Securing Public Applications with Banyan

Protect SaaS applications via Banyan's Cloud Access Security Broker (CASB) solution

Updated on Jul 19, 2023
5 minutes to read
Contributors

This article describes features that are only available in the Banyan Enterprise edition and Banyan Unlimited edition.

Overview

Public applications, also known as Software-as-a-Service (SaaS) applications, are cloud-based software hosted and delivered by software vendors. Because these applications are public resources hosted on your vendor’s servers and accessed over the internet (unlike private resources which are hosted on your servers in your private networks) they often bypass key enterprise security controls.

Most organizations enable Single Sign On (SSO) and Multi-factor Authentication (MFA) for strong user authentication to public applications, but are unable to enforce zero-trust security controls such as device trust requirements for device posture validation, continuous authorization to revoke user access mid-session, data loss protection, etc.

Enforcing zero-trust security for SaaS applications is particularly challenging because of the variety of applications an organization uses and the different levels of risk they pose. Furthermore, a one-size-fits-all approach to zero-trust security seldom works because SaaS applications are central to myriad critical workflows, such as access from native apps, access from employee-owned mobile devices, third-party access from unmanaged devices, cloud-based integrations with other products, etc.

Banyan offers two techniques to provide zero-trust security for public applications - IP Allowlisting and Authentication Federation. Both techniques are designed to provide seamless access to users and devices while enforcing security controls the enterprise need. Both techniques can be applied at your Identity Provider or at the SaaS Application itself, and leverage Banyan’s trust scoring and access policy frameworks. Most organizations utilize both techniques in concert to secure their public applications.

Technique	Banyan Service Type	Description
IP Allowlisting	Service Tunnel	Configure network access rules with IP ranges that are allowed to connect
Authentication Federation	Federated SaaS App	Configure authentication flow to federate to Banyan to validate device trust

Use Cases

You may use just one or both techniques to secure public applications used by your organization. Some common scenarios for each technique are listed below, along with the request flow diagram that describes how the zero-trust security mechanism works.

IP Allowlisted SaaS Applications

You can define a Service Tunnel in Banyan and configure IP allowlisting when you need to enable:

Restricted access to public applications that are not integrated with your IDP
Device trust for a specific SaaS application(s) without changing authentication settings in IDP or the application
A migration of IP allowlisting from the corporate VPN to a modern VPNaaS

Federated SaaS Applications

You can define a Federated SaaS App in Banyan and configure authentication federation when you need to enable:

Device trust checks without running a VPN client or intercept network traffic on the device
Device trust checks and certificate authentication before users can establish a single sign-on session with your IDP
Device trust checks and certificate authentication before users can access SaaS applications integrated with your IDP
SAML/OIDC authentication and device trust policy enforcement for custom SaaS applications

FAQs

Do you provide a Proxy-based CASB?

Yes! You can use Banyan for proxy-based controls to SaaS applications. The configuration steps are similar to the IP Allowlisting steps described above. Instead of defining a Service Tunnel for your SaaS application, you can define a Hosted Website.

Applying proxy-based controls to SaaS applications is often fragile - APIs change constantly, native apps use certificate-pinning that breaks proxies, etc - so Banyan doesn’t typically recommend a proxy-based approach for zero-trust access to SaaS applications.

Do you provide an API-based CASB?

Providing API-based controls for SaaS applications in on our roadmap. Please contact your account team for details on our approach and timelines.

Do you provide Data Loss Prevention (DLP)?

Banyan’s DLP capability is in early preview. Please review the DLP section for details on how Banyan’s DLP prevents users from unintentionally exposing organizational data.

What’s next

Read about how to configure IP Allowlisting and Authentication Federation in Banyan.