Private Access Security
Private Access security enables you to implement zero-trust security for your application and network service access. Use Private Access security to tailor the verification process for specific users and applications, hosts, subnets, or domains. Private Access security takes the place of a traditional VPN, providing secure connections between your organization's applications, resources, and users.
How it Works
To implement Private Access security, you deploy connectors for the assets you want to protect. Connectors serve as the bridge between Lacework Edge and those assets, and route traffic between your users and those resources.
You should deploy a connector in any network that can access private applications or services that you want to secure. You can also deploy connectors for SaaS applications used in your organization, such as GitHub and Atlassian Cloud. Lacework Edge lets you apply workflows to access those applications and improve your visibility. For example, you can apply a custom authentication workflow for a user connecting to Jira from an unusual geographic location.
As a best practice, you should deploy connectors as a cluster or pair for load balancing and fault tolerance. When deploying a connector, you give the connector a token. To create a cluster of connectors, simply assign each connector the same token. See Lacework Edge Connectors for more information.
Once you deploy connectors, you can assign the applications you want to protect to these connectors. You can then build workflows to define how users access those resources.
Before Starting
If you are setting up Lacework Edge, there are some basic tasks you may wish to address first. These include setting up users in Lacework Edge, which you would typically do by integrating an existing identity provider. You may also set up the look and feel of Lacework Edge as appropriate for your organization's brand. See Set up integrations with your SSO/SAML and Identity Providers for more information.
Implementing Private Access security involves a few high-level steps: defining and deploying connectors in the Lacework Edge admin console, defining the applications that you want to make available to your users through those connectors, and then adding policies pertaining to those applications, which may include custom workflows. The steps are as follows.
Step 1: Deploy Connectors
Lacework Edge provides several ways to deploy connectors. Deploying by AWS CloudFormation or Helm (for Kubernetes) enables you to deploy multiple connectors at once. You can also deploy a connector individually, using a machine image or Linux/Windows package.
For details, see Lacework Edge Connectors and Connector Deployment.
Step 2: Create Applications and Networks
Applications and networks in the Lacework Edge configuration represent individual services and networks you want to make available to users through connectors. Applications specify a host and connector through which to route user traffic.
For details, see Lacework Edge Applications.
Step 3: Create Security Policies
A security policy defines access conditions for one or more applications. It also specifies the action to be taken when the conditions set forth in the policy are met. The action could be to block traffic, allow traffic, or apply a workflow. For example, a policy can block user traffic to a known phishing site or permit all user traffic directly to Zoom, bypassing a connector.
For details, see Security Policies.
Step 4: Create Workflows
When users attempt to access a protected resource, a workflow can be triggered that adds a custom experience. For example, a workflow may consist of detecting that a user's device is active from a new location and subsequently requiring confirmation via Okta MFA. As another example, when someone outside of an engineering organization attempts to access an engineering application (such as Jira or GitHub), the workflow can require an admin's approval.
For details, see Workflows.