Questions Regarding Security Measures and Distribution of Luminate Connectors
What is Luminate Connector?
Luminate Connector is a lightweight software agent deployed inside datacenters (self-hosted or cloud). It brokers access to the resources deployed in those locations for authorized users.
How is Luminate Connector Distributed?
Luminate Connector is distributed as a Docker container image via the Docker Hub service. Container orchestration software (such as, but not limited to, Kubernetes, Docker and AWS Elastic Container Service) pulls the image from Docker Hub and then deploys services (containers) based on it. Docker Hub is a secure repository of software images published by Docker Inc. and its partners (such as Luminate Security). The authenticity of these images is verified by the Docker Content Trust (DCT) system.
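Docker Content Trust is enforced by the Docker client only when the `DOCKER_CONTENT_TRUST` environment variable is set; without it, an unsigned tag pulls silently. The following script is an added example, not Luminate's own tooling, showing how an operator pulls the connector image with DCT enforced, lists the signers, and records the digest that was actually pulled so later pulls can be compared against it. The image reference passed on the command line is a placeholder; the `parse_image_ref` helper (also an addition) splits a reference into repository, tag and pinned digest so the comparison can be scripted.

```shell
#!/bin/sh
# Added example (not Luminate's own tooling): pull a container image with Docker
# Content Trust enforced and record the digest that was actually pulled.
# The image reference is supplied as $1 and is a placeholder for the reference
# Luminate documents for its connector.
set -eu

# parse_image_ref REF -> prints "repository tag digest"
# ("latest" when no tag is given, "-" when no digest is pinned).
parse_image_ref() {
  ref=$1
  tag=""
  digest=""
  case $ref in
    *@*) digest=${ref#*@}; ref=${ref%%@*} ;;
  esac
  # A ':' in the last path segment is a tag; a ':' before the last '/' is a registry port.
  case ${ref##*/} in
    *:*) tag=${ref##*:}; ref=${ref%:*} ;;
  esac
  printf '%s %s %s\n' "$ref" "${tag:-latest}" "${digest:--}"
}

# pull_with_dct REF: pull with content trust enforced. The daemon refuses the pull
# when the tag carries no valid signature. Prints signer info and the resolved digest.
pull_with_dct() {
  export DOCKER_CONTENT_TRUST=1
  docker pull "$1" >/dev/null
  docker trust inspect --pretty "$1"                       # signers and signed digests
  docker image inspect --format '{{index .RepoDigests 0}}' "$1"
}

# check_pinned_digest REF EXPECTED_DIGEST: compare the locally pulled digest with one
# recorded earlier (e.g. "sha256:..."); a mismatch means the tag now points elsewhere.
check_pinned_digest() {
  got=$(docker image inspect --format '{{index .RepoDigests 0}}' "$1")
  [ "${got#*@}" = "$2" ]
}

if [ "${1:-}" ]; then
  pull_with_dct "$1"
fi
```

Run it as `sh dct-pull.sh REGISTRY/REPOSITORY:TAG` on a host with the Docker CLI; the printed digest is what to store for `check_pinned_digest` on the next update cycle.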
How can I make sure that my Luminate Connector software is up-to-date?
Luminate Secure Access Cloud (TM) provides built-in central monitoring and software-update capabilities for all Luminate Connectors.
In the Administrator Web UI, the notification that connectors require an update begins on the dashboard view:
Additional detail identifies the connectors with outdated software and offers the ability to update them:
In environments where multiple connectors are deployed per site, updating a connector does not interrupt connectivity to any resource.
What If I Forget to Update My Connector Software?
The Luminate Security Operations and Customer Success teams constantly monitor the connector versions deployed by all users of Luminate Secure Access Cloud (TM). Whenever an environment approaches the end of life of the software version it is running, our team issues a proactive warning recommending that the customer upgrade its connectors:
My Host Security Scan Says That the Connector Binary Is Distributed Without an RPM (or Other) Package
Certain host vulnerability scanners, such as, but not limited to, Nessus (as in this concrete example), verify that every process running as a daemon or service on a Linux or Windows machine was installed through a packaging system rather than manually. The rationale for raising a warning when software has indeed been installed manually is that such software typically lacks a reliable periodic update process.
Some of these tools (in versions or generations that do not support Docker containers) fail to recognize that certain OS processes run from fully verified and managed Docker images retrieved from Docker Hub. Our recommendation is to treat this finding as a false alarm: the Docker distribution system, paired with the built-in version management and central update capabilities of Luminate Secure Access Cloud for Luminate Connectors, fully complies with industry best practices for version and patch management of software components.
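Before closing such a finding as a false alarm, it is worth confirming on the host that the flagged process really does run from a container image rather than being a manually installed host binary. The script below is an added example, not a Luminate or Nessus tool: for a given PID it reads `/proc/PID/cgroup` to see whether the process lives in a Docker, containerd, Kubernetes or LXC cgroup, asks the host package manager whether the executable is owned by a package, and prints a triage verdict. The cgroup path patterns and verdict wording are the author's assumptions, and the sample cgroup lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not a Luminate or Nessus tool): triage an "unpackaged daemon" scan
# finding by checking whether the flagged process runs inside a container and
# whether its binary belongs to an installed host package.
set -eu

# cgroup_indicates_container: reads /proc/<pid>/cgroup text on stdin and succeeds when
# a line points into a Docker, containerd, Kubernetes or LXC cgroup (assumed patterns).
cgroup_indicates_container() {
  grep -Eq '(/docker[/-]|/containerd[/-]|/kubepods[/.-]|/lxc/|cri-containerd-)'
}

# binary_is_packaged PATH: 0 if a package owns PATH, 1 if not, 2 if no package manager found.
binary_is_packaged() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -qf "$1" >/dev/null 2>&1
  elif command -v dpkg >/dev/null 2>&1; then
    dpkg -S "$1" >/dev/null 2>&1
  else
    return 2
  fi
}

# verdict CONTAINER(yes|no) PACKAGED(yes|no|unknown): the triage decision.
verdict() {
  case "$1/$2" in
    yes/*)  echo "container-managed: lifecycle handled by the image; likely false positive" ;;
    no/yes) echo "packaged host binary: scanner misread; verify the package is current" ;;
    no/no)  echo "unpackaged host binary: investigate, no update path is evident" ;;
    *)      echo "undetermined: no package manager found, review manually" ;;
  esac
}

# triage_pid PID: apply both checks to a live process and print the verdict.
# Note: for a containerized process /proc/PID/exe resolves inside the container's
# root, so the package lookup is only meaningful when the process is not in a container.
triage_pid() {
  pid=$1
  exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
  if cgroup_indicates_container < "/proc/$pid/cgroup"; then c=yes; else c=no; fi
  set +e
  binary_is_packaged "$exe"
  rc=$?
  set -e
  case $rc in 0) p=yes ;; 2) p=unknown ;; *) p=no ;; esac
  printf 'pid=%s exe=%s container=%s packaged=%s\n' "$pid" "$exe" "$c" "$p"
  verdict "$c" "$p"
}

if [ "${1:-}" ]; then
  triage_pid "$1"
fi
```

Run as `sh triage.sh PID` (as root, so `/proc/PID/exe` is readable) for each PID the scanner lists; a `container-managed` verdict supports the false-alarm classification, while `unpackaged host binary` means the finding deserves a closer look.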
How Secure Is the Communication Between Luminate Connectors and Luminate Secure Access Cloud (TM)?
The security measures applied to communications between the connectors and the Luminate Secure Access Cloud (TM) PoDs are described in a dedicated Knowledge Base article.
How Secure / Hardened is the Docker Container Containing Luminate Connector?
The Docker image containing Luminate Connector is hardened according to industry best practices. The image is based on Alpine Linux, a Linux distribution built on musl and BusyBox and designed primarily for security, simplicity and resource efficiency. Alpine uses a hardened kernel and compiles all user-space binaries as position-independent executables with stack-smashing protection.
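Two of the properties named above, position-independent executables and stack-smashing protection, can be checked on the binaries inside the image without trusting the build description. The script below is an added example, not Luminate's build tooling: it reads the ELF header's `e_type` field (offset 16) to distinguish `EXEC` from `DYN` (the type a PIE has, shared objects also use it), and looks for the `__stack_chk_fail` symbol reference that `-fstack-protector` introduces. It uses only `od`, `tr` and `grep` so it runs under BusyBox inside the container; the test's ELF headers are constructed minimal files.

```shell
#!/bin/sh
# Added example (not Luminate's build tooling): check PIE and stack-protector
# indicators on an ELF file using only od, tr and grep (BusyBox-compatible).
set -eu

# elf_type FILE -> prints EXEC, DYN or OTHER from e_type (offset 16, 2 bytes),
# honouring the EI_DATA byte (offset 5) for endianness. Prints NOT-ELF and fails
# when the magic is wrong. DYN covers PIE executables and shared objects alike.
elf_type() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  [ "$magic" = "7f454c46" ] || { echo "NOT-ELF"; return 1; }
  endian=$(od -An -tx1 -j5 -N1 "$1" | tr -d ' \n')   # 01 little-endian, 02 big-endian
  b=$(od -An -tx1 -j16 -N2 "$1" | tr -d ' \n')
  if [ "$endian" = "01" ]; then t=${b#??}${b%??}; else t=$b; fi
  case $t in
    0002) echo EXEC ;;
    0003) echo DYN ;;
    *)    echo OTHER ;;
  esac
}

# has_stack_protector FILE: succeeds when the binary references __stack_chk_fail,
# the canary-failure routine that -fstack-protector inserts.
has_stack_protector() {
  grep -aq '__stack_chk_fail' "$1"
}

# report FILE: one line summarising both checks.
report() {
  t=$(elf_type "$1")
  if has_stack_protector "$1"; then sp=yes; else sp=no; fi
  printf '%s type=%s stack_protector=%s\n' "$1" "$t" "$sp"
}

for f in "$@"; do
  report "$f"
done
```

To run it against the binaries shipped in an image, mount the script into a throwaway container, for example `docker run --rm -v "$PWD/elfcheck.sh:/elfcheck.sh:ro" --entrypoint /bin/sh IMAGE /elfcheck.sh /path/to/binary` (image name and path are placeholders). A static binary with no `__stack_chk_fail` string may still be protected if the check was inlined, so treat `stack_protector=no` as a prompt to look closer rather than a definitive result.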