Many organizations across the globe began implementing Zero Trust capabilities in 2020. With the Solar Winds attack serving as yet another security wake up call, the Zero Trust philosophy is top of mind for most CIOs and CSOs. As they lead their organizations down this path, they are tasked with balancing security posture and user experience. The Zero Trust journey starts with organizations first deploying and then tracking progress along the way. Common questions in the beginning phases of Zero Trust include:
- Which users and devices are connecting to company resources?
- How many and which applications are protected by Zero Trust policies and principles?
- Are my policies working to prevent potentially malicious access?
How “Zero Trust” Am I?
We are excited to introduce new functional and reporting capabilities to accelerate and provide visibility into the Zero Trust journey. We have an onboarding framework that provides assurances along the way and helps obtain security posture with low user impact, ultimately helping build buy-in from employees across your organization.
Getting started with Banyan and ultimately tracking your Zero Trust journey boils down to four steps:
- Identifying a Proof of Concept (PoC) application
- Understanding your devices and their respective trust levels
- Enforcing an access policy
- Securing additional services
Let’s dive deeper!
Identify a PoC Application to Protect
Banyan can cloak your application without having to make network changes or disrupt your end users’ existing access workflow. By doing so, you are able to start understanding the users that are accessing this application. Banyan access policies can run in a ‘Learning’ mode which lets you gain visibility without blocking users.
(New org with no applications protected by Banyan)
For the purposes of this blog, we have picked Jenkins as a PoC application. Once in ‘Learning’ mode, we begin to form a picture of the users that are accessing Jenkins after they authenticate with an integrated Identity Provider. These users are categorized by group: Employees, Contractors, and Third-party vendors.
However, since the user’s devices are “unregistered”, we don’t yet know anything about the types of devices that are being used. Unregistered devices are those that do not have a trusted certificate, placed either by Banyan after device registration or pushed via an existing Device Manager. As such, these devices don’t have a Banyan TrustScore which inherently increases their riskiness.
(Banyan policy for Jenkins in ‘Learning’ mode, allowing unregistered device access)
Understand your Devices and Trust Levels
The next step would be to get a better understanding of the devices being used to access the site. Banyan has multiple ways to seamlessly register devices. Zero Touch Deployment allows for a completely silent installation and registration of the Banyan app. A user can also register their device manually with just a few steps.
(Visibility into device platforms and trust levels accessing Jenkins)
As device registrations progresses, we begin to get insights into the device platforms and their trust levels. As your organizations roll out of the Banyan app progresses, we are able to understand the following:
- Users that are using insecure devices (Low and Unknown trust levels)
- Users that have not registered with the Banyan app and therefore are still accessing the service with an unregistered device
This information is extremely important as we move towards enforcing a Zero Trust policy.
Enforce an Access Policy
The Banyan access policy for Jenkins has been running in ‘Learning’ mode thus far. We have now catalogued the bulk of users and devices accessing Jenkins and know which users will be impacted when the policy goes into ‘Enforcing’ mode. Knowing this impact is crucial for a successful roll out of any Zero Trust product.
In this case, we are enforcing access to Jenkins only from devices with High or Medium trust levels.
For Authorized access events, we no longer see Unregistered or Low trust devices connecting.
(Authorized access for High/Medium trust devices to Jenkins after enforcing Banyan policy)
We now start to see the “Blocked Attempts” chart start to populate. We see the handful of registered devices that have Low trust scores as well as the unregistered devices with no trust score.
(Blocked attempts for Low/Unknown trust devices after enforcing Banyan policy)
For auditing purposes, these access events are downloadable as well as exportable into a third party SIEM or logging tool.
Secure Additional Services
Throughout the process of securing a service, Banyan aims to provide confidence in knowing the impacts of providing stronger security in order to ensure your end users stay productive the whole time. Organizations can now begin to protect additional hosted web, SaaS, and infrastructure access with Banyan.
(Example of a production instance with multiple services)
As you proceed through your Zero Trust Journey, you should notice a few key trends.
- Decrease of Unregistered devices accessing services
- As device trust is enforced via policy, the number of services accessed by unregistered devices will start to drop off. Organizations can still allow unregistered device access for specific use cases.
- Higher device trust levels across the organization
- Organizations who look to ensure their services are accessed by trusted devices will start to see higher overall device trust levels as more services are brought into Banyan.
- Increased visibility into malicious access attempts
- Clearly see blocked attempts to resources by unknown users leveraging unregistered, untrusted devices.
Understanding Top Services
As customers progress towards protecting more services, we have also introduced reports around the access activity and patterns for Top Services. You will be able to gauge how the most popular services are being accessed and ensure the right level of policy is in place.
(Access activity and patterns for Top Services)
Go Hands-on with Reports using Banyan Security Test Drive!
The reporting capabilities to track your Zero Trust journey are available today. The Banyan Security Test Drive is a great way to walk through a pre-configured sandbox experience of how organizations solve critical remote access use cases. If you’d like to get hands-on with some of these reports in this pre-configured environment, sign up now!