Independent claim |
1. A computing system implemented method for managing secrets of tenants of a multi-tenant computing environment, comprising:
identifying one or more data security jurisdiction zones containing one or more multi-tenant assets to which secrets policies of tenants may be applied;
maintaining, by a service provider computing system, service provider secrets policy data representing one or more data security policies for the identified one or more data security jurisdiction zones and security requirements associated with the secrets of tenants within the multi-tenant computing environment;
receiving, by the service provider computing system from a first tenant computing system, first tenant secrets policy data representing a first tenant secrets policy of a first tenant of the multi-tenant computing environment and including data indicating secrets of the first tenant secrets policy;
receiving a request to apply the first tenant secrets policy data to a first multi-tenant asset of the multi-tenant computing environment;
in response to receiving the request, comparing the first tenant secrets policy data with the service provider secrets policy data to determine whether the secrets of the first tenant secrets policy are in compliance with requirements of the service provider secrets policy data;
further in response to receiving the request, comparing the service provider secrets policy data with the first tenant secrets policy to determine whether the first tenant secrets policy is at least as restrictive as the service provider secrets policy and further determining whether secrets sharing is allowed between the first tenant and the first multi-tenant asset;
if the secrets of the first tenant secrets policy are in compliance with requirements of the service provider secrets policy data and if the first tenant secrets policy is at least as restrictive as the service provider secrets policy, and if secrets sharing is allowed between the first tenant and the first multi-tenant asset, authorizing, with the service provider computing system, the request from the first tenant computing system to apply the first tenant secrets policy data to the multi-tenant asset;
if the secrets of the first tenant secrets policy are not in compliance with the requirements of the service provider secrets policy data, or if the first tenant secrets policy is not at least as restrictive as the service provider secrets policy, or if secrets sharing is not allowed between the first tenant and the first multi-tenant asset, rejecting the request to apply the first tenant secrets policy data to the multi-tenant asset; and
applying the first tenant secrets policy data to the multi-tenant asset if the request from the first tenant computing system is authorized. |