Zero-Trust Policies

  • Updated on Oct 12, 2022

Banyan provides a human-readable policy framework so that admins can implement zero-trust access controls in their orgs.

Traditionally, access control policies have relied on powerful but dense constructs such as XACML rules or IP allow lists. As the population of client entities requiring access to corporate resources grew more diverse, and as more security tools were deployed to protect enterprise environments, managing those policies became increasingly complex: enterprise IT teams struggled with rule proliferation, attribute maintainability, and reconciling the differing nomenclatures of their tools.

The Banyan policy framework enables enterprises to deploy zero-trust security, at scale, across modern enterprise environments, enforcing security policies across diverse client types and integrating with teams’ existing security tools. Our framework uses a few core concepts:

  1. Service - a corporate resource to which you provision secure access using Banyan
  2. Role - a category of client entities
  3. Trust Scoring - a calculation of the level of trust associated with a client entity
  4. Policy - authorization rules that specify which Roles, at what minimum Trust Level, can access a corporate resource

Roles

A Role is an admin-defined group of users and devices that need access to a Service.

Roles allow admins to combine user attributes and device attributes into a single construct and then enforce security policies based on those combined attributes. User attributes (such as Group and Email) are obtained from the organization’s Identity Provider, while device attributes (such as Device Ownership and Registration) are obtained either from the organization’s Device Manager or by the Banyan app running on the device. Users on devices that match the specified attributes can assume the specified Role.

The specific access privileges of a Role are determined by the Policies that mention the Role.

For more information on configuring Roles, refer to the section on Roles.

Trust Scoring

A Trust Level is the result of the Trust Scoring calculation and is one of: Always Deny, Low, Medium, or High. The meaning of each Trust Level can be found in our glossary.

The Trust Level is computed in real time, using machine learning over user, device, infrastructure, and network Trust Factors collected both from our sensors and from third-party security tools already deployed in the enterprise environment.

The Trust Level is used in zero-trust authorization decisions: in each Policy, admins specify the minimum Trust Level an entity must have to access a Service.

Banyan analyzes raw information about a device (such as its features and settings) and classifies it into Trust Factor categories. Trust Factors typically cover security measures (such as firewall, disk encryption, and screen lock), preferred applications (such as corporate-managed or productivity-related applications), and general posture (such as a minimum allowed OS version).

For more information on configuring Trust Scoring, refer to the section on Device Trust Scoring.
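To make the path from raw device posture to Trust Factors to Trust Level concrete, here is an added Python example. It is not Banyan's scoring engine (which the page describes as machine-learning based); this stand-in uses a fixed, deterministic rule. The posture fields, the Trust Factor names, the minimum OS version, the required application name and the aggregation rule are all assumptions for illustration:

```python
"""Illustrative trust scoring: device posture -> Trust Factors -> Trust Level.

Added example, not Banyan's code. Factor names, thresholds and the
aggregation rule are assumptions; Banyan's real model is ML-based.
"""
from dataclasses import dataclass, field

# Ordered from least to most trusted. "Always Deny" is special-cased below:
# it is not just the lowest rank, it never satisfies any minimum.
TRUST_LEVELS = ["Always Deny", "Low", "Medium", "High"]

# Assumed org baselines (not from the page).
MIN_OS_VERSION = (12, 0)          # e.g. macOS 12.0
REQUIRED_APPS = {"corp-edr"}      # corporate-managed app that must be present


@dataclass
class DevicePosture:
    """Raw device facts as a device manager or the endpoint app might report them."""
    os_version: tuple
    firewall_enabled: bool
    disk_encrypted: bool
    screen_lock_enabled: bool
    managed_apps: set = field(default_factory=set)
    registered: bool = True


def classify_factors(d: DevicePosture) -> dict:
    """Map raw posture into named Trust Factors (True = factor satisfied)."""
    return {
        "firewall": d.firewall_enabled,
        "disk_encryption": d.disk_encrypted,
        "screen_lock": d.screen_lock_enabled,
        "min_os_version": d.os_version >= MIN_OS_VERSION,
        "required_apps": REQUIRED_APPS <= d.managed_apps,
    }


def trust_level(d: DevicePosture) -> str:
    """Aggregate factors into a Trust Level (assumed rule):
    unregistered device -> Always Deny; every factor satisfied -> High;
    all security measures present but something else missing -> Medium;
    any security measure missing -> Low."""
    if not d.registered:
        return "Always Deny"
    factors = classify_factors(d)
    if all(factors.values()):
        return "High"
    security_measures = ("firewall", "disk_encryption", "screen_lock")
    if all(factors[f] for f in security_measures):
        return "Medium"
    return "Low"


def meets_minimum(level: str, minimum: str) -> bool:
    """True when `level` satisfies a Policy's minimum Trust Level.
    Always Deny fails every minimum, so no Policy can admit it."""
    if level == "Always Deny":
        return False
    return TRUST_LEVELS.index(level) >= TRUST_LEVELS.index(minimum)


if __name__ == "__main__":
    # Constructed sample devices.
    laptop = DevicePosture((13, 2), True, True, True, {"corp-edr"})
    outdated = DevicePosture((11, 6), True, True, True, {"corp-edr"})
    print(trust_level(laptop), trust_level(outdated))
```

The point worth carrying into any real deployment is the last function: Always Deny is treated as a separate outcome rather than the lowest rank, so a mis-ordered comparison can never let an "Always Deny" device through a Policy whose minimum happens to be Low.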

Policies

A Policy is a set of authorization rules that specifies which client entities can access a given Service.

Banyan bases Policies on Roles rather than on individual client entities, simplifying policy creation by grouping entities with similar access privileges. Admins create Policies that specify the Roles and the Trust Level requirements for the user and device accessing a Service.

For example, a Policy might grant access to web services only to entities that hold both the Engineering and employee-owned Roles (that is, members of the engineering team on their own registered devices), and require at least a Medium Trust Level (Medium or High) to reach the applicable Service(s).

For more information on configuring Policies, refer to the section on Policies.
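As an added example covering both the Roles and the Policies sections above (not Banyan's policy syntax or evaluation code), the following Python models Role matching on combined user and device attributes and a deny-by-default Policy check. The attribute names, the sample Roles and entities, and the reading that a Policy listing several Roles requires the entity to hold all of them are assumptions; the Trust Level is taken as an input already produced by trust scoring:

```python
"""Illustrative Role matching and Policy evaluation.

Added example, not Banyan's code. Data shapes and semantics are assumptions.
"""
from dataclasses import dataclass

TRUST_LEVELS = ["Always Deny", "Low", "Medium", "High"]


@dataclass(frozen=True)
class Entity:
    """A user on a device: IdP attributes plus device attributes plus Trust Level."""
    email: str
    groups: frozenset            # IdP groups
    device_ownership: str        # assumed values: "Corporate" or "Employee"
    device_registered: bool
    trust_level: str


@dataclass(frozen=True)
class Role:
    """Admin-defined group. An entity assumes the Role when every set constraint
    matches; an empty constraint means 'don't care'."""
    name: str
    groups: frozenset = frozenset()      # member of any one of these IdP groups
    email_domain: str = ""               # required e-mail domain
    device_ownership: str = ""           # required device ownership
    require_registered: bool = False     # device must be registered

    def matches(self, e: Entity) -> bool:
        if self.groups and not (self.groups & e.groups):
            return False
        if self.email_domain and not e.email.lower().endswith("@" + self.email_domain):
            return False
        if self.device_ownership and e.device_ownership != self.device_ownership:
            return False
        if self.require_registered and not e.device_registered:
            return False
        return True


@dataclass(frozen=True)
class Policy:
    """Grants `service` to entities holding ALL of `roles` (assumed reading)
    at `min_trust_level` or better."""
    service: str
    roles: frozenset
    min_trust_level: str


# Constructed sample configuration mirroring the page's example.
ROLES = [
    Role("Engineering", groups=frozenset({"engineering"}), email_domain="example.com"),
    Role("EmployeeOwned", device_ownership="Employee", require_registered=True),
]
POLICIES = [
    Policy("web-services", frozenset({"Engineering", "EmployeeOwned"}), "Medium"),
]


def assumed_roles(e: Entity, roles=ROLES) -> set:
    """Names of every Role whose constraints the entity satisfies."""
    return {r.name for r in roles if r.matches(e)}


def authorize(e: Entity, service: str, policies=POLICIES, roles=ROLES) -> bool:
    """Deny by default; allow only when some Policy for the Service is satisfied.
    Always Deny short-circuits even if every Role matches."""
    if e.trust_level == "Always Deny":
        return False
    held = assumed_roles(e, roles)
    for p in policies:
        if p.service != service or not p.roles <= held:
            continue
        if TRUST_LEVELS.index(e.trust_level) >= TRUST_LEVELS.index(p.min_trust_level):
            return True
    return False


if __name__ == "__main__":
    alice = Entity("alice@example.com", frozenset({"engineering"}), "Employee", True, "High")
    print(assumed_roles(alice), authorize(alice, "web-services"))
```

Two properties of this shape are what make Role-based Policies safe to reason about: the decision is deny-by-default (no matching Policy means no access), and Role membership is recomputed from current user and device attributes at each evaluation rather than stored, so a device that loses registration or a user who leaves the engineering group stops assuming the Role immediately.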

What’s next

Review the Glossary of terms used in the Banyan product.
