Khiem, 2020

Type

Master Thesis

Title

Privileged Access Management for System to System communications

Authors

Khiem, T.L.

Year

2020

Harvard

Khiem, T.L., 2020. Privileged Access Management for System to System communications (Master Thesis). Aalto University, Finland.

Abstract

Privileged accounts can be the entry point for cybersecurity attacks or stepping stones for further escalation to critical organization resources. Besides privileged accounts for users, there are a large number of credentials for different pairs of a system accessing a system. This is one challenge of Privileged Access Management: maintaining security and visibility on the usage of confidential resources like system credentials. Two case studies are applied to this problem: one on the system-to-system cases in a large organization, and one on available approaches for a service to not only securely manage credentials but also maximize adaptation to most of the system-to-system cases. This thesis also contributes a procedure to analyze S2S cases based on four steps: (1) identifying the Accessing System (AS) and the Target System (TS); (2) identifying the identity model at the TS side and the authentication protocol between AS and TS; (3) identifying the process of initial setup of the AS-TS credential; and (4) the process of updating the credential. From these four steps, four criteria for a system-to-system credential management service are defined, including (A) capable of adapting to the different identity models and authentication protocols of target systems; (B) supporting mechanisms for initial credential setup at different AS; (C) supporting mechanisms for updating credentials automatically following credential policies; (D) capable of managing credentials securely.
The study shows that S2S cases can be classified into three groups: the accessing group, the target group, and the environment group. The environment group has additional infrastructure support to automate steps (3) and (4) for deployed systems. Also from the study, the solutions from two cloud providers are only applicable to their own environments, while two self-deployed packages, HashiCorp Vault and Thycotic Secret Server, can be deployed on-premises but are available to applications and services in different infrastructure environments.

(https://open-measure.atlassian.net/wiki/pages/resumedraft.action?draftId=782827773, p. 3)
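The four analysis steps and criteria (B), (C) and (D) from the abstract, as an added example that is not part of the thesis, of the page, or of HashiCorp Vault / Thycotic Secret Server. It is a minimal S2S credential service written for this entry: the case description (steps 1 and 2) is a plain record, step 3 is `bootstrap`, step 4 is `rotate_if_due` driven by a policy. The target system, the shared-secret protocol, the policy shape (maximum age plus an overlap window during which the previous version still authenticates, so the accessing system does not lose access mid-rotation) and all names such as `billing-api` and `customer-db` are assumptions made for illustration, not findings of the thesis.

```python
"""Added example (not the thesis's code): a toy system-to-system (S2S)
credential management service. Standard library only; time is passed in
explicitly so the lifecycle can be replayed deterministically."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class S2SCase:
    """Steps (1) and (2): who accesses whom, and how the TS identifies/authenticates the AS."""
    accessing_system: str
    target_system: str
    identity_model: str   # assumed value, e.g. "local service account"
    auth_protocol: str    # assumed value, e.g. "shared secret over TLS"


@dataclass(frozen=True)
class CredentialPolicy:
    """Criterion (C): rotation follows a policy. Assumed shape: max age plus an overlap window."""
    max_age_seconds: float
    overlap_seconds: float   # previous version stays valid this long after rotation
    secret_bytes: int = 32


@dataclass
class Credential:
    version: int
    secret: str
    created_at: float


class TargetSystem:
    """Toy TS (assumed). Keeps only salted PBKDF2 digests of active credential versions,
    never the plaintext (criterion D), and accepts any active version so that the
    accessing system keeps working while an old version is being retired."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._active: dict[int, tuple[bytes, bytes]] = {}   # version -> (salt, digest)

    @staticmethod
    def _digest(salt: bytes, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def install(self, version: int, secret: str) -> None:
        salt = secrets.token_bytes(16)
        self._active[version] = (salt, self._digest(salt, secret))

    def revoke(self, version: int) -> None:
        self._active.pop(version, None)

    def active_versions(self) -> set[int]:
        return set(self._active)

    def authenticate(self, secret: str) -> bool:
        for salt, stored in self._active.values():
            if hmac.compare_digest(self._digest(salt, secret), stored):   # constant-time compare
                return True
        return False


class CredentialService:
    """One AS-TS pair: step (3) initial setup, step (4) policy-driven update (criteria B and C)."""

    def __init__(self, case: S2SCase, policy: CredentialPolicy, ts: TargetSystem) -> None:
        self.case, self.policy, self.ts = case, policy, ts
        self._current: Credential | None = None
        self._retiring: list[tuple[Credential, float]] = []   # (old credential, rotated_at)

    def _mint(self, version: int, now: float) -> Credential:
        return Credential(version, secrets.token_urlsafe(self.policy.secret_bytes), now)

    def bootstrap(self, now: float) -> Credential:
        """Step (3): generate the first credential and register it at the TS before handing it to the AS."""
        if self._current is not None:
            raise RuntimeError("already bootstrapped")
        cred = self._mint(1, now)
        self.ts.install(cred.version, cred.secret)
        self._current = cred
        return cred

    def current(self) -> Credential:
        if self._current is None:
            raise RuntimeError("not bootstrapped")
        return self._current

    def rotate_if_due(self, now: float) -> bool:
        """Step (4): revoke retired versions whose overlap has ended, then rotate if max_age is
        exceeded. The new version is installed at the TS before the AS is switched over.
        Returns True when a new version was issued."""
        cur = self.current()
        keep = []
        for old, rotated_at in self._retiring:
            if now - rotated_at >= self.policy.overlap_seconds:
                self.ts.revoke(old.version)
            else:
                keep.append((old, rotated_at))
        self._retiring = keep
        if now - cur.created_at < self.policy.max_age_seconds:
            return False
        new = self._mint(cur.version + 1, now)
        self.ts.install(new.version, new.secret)
        self._current = new
        self._retiring.append((cur, now))
        return True


def demo() -> dict:
    """Replay one credential lifecycle with constructed (assumed) system names and a 1h/5min policy."""
    case = S2SCase("billing-api", "customer-db", "local service account", "shared secret over TLS")
    policy = CredentialPolicy(max_age_seconds=3600, overlap_seconds=300)
    ts = TargetSystem(case.target_system)
    svc = CredentialService(case, policy, ts)
    first = svc.bootstrap(now=0)
    out = {"first_auth": ts.authenticate(first.secret), "wrong_secret": ts.authenticate("not-the-secret")}
    out["rotated_early"] = svc.rotate_if_due(now=1800)      # 30 min old: policy says keep
    out["rotated_due"] = svc.rotate_if_due(now=3600)        # 1 h old: rotate, v1 enters overlap
    second = svc.current()
    out["old_valid_in_overlap"] = ts.authenticate(first.secret)
    out["new_valid"] = ts.authenticate(second.secret)
    svc.rotate_if_due(now=3900)                              # overlap over: v1 revoked at the TS
    out["old_valid_after_overlap"] = ts.authenticate(first.secret)
    out["active_versions"] = ts.active_versions()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering in `rotate_if_due` (install the new version at the TS, then switch the AS, then revoke the old version only after the overlap) is what makes automated rotation safe for a system-to-system pair with no human in the loop; a service that revoked first would cause an outage on every policy-driven update.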




This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.