Segmentation
Last updated
Segmentation is one of the core management constructs of the Lumeus platform. A segment represents a group of resources that share the same policies. An endpoint can only be part of one segment.
Lumeus offers the segment types listed in the Segment Type table at the end of this page.
Segment membership is evaluated on every inventory pull and whenever a segment policy is updated. The Priority field of a segment is used to break the tie when a resource matches multiple segments. If two matching segments have the same priority, one of them is picked randomly; because that choice also decides which policies apply to the resource, overlapping segments should be given distinct priorities.
Some segments are created automatically by the system based on the connected vendor configuration, e.g. Regional Site segments derived from the GeoIP location of the devices, or Application segments for well-known SaaS applications.
The Lumeus Policy-as-Code engine provides unified abstractions for enterprise access and segmentation rules that control both user-to-application and application-to-application access. The system translates these policies into cloud- or vendor-specific constructs to enforce them.
Access rules control user-to-application access and are enforced at the Lumeus Cloud Gateway. A rule definition specifies the following:
- Name & Description
- Source users: list of users or user segments for whom access is granted
- Destination applications: list of applications or application segments to which access is granted
- Action: Allow, Deny or Allow+Record
- Roles: permissions granted to the specified users while accessing the applications. If multiple roles are listed, the highest permission is applied during authorization.
Segmentation rules specify application-to-application access and control east-west micro-segmentation. They are enforced on the security appliance in the customer network: the Lumeus policy controller on the On-prem Gateway translates these rules into vendor-specific API calls.
A segmentation rule specifies the following parameters:
- Name & Description
- Source Application Segment
- Destination Application Segment
- Action: Allow or Deny
- Protocol, Port: a list of ports and/or protocol ranges that are allowed between the source and destination application segments.
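The following Python model, added here as an illustration and not Lumeus's own code or policy syntax, ties together the three mechanisms described above: segment assignment with priority and random tie-breaking, user-to-application access rules with highest-permission role resolution, and application-to-application segmentation rules with protocol/port ranges. It also adds the check a practitioner would want before relying on random tie-breaking: a lint that reports every resource whose top-priority match is a tie, so those segments can be given distinct priorities. The segment match criteria, the role ordering, the rule that a larger priority number wins, the first-match-wins evaluation order, the default-deny fallback and all sample data are assumptions constructed for the example.

```python
import random
from dataclasses import dataclass


@dataclass
class Segment:
    name: str
    segment_type: str   # Application, Site, External, User or Network
    priority: int       # assumption: the larger number wins when several segments match
    match: dict         # constructed matcher: attribute/value pairs a resource must all carry


@dataclass
class Resource:
    name: str
    attributes: dict


def matching_segments(resource, segments):
    """Every segment whose match criteria the resource satisfies."""
    return [s for s in segments
            if all(resource.attributes.get(k) == v for k, v in s.match.items())]


def assign_segment(resource, segments, rng=random):
    """The single segment a resource belongs to: highest priority wins, a tie is broken randomly."""
    matches = matching_segments(resource, segments)
    if not matches:
        return None
    top = max(s.priority for s in matches)
    return rng.choice([s for s in matches if s.priority == top])


def ambiguous_resources(resources, segments):
    """Lint: resources whose top-priority match is a tie, so their segment (and policy) is nondeterministic."""
    report = {}
    for r in resources:
        matches = matching_segments(r, segments)
        if len(matches) < 2:
            continue
        top = max(s.priority for s in matches)
        tied = sorted(s.name for s in matches if s.priority == top)
        if len(tied) > 1:
            report[r.name] = tied
    return report


ROLE_RANK = {"viewer": 1, "editor": 2, "admin": 3}   # constructed permission ordering


@dataclass
class AccessRule:
    name: str
    source_users: set        # user names or user-segment names
    destination_apps: set    # application names or application-segment names
    action: str              # Allow, Deny or Allow+Record
    roles: tuple = ()


def evaluate_access(user, user_segment, app, app_segment, rules):
    """User-to-application decision; first matching rule wins and no match means Deny (assumptions)."""
    for rule in rules:
        if {user, user_segment} & rule.source_users and {app, app_segment} & rule.destination_apps:
            # several roles on one rule: the highest permission is what the user gets
            role = max(rule.roles, key=ROLE_RANK.__getitem__) if rule.roles else None
            return rule.action, role
    return "Deny", None


@dataclass
class SegmentationRule:
    name: str
    source_segment: str
    destination_segment: str
    action: str              # Allow or Deny
    services: tuple          # (protocol, first_port, last_port) ranges


def evaluate_segmentation(src_segment, dst_segment, protocol, port, rules):
    """East-west decision between two application segments; unmatched traffic is denied (assumption)."""
    for rule in rules:
        if (rule.source_segment == src_segment and rule.destination_segment == dst_segment
                and any(p == protocol and lo <= port <= hi for p, lo, hi in rule.services)):
            return rule.action
    return "Deny"


# Constructed sample inventory and policies.
SEGMENTS = [
    Segment("web-tier", "Application", 10, {"tag": "web"}),
    Segment("pci-web", "Application", 20, {"tag": "web", "scope": "pci"}),
    Segment("aws-us-east", "Site", 20, {"region": "us-east-1"}),   # same priority as pci-web: a deliberate tie
    Segment("db-tier", "Application", 10, {"tag": "db"}),
]
RESOURCES = [
    Resource("vm-web-1", {"tag": "web", "region": "eu-west-1"}),
    Resource("vm-web-pci", {"tag": "web", "scope": "pci", "region": "us-east-1"}),
    Resource("vm-db-1", {"tag": "db"}),
]
ACCESS_RULES = [
    AccessRule("devs-to-web", {"developers"}, {"web-tier", "pci-web"}, "Allow+Record", ("viewer", "admin")),
]
SEGMENTATION_RULES = [
    SegmentationRule("web-to-db", "web-tier", "db-tier", "Allow", (("tcp", 5432, 5432),)),
]

if __name__ == "__main__":
    for r in RESOURCES:
        s = assign_segment(r, SEGMENTS)
        print(r.name, "->", s.name if s else None)
    print("ambiguous:", ambiguous_resources(RESOURCES, SEGMENTS))
    print(evaluate_access("alice", "developers", "shop", "web-tier", ACCESS_RULES))
    print(evaluate_segmentation("web-tier", "db-tier", "tcp", 5432, SEGMENTATION_RULES))
```

Running the lint over the sample inventory flags `vm-web-pci`, which matches both `pci-web` and `aws-us-east` at priority 20; whichever of the two wins the coin toss changes the access and segmentation rules that apply to that VM, which is why the tie should be resolved in the segment definitions rather than left to the random pick.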
| Segment Type | Resource Type |
| --- | --- |
| Application | Workloads (e.g., VM, Serverless, etc.) |
| Site | On-Prem WAN Edges |
| External | Set of IP Addresses or URLs |
| User | Group of Users |
| Network | VPCs, VNETs |