PAM-Lite
Privileged Access Management (PAM) is complex to implement. IT and security operators typically start with account discovery and work their way up to zero standing privileges (ZSP). Getting from basic account discovery to ZSP across Windows, Linux, Kubernetes, databases and so on can mean dozens of initiatives and months of manual operations.
Our approach to Privileged Access Management is lighter. It is centered on controlling the session between a user and a resource, following the steps below:
Make the resource private, i.e. not exposed to the internet.
Place a proxy layer in front of it that integrates with your identity provider for user authentication.
Define roles that carry application-specific rights (Kubernetes roles, for example).
Control access with an ingress access policy for the resource in the Lumeus Cloud.
Record sessions so that you are audit-ready.
The solution is backed by open-source Teleport.
No agents need to be installed on endpoint devices or on the applications themselves. Users reach applications remotely from anywhere through Lumeus Cloud Gateways, with no VPN to set up or install.
User sessions are continuously validated using mTLS and short-lived session certificates, so a session cannot outlive the certificate it was issued with.
For applications running in private networks, customers deploy Lumeus On-Prem Gateways as virtual machines or containers. The gateway tunnels traffic between the private network and the Lumeus Cloud.
Customers must allow TCP port 443 on the firewall for the gateway tunnel to come up; the application itself stays private and is never exposed directly.
Web
These applications are reachable by URL or IP address over HTTP(S). Users log in to the Lumeus portal and cross-launch the application, or use a unique public DNS name issued by Lumeus to open the application remotely from any browser. A custom DNS domain is also supported; contact Lumeus sales or support if you need one.
Kubernetes
The OSH utility must be downloaded to access Kubernetes from the console. It is a modified Teleport client that enables this use case without changing end users' existing Kubernetes workflow (kubectl keeps working as before).
SSH
Lumeus' ZTA solution gives remote SSH access to private servers without a VPN. Lumeus Cloud Edges act as the jump server for SSH. Customers can open a browser-based terminal session to the server from the Lumeus Management Portal, or log in with the Lumeus shell utility and then use ordinary SSH commands to connect to the server.
Database
The following databases are supported:
· AWS DynamoDB
· AWS ElastiCache & MemoryDB
· AWS RDS & Aurora
· AWS RDS Proxy
· AWS Redshift
· AWS Redshift Serverless
· AWS Keyspaces
· Azure Cache for Redis
· GCP Cloud SQL MySQL
· GCP Cloud SQL PostgreSQL
· Self-hosted MongoDB
· Self-hosted Elasticsearch
· Self-hosted MySQL & MariaDB
· Self-hosted PostgreSQL
· Self-hosted Redis
Users and Roles
Lumeus integrates with a range of identity providers (IdPs) to authenticate users and authorize application access. Each user session is not only authenticated but also checked against the permissions granted to that user. The pre-defined system roles are:
Role: Description
Administrator: Overall tenant administrator. Can add/delete applications and invite other users.
Observer: Read-only access to the system. Cannot add/delete applications, but can cross-launch terminals and web sessions.
K8-administrator: Can only administer Kubernetes applications.
K8-application developer: Cannot add/delete K8 clusters, but can exec into Kubernetes pods.
K8-observer: Can run Kubernetes get/describe commands, but cannot exec into pods.
SSH-user: Can only view and launch SSH applications.
Web-user: Can only view and launch Web applications.
RDP-user: Can only view and launch RDP applications.
DB-user: Can only view and launch DB applications.
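The following is an added example, not Lumeus' own configuration: it shows how the "define roles with application-specific rights" step above and the K8-observer / K8-application developer split in this table can be expressed in upstream open-source Teleport (which the solution is built on) together with the Kubernetes RBAC those roles rely on. The cluster label env=dev, the group names and the role names are assumptions chosen for illustration; Lumeus' own role definitions may differ.

```yaml
# Added example (not Lumeus' or Teleport's shipped config). Assumes a
# Kubernetes cluster registered in Teleport with the label env=dev and
# hypothetical group names "lumeus:k8-observer" / "lumeus:k8-app-dev".
#
# Teleport decides WHICH cluster a user may reach and which Kubernetes
# group the session is impersonated as; Kubernetes RBAC decides WHAT
# that group may do. Keeping exec out of the observer ClusterRole is
# what makes "get/describe but no exec" enforceable.

# --- Teleport role: read-only Kubernetes access (K8-observer) ---
kind: role
version: v5
metadata:
  name: k8-observer
spec:
  allow:
    kubernetes_labels:
      env: dev                       # only clusters carrying this label
    kubernetes_groups: ["lumeus:k8-observer"]
  options:
    max_session_ttl: 8h0m0s          # short-lived certificate; re-auth after 8h
    require_session_mfa: true        # MFA check when the session starts
---
# --- Teleport role: developer with exec (K8-application developer) ---
kind: role
version: v5
metadata:
  name: k8-application-developer
spec:
  allow:
    kubernetes_labels:
      env: dev
    kubernetes_groups: ["lumeus:k8-app-dev"]
  options:
    max_session_ttl: 8h0m0s
    require_session_mfa: true
---
# --- Kubernetes RBAC for the observer group: get/list/watch only ---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: lumeus-k8-observer
rules:
  - apiGroups: ["", "apps", "batch"]
    resources: ["pods", "pods/log", "deployments", "jobs", "services", "configmaps"]
    verbs: ["get", "list", "watch"]  # covers kubectl get/describe; no pods/exec
---
# --- Kubernetes RBAC for the developer group: adds exec ---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: lumeus-k8-app-dev
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]                # kubectl exec needs create on pods/exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: lumeus-k8-observer
subjects:
  - kind: Group
    name: "lumeus:k8-observer"       # must match kubernetes_groups above
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: lumeus-k8-observer
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: lumeus-k8-app-dev
subjects:
  - kind: Group
    name: "lumeus:k8-app-dev"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: lumeus-k8-app-dev
  apiGroup: rbac.authorization.k8s.io
```

A quick check after applying the RBAC: `kubectl auth can-i create pods/exec --as-group=lumeus:k8-observer --as=anyuser` should answer no, while the same query with `--as-group=lumeus:k8-app-dev` should answer yes. Because the Teleport role never grants a group that Kubernetes has bound to exec, an observer cannot gain exec simply by picking a different cluster or namespace.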