How Banyan Works
- Updated on Jul 18, 2023
A generalized diagram that depicts all the Banyan components is shown below. The Banyan components work in concert to deliver a zero-trust platform across which access control policies can be centrally managed.
The Banyan Edge mediates access from your users to their corporate resources. Banyan supports a flexible edge deployment model where you can utilize Banyan’s edge infrastructure and/or use your own. For access to private resources, you need to deploy one of Banyan’s Server Components - Access Tier or Connector - in the De-Militarized Zone (DMZ) of your data centers and cloud environments.
The Banyan Access Tier is an identity-aware proxy and gateway that mediates access between entities on the internet and your internal services. Each Banyan Access Tier has a public IP address that is reachable from the internet and accepts inbound connections, typically on ports 443 (web services), 8443 (infrastructure services) and 50482 (Service Tunnels).
The Access Tier is responsible for:
- Mediating access between users and internal resources.
- Enforcing the user’s and the device’s security posture, called a Trust Level, when accessing protected resources.
Global Edge Network & Connector
The Banyan Connector is a dial-out component that establishes a secure tunnel with the Banyan Global Edge Network, which comprises Access Tiers hosted and managed by Banyan for your organization. We use Google Cloud Platform (GCP) as our edge infrastructure provider, enabling us to use one of GCP’s 25+ global regions to provide fast and reliable connections to users around the world. The Connector can be deployed in any location that has connectivity to your internal services and connects outbound only. Traffic flows from entities on the internet to a Banyan Access Tier in the Global Edge Network, and then through the Banyan Connector to the internal service.
The Connector is responsible for:
- Maintaining an outbound connection to Banyan’s Global Edge Network
- Mediating access to internal resources
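The two server components above have opposite network profiles: an Access Tier must accept inbound connections on the documented ports, while a Connector dials out only and should accept none. The following is an added example (not Banyan's own code) that audits a DMZ host's firewall rules against that model; the rule tuples are constructed sample data, and the Connector's outbound port 443 is an assumption.

```python
# Added example: check DMZ firewall rules against the Access Tier / Connector
# deployment model. Rule format is a constructed (direction, proto, port, action)
# tuple with a default-deny policy; adapt the parser to your firewall's export.

# Ports the Access Tier is documented to accept inbound on.
ACCESS_TIER_INBOUND = {443, 8443, 50482}


def audit_rules(role, rules):
    """Return a list of findings for a host of the given role.

    role:  "access_tier" or "connector"
    rules: iterable of (direction, proto, port, action); direction is
           "in"/"out", port is an int or "any", action is "allow"/"deny".
    An empty list means the rules match the expected model.
    """
    findings = []
    inbound_allowed = {(proto, port) for d, proto, port, act in rules
                       if d == "in" and act == "allow"}
    outbound_allowed = any(d == "out" and act == "allow" for d, _, _, act in rules)

    if role == "access_tier":
        for proto, port in sorted(inbound_allowed, key=str):
            if port == "any" or port not in ACCESS_TIER_INBOUND:
                findings.append(f"unexpected inbound allow {proto}/{port}")
        for port in sorted(ACCESS_TIER_INBOUND - {p for _, p in inbound_allowed}):
            findings.append(f"missing inbound allow for port {port}")
    elif role == "connector":
        # The Connector connects outbound only; any inbound allow widens exposure.
        for proto, port in sorted(inbound_allowed, key=str):
            findings.append(f"connector should not accept inbound {proto}/{port}")
        if not outbound_allowed:
            findings.append("connector needs an outbound allow to reach the Global Edge")
    else:
        raise ValueError(f"unknown role {role!r}")
    return findings


# Constructed sample rule sets.
ACCESS_TIER_RULES = [
    ("in", "tcp", 443, "allow"),
    ("in", "tcp", 8443, "allow"),
    ("in", "tcp", 50482, "allow"),
    ("in", "tcp", 22, "allow"),      # leftover admin rule; should be flagged
    ("out", "tcp", "any", "allow"),
]
CONNECTOR_RULES = [
    ("out", "tcp", 443, "allow"),    # assumption: outbound TLS to the edge
]

if __name__ == "__main__":
    print(audit_rules("access_tier", ACCESS_TIER_RULES))
    print(audit_rules("connector", CONNECTOR_RULES))
```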
Banyan App
The Banyan app is responsible for:
- Device Registration for device authentication
- Device Trust Scoring for device posture checks
- Providing a services catalog of internal websites, infrastructure, and service tunnels to connect to
- Enabling Internet Threat Protection policies
Banyan also supports clientless access to resources for scenarios where the desktop or mobile app cannot be installed. This is beneficial for third-party vendors and contractors as well as temporary access use cases.
Banyan supports three flavors of clientless access:
- User authentication with Layer 7 policies
- Device registration and compliance checks via validating a device certificate deployed by an endpoint manager
- Device posture checks and continuous evaluation to websites with a lightweight browser extension
Banyan Cloud Command Center
The Banyan Cloud Command Center is the central management console that IT administrators and security teams use to manage the Banyan solution. You can interact with the Command Center via the web portal or the RESTful API to develop and enforce policies based on user and device, configure alerts for security events, and visualize real-time connectivity.
The Command Center includes two subcomponents that we sometimes call out explicitly:
- Banyan Shield is a coordinator, deployed to create logical groups of Access Tiers. Shield manages a Private PKI (Public Key Infrastructure) to distribute cryptographic identities (X.509 Certificates) to clients and services in your organization.
- Banyan TrustProvider is a federated authentication manager that uses OpenID Connect / OAuth-based workflows to authenticate end users and devices. TrustProvider integrates with your enterprise identity provider to deliver short-lived cryptographic credentials to authenticated end users on approved devices.
The Cloud Command Center is delivered as a Software-As-A-Service (SaaS) offering.
Read more about the different client-based and clientless options that Banyan provides.