Luminate Secure Access Cloud (TM) for Amazon Web Services

More and more enterprises are adopting Amazon Web Services as a part of their IT strategy and are transitioning their corporate IT resources from self-hosted datacenters to Infastructure-as-a-Service and Platform-as-a-Service components in Amazon Web Services.

While managing the above processes, many organizations face the hurdle of managing security for multiple AWS VPCs, as well as managing access to resources deployed there, both for technical teams and for organizational information "consumers". Trying to apply the "traditional datacenter" thinking - partitioning the network into public and private segments, setting up Site-to-Site and Remote Access VPN connections and managing access policies based on network topology will require too much work, delaying the time time-to-market of solutions and resulting in poor security architecture and bad end-user experience.

Luminate Secure Access Cloud (TM) for AWS is a service that provides a seamless enterprise-grade secure access to corporate applications and resources hosted in Amazon Web Services. The access can be done from any device located anywhere in the world and does not require deployment of any endpoint agents on the accessing devices.

Secure Access Cloud (TM) allows implementing a BeyondCorp / Zero Trust Access to AWS resources, based on the identity of the accessing party and the security posture of their device, providing a uniform access policy across all applications and IT resources, detached from the network topology. This can be achieved without deploying any VPN gateways or agents, partitioning networks into private and DMZ segments and managing complex Firewall policies.

 

Secure Access Scenarios

Luminate Secure Access Cloud (TM) is addressing the following secure access scenarios:

  • Corporate employees accessing internal applications deployed in AWS (Web applications, mobile applications, etc...)
  • Developers / DevOps / Support engineers accessing EC2 Instances (SSH, RDP) and PaaS Services (S3, RDS,  Storage  ...) with granular access and full audit of every operation on the application layer
  • Authorized 3rd parties (Consultants, Contractors, Business Line Partners, Customers) accessing applications and resources in corporate AWS VPCs without getting any privileges or network connectivity
  • Applications / Services accessing REST/SOAP API backends hosted in AWS

 

Zero Trust Access / BeyondCorp Principles

  1. Corporate IT resources are cloaked from the network - they do not have a public IP address, no open ports for inbound traffic
  2. Prior to getting any kind of access to the resource, the accessing party needs to be authenticated, its device's security posture should be inspected, and only then will it undergo multi-dimensional authorization 
  3. After being authorized, the accessing party gets only application-level access to the requested resource, never a network access

Unique to Luminate: every operation performed by the accessing party gets audited and governed by a flexible multi-dimensional policy, allowing complete visibility into the user activity and automatic responses to various scenarios.

Zero_Trust_Principles.PNG

Architecture

Luminate Secure Access Cloud (TM) serves as a connectivity broker between the "consumers" of corporate IT resources and the actual resources hosted in the AWS. The connectivity is delivered from a highly-distributed fabric, providing points of delivery (PoDs) located in every AWS Region, close to the resources that are being served.

AWS_Architecture.PNG

The ability to access corporate resources deployed in AWS VPCs via the Secure Access Cloud is obtained by deploying Luminate Connectors depicted by Rectangular-90x90.png in the diagram above. This cloud-native component is delivered as self-managing containerized service that doesn't require any inbound connectivity. Instead, it requires a standard outbound connectivity over TCP Port 443 to the Luminate Secure Access Cloud services, as well as an ability to connect over TCP to the applications and services it is serving.

The Luminate Connectors can be deployed inside AWS VPCs in any of the following ways:

  1. As a container on EC2 Instances
  2. As a task/service in EC2 Elastic Container Service (or Elastic Kubernetes Service)
  3. On EC2 Spot Instances managed by Spotinst (for availability)

While deploying Connectors on EC2 Instances is the simplest, the latter two methods offer a real cloud-native scalability and resilience, without the need to manage costly infrastructures.

 

Benefits

  • Simplicity
    • No need to deploy physical or virtual appliances
    • No need to partition networks
    • No need to deploy endpoint/mobile agents
    • Instantly available in all AWS Regions
  • Security
    • Cloaking of corporate IT infrastructure
    • No network access
    • Complete visibility and governance of user activity
  • Cost-efficiency
    • Elastic Software-as-a-Service with pay-as-you-grow model
    • Huge savings in CAPEX and OPEX when compared to the traditional access model
    • 100% Software-Defined, integrated into Configuration Automation and Infrastructure as Code