Description:
The use of VPN remote access services, especially in companies, has grown significantly in recent years as remote work has become more common. Users who log in to the service must be authenticated, and their access to the network must be authorized according to the rights associated with their identity. The thesis introduces the implementation of identity and access management from the perspective of a VPN remote access service provider. The service operates in a multitenant environment, which sets its own requirements for access management. For multitenancy, an essential feature is the logical separation of customers from each other. The same separation must also apply to the administrators who manage user accounts for each customer. A remote-access VPN sets its own requirements as well, such as storing and managing account-specific network properties. The paper presents the shared VPN service of the IT service provider company and its current access management solution, which is intended to be replaced. To this end, the current system is examined, and problem areas and recommendations for the new system are derived from it. The study finds that the architecture of the system is very complex and causes additional manual work for administrators. This is exacerbated by the shortcomings of the tool used to manage VPN user accounts. A more secure replacement for the current solution is designed following identity and access management practices and standards. The research method is design science, which is used to iterate through solution options. It has the advantage of identifying the strengths and weaknesses of a solution at an early stage, which saves time and resources. The result is an access management implementation proposal for the company's VPN service that can replace the current solution. The proposal introduces the selected tools and processes and the options between which a choice was made. Selecting the authentication protocol is a key decision that constrains the options in other parts of access management.
The choice was made between the LDAP, RADIUS and SAML protocols, of which LDAP proved to be the only suitable option due to the strict requirements of the environment. Based on the findings of the study, the Microsoft Active Directory (AD) service was chosen as the identity store. This choice is influenced by the existing AD expertise among the company's personnel, which ensures competence for maintenance and further development. In addition, there is existing support for integrating AD into the company's privileged account management. Challenges are posed by some of the account life cycle management tasks and by reporting constraints. The work proposes addressing these with the company's automation system, to which the directory service can be connected. The proposed solution enables more flexible customization of VPN access control while simplifying the management of user accounts. Evaluated against a set of criteria and the requirements derived from the current system, the implementation proposal is considered the recommended solution for deployment. The work brings added value by presenting solutions that are taken forward for further development. New two-factor authentication methods and role-based access control (RBAC) are the most important of these. They cannot be implemented for current customers during the system migration but are recommended for implementation in the future.