PAM-Lite

Privileged Access Management (PAM) is complex to implement. IT and security operators usually start with account discovery and then work towards zero standing privileges (ZSP). Getting from basic account discovery to ZSP across Windows, Linux, Kubernetes, databases and so on can take dozens of initiatives and months of manual operations.

Our approach to Privileged Access Management is lighter and centered on controlling each session to a resource, following the simple steps below:

  • Make the Resource private, i.e. not exposed to the internet.

  • Create a proxy layer in between that integrates with your identity provider for user authentication.

  • Define roles that carry application-specific rights (Kubernetes roles, for example).

  • Control access with an Ingress Access policy for the resource in the Lumeus Cloud.

  • Record sessions so that you are audit-ready.

The solution is backed by open-source Teleport.

No agents need to be installed on endpoint devices or on applications. Users can access applications remotely from anywhere via the Lumeus Cloud Gateways, with no VPN to set up or install.

User sessions are continuously validated using mTLS with short-lived session certificates, so access expires automatically when the certificate does rather than persisting as a standing credential.

For applications running in private networks, customers can deploy Lumeus On-Prem Gateways in a virtual or containerized environment.

Customers must allow TCP port 443 through the firewall for these tunnels to work. The tunnel is established by the gateway, so this is outbound traffic; the private resource itself stays unexposed to the internet.

Web

These applications are accessible via URL or IP address over HTTP(S). Users can log in to the Lumeus portal and cross-launch the application, or use the unique public DNS name provided by Lumeus to reach the application remotely from any browser. Custom DNS domains are also supported; please contact Lumeus sales or support if you need one.

Kubernetes

An OSH utility needs to be downloaded to access Kubernetes from the command line. We offer a modified Teleport client utility that enables this use case without changing end users' Kubernetes workflow.

SSH

Lumeus' ZTA solution can be used to give SSH access to private servers remotely without the need for a VPN. Lumeus Cloud Edges act as the jump server for SSH access. Customers can use the Lumeus Management Portal to open a browser-based terminal session to the server, or use the Lumeus shell utility to log in and then use SSH commands to connect to the server.

Database

The following databases are supported:

· AWS DynamoDB

· AWS ElastiCache & MemoryDB

· AWS RDS & Aurora

· AWS RDS Proxy

· AWS Redshift

· AWS Redshift Serverless

· AWS Keyspaces

· Azure Cache for Redis

· GCP Cloud SQL MySQL

· GCP Cloud SQL PostgreSQL

· Self-hosted MongoDB

· Self-hosted Elasticsearch

· Self-hosted MySQL & MariaDB

· Self-hosted PostgreSQL

· Self-hosted Redis

Users and Roles

Lumeus integrates with various identity providers (IdPs) to authenticate users and authorize application access. User sessions are not only authenticated but also checked against the permissions granted to the user. These are some of the pre-defined system roles:

Role                      Description
Administrator             Overall tenant administrator. Can add/delete applications and invite other users
Observer                  Read-only access to the system. Cannot add/delete applications but can cross-launch terminals and web sessions
K8-administrator          Can only administer Kubernetes applications
K8-application developer  Cannot add/delete K8s clusters, but can exec into Kubernetes pods
K8-observer               Can run Kubernetes get/describe commands but cannot exec into pods
SSH-user                  Can only view and launch SSH applications
Web-user                  Can only view and launch Web applications
RDP-user                  Can only view and launch RDP applications
DB-user                   Can only view and launch DB applications
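The Go program below is an added example, not Lumeus or Teleport code, showing the two mechanisms this page relies on: the mTLS session validation with short-lived certificates described under the deployment model, and the role check against the table above. A gateway mints CA-signed client certificates for IdP-authenticated users with the role carried in the certificate, and on each connection checks the chain, the expiry, the client-auth usage, the lifetime bound and whether the role may launch the requested application kind. MaxSessionTTL, the launchRights map (a partial encoding of the role table), the OU-as-role convention and every function name are assumptions made for this example; Teleport's real certificates encode identity and roles differently.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const MaxSessionTTL = 8 * time.Hour // assumed bound on session-cert lifetime; the page gives no value for Lumeus

// launchRights encodes part of the page's role table as role -> application kinds it may launch (assumed encoding).
var launchRights = map[string][]string{
	"Administrator": {"web", "ssh", "rdp", "db", "kubernetes"},
	"K8-observer":   {"kubernetes"},
	"SSH-user":      {"ssh"},
	"Web-user":      {"web"},
}

// Gateway stands in for the proxy layer: it signs session certs with its CA and checks them on every connection.
type Gateway struct {
	ca   *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

// sign generates a fresh P-256 key and certifies it from tmpl, signed by parent (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewGateway creates an in-memory CA valid for one year from now.
func NewGateway(now time.Time) (*Gateway, error) {
	ca, key, err := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-session-ca"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Gateway{ca: ca, key: key, pool: pool}, nil
}

// IssueSessionCert mints a client cert for an IdP-authenticated user with the role in the OU; a TTL above
// MaxSessionTTL is refused rather than silently clamped, and an unknown role is refused at issuance.
func (g *Gateway) IssueSessionCert(user, role string, ttl time.Duration, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if ttl <= 0 || ttl > MaxSessionTTL {
		return nil, nil, fmt.Errorf("ttl %v outside (0, %v]", ttl, MaxSessionTTL)
	}
	if _, ok := launchRights[role]; !ok {
		return nil, nil, fmt.Errorf("unknown role %q", role)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	return sign(&x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user, OrganizationalUnit: []string{role}},
		NotBefore:    now.Add(-30 * time.Second), // small clock-skew allowance
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, g.ca, g.key)
}

// ValidateSession is the per-connection check on the peer cert from the mTLS handshake (which already proved
// key possession): lifetime within bound, chains to our CA, unexpired at now, client-auth usage, and the
// embedded role allowed to launch this application kind. Returns the authenticated user name.
func (g *Gateway) ValidateSession(cert *x509.Certificate, kind string, now time.Time) (string, error) {
	if life := cert.NotAfter.Sub(cert.NotBefore); life > MaxSessionTTL+time.Minute {
		return "", fmt.Errorf("certificate lifetime %v exceeds MaxSessionTTL", life)
	}
	opts := x509.VerifyOptions{Roots: g.pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("session certificate rejected: %w", err)
	}
	role := strings.Join(cert.Subject.OrganizationalUnit, ",") // exactly one OU is expected; anything else matches no rights
	for _, k := range launchRights[role] {
		if k == kind {
			return cert.Subject.CommonName, nil
		}
	}
	return "", fmt.Errorf("role %q may not launch %s applications", role, kind)
}

func main() {
	now := time.Now()
	g, _ := NewGateway(now)
	cert, _, _ := g.IssueSessionCert("alice", "SSH-user", time.Hour, now)
	fmt.Println(g.ValidateSession(cert, "web", now))                  // role mismatch: "" and an error
	fmt.Println(g.ValidateSession(cert, "ssh", now.Add(2*time.Hour))) // expired by then: "" and an error
}
```

The private key returned by IssueSessionCert belongs to the client; in a real deployment the client would generate it locally and only the certificate would cross the wire. The lifetime check in ValidateSession is deliberately independent of the chain check, so a certificate that was minted with an over-long validity still fails even if it is correctly signed.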
