Zero Trust as Code blog header

 

If you’re a modern organization leveraging cloud computing, you’re probably regularly releasing applications and continuously spinning up ephemeral infrastructure components. Such environments are typically cookie-cutter, deploying infrastructure using Continuous Integration/Continuous Delivery (CI/CD). A critical part of this process is deploying Infrastructure as Code (IaC), using modern tools like HashiCorp Terraform, AWS CloudFormation, Pulumi, etc. These tools reduce the inefficiencies present when deploying infrastructure services manually. They provide faster speeds and consistent deployments. Overall they reduce management overhead and errors that arise from manual deployments.

Infrastructure as Code
IaC greatly simplifies the management of cloud infrastructure, using scripts similar to how software code is developed, including version control. Versioning is important as it allows you to revert back to previous versions in case there are issues with deployments. IaC also provides simplified deployment automation as the infrastructure components can be modularized and different modules can be selected for deployment in different environments (i.e., staging versus production environments). DevOps teams are usually in charge of these deployments, and they tend to use code formats like JSON to create these modules. Then, using CI/CD, the release pipelines execute the IaC scripts and automate the setup of different environments.

Zero Trust Access as Code
A critical module in IaC is security, and enterprises want to ensure least privilege access to infrastructure to prevent lateral movement and decrease attack surface, making attacks more difficult. With services constantly being added and torn down, it’s critical that the right level of security is provided while users access these services. Zero Trust as Code allows you to add zero trust security policies in the CI/CD process, thus ensuring least privilege access security controls are applied across the different infrastructure environments.

Previously, using tools like legacy VPNs, you would have to either provide broad access to all the services or go through the complex management nightmare (and possible config errors) of providing least privilege access to those services.

Zero Trust as Code Benefits:

  • Zero trust security policies in the CI/CD process
  • Enhanced security in deployments
  • Reduced manual security policy errors
  • Consistent, repeatable security and configuration across infrastructure environments
  • Security controls under version control

Here’s how IaC and Zero Trust as Code come together. As shown below, developers write the infrastructure specification in a domain-specific language like Terraform which is kept under version control. The files are sent to an automation master server, a management API, or a code repository. The API/Server then performs all of the CRUD (Create/Read/Update/Delete) management to the infrastructure.

Infrastructure as Code diagram

Traditional Infrastructure as Code

 

Zero Trust as Code diagram

Zero Trust as Code

An Example of Zero Trust as Code

Banyan customers can enable Zero Trust as Code while deploying Banyan Security components and policies. The Banyan Access Tiers (Identity-Aware Proxy) can be deployed as code using a Terraform module, for example. This module can be downloaded from: https://registry.terraform.io/modules/banyansecurity/banyan-accesstier/aws/latest.

The Banyan AWS Access Tier module helps create an autoscaling Access Tier. This module creates an AWS auto-scaling group and a network load balancer (NLB) for a Banyan Access Tier. Only the NLB is exposed to the public internet. The Access Tier and your applications live in private subnets with no ingress from the internet.

In order to provision the Banyan Access Tiers, copy and paste the text below into your Terraform configuration, insert the variables, and run terraform init:

module "banyan-accesstier" {
   source = "banyansecurity/banyan-accesstier/aws"
   version = "1.4.1"
   # insert the 15 required variables here
}

The Banyan policy framework enables enterprises to deploy Zero Trust security at scale across modern enterprise environments, while enforcing security policies across diverse client types and integrating with existing security tools. We use a few core concepts:

  • Service – corporate resources that you provision secure access to (using Banyan)
  • Role – a collection of client entities
  • TrustScore – quantification of the level of trust and risk associated with a given client entity
  • Policy – authorization rules that specify which clients and what level of trust is required to access a corporate resource

The Banyan Terraform provider provides the necessary zero trust code that can be used for lifecycle management of Banyan resources including roles, policies, and services. Here is an example of the steps to adding Banyan to Terraform:

  • Add the Banyan Provider Configuration:
terraform {
     required_providers {
          banyan = {
                source = "banyansecurity/banyan"
                version = "0.6.3"
                }
          } 
}
  • Create a Banyan API token exclusive to Terraform. This will ensure that all actions taken by Terraform automation will appear in the console logs with the API key as the actor. For production use cases, ensure that the API token is stored in an environment variable and inject it into Terraform as below:
provider "banyan" {
api_token = "banyan-api-token-here-exclusive-to-terraform"
}
  • Add the necessary services, roles, policies and policy attachments. For example, below we add an example HTTPS web service that we want to provide zero trust access.
resource "banyan_service_web" "example-web-service" {
     name = "example web service"
     cluster = "us-west"
     access_tier = "us-west1"
     domain = "web-service.corp.com"
     port = 443
     backend_domain = "web-service.internal"
     backend_port = 8443
     backend_tls = true
}
  • Now we configure a Banyan Role called “everyone” as defined in the group “Everyone” at the Identity Provider
resource "banyan_role" "everyone" {
     name = "everyone"
     description = "all users"
     user_group = ["Everyone"]
}
  • Configure a Banyan Policy called “high-trust-any” for devices with a high trust score and a user role of “everyone”
resource "banyan_policy" "high-trust-any" {
     name = "high-trust-any"
     description = "Allows web access to anyone with a high trust level"
     access {
           roles = [banyan_role.everyone.name]
           trust_level = "High"
            }
}
  • Finally, configure a Policy attachment resource that attaches the above service with the policy, so access is allowed only from high trust devices for users in the “everyone” role
resource "banyan_policy_attachment" "example-high-trust-any" {
     policy_id = banyan_policy.high-trust-any.id
     attached_to_type = "service"
     attached_to_id = banyan_service.example-web-service.id
}

Now, as infrastructure is deployed dynamically, trust-based access control policies can be added in the CI/CD process. New applications can be deployed via IaC, and Zero Trust as Code enforces Banyan policies during application deployment. Banyan Services, Roles, and Policies can be consistently deployed, ensuring that least privilege access is enforced.

While deploying zero trust access can seem daunting, Banyan makes it accessible to enterprises with automation tools. If you would like to learn more or try it out, request an Enterprise Edition trial account.

author avatar
Vijay Pawar