Privileged access management for system to system communications

Thumbnail Image

URL

Journal Title

Journal ISSN

Volume Title

Perustieteiden korkeakoulu | Master's thesis

Authors

Date

2020-08-18

Department

Major/Subject

Security and Cloud Computing

Mcode

SCI3084

Degree programme

Master’s Programme in Security and Cloud Computing (SECCLO)

Language

en

Pages

55+1

Series

Abstract

Privileged accounts can be the entry point for cybersecurity attacks or step stones for further escalations to critical organization resources. Beside privileged accounts for users, there are a large number of credentials for different pair of a system accessing a system. This is one challenge of Privileged Access management on maintaining security and visibility on the usage of confidential resources like system credentials. Two case studies are applied for this problem, one is on the system to system cases in a large organization, and one is on available approaches for a service to not only securely managing credentials but also able to maximize adaptation to most of the system to system cases. This thesis also contributes the procedure to analyze S2S cases based on four steps: (1) identifying the Accessing System (AS), the Target System (TS); (2) identifying the identity model at the TS side and the authentication protocol between AS and TS; (3) identifying the process of initial setup of AS-TS credential; and (4) the process of updating the credential. From these four steps, four criteria for a system to system credential management service are defined including (A) capable to adapt with different the identity model and authentication protocol of target systems; (B) support mechanisms for initial credential setup at different AS; (C) support mechanisms for updating credential automatically following credential policies; (D) capable to managing credentials securely. The study shows S2S cases can be classified into three groups including accessing group, target group, and environment group. The environment group has additional infrastructure supports to automate the step (3) and (4) of deployed systems. Also from the study, the solutions from two cloud providers are only applicable to their owned environment, two self-deployed packages with Hashicorp Vault and Thycotic Secret Server can be deployed on-premises but available to applications and services on different infrastructure environments.

Description

Supervisor

Aura, Tuomas

Thesis advisor

Bui, Tien Thanh

Keywords

privilege access management, system to system, credential management, identity and access management

Other note

Citation

Permanent link to this item

https://urn.fi/URN:NBN:fi:aalto-202008245171

Collections

[dipl] Perustieteiden korkeakoulu / SCI