Zero Trust Policies
- Updated on Jun 16, 2021
Banyan provides a simple, human-readable policy framework to implement Zero Trust access controls.
Traditionally access control policies rely on powerful but dense policy constructs based on XACML or IP Whitelisting. However, as the population of client entities that require access to sensitive corporate resources grows increasingly diverse, and as more security tools are operationalized to protect enterprise environments, these tools grow increasingly complex and hard to maintain. Enterprise IT teams struggle with rule proliferation, attribute maintainability, and rationalizing different tools’ nomenclatures.
The Banyan policy framework enables enterprises to deploy Zero Trust security at scale across modern enterprise environments, enforce security policies across diverse client types and integrate with existing security tools. We use a few core concepts:
- Service - corporate resources that you provision secure access to by using Banyan
- Role - a collection of client entities
- TrustScore - quantification of the level of trust and risk associated with a given every client entity
- Policy - authorization rules that specify which clients and what level of trust can access a corporate resource
A Role is an abstraction that is mapped to a collection of client entities (typically, your users and devices) that will need access to a Service.
Roles allow you to combine user attributes and device attributes into a single construct and then enforce security policies based on those combined attributes. User attributes (such as Group and Email) are obtained from the organization’s Identity Provider, while device attributes (such as Device Ownership and Registration) are obtained either from the organization’s Device Manager or by the Banyan App running on the device. Users on devices that match the specified attributes can assume the specified Role.
The specific access privileges of a Role are determined by the Policies that mention the Role.
For more information on configuring Roles, refer to the section on Roles.
A TrustScore is number from 0 to 100, computed in real-time using machine-learning based on user, device, infrastructure, network, and application factors collected from both our sensors and third-party security tools already deployed in enterprise environments.
A TrustScoring algorithm then assigns a simplified Trust Level of High/Medium/Low to every entity, for use in Zero Trust authorization decisions. Administrators can then specify Policies with the minimum allowed Trust Level needed for an entity to access a Service.
The Banyan platform today primarily applies TrustScoring to devices. For device TrustScores, Banyan analyzes raw information about a device (such as its features and settings) and converts it into TrustScore Factors that can be processed by machine-learning algorithms. TrustScore Factors typically involve security measures (such as firewall, disk encryption, screen lock, etc.), preferred applications (such as corporate-managed or productivity-related applications), general performance (minimum allowed OS version), and more.
For more information on configuring TrustScoring, refer to the section on Device TrustScoring.
A Policy is a set of authorization rules that specifies which client entities can access a given Service.
Banyan bases Policies on Roles rather than individual client entities, simplifing policy creation by grouping entities with similar access privileges. Admins create Policies that specify the Roles and Trust Level requirement for the user and device accessing a service.
The example below shows an example policy that only grants access for Web services to the
employee-owned Roles, which only include members of the engineering team who own their own registered devices. Furthermore, users having these roles must have at least Medium or High Trust Levels to access the applicable service(s).
For more information on configuring Policies, refer to the section on Policies.
Review the Glossary of terms used in the Banyan product.