Privileged Access Management is complex to implement. IT and Security operators must start with Account Discovery then evolve to Zero standing privileges (ZSP). This can lead to dozens of initiatives and months of manual operations to get from basic Account Discovery to Zero standing privileges across Windows, Linux, Kubernetes, Databases etc.

Our approach to Privilege Access Management is lighter and centered around Session Control to Resource by following the simple steps below:

  • Make the Resource private, i.e. not exposed to the internet.

  • Create a proxy layer in-between to integrate with your identity provider for User Authentication.

  • Define Roles associated with application-specific rights (Kubernetes roles as an example).

  • Control access leveraging Ingress Access policy to the resource in the Lumeus Cloud.

  • Record sessions to be audit ready.

The solution is backed by open-source Teleport.

No agents need to be installed on endpoint devices or on applications. Users can access applications remotely from anywhere via various Cloud Gateways without the need for VPN setup or installation.

User sessions are continuously validated using mTLS and short-lived session certificates.

For applications running in private networks, customers can deploy Lumeus On-Prem Gateways in a virtual or containerized environment.

Customers should open port 443 on the firewall for these tunnels to work.


These applications are accessible via URL or IP address using HTTP(s) protocol. Users can login to the Lumeus portal to cross launch the application or use unique public DNS from Lumeus to access the application remotely from any browser. Custom DNS domain is also supported. Please contact Lumeus sales or support if you need Custom DNS.


An OSH utility needs to be downloaded to access the Kubernetes via console. We offer a modified teleport utility to enable this use case without changing the end-users' workflow for Kubernetes.


Lumeus' ZTA solution can be used to give SSH access to private servers remotely without the need for a VPN. Lumeus Cloud Edges act as a jump server for SSH access. Customers can use the Lumeus Management Portal to open a browser-based terminal session to the server or use the Lumeus shell utility to login and then use SSH commands to connect to the server.


The following databases are supported:

· AWS Dynamo DB

· AWS ElasticCache & Memory DB

· AWS RDS & Aurora

· AWS RDS Proxy

· AWS Redshift

· AWS Redshift Server less

· AWS Keyspaces

· Azure Cache for Redis


· GCP Cloud SQL PostgreSQL

· Self-hosted MongoDB

· Self-hosted Elasticsearch

· Self-hosted MySQL & MariaDB

· Self-hosted PostgreSQL

· Self-hosted Redis

Users and Roles

Lumeus integrates with various IDP providers for authenticating and authorizing application access. User sessions are not only authenticated but also validated against permissions granted for access. These are some of the pre-defined system roles:

Last updated