What is the Banyan Zero-Trust Access Platform?
- Updated on May 11, 2022
- The challenge with traditional controls
- The Banyan solution - zero-trust security
- Deployment Models
With corporate applications and services deployed across hybrid clouds (on-premise, cloud IaaS, cloud SaaS, etc) and clients that have an ever-changing security posture (mobile workers, third-parties, other applications, etc), a platform with secure– and scalable– access controls is critical.
The challenge with traditional controls
Organizations have traditionally relied on network tools, such as VPNs, bastion hosts, and firewalls, to manage access to private applications and servers. These tools were designed to integrate with on-premise directory services, granting users network access to on-premise, static environments. They were not designed for today’s cloud-based, dynamic environments.
The issues with traditional controls typically fall into three categories:
Security – VPNs and bastions, by design, grant broad network access and are often used in conjunction with static credentials. Credential leakage and compromised VPNs have caused innumerable security breaches. VPNs themselves lack granular visibility (or detailed audit logging of user access), meaning malicious actors can make their way into a network and remain undetected for months or even years.
Operations – Access controls need to be managed across multiple tools - typically, an Ops team would need to manually manage IP whitelisting rules for VPNs, static SSH keys in bastions, firewall segmentation rules, application-specific authentication and authorization, and more. The coordination and execution of so many touch points for common actions, including the onboarding of new team members, the changing of roles, or the adding of a new service, can quickly become a major operational burden.
User Experience – Users have to go through multiple redundant steps to access applications and services they need. They need to turn on the VPN, get through the gateway/bastion, and then authenticate with the underlying service. They need to do this multiple times a day for each corporate service they need to use. Even worse, users often have no idea what corporate resources they have/need access to. This results in frustrated users and lost productivity.
The Banyan solution - zero-trust security
Banyan was designed to address issues with traditional network controls, ensuring that access is authenticated and authorized, regardless of which network the request originates from.
Zero Trust Security
The Banyan solution is built on three foundational principles:
TrustScoring - By using the Banyan App (deployed on your macOS, Windows, Linux, iOS, or Android devices) and integrations with your device manager and endpoint security tools, Banyan provides a quantified metric of the user’s and the device’s security posture.
Cloud Command Center – The Command Center is a SaaS platform, connected with your enterprise identity provider, that lets users write granular policies based on user and device entitlements. The Command Center issues short-lived tokens and certificates, offering 1-click access to applications, while also ensuring every access granted is continuously authenticated and authorized.
Distributed Access Tier – These are click-button deployed, cloud-integrated, identity-aware reverse proxies that enable access to private applications and services.
Banyan is then able to address issues with traditional controls, across the three categories:
Security – Users are granted access to the specific services they need to be productive rather than overly broad access to entire network segments. The Command Center also provides administrators detailed audit logs of what services are being accessed. Revoking access is as easy as removing a user from a group, or adjusting a policy. Instead of a single check during authentication, security policies are continuously assessed, and access is terminated in real-time if a user’s device doesn’t meet the minimum security posture threshold.
Operations – Admins need to deploy a lightweight Banyan Server Component in their network in order to securely publish services for their end users. All service and policy definition is managed via the Cloud Command Center, tied to the user’s IDP groups and entitlements. To provision access to all the corporate services for a new user, all that the admin has to do is assign the right groups.
User Experience – Users can access web applications directly from their browser and infrastructure services via the Banyan App. In both cases, users see a well-organized service catalog showing all of the services they need to do their job, and they can connect to each service with a single click. Passwordless, programmatic, and CLI-based access is supported.
Banyan has a flexible architecture that allows for two deployment models, depending on an organization’s needs.
Self-hosted Private Edge
In the Self-hosted Private Edge deployment model, an organization deploys the Banyan Access Tier on a server (with a public IP address that can be reached from the internet) in the data centers or cloud clusters where the corporate resources are hosted.
Deployment - Self-hosted Private Edge
Global Edge Network
In the Global Edge Network deployment model, an organization leverages the Access Tiers Banyan hosts in its global edge. The organization deploys the Banyan Connector on a server (that can dial out to the internet) in the data centers and cloud clusters where the corporate resources are hosted. The Connector then establishes secure tunnels with the Global Edge Network.
Deployment - Global Edge Network
Regardless of deployment model, admins define policies and services via the Cloud Command Center. End user traffic flows through the Access Tier, which enforces zero-trust policies.
Read more about the Banyan Components.