The adoption of SaaS (Software as a Service) started as far back as the 1960s, but picked up steam in the late 1990s when Salesforce introduced their CRM that used “cloud computing”. Today, there isn’t an organization that isn’t using many SaaS applications. In fact, newer organizations are completely cloud-based and only use SaaS applications, along with IaaS (Infrastructure as a Service) such as AWS, Microsoft Azure, Google Cloud, Alibaba Elastic Compute Service, and Oracle Cloud Infrastructure.
While SaaS has been around for years, the policies related to access and security vary greatly. This means that the way the user authenticates, how granular an access policy can be, and what security measures an organization can implement typically differ from service-to-service. This isn’t great for organizations since they will not be able to make it as secure and as granular as they would like, which potentially exposes data and permits lateral movement. Since SaaS applications don’t provide ways to verify device identity or check device posture, the applications may be accessed from locations that could compromise the organization, such as from a public kiosk or hotel business data center. SaaS application limitations also aren’t great for end users since they’ll have to figure out how to log into each application, and if source IP is configured, they will have to remember which applications they can use when in the office and which they can use when out of the office. Moreover, when a user is remote and source IP validation is configured, they will need to remember to initiate an enterprise VPN connection prior to accessing the SaaS application. Having users make these decisions and change work processes to fit the technology ultimately leads to decreased productivity and satisfaction.
With Banyan Security, these limits and the poor end user experience they create go away. Banyan provides ways to deploy consistent authentication and device posture policies for all your SaaS applications. To further improve the end user experience, single sign-on (SSO) and even passwordless access can be enabled.
To do what we call Banyan Federated Authentication, all SaaS applications are configured to authenticate and authorize to Banyan. Banyan is then configured to leverage single or multi-factor authentication from the Identity Provider (IdP).
The Banyan Zero Trust Network Access (ZTNA) solution integrates with industry-leading Identity Providers (IdPs) such as Okta, Azure AD, OneLogin, etc., using industry-standard protocols such as Security Assertion Markup Language (SAML) version 2.0 and OpenID Connect (OIDC).
For details on configuring IdPs via SAML, please see https://docs.banyansecurity.io/docs/banyan-components/command-center/sso/generic-saml/
OIDC configuration details are at https://docs.banyansecurity.io/docs/feature-guides/saas-applications/banyan-federated/
With Banyan Federated Authentication, the SaaS application allows access if Banyan trusts the user and device. Granular policies can be configured on Banyan to make sure that only authorized users on known, healthy devices are able to access the SaaS applications. In the possible case where a device is compromised and out of compliance, access is immediately revoked – even mid-session – to all resources on-premises and in SaaS. This enforcement can be done regardless if the SaaS application supports these measures or not.
Source IP validation is a great way to ensure that only users coming from known IP addresses are accessing the SaaS application. While configuring every employee’s home IP address may not be possible, since these IP addresses are not static and there may be hundreds or thousands of them, organizations often configure the IP addresses of headquarters and branch offices. To enable this, Banyan offers granular Service Tunnels which can be configured to tunnel only the traffic for certain SaaS applications. For example, if Source IP validation is configured for Salesforce, the configuration will check the domain that the end user is trying to access and will tunnel the traffic that is going to Salesforce. All other SaaS traffic can directly be sent to the SaaS provider.
With authentication, security, and device policies unified across all SaaS applications, the admin can benefit further from deploying Banyan’s solution. Instead of going to each SaaS application to see who is using what, an administrator can easily see all the access activities that have taken place for a particular user directly from the Banyan admin portal. The admin can also quickly see why access was denied or revoked and can even configure remediation instructions which are automatically presented to the end user, which leads to fewer IT helpdesk calls.