Privileged Access Management for System to System communications

Perustieteiden korkeakoulu (School of Science) | Master's thesis
Security and Cloud Computing
Degree programme: Master's Programme in Security and Cloud Computing (SECCLO)
Privileged accounts can be the entry point for cybersecurity attacks or stepping stones for further escalation to critical organization resources. Besides privileged accounts for users, there are a large number of credentials for the different pairs of one system accessing another system. This is one challenge of Privileged Access Management: maintaining security and visibility over the usage of confidential resources such as system credentials. Two case studies are applied to this problem: one on the system-to-system (S2S) cases in a large organization, and one on available approaches for a service that not only manages credentials securely but is also able to adapt to as many of the system-to-system cases as possible. This thesis also contributes a procedure to analyze S2S cases based on four steps: (1) identifying the Accessing System (AS) and the Target System (TS); (2) identifying the identity model at the TS side and the authentication protocol between AS and TS; (3) identifying the process of initial setup of the AS-TS credential; and (4) identifying the process of updating the credential. From these four steps, four criteria for a system-to-system credential management service are defined: (A) capable of adapting to the different identity models and authentication protocols of target systems; (B) supporting mechanisms for initial credential setup at different ASs; (C) supporting mechanisms for updating credentials automatically following credential policies; and (D) capable of managing credentials securely. The study shows that S2S cases can be classified into three groups: the accessing group, the target group, and the environment group. The environment group has additional infrastructure support to automate steps (3) and (4) for deployed systems.
Also from the study, the solutions from two cloud providers are only applicable to their own environments, while two self-deployed packages, HashiCorp Vault and Thycotic Secret Server, can be deployed on-premises and are available to applications and services on different infrastructure environments.
Aura, Tuomas
Thesis advisor: Bui, Tien Thanh
privileged access management, system to system, credential management, identity and access management