As we noted in our recent report on Centrify, the traditional security model – based on a hardened network perimeter, where access to applications or other resources was based on whether you were inside that boundary ('trusted') or outside ('untrusted') – has largely broken down with the rise of cloud and mobile computing. As such, we have seen the rise of a new conceptual framework, variously referred to as 'zero trust,' 'BeyondCorp,' 'conditional access,' 'application-based access control' or, 451 Research's preference, 'conditional access management,' in which the permission to access corporate resources is no longer based mainly on where you are but more on who you are and what you are allowed to do based on your role and other contextual attributes.
The 451 Take
There are potentially many moving parts to a full zero-trust implementation, but one main benefit is to provide access to applications (and other resources) without exposing them to the public internet, which in turn should help greatly reduce an organization's attack surface. Additionally, such an architecture could allow mobile workers, partners, suppliers
In lieu of network proxies or client software, Luminate offers a connector (essentially a Docker container) that lives near the target resource and brokers connectivity between users and those resources. Rather than a client, users access a browser-based application to access web-based apps, type in the URL of the app they are looking to access, and log in with a password or multi-factor authentication (MFA), just like accessing a SaaS app. The vendor also provides an application portal that is similar to a single sign-on (SSO) portal offered by IDaaS specialists for accessing SaaS apps. Additionally, Luminate can gate access to legacy resources via an RDP client or secure TCP tunnel.
One of the advantages of the company's approach is that corporate resources can be completely isolated from inbound network access, with no public IP addresses or ports exposed to the internet, thus reducing an organization's attack surface. Another benefit is that since it doesn't rely on a network connection, Luminate can observe users' behavior after they have logged in, and apply behavioral analytics to look for anomalous usage, as well as provide a full audit trail of application and resource usage for compliance purposes. In terms of architecture, Secure Access Cloud is a distributed network of elastic datacenters that run on top of either AWS or Microsoft Azure, and Luminate claims that new points of presence in different regions can be turned on in minutes based on customer demand, and are fully compliant with regulations such as PCI, HIPAA, GDPR, etc.
Strategy
For its go-to-market strategy, Luminate has a mix of both channel and direct sales, with technology and financial services as key verticals. Pricing includes two components: a per-user, per-month subscription fee, and a platform fee based on the size of the customer's IT estate.
A key part of the company's strategy is to offer a 'pluggable' platform that allows organizations to leverage existing security investments so they can work with MFA offerings from the likes of Google, Duo Security (soon to be part of Cisco), Symantec, etc. Luminate can also provide an extra layer on top of existing IDaaS offerings, enabling access to a broad range of corporate resources in addition to just SaaS applications. Finally, Luminate can integrate with existing endpoint detection and response, enterprise mobility management, or device security posture verification services to validate mobile devices before granting access.
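To make the conditional-access model described above concrete, here is an added illustration (not Luminate's or 451 Research's code) of a deny-by-default broker policy: the decision rests on who the user is, their role, and contextual attributes such as MFA and device posture, and every decision is written to an audit trail. The application URLs, roles and policies are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    app: str                 # the URL the user typed into the access portal
    mfa_verified: bool       # result from the pluggable MFA provider
    device_compliant: bool   # result from the device posture verification service

@dataclass(frozen=True)
class AppPolicy:
    allowed_roles: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True

# Constructed sample policies; anything not listed here is never reachable.
POLICIES = {
    "https://git.internal.example": AppPolicy(frozenset({"engineer", "admin"})),
    "https://payroll.internal.example": AppPolicy(frozenset({"finance", "admin"})),
    "https://wiki.internal.example": AppPolicy(
        frozenset({"engineer", "finance", "admin"}), require_compliant_device=False),
}

AUDIT_LOG = []  # one record per decision, allow or deny, for compliance review

def evaluate(req: AccessRequest, policies=POLICIES):
    """Decide whether the broker should connect this user to this app.

    Returns (allowed, reasons); reasons is empty when access is granted.
    """
    reasons = []
    policy = policies.get(req.app)
    if policy is None:
        # Deny by default: the broker exposes no resource it has no policy for.
        reasons.append("unknown application")
    else:
        if req.role not in policy.allowed_roles:
            reasons.append(f"role {req.role!r} not permitted")
        if policy.require_mfa and not req.mfa_verified:
            reasons.append("MFA not verified")
        if policy.require_compliant_device and not req.device_compliant:
            reasons.append("device posture check failed")
    allowed = not reasons
    AUDIT_LOG.append({"user": req.user, "app": req.app,
                      "allowed": allowed, "reasons": tuple(reasons)})
    return allowed, reasons
```

Because the connector only ever dials out to the broker, a denied request never reaches the application's network; the audit record is the only trace it leaves.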
There is also an emerging cottage industry of vendors specifically addressing zero-trust – or what has come to be known as software-defined perimeter (SDP) – offerings. This list includes but is not limited to Vidder, whose PrecisionAccess enables secure remote access to applications using lightweight client software that works at the TCP layer to 'shrink' the perimeter around a single app. Others with offerings that touch on the zero-trust/SDP concept include Cryptzone, Cyxtera, Edgewise Networks, Meta Networks, FortyCloud, Safe-T, Zscaler, Pertino and Hamachi (LogMeIn), all of which are designed to allow employees to access corporate resources and applications without exposing them to the internet, although Pertino and FortyCloud are more focused on accessing devices as opposed to apps.
Given their highly distributed networks, CDN providers are also logical players in this space. In 2016, Akamai bought Soha Systems, which had built a multi-tenant application access control service aimed at cloud-hosted enterprise (employee-facing) apps being accessed by employees or partners. Cloudflare developed Cloudflare Access, which was built to allow mobile employees to access applications without a VPN, and later offered the service to its customers. ScaleFT (recently acquired by Okta) was inspired by the BeyondCorp model and uses a CDN-like architecture to allow employees and partners to access internal applications without a VPN. Google is arguably the 'grandfather' of the zero-trust concept with its BeyondCorp reference architecture built for the company's internal networks, parts of which are publicly available from Google under the Identity-Aware Proxy and Context-aware access monikers.
Garrett Bekker is a Principal Analyst in the Information Security Practice at 451 Research. He brings a unique and diverse background, having viewed enterprise security from a variety of perspectives over the past 16 years.
Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received
Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation