Tessell Security Architecture on Azure
Create your custom data plane by bringing your own Azure subscription to Tessell and understand Tessell’s security posture
The white paper outlines Tessell’s BYOA (Bring Your Own Azure) functionality within its platform, enabling customers to integrate their existing Azure subscriptions seamlessly. Tessell ensures a secure onboarding process and management of these Azure accounts using a turnkey solution.
Key points of the article:
1. Access Management: Tessell uses an Azure Active Directory (AD) application named “Tessell” to manage both Tessell-managed and BYOA Azure subscriptions. Customers authorize this AD application, creating a service principal with custom role assignments that limit permissions to specific resource groups.
2. Automation: The process of creating the service principal and assigning the custom role is automated using Azure ARM templates, simplifying resource deployment and role assignment.
3. Custom Role Permissions: Tessell creates a custom role called “Tessell Operator,” granting it the permissions needed to perform operations within a defined resource group. By default, this role does not include permissions to create or delete networks or encryption keys, so those tasks require customer intervention.
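The scoping described in points 1 and 3 (assignment limited to a resource group, no network or key create/delete rights) is something a customer can verify before approving the ARM deployment. The following is an added example, not Tessell’s own code or role definition: it applies Azure RBAC’s wildcard semantics (Actions minus NotActions) to a constructed role body and reports anything that exceeds those constraints. The action strings are real Azure operation names; the role contents, subscription id and resource group name are assumed.

```python
import fnmatch
import json

# Constructed sample role in the shape Azure RBAC custom roles use.
# This is an illustration, not the actual "Tessell Operator" definition.
SAMPLE_ROLE = json.loads("""{
  "Name": "Tessell Operator",
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tessell-rg"
  ],
  "Actions": ["Microsoft.Compute/*", "Microsoft.Storage/*", "Microsoft.Network/*/read",
              "Microsoft.Network/networkInterfaces/*", "Microsoft.KeyVault/vaults/keys/read"],
  "NotActions": []
}""")

# Operations the page says the default role must not be able to perform:
# creating or deleting networks and encryption keys.
FORBIDDEN = [
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.KeyVault/vaults/keys/write",
    "Microsoft.KeyVault/vaults/keys/delete",
]


def _matches(pattern, operation):
    # Azure RBAC action patterns use "*" as a wildcard (it spans "/" segments);
    # matching is case-insensitive.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def is_allowed(role, operation):
    """Effective control-plane permission: some Actions entry matches and no NotActions entry does."""
    allowed = any(_matches(p, operation) for p in role.get("Actions", []))
    denied = any(_matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not denied


def audit_role(role, forbidden=FORBIDDEN):
    """Return findings: forbidden operations the role can perform, plus any
    assignable scope wider than a single resource group."""
    findings = [f"grants {op}" for op in forbidden if is_allowed(role, op)]
    for scope in role.get("AssignableScopes", []):
        if "/resourcegroups/" not in scope.lower():
            findings.append(f"scope wider than a resource group: {scope}")
    return findings


if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE) or "no findings")
```

Run the audit against the role definition in the ARM template before authorizing the “Tessell” application; an empty finding list means the role matches the posture the page describes.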
The architecture ensures secure management and provisioning of customer Azure subscriptions using Tessell’s platform, with clearly defined roles and automated deployment processes for efficiency.