Summary
As we noted in our recent report on Centrify, the traditional security model – based on a hardened network perimeter, where access to applications or other resources was based on whether you were inside that boundary ('trusted') or outside ('untrusted') – has largely broken down with the rise of cloud and mobile computing. As such, we have seen the rise of a new conceptual framework, variously referred to as 'zero trust,' 'BeyondCorp,' 'conditional access,' 'application-based access control' or, 451 Research's preference, 'conditional access management,' in which the permission to access corporate resources is no longer based mainly on where you are but more on who you are and what you are allowed to do based on your role and other contextual attributes.
Luminate is one of a handful of vendors that have emerged to specifically address the zero-trust concept. Its new offering can provide access to any type of application, from any device, without requiring a VPN, agent software or network proxy – or what the company refers to as 'zero trust delivered as a service.' In a sense, Luminate can be viewed as a logical progression of identity as a service (IDaaS), although rather than gating employee access to primarily web-based SaaS apps, its mission is to securely connect any corporate user, employing any device, to any corporate application or resource, regardless of where it is located – on-premises, in the cloud, or some combination. Luminate can also be considered an extension of a cloud access security broker (CASB) since it can monitor user behavior post-login, but for more than just SaaS apps.
The 451 Take
Historically, VPNs and DMZs have been a staple of most firms' strategies for controlling access to corporate resources by remote employees, contractors and partners. However, VPNs can be operationally complex to maintain, expensive, and inconvenient for users – and adding cloud and BYOD to the mix further complicates matters. Google's BeyondCorp architecture provides many advantages over the old perimeter-based model, but it took even mighty Google several years to design and implement – smaller vendors without Google's resources need not apply. Luminate's attempt to offer the essential elements of the BeyondCorp model as a cloud-based service with little to no capex requirements strikes us as a compelling alternative to other efforts at achieving a zero-trust environment that rely on network gateways or client software.
Context
Palo Alto, California-based Luminate Security was founded in 2016 by CEO Ofer Smadari, CTO Leonid Belkind and chief product officer Eldad Livni. Smadari has extensive CASB experience, having previously worked at Adallom (acquired by Microsoft in 2015 for an estimated $250m, according to 451 Research's M&A KnowledgeBase) and FireLayers (acquired by Proofpoint in 2016 for $55m), while Belkind and Livni spent over a decade at Check Point Software. The company has nearly 50 employees, with offices in Boston and Tel Aviv. Luminate has raised a total of $14m in venture funding, most recently an $ 11m series A round led by U.S. Venture Partners and Aleph, an early-stage Israeli VC firm started by former members of Benchmark Capital.
Technology
Google's BeyondCorp reference architecture was published in a series of papers in 2014, and was recently commercialized as the Identity-Aware Proxy and Context-aware access. Conceptually, the zero-trust model is similar to the positive security model that has been around for years and utilized by proxy firewalls and application whitelisting products – essentially, deny all access by default, and only allow those users and devices that are expressly permitted by policy. It could be argued that zero-trust networking builds on initial work done by the Jericho Forum in the early 2000s.
There are potentially many moving parts to a full zero-trust implementation, but one main benefit is to provide access to applications (and other resources) without exposing them to the public internet, which in turn should help greatly reduce an organization's attack surface. Additionally, such an architecture could allow mobile workers, partners, suppliersand consultants to access applications without the hassle and cost of setting up a VPN.
There are potentially many moving parts to a full zero-trust implementation, but one main benefit is to provide access to applications (and other resources) without exposing them to the public internet, which in turn should help greatly reduce an organization's attack surface. Additionally, such an architecture could allow mobile workers, partners, suppliers
Products
Luminate refers to its offering as Secure Access Cloud, and unlike most zero-trust access products that require the deployment of gateway devices or agent software, the company claims that it can achieve its remote access objectives without any network security appliance (physical or virtual) or agents to install, and also with no need to partition networks into 'internal' and 'external' segments or to open network connections.
In lieu of network proxies or client software, Luminate offers a connector (essentially a Docker container) that lives near the target resource and brokers connectivity between users and those resources. Rather than a client, users access a browser-based application to access web-based apps, type in the URL of the app they are looking to access, and log in with a password or multi-factor authentication (MFA), just like accessing a SaaS app. The vendor also provides an application portal that is similar to a single sign-on (SSO) portal offered by IDaaS specialists for accessing SaaS apps. Additionally, Luminate can gate access to legacy resources via an RDP client or secure TCP tunnel.
One of the advantages of the company's approach is that corporate resources can be completely isolated from inbound network access, with no public IP addresses or ports exposed to the internet, thus reducing an organization's attack surface. Another benefit is that since it doesn't rely on a network connection, Luminate can observe users' behavior after they have logged in, and apply behavioral analytics to look for anomalous usage, as well as provide a full audit trail of application and resource usage for compliance purposes. In terms of architecture, Secure Access Cloud is a distributed network of elastic datacenters that run on top of either AWS or Microsoft Azure, and Luminate claims that new points of presence in different regions can be turned on in minutes based on customer demand, and are fully compliant with regulations such as PCI, HIPAA, GDPR, etc.
In lieu of network proxies or client software, Luminate offers a connector (essentially a Docker container) that lives near the target resource and brokers connectivity between users and those resources. Rather than a client, users access a browser-based application to access web-based apps, type in the URL of the app they are looking to access, and log in with a password or multi-factor authentication (MFA), just like accessing a SaaS app. The vendor also provides an application portal that is similar to a single sign-on (SSO) portal offered by IDaaS specialists for accessing SaaS apps. Additionally, Luminate can gate access to legacy resources via an RDP client or secure TCP tunnel.
One of the advantages of the company's approach is that corporate resources can be completely isolated from inbound network access, with no public IP addresses or ports exposed to the internet, thus reducing an organization's attack surface. Another benefit is that since it doesn't rely on a network connection, Luminate can observe users' behavior after they have logged in, and apply behavioral analytics to look for anomalous usage, as well as provide a full audit trail of application and resource usage for compliance purposes. In terms of architecture, Secure Access Cloud is a distributed network of elastic datacenters that run on top of either AWS or Microsoft Azure, and Luminate claims that new points of presence in different regions can be turned on in minutes based on customer demand, and are fully compliant with regulations such as PCI, HIPAA, GDPR, etc.
Strategy
For its go-to-market strategy, Luminate has a mix of both channel and direct sales, with technology and financial services as key verticals. Pricing includes two components: a per-user, per-month subscription fee, and a platform fee based on the size of the customer's IT estate.A key part of the company's strategy is to offer a 'pluggable' platform that allows organizations to leverage existing security investments so they can work with MFA offerings from the likes of Google, Duo Security (soon to be part of Cisco), Symantec, etc. Luminate can also provide an extra layer on top of existing IDaaS offerings, enabling access to a broad range of corporate resources in addition to just SaaS applications. Finally, Luminate can integrate with existing endpoint detection and response, enterprise mobility management, or device security posture verification services to validate mobile devices before granting access.
Competition
Luminate will potentially compete with DIY efforts by enterprises looking to cobble together a zero-trust architecture using pieces from various vendors offering PKI, MFA, VPN, SSO, CDNs and other tools. Identity management providers specifically addressing the zero-trust concept include Duo Security (recently acquired by Cisco for $2.4bn) with its DuoBeyond offering, Microsoft (Conditional Access) and Centrify (recently acquired by Thoma Bravo for an estimated $500m, according to the M&A KnowledgeBase).
There is also an emerging cottage industry of vendors specifically addressing zero-trust – or what has come to be known as software-defined perimeter (SDP) – offerings. This list includes but is not limited to Vidder, whose PrecisionAccess enables secure remote access to applications using lightweight client software that works at the TCP layer to 'shrink' the perimeter around a single app. Others with offerings that touch on the zero-trust/SDP concept include Cryptzone, Cyxtera, Edgewise Networks, Meta Networks, FortyCloud, Safe-T, Zscaler, Pertino and Hamachi (LogMeIn), all of which are designed to allow employees to access corporate resources and applications without exposing them to the internet, although Pertino and FortyCloud are more focused on accessing devices as opposed to apps.
Given their highly distributed networks, CDN providers are also logical players in this space. In 2016, Akamai bought Soha Systems, which had built a multi-tenant application access control service aimed at cloud-hosted enterprise (employee-facing) apps being accessed by employees or partners. Cloudflare developed Cloudflare Access, which was built to allow mobile employees to access applications without a VPN, and later offered the service to its customers. ScaleFT (recently acquired by Okta) was inspired by the BeyondCorp model and uses a CDN-like architecture to allow employees and partners to access internal applications without a VPN. Google is arguably the 'grandfather' of the zero-trust concept with its BeyondCorp reference architecture built for the company's internal networks, parts of which are publicly available from Google under the Identity-Aware Proxy and Context-aware access monikers.
There is also an emerging cottage industry of vendors specifically addressing zero-trust – or what has come to be known as software-defined perimeter (SDP) – offerings. This list includes but is not limited to Vidder, whose PrecisionAccess enables secure remote access to applications using lightweight client software that works at the TCP layer to 'shrink' the perimeter around a single app. Others with offerings that touch on the zero-trust/SDP concept include Cryptzone, Cyxtera, Edgewise Networks, Meta Networks, FortyCloud, Safe-T, Zscaler, Pertino and Hamachi (LogMeIn), all of which are designed to allow employees to access corporate resources and applications without exposing them to the internet, although Pertino and FortyCloud are more focused on accessing devices as opposed to apps.
Given their highly distributed networks, CDN providers are also logical players in this space. In 2016, Akamai bought Soha Systems, which had built a multi-tenant application access control service aimed at cloud-hosted enterprise (employee-facing) apps being accessed by employees or partners. Cloudflare developed Cloudflare Access, which was built to allow mobile employees to access applications without a VPN, and later offered the service to its customers. ScaleFT (recently acquired by Okta) was inspired by the BeyondCorp model and uses a CDN-like architecture to allow employees and partners to access internal applications without a VPN. Google is arguably the 'grandfather' of the zero-trust concept with its BeyondCorp reference architecture built for the company's internal networks, parts of which are publicly available from Google under the Identity-Aware Proxy and Context-aware access monikers.
Garrett Bekker
Principal Security Analyst
Garrett Bekker is a Principal Analyst in the Information Security Practice at 451 Research. He brings a unique and diverse background, having viewed enterprise security from a variety of perspectives over the past 16 years.
Jeremy Korn
Research Associate
Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received
Aaron Sherrill
Senior Analyst
Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation