Hybrid Active Directory Integration
Banstola, Bijay (2021)
Permanent link to this publication: https://urn.fi/URN:NBN:fi:amk-202104074383
Abstract
Cloud adoption brings large benefits, but finding a solution or process that works for both the cloud and an on-premises environment is challenging because the two operating models differ. One of the challenges organizations face when moving to cloud providers is user and permission management. On premises, authentication, authorization and identity governance are mostly managed centrally with Microsoft Active Directory (AD). While each cloud provider offers its own tooling for Identity and Access Management (IAM) on its platform, organizations seek central management of users and permissions across all their environments: to maximize governance over identities, to reduce the exposure created by maintaining several separate identities per person, and to keep using their current architecture.
This thesis introduces an effective way to solve central IAM challenges when organizations move to a multi-cloud or multi-account environment, specifically Amazon Web Services (AWS) in the case study of Company A. Currently, AWS IAM users are synced with neither the on-premises AD nor Azure AD, which is a problem for identity governance and also requires extra effort to provision and manage separate identities in AWS IAM. The differences, risks and controls of IAM in a cloud computing environment were researched. Among the approaches proposed, federating Azure AD to AWS Single Sign-On (SSO) at the AWS Organization level was selected as the most adequate, taking into account that the company is expected to become a cloud-only organization over time.
The proposed solution for managing AWS multi-account access for internal and external identities is to provision all identities in Azure AD and then synchronize selected users and groups automatically to AWS SSO. All of Company A's on-premises identities were already synced with Azure AD, which makes it convenient to give internal users access to the AWS environment. The thesis also presents an Infrastructure as Code (IaC) approach, supported at the time of writing, for permission management in the AWS environment, and shares guidance on selecting an effective solution to this problem under different circumstances. In-depth configuration of Azure AD and theoretical background on AWS services are out of scope of the present study.
The thesis shows how organizations moving to a multi-vendor cloud platform can achieve central identity management and governance by using the services offered by the different vendors while continuing to use their current processes and procedures. It also sheds light on the eventual process of evolving into a cloud-native organization.
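As an added example that is not part of the thesis, the permission-management half of the solution described above can be expressed in Terraform for AWS SSO (since renamed AWS IAM Identity Center). It assumes that Azure AD to AWS SSO SCIM provisioning is already in place, so the group exists in the AWS identity store before Terraform runs; the region, group display name and member account ID are placeholders.

```hcl
# Added example, not code from the thesis. Assumes SCIM provisioning from
# Azure AD to AWS SSO already creates the users and groups; Terraform only
# manages permission sets and their assignment to accounts.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1" # placeholder region
}

# There is exactly one SSO instance per AWS Organization; look it up
# rather than hard-coding the ARN and identity store ID.
data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# The group is owned by Azure AD and pushed via SCIM, so it is read,
# never created, here. "AWS-Dev-Developers" is a placeholder group name.
data "aws_identitystore_group" "developers" {
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "AWS-Dev-Developers"
    }
  }
}

# Least-privilege permission set: a read-only managed policy and a short
# session so that stolen credentials expire quickly.
resource "aws_ssoadmin_permission_set" "readonly" {
  name             = "DeveloperReadOnly"
  description      = "Read-only access for developers (Azure AD group)"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT4H"
}

resource "aws_ssoadmin_managed_policy_attachment" "readonly" {
  instance_arn       = local.sso_instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  permission_set_arn = aws_ssoadmin_permission_set.readonly.arn
}

# Bind the synced group to the permission set in one member account.
# Removing the user from the Azure AD group revokes access on the next
# SCIM sync; no change in AWS is needed.
resource "aws_ssoadmin_account_assignment" "developers_readonly" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.readonly.arn

  principal_id   = data.aws_identitystore_group.developers.group_id
  principal_type = "GROUP"

  target_id   = "123456789012" # placeholder member account ID
  target_type = "AWS_ACCOUNT"
}
```

Keeping identities in Azure AD and only permission sets and assignments in Terraform is what makes this governable: the group membership, joiner/leaver handling and MFA policy live in one place, and `terraform plan` shows every change to who can do what in which account. Assigning groups rather than individual users avoids per-person drift in AWS.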