Originally published by Robert Ronan, Oracle Principal Product Manager.

What is zero trust access?

As more organizations migrate infrastructure to the cloud and rethink software development and deployment, they are also modernizing their approach to security. One such approach is Zero Trust – instead of relying on traditional network perimeter-based security tools such as VPNs and bastions that connect you directly to a network, access (authentication as well as authorization) is granted based on user and device attributes as well as the sensitivity of specific applications and services within that network.

Zero trust access is particularly well suited to Infrastructure as a Service (IaaS) environments such as Oracle Cloud because traditional network security tools were not designed to handle the automation-oriented ephemeral nature of these environments.

Zero Trust Access                                          Traditional VPNs and Bastions
---------------------------------------------------------  -----------------------------
Connect user to applications & services                    Connect user to networks
Rules using cryptography tied to user & device attributes  Rules based on IP address
Automated credential issuance & rotation                   Manual interaction

 

Install Access Tier

To get started with Banyan Zero Trust Access, register for a Banyan account. You can use the Banyan Team Edition for free.

On a Linux VM in your Oracle Cloud Infrastructure (OCI) compartment with a public IP address, install the Banyan Access Tier component. This will serve as the gateway to your OCI infrastructure.

# add the Banyan RPM repo
$> yum-config-manager --add-repo https://www.banyanops.com/onramp/repo/
$> rpm --import https://www.banyanops.com/onramp/repo/RPM-GPG-KEY-banyan
# install it
$> yum install banyan-netagent
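
Because the Access Tier becomes the gateway into your OCI network, it is worth confirming that the repo added above leaves package signature verification on before running the install. The following is an added example, not code from the original post or from Banyan: `audit_repo` is a hypothetical helper, both repo files are constructed samples, and the section name shown for the Banyan repo is an assumption about what `--add-repo` writes.

```shell
# Added example (not from the original post): check that a yum .repo file
# leaves package signature verification on before installing from it.

# audit_repo FILE [MAIN_GPGCHECK]
#   MAIN_GPGCHECK is the gpgcheck value from [main] in /etc/yum.conf, which
#   applies to any repo section that does not set its own (default here: 1).
#   Prints one finding per line; exit status 1 if there is any finding.
audit_repo() {
  awk -v main_gpg="${2:-1}" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report() {
      if (sec == "" || enabled == "0") return
      if (gpg == "") gpg = main_gpg
      if (gpg != "1")      { print sec ": gpgcheck is off"; bad = 1 }
      if (url ~ /^http:/)  { print sec ": baseurl is plain http"; bad = 1 }
    }
    /^[ \t]*[#;]/ { next }                      # comment line
    /^\[/ { report(); sec = substr($0, 2, index($0, "]") - 2)
            gpg = ""; url = ""; enabled = "1"; next }
    index($0, "=") {
      k = trim(substr($0, 1, index($0, "=") - 1))
      v = trim(substr($0, index($0, "=") + 1))
      if (k == "gpgcheck") gpg = v
      else if (k == "baseurl") url = v
      else if (k == "enabled") enabled = v
    }
    END { report(); exit (bad ? 1 : 0) }
  ' "$1"
}

# Constructed sample files. The first mirrors what --add-repo typically
# writes for the URL on this page (section name is an assumption).
sample_dir=$(mktemp -d)
cat > "$sample_dir/banyan.repo" <<'EOF'
[www.banyanops.com_onramp_repo_]
name=added from: https://www.banyanops.com/onramp/repo/
baseurl=https://www.banyanops.com/onramp/repo/
enabled=1
EOF
cat > "$sample_dir/weak.repo" <<'EOF'
[example-weak]
baseurl=http://repo.example.invalid/el7/
enabled=1
gpgcheck=0
EOF

audit_repo "$sample_dir/banyan.repo" 1 && echo "banyan.repo: ok with gpgcheck=1 in [main]"
audit_repo "$sample_dir/banyan.repo" 0 || true   # inherits a disabled [main] setting
audit_repo "$sample_dir/weak.repo"   1 || true   # overrides [main] and uses http
```

On a real host, pass the file that `yum-config-manager` created under `/etc/yum.repos.d/` and the `gpgcheck` value from `/etc/yum.conf`.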

Other install methods – Docker, DEB, Tarball, Terraform, etc. – are available in our documentation. Once installed and configured, you will see the Access Tier reporting in Banyan’s Cloud Command Center console.

Banyan Access Tier image

(Note: If you’re using the Banyan Team Edition, you will install an outbound Connector instead of the Access Tier; the Banyan global edge network of fully-managed Access Tiers will serve as the gateway into your OCI infrastructure.)

 

Auto-discover OCI resources

The next step is to synchronize your OCI resources into Banyan. You can use OCI tags to tell Banyan to discover only specific categories of resources in your environment.

$> banyan cloud-resource sync-oci all {oci-compartment} --tag_name banyan:discovery

--> Getting list of OCI VM resources:

type    name              public_dns_name    public_ip    private_dns_name    private_ip    ports    provider    region      tags
------  ----------------  -----------------  -----------  ------------------  ------------  -------  ----------  --------  ------
vm      oke-cqqhk6ivu2q-                                                      10.1.85.35    []       oci         phx            2
vm      oke-cko3n7f326q-                                                      10.0.93.236   []       oci         phx            2
vm      oke-cko3n7f326q-                                                      10.0.80.84    []       oci         phx            2


--> Filtering for new OCI resources:

type    name              public_dns_name    public_ip    private_dns_name    private_ip    ports    provider    region      tags
------  ----------------  -----------------  -----------  ------------------  ------------  -------  ----------  --------  ------
vm      oke-cqqhk6ivu2q-                                                      10.1.85.35    []       oci         phx            2


--> Syncing into Banyan Cloud Resource inventory:

--> Added OCIresource id(name): ocid1.instance.oc1.phx.anyhqljreqfgs5acfank3k2codj2srj4cnns3naalfttpmqjwk24digsi6qq(oke-cqqhk6ivu2q-nvp2thc5biq-svjai5qusbq-2)

--> Sync with Oracle Cloud successful.

You can configure this sync to run at regular intervals so Banyan always has the latest snapshot of your OCI resources. In the Banyan Cloud Command Center console, you will see all your discovered OCI resources. You can now publish the individual resources your users need to access.

Banyan Inventory image

 

Publish a Service Catalog for your users

To publish an OCI resource as a Banyan service for your end users, simply select the resource, click Publish and follow the steps in the wizard.

Banyan Publish image

Banyan provides native support for all the common services and protocols you can deploy in OCI:

  • Web Applications (HTTPS)
  • Linux Servers (SSH)
  • Windows Servers (RDP)
  • Kubernetes Clusters (K8s API)
  • Databases (TCP)

Banyan also provides a WireGuard-powered Service Tunnel for use cases and protocols that cannot be handled by an identity-aware proxy.

Authenticated end users can now access these published services via the Banyan app – a cross-platform endpoint client that runs on Windows, macOS, Linux, iOS, and Android devices. The Banyan app also establishes the device identity and device posture checks needed for zero trust security.

Banyan Autorun image

Try Banyan on OCI Today

You can further organize your published Banyan services into bundles, create security policies to allow only specific sets of users to access certain applications, and more. Best of all, you can use Banyan Zero Trust Remote Access on OCI today! Sign up for the free Banyan Team Edition or request an Enterprise Edition trial account.

Original blog published at the Oracle Cloud Infrastructure Developers Blog.

Tarun Desikan