Zero-Trust Policies

Learn about Banyan's human-readable policy framework designed for admins to implement zero-trust access controls

  • Updated on May 10, 2023

Banyan provides a human-readable policy framework so that admins can implement zero-trust access controls in their orgs. Traditionally, access control policies have relied on powerful but dense constructs such as XACML rules or IP allowlists. The Banyan policy framework simplifies these traditional constructs, enabling enterprises to deploy zero-trust security at scale across modern enterprise environments, enforce security policies across diverse client types, and integrate with the security tools teams already run.

Zero Trust Policy Framework

The Banyan policy framework uses a few core concepts:

  1. Role - a category of client entities
  2. Trust - a calculation of the level of trust associated with a client entity
  3. Resource - a part of an application, server or network that client entities access
  4. Policy - authorization rules that specify which clients and what level of trust can access a given resource

Roles

A Role is an admin-defined set of users and devices: the set of entities that will need access to a given Resource.

Roles allow admins to combine user attributes and device attributes into a single construct and then enforce security policies based on those combined attributes. User attributes (such as Group and Email) are obtained from the organization’s Identity Provider, while device attributes (such as Device Ownership and Registration) are obtained either from the organization’s Device Manager or by the Banyan app running on the device. Users on devices that match the specified attributes can assume the specified Role.

The specific access privileges of a Role are determined by the Policies that mention the Role.

For more information on configuring Roles, refer to the section on Roles.

Trust

A Trust Level is the result of the Trust Scoring calculation, which can be any of the following: Always Deny, Low, Medium, or High. The meaning of each Trust Level evaluation can be found in our glossary.

The Trust Level is computed in real time, using machine learning over user, device, infrastructure, and network Trust Factors collected both from Banyan's own sensors and from third-party security tools already deployed in the enterprise environment.

The Trust Level is used in zero-trust authorization decisions. Admins can then specify Policies with the minimum-allowed Trust Level needed for an entity to access a Service.

Banyan analyzes raw information about a device (such as its features and settings) and classifies it into Trust Factor categories. Trust Factors typically cover security measures (such as firewall, disk encryption, and screen lock), preferred applications (such as corporate-managed or productivity-related applications), and platform baseline requirements (such as a minimum allowed OS version).

For more information on configuring Trust Scoring, refer to the section on Device Trust Scoring.

Resource

A Resource refers to an entity your users need to access.

A Resource in Banyan includes Published Services, SaaS applications, and Internet websites.

Policy

A Policy is a set of authorization rules that specifies which client entities can access a given Service.

Banyan bases Policies on Roles rather than individual client entities, simplifying policy creation by grouping entities with similar access privileges. Admins create Policies that specify the Roles and Trust Level requirements for the user and device accessing a service.

As an example, a Policy might grant access to web services only to the Engineering and employee-owned Roles (that is, to members of the engineering team who are using their own registered devices). Users holding these Roles must additionally have at least a Medium Trust Level (Medium or High) to reach the applicable service(s); any lower Trust Level is denied even though the Role matches.
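To make the four concepts concrete, the following Python model evaluates the Policy just described end to end. It is an added illustration, not Banyan's own code or policy file format: the attribute names (`groups`, `ownership`, `registered`), the Role and Policy classes, and the sample users and devices are assumptions constructed for this example. It shows how a Role is derived from IdP user attributes plus device attributes, how the ordered Trust Levels make "at least Medium" a simple comparison, and why Always Deny must short-circuit before any rule is consulted.

```python
"""Toy model of Banyan's Role / Trust / Resource / Policy concepts.

Added example; the data model here is assumed for illustration and is not
Banyan's policy specification.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Iterable, Optional, Tuple


class TrustLevel(IntEnum):
    """Ordered so that a minimum-trust check is a plain >= comparison."""
    ALWAYS_DENY = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class User:
    """User attributes as they would arrive from the Identity Provider."""
    email: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Device:
    """Device attributes as reported by the device manager or the Banyan app."""
    ownership: str            # "Corporate" or "Employee" (assumed labels)
    registered: bool
    trust_level: TrustLevel   # output of Trust Scoring


@dataclass(frozen=True)
class Role:
    """Admin-defined set of users and devices; every constraint set here must hold."""
    name: str
    groups: FrozenSet[str] = frozenset()   # user must be in at least one; empty = any
    ownership: Optional[str] = None        # None = any ownership
    require_registered: bool = False

    def matches(self, user: User, device: Device) -> bool:
        if self.groups and not (self.groups & user.groups):
            return False
        if self.ownership is not None and device.ownership != self.ownership:
            return False
        if self.require_registered and not device.registered:
            return False
        return True


@dataclass(frozen=True)
class AccessRule:
    """Any one of `roles`, at `min_trust` or better, is granted access."""
    roles: FrozenSet[str]
    min_trust: TrustLevel


@dataclass(frozen=True)
class Policy:
    name: str
    rules: Tuple[AccessRule, ...]


def assumed_roles(roles: Iterable[Role], user: User, device: Device) -> FrozenSet[str]:
    """All Roles this user-on-this-device pair can assume."""
    return frozenset(r.name for r in roles if r.matches(user, device))


def authorize(policy: Policy, roles: Iterable[Role], user: User, device: Device) -> Tuple[bool, str]:
    """Zero-trust decision: default deny; Always Deny wins before any rule is read."""
    if device.trust_level == TrustLevel.ALWAYS_DENY:
        return False, "trust level is Always Deny"
    held = assumed_roles(roles, user, device)
    if not held:
        return False, "no Role matches this user/device pair"
    for rule in policy.rules:
        matched = held & rule.roles
        if matched and device.trust_level >= rule.min_trust:
            return True, f"role {sorted(matched)[0]} at trust {device.trust_level.name}"
    return False, f"roles {sorted(held)} satisfy no rule at trust {device.trust_level.name}"


# Constructed sample configuration mirroring the Policy described in the text.
ROLES = (
    Role("engineering-employee-owned", groups=frozenset({"engineering"}),
         ownership="Employee", require_registered=True),
    Role("everyone"),   # no constraints: any user on any device
)
WEB_SERVICES_POLICY = Policy(
    "web-services",
    rules=(AccessRule(frozenset({"engineering-employee-owned"}), TrustLevel.MEDIUM),),
)


def decide(email: str, groups, ownership: str, registered: bool, trust: TrustLevel) -> Tuple[bool, str]:
    """Convenience wrapper: build the entities and evaluate WEB_SERVICES_POLICY."""
    return authorize(WEB_SERVICES_POLICY, ROLES,
                     User(email, frozenset(groups)), Device(ownership, registered, trust))


if __name__ == "__main__":
    cases = [
        ("alice@example.com", ["engineering"], "Employee", True, TrustLevel.HIGH),
        ("alice@example.com", ["engineering"], "Employee", True, TrustLevel.LOW),
        ("alice@example.com", ["engineering"], "Corporate", True, TrustLevel.HIGH),
        ("bob@example.com", ["sales"], "Employee", True, TrustLevel.HIGH),
        ("alice@example.com", ["engineering"], "Employee", True, TrustLevel.ALWAYS_DENY),
    ]
    for c in cases:
        print(c[0], c[2], c[4].name, "->", decide(*c))
```

Two design points carry over to any real deployment: the Trust Level check is separate from the Role check, so a matching Role on a device that has slipped to Low is denied without editing the Role, and the corporate-owned device case is denied because the device attribute, not the user attribute, fails the Role.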

For more information on configuring Policies, refer to the section on Policies.


What’s next

Review the Glossary of terms used in the Banyan product.