I'd like to spend a minute on what makes a multi-tenant application tick and why it's the most likely model to dominate the future, including the enterprise application's future.
Multi-tenancy is different from multi-instance, where multiple copies of one application are launched, each to serve a particular set of end users. And multi-tenancy differs from subdividing a host server with multiple virtual machine guests, each with its own operating system. A multi-tenant server only needs one copy of the operating system: the one that it's working with.
Instead, a multi-tenant application aims to serve as many ad hoc, unrelated individual users -- they may come from competing companies, as Ellison said -- as possible, while running one copy of the application. Initially, that meant hundreds of users at the same time; in Internet time, it means thousands or hundreds of thousands. It does this by having all its application logic resident in memory so that operations may be executed at the speed of light. It either already relies, or soon will rely, strictly on solid-state memory to retrieve data not already pre-fetched into cache; at every turn it seeks to increase speed and reduce latency.
The multi-tenant application is a completely different breed from the monolithic enterprise application, which could scale up only by being moved to a larger server. The multi-tenant application scales out across more servers. To do so, it has to command the collective CPUs of a cluster as its central processing unit. It has to combine their memories into a shared caching pool. And most of all, it has to identify, determine ownership of, tag, classify, and, at all times, restrict access to data to its rightful owners. It's this last characteristic that makes the multi-tenant app controversial.
Customer data has to flow through the same physical memory space, whether on one server or a cluster, so in a traditional sense, the data of one customer is passing in close proximity to the data of many others. What if someone stumbled upon another customer's password or guessed a name or identifier meant to be unique to another customer? Would the data then be exposed? In a shared-memory architecture, the fact of two different owners' data inhabiting the same physical memory is sufficient to brand the approach "a weak security model," as Ellison said.
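The ownership tagging and access restriction described above, and the question of a guessed identifier, are shown here as an added example (not from the original article or any vendor's code). `SharedStore`, `Session`, the record ids and the tenant names are hypothetical.

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Session:
    """Authenticated caller. tenant_id comes from the login layer, never from request input."""
    tenant_id: str
    user: str

class NotFound(Exception):
    """Raised for missing and foreign records alike, so a caller cannot probe for existence."""

class SharedStore:
    """One in-memory pool shared by all tenants; every record carries an owner tag."""

    def __init__(self):
        self._rows = {}          # record_id -> (owner_tenant, payload)
        self._ids = count(1001)  # sequential ids are easy to guess, on purpose

    def put(self, session, payload):
        record_id = f"rec-{next(self._ids)}"
        self._rows[record_id] = (session.tenant_id, payload)  # tag with owner at write time
        return record_id

    def get_unscoped(self, record_id):
        # Weak form: knowing or guessing the identifier is enough to read the data.
        return self._rows[record_id][1]

    def get(self, session, record_id):
        # Hardened form: owner tag is checked against the authenticated tenant on every read.
        row = self._rows.get(record_id)
        if row is None or row[0] != session.tenant_id:
            raise NotFound(record_id)
        return row[1]

def demo():
    store = SharedStore()
    acme, globex = Session("acme", "alice"), Session("globex", "bob")  # constructed tenants
    acme_id = store.put(acme, "ACME pricing sheet")        # rec-1001
    globex_id = store.put(globex, "Globex pricing sheet")  # rec-1002
    results = {"unscoped_guess": store.get_unscoped(acme_id),
               "scoped_own": store.get(globex, globex_id)}
    for label, rid in (("scoped_guess", acme_id), ("scoped_missing", "rec-9999")):
        try:
            results[label] = store.get(globex, rid)
        except NotFound:
            results[label] = "not found"
    return results

if __name__ == "__main__":
    print(demo())
```

Both records sit in the same dictionary, as they would in a shared cache; the scoped read returns the same error for another tenant's record as for one that does not exist.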
But the real question is whether this new model has been made safe and can be made safer in the future. To me, Salesforce.com and other SaaS vendors have established the legitimacy of the multi-tenant model. If it didn't work, we'd be hearing constant complaints about compromises of data and loss of business. The question of whether it can be made safer than it is, however, I would answer at face value: of course it can.