Banyan Zero Trust Security

From Application Access to Zero Trust, our glossary has your network and information security terms covered from A to Z.


Banyan App

The Banyan app is a cross-platform endpoint client, installed on end user desktop and mobile devices. The app is used to register and authenticate end user devices with the Banyan Cloud Command Center. Once installed, users enjoy one-click access to a personalized catalog of corporate resources (websites, applications, services, infrastructure, etc.). Note that the Banyan app is optional on MDM-managed devices on which you can install a device certificate via your device manager.

Banyan Cloud Command Center

It is the central administrative console for the Banyan Security Platform. The Banyan Cloud Command Center is a SaaS platform, connected with your enterprise identity provider, that lets admins write granular policies based on user and device entitlements. The Command Center issues short-lived tokens and certificates, offering one-click access to applications and resources, while also ensuring every access granted is continuously authenticated and authorized.

Banyan Discover & Publish

A feature of the Banyan Security Platform, Discover & Publish automatically discovers resources running in Infrastructure As A Service (IaaS) environments such as AWS, Microsoft Azure, Google Cloud Platform (GCP), etc., enabling subsequent publishing as Banyan Services.

Banyan Security

A leader in the Zero Trust Network Access (ZTNA) category, Banyan Security provides users simple, secure, one-click access to corporate applications, resources, and infrastructure from anywhere – without VPNs.

Banyan Security Platform

A Security Service Edge (SSE) solution, the Banyan Security Platform securely connects users to applications, resources, and infrastructure while protecting them from internet threats. The Banyan solution provides:

  • ZTNA – application and infrastructure access – simple, least privilege access to applications and services across hybrid- and multi-cloud infrastructure, leveraging your existing enterprise identity and security tool investments.
  • VPNaaS – network access – modern, high-performance, tunnel-based access to networks, incorporating zero trust enhancements like continuous authorization and device trust.
  • CASB – SaaS application access security – layered security that provides easily managed controls for who, using what specific devices, can access your SaaS applications.
  • SWG – internet threat protection – protects users from being phished, straying onto malicious web sites, or being exposed to ransomware. Optional controls enable organizations to block specific categories of web sites, like gambling and pornography.


Banyan Security Team Edition

This no-cost (free, no credit card needed) edition of the company’s powerful Banyan Security Platform provides teams with one-click, zero trust access to hosted applications and infrastructure services without the need for VPNs, opening inbound firewall ports, or managing DNS. With Banyan Security Team Edition, teams can onboard new services and entitle users in minutes, providing one-click access to it all from an intuitive Service Catalog. Try it now.

Banyan Security Test Drive

Test Drive is a web-based demo that lets you take the Banyan Security Platform for a spin with nothing more than a desktop web browser and a few minutes of time. We’ll take you on a tour of the cloud-based administrative console and the end user experience. You’ll get a feel for the admin dashboard and key reports, and see firsthand how trust-based policies are set up and enforced. Take a Test Drive now!

Banyan Service Tunnel

A feature of the Banyan Security Platform, the Service Tunnel provides encrypted network connectivity to network segments – VLANs, VPCs, subnets, etc. with zero trust enhancements, including continuous authorization and device trust. Service Tunnel makes for easy migration from legacy VPNs into a modern, high-performance zero trust architecture, complete with Trust-Based Access Control policies.

Banyan Trust Level

This is a scoring system to quantify the level of trust to attribute to accessing principals, whether they are users, devices, or client applications. Like financial industry credit scores indicate a consumer’s credit trustworthiness so that financial institutions can approve loans, issue credit cards, etc., the Banyan Trust Level indicates the trustworthiness of a user and their device for consideration in evaluating resource access requests.

Bastion Host

A special-purpose internet-accessible server that accepts SSH connections for the purpose of accessing internal machines and resources. Specifically designed and configured to withstand attacks, the server generally hosts a single application or process, for example, a proxy server or load balancer, and all other services are removed or limited to reduce the threat to the server. Typically, a user connects to the bastion first, then makes another SSH connection to the final destination, often called a “jump”. Bastion servers are sometimes called “jump hosts” or “jump servers.”


Secure Sockets Layer (SSL) Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, it allows the use of the secure HTTPS protocol for connections from a web server to a browser. Typically, web browsers indicate HTTPS sessions by a padlock icon.

Continuous Authorization

As one of the core principles of zero trust, continuous authorization leverages real-time device posture and trust, user trust, and resource sensitivity as defined in granular policy controls.

In this scenario, trust is not only verified at the beginning of each request, it continuously verifies that the request remains trustworthy throughout the entirety of the session. In order for continuous authorization to work in practice, two things are required:

  1. Continuous Quantified Trust – Constant, thorough analysis of the trustworthiness of the user and their device.
  2. Instant Access Control – The ability to instantly revoke access if trustworthiness falls below a specified threshold, re-granting access for future requests if trustworthiness rises sufficiently.


A Connector is a dial-out connector that runs in a private network segment within which you run corporate applications and services. A Banyan Connector establishes a secure tunnel with one or more Banyan Access Tiers.

Data Plane

  • The data plane is a part of a network through which user packets are transmitted. It is a theoretical term used to conceptualize the flow of data packets through a network infrastructure. It is often included in diagrams and illustrations to give a visual representation of user traffic.
  • The data plane is also known as the user plane, the forwarding plane, or the carrier plane.

Device Identity

Device Identity refers to the ability to uniquely identify a specific device, much as you would identify a user. Ideally, only users with verified identity, using devices with verified identity should be allowed to access applications and resources. In this way, attacks can be dramatically reduced even when an attacker has stolen credentials, as they are not able to establish a trusted device identity. Device Identity is also used to distinguish between corporate-issued and personal devices and apply policies accordingly.

Device Security Posture

Device Posture helps protect applications and reduce security risks. It lets security admins establish trust in devices that comply with security policies. It does not improve the security of a device; it does, however, use the collected information to help administrators improve the security of applications.

Device Trust

A core component of zero trust access, device trust requires certified unique identification of the user’s device and real-time assessment of its risk posture. In conjunction with Continuous Authorization, Device Trust enforces access policy requirements, immediately disconnecting when a user’s device is no longer compliant.

Distributed Access Tier

An Identity-aware proxy that mediates access into a private network segment within which you run corporate applications and services.

Endpoint Detection and Response (EDR)

EDR is endpoint security technology that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware. Originally coined by Gartner Research analyst Anton Chuvakin, EDR solutions “record and store endpoint-system-level behaviors, use various data analytics techniques to detect suspicious system behavior, provide contextual information, block malicious activity, and provide remediation suggestions to restore affected systems.”

Federated Security

This allows for clean separation between the service a client is accessing and the associated authentication and authorization procedures. Federated security also enables collaboration across multiple systems, networks, and organizations in different trust realms.

Hybrid Cloud

Refers to a mixed computing, storage, and services environment made up of on-premises infrastructure, private cloud services, and a public cloud – such as Amazon Web Services (AWS) or Microsoft Azure – with orchestration among the various platforms.

Identity Provider (IdP)

An identity provider (IdP) is tasked with verifying users’ identities and communicating with the service provider to log them in so they can access more resources with fewer logins. There are several IdPs in today’s market: Okta, OneLogin, Microsoft Active Directory Federation Services, Duo Access Gateway, and Ping Identity are a few popular ones. IdPs use the SAML protocol to express that the IdP authenticated a user.

Infrastructure as Code (IaC)

Infrastructure as Code (IaC) is the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. The IT infrastructure managed by this process comprises both physical equipment, such as servers, as well as virtual machines, and associated configuration resources.

Infrastructure as a Service (IaaS)

This is a type of cloud computing service, also known as public cloud, that offers essential compute, storage, and networking resources on demand, on a pay-as-you-go basis. In this scenario, an organization retains control of their applications, data, runtime environments, middleware, and operating systems.

Lateral Movement

The techniques that a cyberattacker uses after gaining initial access to move deeper into a network, mapping out its structure, searching for sensitive data and other high-value assets. By moving from the initial machine that was first breached, attackers are often able to prolong their access, even if the original attack site is discovered. Attackers will typically try to obtain additional credentials and elevate their access privileges as they go.

Least Privilege Access

A core principle of zero trust, which refers to the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, authorized activities.

Man in the Middle (MitM) Attack

A type of cyber attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties. One example of a MitM attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make it appear that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.


Micro-segmentation is a security practice that splits networks into definable zones and then uses granular policies to dictate how data and applications within those zones can be accessed and controlled. Doing so provides enhanced visibility while reducing the attack surface to a minimum, helping prevent unauthorized lateral movement.

Microsoft Azure

This is a public cloud computing platform—with solutions including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) that can be used for services such as analytics, virtual computing, storage, networking, and much more. It can be used to replace or supplement on-premise servers.

Microsoft Azure Active Directory (AD)

Microsoft Azure Active Directory (Azure AD) is a cloud-based identity and access management service. It provides single sign-on, multi-factor authentication (MFA), and conditional access helping guard against cybersecurity attacks. Learn more.

National Institute of Standards and Technology (NIST) SP 800-207 Zero Trust Architecture

This is a series of cybersecurity measures and guidelines highlighting the core components of Zero Trust principles. Download here.


Okta is an enterprise-grade identity management service that connects any person with any application on any device. While built for the cloud, it’s compatible with many on-premises applications. With Okta, IT can manage any employee’s access to any application or device.

Platform as a Service (PaaS)

Platform as a service (PaaS) is a complete development and deployment environment in the cloud, with resources that enable the delivery of everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications.


A policy is a set of authorization rules that specify which users can access a given service or application. Typically, policies are written using roles to simplify policy creation by grouping of users with similar access privileges.

Privilege Access management (PAM)

Privileged Access Management (PAM) is a cybersecurity strategy to control, monitor, audit and safeguard all identities across an IT environment.

Privilege Escalation

Privilege escalation is a type of network attack used to gain unauthorized access to systems within a security perimeter. Attackers start by finding weak points in an organization’s defenses and gaining access to a system.


Ransomware is malware that employs encryption to hold a victim’s information at ransom. A user or organization’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom payment is then demanded (typically in anonymous cryptocurrency) in exchange for the decryption key.

REST Application Programming Interface (also known as RESTful API)

A REST API (Representational State Transfer) is an API that conforms to the constraints of REST architectural style and allows for interaction with RESTful web services and is designed to take advantage of existing protocols. While REST can be used over nearly any protocol, it usually takes advantage of HTTP when used for web APIs. This means that developers do not need to install libraries or additional software in order to take advantage of RESTful APIs.

One of the key advantages of REST APIs is that they provide a great deal of flexibility. Data is not tied to resources or methods, so REST can handle multiple types of calls, return different data formats and even change structurally with the correct implementation of hypermedia.

Security Assertion Markup Language (SAML)

SAML is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider. SAML is an XML-based markup language for security assertions.

Security Information and Event Management (SIEM)

Security information and event management (SIEM) technology supports threat detection, compliance and security incident management through the collection and analysis of near and real time and historical security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities such as incident management, dashboards and reporting.

Secure Access Service Edge (SASE)

An architectural model first articulated by Gartner Research that combines comprehensive WAN capabilities (such as routing and path selection WAN optimization) with comprehensive network security functions (such as secure web gateways (SWG), cloud access security brokers (CASB), firewall as a service, and zero trust network access (ZTNA)) to deliver secure zero trust access to applications for users and between applications and the services they consume.

Secure Web Gateway (SWG)

A secure web gateway (SWG) protects users from web-based threats in addition to applying and enforcing corporate acceptable use policies.

Security Service Edge (SSE)

An integrated, cloud-centric offering, SSE facilitates safe access to websites, SaaS, and private applications. Capabilities focus on the security service part of overall SASE strategy, combining access control, threat protection, data security, security monitoring and acceptable use control, and are typically connected with partner-delivered SD-WAN services. Monitoring and policy enforcement use network controls and application APIs augmented by endpoint-based controls.

Software as a Service (SaaS)

Software as a service (SaaS) allows users to connect to and use cloud-based apps over the Internet. Common examples are email, calendaring, and office tools such as Microsoft Office 365, Salesforce, Workday, Box, and Dropbox. It is a complete software solution that is typically purchased on a subscription basis from a cloud service provider. In this scenario, all elements of the IT landscape are available on a public cloud without any resources under the organization’s direct responsibility.

SaaS Application

A SaaS application is a special type of Service that is NOT hosted in the customer environment. Instead, SaaS applications are hosted by the SaaS vendor in the vendor’s data centers, typically made available through public and private cloud environments.


Terraform is an open-source infrastructure as code (IaC) software tool that provides a consistent CLI workflow to manage cloud services at scale. Terraform codifies cloud APIs into declarative configuration files, making it easy to programmatically set up, tear down, and manage ephemeral infrastructure. See Terraform for more information.


A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something.

User Trust

A core component of zero trust access, user authentication is dynamic and strictly enforced before access is allowed; further access authorization is continuously re-evaluated – a constant cycle of access, scanning and assessing threats, adapting, and if necessary, revoking access in real-time.

Virtual Private Network (VPN)

A VPN provides online privacy and anonymity by creating a private network from a public internet connection. VPNs mask users’ internet protocol (IP) address so your actions are virtually untraceable. Most importantly, VPN services establish secure and encrypted connections to provide greater privacy than even a secured Wi-Fi hotspot.


WireGuard is a communication protocol and free and open-source software that implements encrypted VPNs and was designed with the goals of ease of use, high-speed performance that uses state-of-the art cryptography. Banyan Service Tunnel makes use of WireGuard. See for more information.

Zero Trust

Zero Trust is a security architecture, framework and mindset, sometimes known as perimeterless security, and describes an approach to the design and implementation of IT systems. The main concept behind the zero trust security model is “never trust, always verify,” which means that devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified.

Zero Trust as Code (ZTaC)

Zero Trust as Code enables the ability to add zero trust security policies in the CI/CD process, thus ensuring least privilege access security controls are applied across the different infrastructure environments.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) is a category of technologies that provides secure access to applications and services. ZTNA allows “least privilege” access to specific applications and resources, and not the entire underlying network to any user with valid login keys, thus reducing the attack surface and preventing lateral movement of attacks from compromised accounts or devices. ZTNA builds upon the concept of “Zero Trust,” that asserts that organizations shouldn’t implicitly trust any entity, whether inside or outside the security perimeters, and instead must verify every user or device before granting them access to sensitive resources, ensuring data safety and integrity.