Segmentation

Segmentation is one the core management constructs of the Lumeus platform. A segment represents a group of resources which have similar policies. An endpoint can only be part of one segment.

Lumeus offers the following segment types:

Segment Type

Resource Type

Application

Workloads (e.g., VM, Serverless, etc)

Site

On-Prem WAN Edges

External

Set of IP Addresses or URLs

User

Group of Users

Network

VPC, VNETs

Segment Matching

Segments for resources are evaluated on every inventory pull or whenever a segment policy is updated. The Priority field in a segment is used to break the tie if a resource matches multiple segments. In case of a tie between two matching segments with the same priority, one of the segments is picked randomly.

System Defined Segments

Some segments are automatically created by the system based on the connected vendor configured E.g., Regional Site segments based on Geo IP address of the devices or Application Segments for well-known SaaS applications.

Segmentation Rules

The Lumeus Policy-as-Code engine provides unified abstractions for enterprise access and segmentation rules to control both user-to-application and application-to-application. The system translates these policies to cloud/vendor specific constructs to enforce these rules.

Rule Types

Access Rules

The access rules control user-to-application access. These are enforced at the Lumeus Cloud Gateway. The following are specified as a part of rule definition:

  • Name & Description

  • Source users: List of users or user segments for whom access is granted

  • Destination applications: List of applications or application segments for which access is granted

  • Action: Allow, Deny or Allow+Record

  • Roles: Permissions allowed to the specified users while accessing the applications. If there are multiple roles, the highest permission is used during the authorization.

Segmentation Rules

Segmentation rules specify application-to application access and control east-west micro-segmentation. These are enforced on the security appliance in the customer network. The Lumeus policy controller on the On-prem Gateway translates these rules into vendor-specific APIs.

These are the parameters specified as a part of segmentation rules:

  • Name & Description

  • Source Application Segment

  • Destination Application Segment

  • Action: Allow or Deny

  • Protocol, Port: These can be a list of ports and/or protocol ranges which are allowed between the source and destination application segments.

Last updated