This article describes the architecture of Zero Trust Access to corporate applications, resources and workloads with Luminate Secure Access Cloud (TM). To understand more about the platform and its operation, please refer to Frequently Asked Questions.
The diagram below defines the layers of the solution that are explained in detail in this article:
1. Identity / Access Management
Existing enterprise solutions, deployed either as a service (IDaaS) or on corporate premises. Luminate Secure Access Cloud (TM) can integrate with any SAML, OpenID Connect/OAuth2 provider, as well as with dedicated on-premises deployments of Microsoft Active Directory and other LDAP-based identity solutions.
For details on supported authentication providers, please see this Knowledge Base article.
2. Endpoint Devices
Luminate Secure Access Cloud (TM) is a client-less solution, capable of providing secure access from any PC platform (Windows, Mac OS X or Linux) or any mobile platform (iOS, Android, etc...), as well as from dedicated embedded or thin-client platforms (Chromebook, etc...).
The secure connectivity is delivered using the standard applications, such as (but not limited to) Web Browsers, SSH Clients, RDP Clients, as well as dedicated applications for accessing Databases, Data warehouses and other special repositories.
To ensure that access to sensitive corporate resources is performed only from compliant devices, Luminate Secure Access Cloud (TM) can integrate with Endpoint Threat Detection and Response (EDR), Mobile Device Management and Device Security Posture management solutions. For an example of such integration, please see the integration with OPSWAT MetaAccess.
3. Endpoint connectivity to Luminate Secure Access Cloud PoDs
The connectivity between applications running on users' endpoints and Luminate Secure Access Cloud (TM) PoDs is done over point-to-point secure connections using TLS 1.2.
Below table summarizes various connectivity scenarios, as well as authentication schemes supported by the solution:
4. Luminate Secure Access Cloud (TM) PoDs
Luminate Secure Access Cloud (TM) Points of Delivery are deployed in resilient and scalable Infrastructure-as-a-Service datacenters managed by Amazon Web Services and Microsoft Azure. Each Point of Delivery is deployed as immutable infrastructure, isolated from all other networks managed by Luminate.
The PoDs and the service operations are subject to continuous internal and external audits and reports and certifications, such as, but not limited to:
- AICPA SSAE 18 SOC 2 Type II Report
- ISO 27001 Certificate
- Amazon Web Services Well Architected Review/Report
- Penetration Tests performed by 3rd party organizations
Luminate Security deploys numerous management, monitoring and security solutions to ensure uninterrupted service for our customers, including protection from advanced attacks, including Distributed Denial of Service.
For more details on the subject of security and compliance of Luminate Secure Access Cloud (TM) service, please see: How Luminate Security Protects Customer Data
5. Luminate Connectors connectivity to Luminate Secure Access Cloud PoDs
The connectivity between Luminate Connectors and the Luminate Secure Access Cloud (TM) PoDs is performed via outgoing (from the Connectors, deployed in the customer datacentes) connections over TCP Port 443 to the PoD.
Each Connector opens a number of persistent communication channels. This KB article describes the communications, including authentication scheme, in details.
6. Luminate Connectors
Luminate Connectors are lightweight software agents that are deployed in the customer datacenters (physical and virtual). Connectors help implementing network access isolation, required by the Zero Trust Access model, by opening outbound communication channels to Luminate Secure Access Cloud PoDs and brokering the requests from accessing parties to the corporate applications, services and workloads.
Connectors are cloud-native resilient and scalable components, distributed as Docker Containers. They can be deployed on any physical or virtual server, as well as inside Container Orchestration environments, such as Kubernetes, Amazon Elastic Container Service, Azure Container Instances, e.t.c.
Connectors support full high-availability and load-balancing and can scale horizontally to support growing amount of connections. Upon its creation, each connector is initiated with a unique One-Time Token
7. Luminate Connectors connectivity to corporate applications, services and workloads
Connectivity between Luminate Connectors and the corporate applications, resources and workloads that are accessed via Luminate Secure Access Cloud (TM) takes place inside the customers' datacenters.
The amount of Luminate Sites / Connectors in each datacenter depends on the network segmentation strategy adopted by the company using Luminate Secure Access Cloud (TM). The only requirement is that the Connectors must be able to access the internal address of the configured resource via TCP/IP. It is our firm recommendation to adopt internal network segmentation strategies targeted at preventing lateral movements resulting from potential application vulnerabilities. There is no limitation on amount of Luminate Connectors that can be deployed in a single environment.
It is our firm recommendation to use encrypted communications inside the datacenter. This means, that, when defining internal addresses for (for example) Web Applications or REST/SOAP API Endpoints, it is preferable to use HTTPS over HTTP. If an Enterprise CA is used for internal HTTPS communications, please refer to this procedure to configure trust between the Enterprise CA and Luminate Connectors.