Banyan Security Demo – Infrastructure Access

Tarun Desikan:

Welcome to the third demo for Banyan security at the Zero Trust Demo Forum. In this demo, we’re going to focus on how Banyan provides secure access to developers. Particularly, in the context of fast moving infrastructure as a service environments such as AWS and so on.

Tarun Desikan:

We have a demo environment we call MedSoft. It’s a medical software company that like many enterprises today has applications running in the data center, as well as Amazon, as well as Google cloud, and also many as SaaS. In this particular demo, we’re focusing on access to the production infrastructure running in AWS. We have both Daisy who’s a developer as well as Adam who represents IT. We have different types of resources in AWS, including SSH servers, ES clusters, databases, and so on.

Tarun Desikan:

Now because MedSoft collects sensitive patient data in AWS it is really important that it stay compliant. Developer access needs to match its security policies, developer productivity is of paramount importance as well, because, as you know, if you don’t give developers easy convenient access they will find a way work around your security systems.

Tarun Desikan:

Now, traditional tools like VPNs and bastions were designed for static physical environments. Customers today run tens and thousands of VPCs in the AWS cloud and traditional tools have become way too cumbersome to manage and also painful to use.

Tarun Desikan:

Let’s start in the Banyan Cloud Command Center. You can see in your directory and infrastructure view when we look at the different types of access tiers that we have access tiers securing the different, data centers, the Google Cloud, and the AWS presences for MetSoft. Banyan’s enforcement component is an identity-aware proxy. It’s a distributed access tier that can be deployed in all these environments using native tooling for AWS. For example, we use Cloud Formation, Terraform, and so on. No matter how you deploy these in your different environments they’re all managed centrally from our SaaS platform.

Tarun Desikan:

Once we set up your infrastructure, we gather your directory of users and devices. Then you can write your different types of policies and apply them to the different types of services. Our policies are written in simple easy to use constructs. You specify the rules. Hey, this is an admin on a certain type of device. You specify the level of trust and that’s the entity that’s allowed access based on that policy.

Tarun Desikan:

Then you can define different types of services. You can define SSA services, community services, web services, and so on, and grant access. Essentially, you create a service catalog that you then give access to your developers.

Tarun Desikan:

Here in the Banyan App, you can see, I have my Device Trust in the devices tab and on the services tab, I also have a services catalog. I am logged in here as an administrator and you can see that I have access to all the different services that I have defined in the admin console. Now, to access a given service, you will click on that service and hit connect. Once you hit connect, you get click button access into that service that you needed access for. Like in the other demos, you get access based on your trust score, as long as your trust score is high, as long as your trust score matches policy, you get access. Once your trust score falls below a certain level you get denied.

Tarun Desikan:

I’m going to take you through a few different scenarios in this demo as well. We’re focused on AWS infrastructure. In AWS we have an SSH server, so a Linux server that developers SSH into, as well as, a Kubernetes cluster, which you interact with the KubCTL command line interface. We have policies that say only authenticated users on trusted devices can access services. We also have a policy that restricts root access.

Tarun Desikan:

We just showed you the administrator view on their windows device. We’re going to switch to a Mac laptop and show you the developer experience there. We’re going to reduce the trust on that developer laptop and show you the experience there, as well.

Tarun Desikan:

Let’s switch to Daisy’s developer map a laptop to see her experience as a developer. On this laptop, Daisy logs in and she can see the different services she has access to. You can see the standard device trust here. Then when I log in, you establish the device trust, we authenticate as the user, and then you can see the list of services Daisy has access to. As you can see, Daisy has access to fewer services than the administrator did. In this organization, the developer has access only access to a DevServer and a staging Kubernetes cluster. Now, in this scenario, Daisy needs to SSH into this DevServer. She clicks connect to set up behind the scenes a short lift tunnel into this DevServer. Banyan procures the certificates and sets up the connectivity that she needs to access. Let’s copy that command, paste it in here. It’s at as simple as that. Banyan’s SSH capability allows Daisy direct secure access into that server.

Tarun Desikan:

If I check who this is you’re logged in as the correct user, you’re allocated to the same groups, all of this is done behind the scenes, and best of all, you see that Daisy does not have pseudo privileges. She cannot run any privileged commands using pseudo. Now, one of the key concepts here is that Daisy’s given a limited user on the Linux laptop. Banyan uses modern SSH certificate based authentication and authorization to enable this.

Tarun Desikan:

It’s not just SSH that Banyan manages access to. Banyan also provides first class one click access to different types of infrastructure, including Kubernetes clusters, Windows servers, databases, and so on.

Tarun Desikan:

Let’s see Daisy connect to our staging Kubernetes cluster. This is running a managed elastic Kubernetes service in AWS. Again, you just click connect, copy the conflict commands here, paste it in, and now Daisy has access to the Kub cluster. She can run her standard Kubernetes commands such as, for example, getting the pods in the cluster or even the status of an individual pod. Just like with SSH Banyan gives restricted access to a Kubernetes cluster, so if Daisy were to try to get, for example, all the services running in the Kubernetes cluster that is blocked, because she does not have the privilege to do that.

Tarun Desikan:

Now, let’s see Banian trust scoring in action as well. Let’s come back to the SSH server she’s logged into where we are monitoring all the processes. As you can see on the devices tab Banyan has computed the trust code of Daisy’s device. It’s at 100, because all the different organization factors are met. Let’s turn off, for example, say, CrowdStrike, which is a required factor for this organization. We might have a script which will just stop CrowdStrike. Now, when we click on the devices tab, Banyan instantaneously can detect that a given mandatory app is not running and it sets the trust code to zero. Now, behind the scenes all connectivity has been immediately revoked. You can see that this SSH session, which was previously active, is no longer active. Then when Daisy tries to connect she gets rejected.

Tarun Desikan:

What we just saw on Daisy’s laptop was one click connectivity to SSH Kubernetes, other developer resources, as well as, a tight integration with Banyan device trust, trust scoring control mechanisms.

Tarun Desikan:

Now traditional back and white controls just don’t work this way. In the traditional world, the network centric worldview, you would have different types of network appliances, a VPN server, maybe a bastion, as well as, a firewall between the user and the internal service SSH, Kubernetes, Windows servers, and so on. In addition, you would have authentication controls on that internal service. Now, when a user needed to access, say, the SSH server in the corporate network they would turn on the VPN client that would put them onto the network. They’d have to go through a bastion. They would have to make sure the correct firewall rules were enabled and then make sure their user accounts were correctly provisioned by their directory services and their authentication manager. This is a complicated clunky system. Developers would have to file multiple tickets just to get access to the right resource.

Tarun Desikan:

In Banyan’s world, it says much simpler. We have an access tier that is deployed as close to the internal services you need and which registers into the cloud command center where you write your policies. We have the Banyan app that runs on your laptop or your other devices and then you get direct one click access to server that you need. Complexity has its purpose, but when it comes to security, simple is better. Banyan’s modern certificate based access controls allow you to provide simple yet secure access. This is the right approach for today’s cloud environments.

Tarun Desikan:

In the cloud command center if you come to our events log, you can see Banyan does make life easy for the developers and give them one click access. On the flip side, as an administrator you have granular visibility into what services, what resources, a given user is accessing.

Tarun Desikan:

You can see in this case, that user Daisy initially access the DevServer access was authorized. Then user Daisy access to Kubernetes cluster access was authorized. Then you saw the trust score being recalculated when a given signal changed and then now you can see access was revoked. Access was denied, because trust score changed. Banyan also of supports advanced logging scenarios where you can see the exact commands a user runs on a server and so forth.

Tarun Desikan:

Banyan also makes it very easy to administer these access controls and apply Zero Trust policies. In the modern cloud environments that are hundreds of servers, hundreds of accounts it can get very complicated very quick.

Tarun Desikan:

Here I am in my AWS management console. Banyan has native integration with cloud resources tagging, so you can use the different types of tags to define what types of security policies need to be applied and when the service is created in the AWS console Banyan are automatically imbibes those tags and applies the correct security policy. For example, here we have a Banyan service tag called production service and this applies to all these different resources, these different servers, and so on in AWS. Back in the Banyan console, when you click on production servers these production servers are automatically mapped to the appropriately tagged resources in AWS. This is how you can set up access controls, secure access controls. Makes the developers life easy, also enables the DevOps team to use their favorite automation tools.

Tarun Desikan:

A quick recap in this demo, we focused on access to AWS resources. We enforced a couple of different types of Zero Trust policies around needing a certain level of device trust us to access resources, as well as, limiting root privileges only to administrators. We started with an admin user on a high trusts windows device. We switched to the developer experience where we saw a Mac laptop with a high level of trust being allowed access to different servers and Kubernetes clusters, but limited to non route. Then, finally, we dropped the level of trust on the Mac laptop and we saw access being denied. We also saw how for the administrators Banyan can integrate with AWS tagging to simplify the creation of services, and policies, and so on.

Tarun Desikan:

With Banyan you can secure your dynamic multi-cloud and infrastructure as a service environments. Your developers get one click access. They have a service catalog that lists the different resources they have access to. Click a button and they get dropped right in. You can enforce lease privileged security and also get a granular audit trail that is very useful for compliance. Finally, the whole system is designed for automation and for modern workflows.

Tarun Desikan:

We all know software is eating the world and that engineering team productivity is critical for a business to thrive, so Zero Trust tools for these kinds of environments have to go beyond security. They also need to consider the developer experience, as well as, the admin experience and also maintenance. That’s what Banyan provides.

Close Transcript