Segmentation
Segmentation is one the core management constructs of the Lumeus platform. A segment represents a group of resources which have similar policies. An endpoint can only be part of one segment.
Lumeus offers the following segment types:
Segment Type
Resource Type
Application
Workloads (e.g., VM, Serverless, etc)
Site
On-Prem WAN Edges
External
Set of IP Addresses or URLs
User
Group of Users
Network
VPC, VNETs
Segment Matching
Segments for resources are evaluated on every inventory pull or whenever a segment policy is updated. The Priority field in a segment is used to break the tie if a resource matches multiple segments. In case of a tie between two matching segments with the same priority, one of the segments is picked randomly.
System Defined Segments
Some segments are automatically created by the system based on the connected vendor configured E.g., Regional Site segments based on Geo IP address of the devices or Application Segments for well-known SaaS applications.
Segmentation Rules
The Lumeus Policy-as-Code engine provides unified abstractions for enterprise access and segmentation rules to control both user-to-application and application-to-application. The system translates these policies to cloud/vendor specific constructs to enforce these rules.
Rule Types
Access Rules
The access rules control user-to-application access. These are enforced at the Lumeus Cloud Gateway. The following are specified as a part of rule definition:
Name & Description
Source users: List of users or user segments for whom access is granted
Destination applications: List of applications or application segments for which access is granted
Action: Allow, Deny or Allow+Record
Roles: Permissions allowed to the specified users while accessing the applications. If there are multiple roles, the highest permission is used during the authorization.
Segmentation Rules
Segmentation rules specify application-to application access and control east-west micro-segmentation. These are enforced on the security appliance in the customer network. The Lumeus policy controller on the On-prem Gateway translates these rules into vendor-specific APIs.
These are the parameters specified as a part of segmentation rules:
Name & Description
Source Application Segment
Destination Application Segment
Action: Allow or Deny
Protocol, Port: These can be a list of ports and/or protocol ranges which are allowed between the source and destination application segments.
Last updated