Banyan Security Demo – SaaS Application Access

Tarun Desikan:

Welcome to the second demo for Banyan Security at the Zero Trust Demo Forum. We’re going to focus on demoing Banyan capabilities to secure SaaS applications. We have a representative, but fictional environment, we call MedSoft. It’s a medical software company. And MedSoft like most enterprises has applications running in multiple clouds, multiple data centers, software as a service and so on. And they have different types of users from IT to sales, to developers. In this particular scenario, we’re dealing with SaaS applications, so MedSoft uses Okta as it’s single sign-on identity provider, and Steve and Carly and Adam use Slack and Dropbox just like you or I would. MedSoft IT wants to roll out stronger security requirements. As it stands today, there’s a lot of sensitive data that is stored in Dropbox, that is stored in Slack, but it’s just protected with a single sign-on credential in Okta.

Tarun Desikan:

And MFA is a good add on, but it does not provide the Zero Trust or continuous authorization you need for a strong security posture. Traditional VPNs do not work in these scenarios either because you end up back hauling Dropbox and Slack traffic through your on-premise gateways, which is just a performance nightmare. And also the identity provider alone is not enough because they don’t do anything post-authentication.

Tarun Desikan:

So let’s see how Banyan does this. Here is an administrator view of the Cloud Command Center. This is where we gather an inventory of your users, their devices, and also the different types of infrastructure you’re securing with Banyan. In our secure access tab, you can create different types of roles. In this case, we have admins with different types of devices, contractors from any device, as well as users from registered devices. Roles is how Banyan combines user attributes from the identity provider and device attributes from your device. Or your device manager.

Tarun Desikan:

In Banyan, you can then write policies to assign access rights to individual roles. So for example, an admin’s only policy would say only administrators can access a given service. And then in your services tab, you can define all your different types of services, your catalog can also include your SaaS applications. The other thing you specify in Banyan is how to think about device trust. You can configure various checks in Banyan for your devices, based on the operating system, the types of applications that are running and so on. Banyan checks these different device scoring elements using the Banyan app. And here it is running in my tray, the Banyan app continuously computes the trust of your device and evaluates it against the different parameters that you have an administrator have set up.

Tarun Desikan:

In this demo, I’m going to take you through of few different types of journeys. We’re going to focus on accessing Dropbox, a SaaS application and Okta as a single sign-on tool. We have a few different types of Zero Trust Policies enabled, the first is that you have to be an authenticated user on a registered device to access SaaS applications. And the second is that if your TrustScore falls below a certain level, we revoke your access. We’re going to start with the administrator on a Windows laptop, with a high level of trust. We’re going to compromise the device and then show you the same device, same user, but now with the low level of trust. Then we’re going to show you what happens if your contractor is to access one of your corporate SaaS applications from an unknown device. And then we are going to show a fluid experience for a sales guy. Let me start by logging into Dropbox. So I just enter my username and password, I’m going to log in as user, we know single sign on is enabled. Takes me to Okta, where I need to authenticate, and I’m in.

Tarun Desikan:

So Banyan functions completely transparently, I’m into my Dropbox, I can upload my things, I can check my different videos. Banyan is completely transparent when trust is high. Of course, what happens is during the course of my day, as I access Dropbox, I might click on a link and I might download something malicious onto my laptop. A big red screen. It’s as easy as that, your single sign-on tool like Okta can do nothing about it. Malware has been installed. Your corporate files in Dropbox are at risk and your organization could face a security breach. Now in this demo, Banyan is integrated with CrowdStrike, so it’s able to detect when Malware is downloaded. So in this case, if I just refresh this page, you’ll see that in real time, a change in device posture has been detected, and my trust score has dropped.

Tarun Desikan:

So now let me try to go through that same flow again. Let me come to Dropbox, try to sign in, and when I go through that same flow, access is denied. In real time, access has been revoked because my device posture has changed. I’m prompted to check my desktop app to see why, and I can see it’s a CrowdStrike integration. So note in my organization, CrowdStrike is deemed… Malware is deemed a high risk. So this indication of a tag or indication of compromise from CrowdStrike results in a trust code drop to one, which revokes my access.

Tarun Desikan:

If something else had changed, say my disk encryption on my Firewall, you would’ve still been granted access. Users can remediate themselves, and IT teams love this because it dramatically cuts down on support tickets. Now we covered what the experience was for a device that is registered and managed. Let’s look at what the experience is from a device that’s completely unregistered. Now let’s go back to the contractor tablet that we had used previously, let me enter the Dropbox URL here. The exact same flow, you have to… you’re asked to authenticate. We know the single sign-on, I continue. Your access is blocked. Your access is blocked because your device is not registered.

Tarun Desikan:

Let me similarly try to access my identity provider in this case, Okta. So if I try to access Okta, I get a similar page. So most organizations are not able to cloak their identity provider. Most organizations are not able to lock down sensitive SaaS applications to specific devices. So that’s exposing them to various risks on the internet. So Banyan allows you to cloak your identity provider, protecting you against attacks, such as credentials stuffing, and user phishing and so on.

Tarun Desikan:

Now let’s look at the user experience on a registered mobile device. Here, I’m on Steve’s iPhone. You can see he has the Banyan app installed, you can see the different factors that comprise his TrustScore, you can see this is a fully trusted device. Now, when Steve is on the go, he needs to get to Dropbox to upload some sales assets, opens Dropbox. Oh crap, I have to sign. In a traditional tool you’d have to turn on your VPN, you’d have to perhaps perform other gymnastics. In this system, you enter your Dropbox user name and password. Dropbox no single sign-on is enabled. You hit continue, seamlessly Dropbox authenticates the user, Panion verifies the device trust. Hit allow, we know this is a trusted device, it has been registered.

Tarun Desikan:

And in a passwordless fashion, you don’t even have to enter a password here, you’re seamlessly dropped in to the Dropbox app. You can now click, upload assets, browse, do your job, as easy as that. The key thing here is that the Banyan app is lightweight, it does not take VPN profile, it does not drain your battery. All it does is register the device and compute Trust.

Tarun Desikan:

Users love this because it is easy and can be installed even on personal devices. And IT teams love this because you can support sales and field teams mobile workflows, and you don’t necessarily need to keep track of what Netflix movies they’re streaming on their phones.

Tarun Desikan:

So in this demo we saw how Banyan secures different types of SaaS workflows. Our Zero Trust Policies were such that you have to be an authenticated user on a registered device to access any SaaS application. We use Dropbox and Okta in this demo. And we also block access if your trust code falls below a certain level. We started with a user on a high trust device and saw how Banyan was transparently granting access, the user didn’t even know Banyan was there. Then we downloaded some Malware to lower the trust of the device and we saw the real time revocation of the session. We looked at what access looked like from an unknown device, a contracted device and access was denied. We were able to cloak the identity provider, and finally, we saw a smooth workflow from a registered iOS device.

Tarun Desikan:

So we call this transparent Zero Trust, a Zero Touch Zero Trust, and we’re very… we’re particularly proud of how we’re able to restrict access without man in the meddling traffic. There are a lot of solutions that require you to send your SaaS application traffic through someone else’s gateway, where they will do some kind of IP white listing or man in the meddling checks. Banyan does real time policy enforcement based on establishing device trust and device posture without needing to inspect every bite.

Tarun Desikan:

This is particularly useful when you have mobile work for mobile workers and you’re interested in enabling mobile workflows. And finally, we showed you how Banyan can cloak your identity provider be it active directory or Okta, which protects you against different types of phishing attacks. So Zero Trust doesn’t necessarily need to mean a big brother, heavy handed approach. You can roll it out incrementally, you can roll it out in a Zero Touch fashion so it does not disrupt existing workflows and actually improves productivity.

Close Transcript