When a Software as a Service (SaaS) solution serves multiple tenants from a public cloud provider, the data flow between each tenant and the service must be secured. Because security is a responsibility shared between the cloud provider and the consumer, the consumer must take care not to use public-cloud services in a way that undermines data segregation or otherwise weakens overall security.
Taking Amazon Web Services (AWS) and the Darktrace for Endpoint product as an example, each tenant receives its own container, run as a task on ECS Fargate, so that one tenant's data is never processed alongside another's. Each tenant's container has its own DNS name, aliased to an AWS Application Load Balancer (ALB); the load balancer routes requests for that name to the tenant's own isolated container and service for processing. Running on ECS Fargate keeps costs down, since compute is billed only while a task is actually running, and it means a compromise of one container is confined to that single tenant rather than exposing the data of others.
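As an added example (not Darktrace's own code or configuration), the per-tenant routing and data scoping described above can be expressed as a small generator plus two offline checks: one ALB listener rule per tenant with an exact host-header match forwarding to that tenant's target group, and one task IAM role per tenant scoped to that tenant's object prefix. The evaluators at the bottom mimic ALB rule evaluation and a minimal IAM Allow check so the two isolation properties can be verified without an AWS account. The domain, account ID, region, ARNs, bucket name, tenant IDs and the tenant-ID naming rule are all assumptions for illustration.

```python
"""Per-tenant ECS Fargate service behind an ALB: generate the host-based
routing rules and the scoped task role, then check isolation offline.
Added example; all names, ARNs and IDs below are assumed, not real."""

import re
from typing import Optional

BASE_DOMAIN = "endpoint.example.com"     # assumed: tenant agents talk to <tenant>.<BASE_DOMAIN>
ACCOUNT = "123456789012"                 # assumed AWS account id
REGION = "eu-west-1"                     # assumed region
DATA_BUCKET = "example-tenant-data"      # assumed bucket, one prefix per tenant
# Tenant ids end up in hostnames and S3 prefixes, so they are validated
# strictly (no dots, slashes or "..") before being interpolated anywhere.
TENANT_ID_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,30}$")  # assumed naming rule


def tenant_hostname(tenant_id: str) -> str:
    """DNS name for the tenant; in DNS it is an alias record pointing at the ALB."""
    if not TENANT_ID_RE.match(tenant_id):
        raise ValueError(f"invalid tenant id: {tenant_id!r}")
    return f"{tenant_id}.{BASE_DOMAIN}"


def target_group_arn(tenant_id: str) -> str:
    """Target group that contains only this tenant's Fargate task(s) (assumed ARN)."""
    tenant_hostname(tenant_id)  # reuse the validation
    return (f"arn:aws:elasticloadbalancing:{REGION}:{ACCOUNT}:"
            f"targetgroup/tg-{tenant_id}/0123456789abcdef")


def listener_rule(tenant_id: str, priority: int) -> dict:
    """ALB listener rule in the shape boto3's elbv2.create_rule accepts:
    exact host-header match -> forward to the tenant's own target group."""
    return {
        "Priority": priority,
        "Conditions": [{"Field": "host-header",
                        "HostHeaderConfig": {"Values": [tenant_hostname(tenant_id)]}}],
        "Actions": [{"Type": "forward", "TargetGroupArn": target_group_arn(tenant_id)}],
    }


def task_role_policy(tenant_id: str) -> dict:
    """IAM policy for the tenant's ECS task role: only this tenant's prefix."""
    prefix = f"{tenant_hostname(tenant_id).split('.')[0]}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{DATA_BUCKET}/{prefix}*"},
            {"Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{DATA_BUCKET}",
             "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
        ],
    }


def route(rules: list, host: str) -> Optional[str]:
    """Mimic ALB evaluation: rules in priority order, case-insensitive exact host
    match; no match falls through to the listener default (a fixed 404 here,
    returned as None) so an unknown hostname never reaches any tenant."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        for cond in rule["Conditions"]:
            values = [v.lower() for v in cond["HostHeaderConfig"]["Values"]]
            if cond["Field"] == "host-header" and host.lower() in values:
                return rule["Actions"][0]["TargetGroupArn"]
    return None


def _glob(pattern: str, value: str) -> bool:
    """IAM-style '*' wildcard match."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def policy_allows(policy: dict, action: str, resource: str,
                  prefix: Optional[str] = None) -> bool:
    """Minimal evaluator: true if some Allow statement matches the action and
    resource, honouring only the s3:prefix StringLike condition used above."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(_glob(a, action) for a in actions):
            continue
        if not _glob(st["Resource"], resource):
            continue
        want = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if want is not None and (prefix is None or not _glob(want, prefix)):
            continue
        return True
    return False


if __name__ == "__main__":
    rules = [listener_rule(t, i + 1) for i, t in enumerate(["acme", "globex"])]
    print(route(rules, "acme.endpoint.example.com"))      # acme's target group
    print(route(rules, "unknown.endpoint.example.com"))   # None: default 404
    pol = task_role_policy("acme")
    print(policy_allows(pol, "s3:GetObject", f"arn:aws:s3:::{DATA_BUCKET}/acme/a.bin"))    # True
    print(policy_allows(pol, "s3:GetObject", f"arn:aws:s3:::{DATA_BUCKET}/globex/b.bin"))  # False
```

The two checks correspond to the two boundaries a per-tenant deployment relies on: the ALB only forwards a tenant's hostname to that tenant's target group (anything else hits the default action), and the task role attached to a tenant's container cannot read or list another tenant's prefix even if the container itself is compromised. The strict tenant-ID pattern matters because the ID is interpolated into both a hostname and an S3 prefix; an unvalidated ID such as `acme/../globex` would silently widen the policy.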
This technology has two important benefits:
Of course, many other security measures are in place to prevent the compromise of an instance (here, a container) in the first place; per-tenant containers are just one of the measures Darktrace takes to protect customers should that unlikely but very serious situation arise.