting Providers: VPS, serverless functions, and managed services
  • Enterprise Applications: Department or team-level isolation requirements
  • Compliance-Heavy Industries: Healthcare, finance, and government workloads requiring strong isolation

Container vs VM Isolation

Containers (Docker, Kubernetes) provide process-level isolation but share the host kernel. Container escapes have occurred (CVE-2024-21626, CVE-2020-15257, etc.), allowing attackers to break out and access other tenants or the host.

BoxLite's micro-VMs run a separate kernel per tenant. Even if a tenant exploits a kernel vulnerability, the kernel they compromise is their own guest kernel, so they are still contained within their own VM.

| Isolation Level | Containers | BoxLite VMs |
|---|---|---|
| Kernel | Shared | Separate per tenant |
| Escape attack surface | Kernel syscalls | Hypervisor (minimal) |
| Noisy neighbor risk | Higher | Lower (VM scheduling) |
| Compliance readiness | May require extra controls | Strong isolation by default |
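
One way to check the shared-kernel versus separate-kernel distinction above from the operator's side, as an added example that is not BoxLite's own code: every running Linux kernel exposes a random per-boot UUID in /proc/sys/kernel/random/boot_id, so a sandbox that reports the host's value shares the host kernel, and two tenants reporting the same value share one kernel. The names Probe and audit_kernel_sharing are hypothetical, how the value is collected from each sandbox is an assumption, and the boot IDs and tenant names are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Linux exposes one random UUID per booted kernel at this path.
BOOT_ID_PATH = "/proc/sys/kernel/random/boot_id"


@dataclass(frozen=True)
class Probe:
    tenant_id: str  # tenant the sandbox was launched for
    boot_id: str    # BOOT_ID_PATH contents as read inside that sandbox


def read_host_boot_id(path: str = BOOT_ID_PATH) -> str:
    """Read the boot_id of the kernel this process runs on (Linux hosts)."""
    with open(path, encoding="ascii") as fh:
        return fh.read().strip().lower()


def audit_kernel_sharing(host_boot_id: str, probes: list[Probe]) -> list[str]:
    """Return findings; an empty list means one kernel per tenant."""
    host = host_boot_id.strip().lower()
    findings: list[str] = []
    tenants_by_kernel: dict[str, set[str]] = defaultdict(set)
    for probe in probes:
        boot_id = probe.boot_id.strip().lower()
        if not boot_id:
            findings.append(f"{probe.tenant_id}: no boot_id reported, isolation unverified")
        elif boot_id == host:
            findings.append(f"{probe.tenant_id}: shares the host kernel")
        else:
            tenants_by_kernel[boot_id].add(probe.tenant_id)
    for boot_id, tenants in sorted(tenants_by_kernel.items()):
        if len(tenants) > 1:
            findings.append(f"kernel {boot_id[:8]} is shared by tenants {', '.join(sorted(tenants))}")
    return findings


# Constructed sample data (not real measurements).
SAMPLE_HOST = "0a1b2c3d-0000-4000-8000-000000000001"
SAMPLE_PROBES = [
    Probe("acme", "5e6f7a8b-0000-4000-8000-000000000002"),       # own kernel
    Probe("globex", "0A1B2C3D-0000-4000-8000-000000000001\n"),   # same as host
    Probe("initech", "9c9d9e9f-0000-4000-8000-000000000003"),
    Probe("umbrella", "9c9d9e9f-0000-4000-8000-000000000003"),   # same kernel as initech
    Probe("hooli", ""),                                          # probe returned nothing
]

if __name__ == "__main__":
    for finding in audit_kernel_sharing(SAMPLE_HOST, SAMPLE_PROBES):
        print(finding)
```

Collect the value with a probe the operator launches before tenant code runs, since a tenant who controls the guest can report any value it likes.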

How to Use BoxLite for Multi-Tenancy

import boxlite

async def run_tenant_workload(tenant_id: str, code: str):
    # Each tenant gets their own isolated micro-VM
    async with boxlite.SimpleBox(
        image="python:3.12-slim",
        memory_mb=512,
        cpus=1,
        labels={"tenant_id": tenant_id}
    ) as box:
        result = await box.exec("python", "-c", code)
        return {
            "tenant_id": tenant_id,
            "output": result.stdout,
            "exit_code": result.exit_code
        }

Resource Limits

BoxLite enforces resource limits at the VM level:

  • Memory: Hard limit on RAM per tenant VM
  • CPU: CPU core and time limits
  • Disk: Storage limits and I/O throttling
  • Network: Bandwidth limits and isolation

These limits are enforced by the hypervisor, outside the guest OS, so a malicious tenant cannot bypass them from inside the VM.

Compliance Benefits

Hardware-level isolation helps with compliance requirements:

  • SOC 2: Strong logical separation of customer data
  • HIPAA: Protected health information isolation
  • PCI DSS: Cardholder data environment separation
  • FedRAMP: Government workload isolation
