Managing Multi-tenancy
Working at an MSP (managed service provider) presents an interesting set of challenges for those who are maintaining infrastructure. I work in Identity & Lifecycle Management but specifically on Okta. I've been in this line of work for 8+ years.
Dealing with multi-tenancy in an environment where you own the infrastructure is quite simple. You can enforce what you want to enforce across all your infra, run the same policies everywhere and maintain a degree of repeatability. In a world where the clients own the infrastructure, your issues start to merge with inter-organizational differences. What I mean by this is that no two companies operate the same way. They have different missions, goals and clients, which also means they have different security standards, tech stacks and operational requirements.
Why does that matter? Because Alice from company A doesn't want to ask her employees to download Google Authenticator, while Bob from company B requires a 32-character alphanumeric password and only allows a YubiKey as a second factor. Meanwhile we are trying to enforce a 'standard' that falls somewhere in the middle. How do we make sure people are 'safe' in their corporate identities while not ruffling too many feathers?
My plan? Infrastructure as Code (IaC) specifically of the Terraform variety.
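To show what "a standard that falls somewhere in the middle" can look like in Terraform, here is an added example of my own, not code from the original post: one Okta password policy per tenant, where the tenant supplies its own settings but anything weaker than the MSP baseline is rejected at `terraform plan` time. It assumes the `okta/okta` provider is already configured against the tenant's org, and the `tenant` variable shape, the `everyone_group_id` value and the sample `tenant.tfvars` in the comments are all assumptions for illustration.

```hcl
# Added example (not the post's own code). Assumes the okta/okta provider is
# configured for the tenant's org and that each client gets its own tfvars.
#
# Example tenant.tfvars (constructed):
#   tenant = {
#     name                  = "Company B"
#     everyone_group_id     = "00g...assumed..."   # the tenant's Everyone group
#     password_min_length   = 32                   # Bob's ask: stricter than baseline, allowed
#     password_max_age_days = 90
#   }

variable "tenant" {
  description = "Per-client password settings; values weaker than the MSP baseline fail validation."
  type = object({
    name                  = string
    everyone_group_id     = string
    password_min_length   = number
    password_max_age_days = number
  })

  # MSP baseline: tenants may go stricter than these floors, never weaker.
  validation {
    condition     = var.tenant.password_min_length >= 12
    error_message = "MSP baseline: password_min_length must be at least 12."
  }
  validation {
    condition     = var.tenant.password_max_age_days == 0 || var.tenant.password_max_age_days <= 365
    error_message = "MSP baseline: passwords must rotate at least yearly (or 0 to disable expiry)."
  }
}

resource "okta_policy_password" "tenant_default" {
  name        = "${var.tenant.name} - password policy"
  status      = "ACTIVE"
  description = "Managed by Terraform: MSP baseline with tenant-specific overrides."

  # Scope the policy to the tenant's own group rather than the org default.
  groups_included = [var.tenant.everyone_group_id]

  # Tenant-controlled knobs, already floored by the validation blocks above.
  password_min_length   = var.tenant.password_min_length
  password_max_age_days = var.tenant.password_max_age_days

  # Fixed baseline settings that every tenant inherits unchanged.
  password_min_lowercase        = 1
  password_min_uppercase        = 1
  password_min_number           = 1
  password_min_symbol           = 1
  password_exclude_username     = true
  password_history_count        = 5
  password_max_lockout_attempts = 10
}
```

The point of putting the floor in `validation` rather than silently clamping with `max()` is that a client asking for an 8-character minimum gets a loud plan-time failure to negotiate over, instead of a policy that quietly differs from what they signed off on. The same pattern extends to `okta_policy_mfa` for the Google Authenticator versus YubiKey question, with the baseline being "at least one phishing-resistant or OTP factor enrolled" and the tenant choosing which.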