Federico Barbero
ENTERPRISE SCALE CLOUD IDENTITY MANAGEMENT SYSTEM.
Rel. Edoardo Patti. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2022
Abstract: |
Storm Reply is trying to enhance its Cloud Landing Zone, a secure and automated playground to deploy cloud infrastructure to host applications and workloads for its customers. One of the building blocks of the new Landing Zone is the Identity Management solution, which should integrate with the corporate identity system and provide a user directory for customer identities as well. The new solution needs to provide a Single Sign-On experience for the Landing Zone alongside managing access and permissions on the infrastructure assets managed by the team. The solution will also help the unit to maintain compliance with ISO/IEC 27001 standard, which certifies the unit operations in terms of Information Security. The work of this thesis was to review the current solution in place, understand its weaknesses, then design the evolution of the Identity Management System, comparing the existing available products in the commercial and open source world, focusing on integration with the AWS Cloud platform, scalability and improvement of the security posture. The final architecture was chosen based on the capability of the different proposals to satisfy requirements and meet cost expectations as well as following technology preferences from the company. The final solution revolves around three main components: AWS Single Sign-On service - essentially an SSO broker AWS Directory Service for Microsoft Active Directory - user directory federated with Reply Active Directory system Hashicorp Vault - pluggable secret management system that integrates with Active Directory and is able to provide advanced authorization backends for multiple systems (databases, applications, etc.) leveraging key concepts like dynamic secrets, lease and revocation mechanism that remove the need to manage long-lived credentials Leveraging AWS services and deployment of server components on modern scalable and high available platforms like Kubernetes, High Availability is guaranteed by the new design, improving on the pre-existing solution. From a functional point of view the new system extends the pool of applications and services that can be integrated (which could be expanded further more in the future through plugins) and improves the security posture through usage of Multi Factor Authentication, One Time Passwords, lease and revoke mechanism, dynamic secrets. A proof of concept of the solution has been implemented and validated, using Infrastructure as Code paradigm, then production implementation has started and an on-boarding plan of the different assets, accounts and project has been proposed. The plan will be validated in terms of impacts and timings by the various project responsibles in the company. |
---|---|
Relatori: | Edoardo Patti |
Anno accademico: | 2021/22 |
Tipo di pubblicazione: | Elettronica |
Numero di pagine: | 74 |
Informazioni aggiuntive: | Tesi secretata. Fulltext non presente |
Soggetti: | |
Corso di laurea: | Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering) |
Classe di laurea: | Nuovo ordinamento > Laurea magistrale > LM-32 - INGEGNERIA INFORMATICA |
Ente in cotutela: | TELECOM ParisTech - EURECOM (FRANCIA) |
Aziende collaboratrici: | STORM REPLY S.R.L. con unico socio |
URI: | http://webthesis.biblio.polito.it/id/eprint/22744 |
Modifica (riservato agli operatori) |