
ZERO TRUST ARCHITECTURES IN A MULTI-CLOUD ENVIRONMENT

Andrea Martiradonna

Supervisor: Riccardo Sisto. Politecnico di Torino, Master's degree programme in Computer Engineering (Ingegneria Informatica), 2023

PDF (Tesi_di_laurea) - Tesi
Licenza: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

Over the past two decades, the migration of workloads to the cloud has dominated the landscape and is now evolving towards solutions that encompass more than a single cloud instance. Organizations are increasingly interested in defining valid multi-cloud strategies, and with that comes the need for robust and secure architectures. This elevates the intrinsic challenges of cloud infrastructures to a whole new level and introduces new challenges tied to the distribution of clusters across different cloud providers: automatic service discovery across different networks, consistent identity and access management throughout the entire architecture, secure channels for communication across clusters, and a way of monitoring and logging all of the workload's interactions. The goal of this thesis is to tackle those challenges by exploring a possible solution and presenting proof that it achieves the stated objective. As an alternative to the traditional approach of assuming trust within a network perimeter, deemed insufficient for this kind of environment, the concept of Zero Trust is explored, emphasizing the necessity of regarding every network and communication as untrusted. To implement this principle, the use of a service mesh is proposed as a means of ensuring secure and reliable communication. This is, in fact, a powerful technology consisting of a swarm of proxies, piloted by a single controller, that attach to the various application microservices and oversee their traffic behaviour. The distributed nature of this approach is well suited to environments spanning multiple clusters, regardless of where their microservices are located, including deployments across different clouds. As long as a connection to the control plane is possible, the proxies allow the workloads' traffic behaviour to be managed.
This enables seamless coordination and control across geographically dispersed clusters, ensuring a scalable and resilient framework to monitor and manage both traffic routing and access control between and within cloud environments. Specifically, Istio is first discussed and then employed as the key technology for implementing the proposed solution in the proof of concept documented in the second half of the paper. The PoC demonstrates how security can be achieved, using a mock application deployed over two different clusters emulating a multi-cloud environment, through the enforcement of different kinds of policies and resources and the use of both an external authenticator and a JWT-based fine-grained route permission check. The Istio mesh is the keystone of the architecture: it not only allows the clusters to communicate in the first place, but also makes it possible to orchestrate the behaviour of the architecture's services and gate the application behind a custom authentication flow integrated into the architecture. A considerable amount of effort has also been devoted to ensuring the PoC's reproducibility through thoughtful design and implementation choices, with the aim of providing any interested party with the resources needed to set up a laboratory for further research. Ultimately, the thesis contributes to the growing body of knowledge on the matter both theoretically and practically, providing a clear overview of the potential of this approach and venturing into the still largely unexplored territory of cross-cluster service meshes.

Supervisor: Riccardo Sisto
Academic year: 2022/23
Publication type: Electronic
Number of Pages: 76
Degree programme: Master's degree in Computer Engineering (Ingegneria Informatica)
Degree class: New organization > Master of Science > LM-32 - Computer Systems Engineering
Partner companies: Blue Reply Srl
URI: http://webthesis.biblio.polito.it/id/eprint/27725