Banyan Security ZTNA – Interview with Richard Stiennon

Richard Stiennon:

Hi, I’m Richard Stiennon, industry analyst covering the cybersecurity space and I’m talking to Tarun Desikan who is the COO and co-Founder of Banyan Security. Welcome Tarun.

Tarun Desikan:

Hi, Richard. Thank you for having me.

Richard Stiennon:

Yeah, no, I’m happy to be talking to you. I’m anxious to discover what Banyan’s all about. So secure access, right?

Tarun Desikan:

Zero Trust, the other buzzword.

Richard Stiennon:

Add them all in there.

Tarun Desikan:

Yeah.

Richard Stiennon:

But yet, Zero Trust is a good framework or philosophy, I guess, tell us how Banyan goes about establishing Zero Trust.

Tarun Desikan:

So just to step back, there are different flavors of Zero Trust, so the specific flavor of Zero Trust we are focused on is Remote Access, and what we saw in the market when we got started was that there was a traditional networking worldview to Remote Access, which is your VPN and your firewall, and you turn on your tunnel and you get in and everybody knows that. We also saw there’s another worldview, which is, I call it an identity centric worldview, which is authenticate the user, authenticate them really well, and it doesn’t matter where the application is running. It can be on the internet essentially, and what we found is that this is very black and white, you either belong to one camp or the other, but the reality was the world is like many shades of gray.

Tarun Desikan:

And you have to have some network concepts, you have to have some identity concepts, but at the end of the day, you have to secure that application. That’s what you have to do, and so that’s what Banyan does. Our Zero Trust is focused on enabling users and devices to get access to the applications that they need to do their job. It doesn’t matter where the applications are, it could be in your data center, behind a firewall, it could be an Amazon cloud, running in AWS, it could be running a SaaS, so the location of the corporate resource doesn’t matter, the location of the user doesn’t matter, our framework is connecting the user to the application so that they can be productive.

Richard Stiennon:

And frankly, the network doesn’t matter, right? It’s users and applications.

Tarun Desikan:

Well, in the sense, the network doesn’t matter in the sense that the internet has become so good. Right? So we rely on the internet for connectivity. I think connectivity still matters, but who provides that connectivity maybe is not quite as important. The internet providers have become really good, some companies have invested in SD-WAN, I think historically people have relied very heavily on the network for security as well, and so nobody’s saying connectivity doesn’t matter if you can’t get to the application, you’re not going to do anything, but combining connectivity with security, I think that’s a problem.

Richard Stiennon:

Totally agree. Yeah, I grew up on the network side when I was… we’ve got four billion IP addresses and our only task is decide which ones are good and which ones are bad.

Tarun Desikan:

Right. In those days, if you got access to the IP and port, that’s kind of done, right, that’s the job of the network and if you didn’t have access to the IP and port, okay, you didn’t get access. So it was very simple in those days.

Richard Stiennon:

Yeah. So I can imagine the lockdown we experienced because of COVID-19 has kind of given you a shot in the arm.

Tarun Desikan:

Oh, that’s so many metaphors there, I don’t know if I should go there, but I think when we started Banyan, it was well before COVID-19 hit, we saw the trend as still being a circular trend, there was still a movement amongst many Companies, we call it work from anywhere. That movement has been growing and growing, even at our company Banyan, we used to let people work from home maybe once or twice a week, and that’s become more and more the paradigm that your employee or workforce can be anywhere in the coffee shop in the airport, they should be able to do their job. So the change has been happening, but I really think COVID-19 just skyrocketed, it just became forced on all organizations and definitely for a company like Banyan, we don’t have to go motivate anymore. Hey, CIO, you should plan for work from anywhere.

Tarun Desikan:

No, the people we talk to, they’re already dealing with work from anywhere, they’re setting it up with their traditional tools, they’ve just scaled up their licenses of their VPN or they’ve just put things on the internet and said, just go to town. Don’t bother, and so now they’re trying to step back and think, okay, if this is the new world, what does technology have to look like to enable this? And how do I enable it in a scalable fashion, in a secure fashion, so definitely COVID-19 has been game changing for all of us, not just for Banyan, but for the industry as a whole. Yeah.

Richard Stiennon:

Yep. So help me understand the architecture, because there’s several ways to do this, one is a big proxy in the cloud, direct everybody’s traffic to Banyan and then forward it as authorized. What approach do you take?

Tarun Desikan:

Yeah. We call those man in the middle clouds and we do so because, I understand why some companies do it, but we really think that’s maybe the previous generation’s technology. So our architecture is also a cloud-based architecture. We have a central command center. This is a SaaS platform. We hosted… you specify your policies, you have your inventory of users, devices, that’s where you manage everything from now in terms of enforcement itself, we also have an identity of web proxy, we call it an access tier that does the enforcement, but we allow you to define your edge kind of the access point essentially, depending on your infrastructure. So for example, if you’re in AWS, your edge would be in your AWS account, a VPC, a Virtual Private Cloud, where you run our identity web proxy. If you wanted our edge in your data center, you would deploy our Smartproxy in your data center and GCP and so on.

Tarun Desikan:

And so we also have the ability to have… we have hundreds and thousands of these, we call them access tiers, creating an access edge, but I think we’re not a man in the middle cloud in the sense the corporate infrastructure you’re securing is running in your data center or in AWS, we put the access control right next to it. Now we do have architectures, which we call, a cloud secured edge. So if a company is a hybrid company where they have AWS and they have a data center, then we set up a cloud, but it’s your cloud.

Tarun Desikan:

The access tier runs in your AWS account and then access goes into your data center. So those are the two core components of Banyan, and the third part is what we run on the devices. So we do allow devices in an agentless fashion to access our secured services, but for the higher level of security, we install an app. So it’s a lightweight app, you download from the app store, it registers your device, it scores your device, and then we give you access into the corporate resources based on that score. So we call it a Trust-score Based Access Control TBAC, which is kind of like the RBAC and the ABACs. Ours is trust based, takes some of the best concepts of roles and attributes and delivers all of it as trust.

Richard Stiennon:

And it gives higher authentication, right? It’s a device somebody has, so you’ve got more assurance that they are who they say they are?

Tarun Desikan:

Yeah, absolutely. And it goes beyond authentication. So traditionally there was user authentication, we are getting into device authentication, which is the certificate we installed, but also device posture, what’s running on the device, if it’s a managed device, is antivirus running on it? If it’s an unmanaged device, is it patched at least? At least running the latest operating system, so we can integrate the device, and then when you combine them together, that’s when we create a trust-score, and I think we also go beyond authentication, it becomes authorization because these trust factors can change, they change very dynamically and you typically authenticate a user once every day, once every two days, something like that, but you can get a malware within a second, that completely changes the dynamic or your level of trust, essentially.

Tarun Desikan:

And so in addition to user and device trust, we authorize the access. So if your trust level falls, we immediately revoke the authorization and your access is denied. So just the SolarWinds hack, I know everybody has been thinking about that and you’ve done some… thinking about it as well. Those guys had been in the network for like one to two years. Isn’t that insane? They just had full unfettered access to the network for multiple months at a time, and at some point they were trusted, but not recently.

Richard Stiennon:

Yeah. Which brings up the question of active directory. Right? Which is one of the misconfigurations I guess, to be generous, you’d call it in the SolarWinds attack, but that’s where everybody keeps their current identities and authorizations. How do you interact with active directory?

Tarun Desikan:

Yeah, I think active directory bears the brunt of a lot of insinuations, but at its heart, it’s a directory service, it’s an authenticating system where you authenticate a user, and of course if you misconfigure it, put a fake user don’t remove users who have left the organization, it can be abused, but I think especially in the days of the cloud, there is a bigger problem, which is, most people put their active directory on the internet, right? That’s the portal, it’s called single sign on, identity providers, Okta, one login, there are many of them, and so if you take active directory and just extend it, you’re essentially putting your entire directory now on the internet. So in the SolarWinds case, they had active directory inside their network, but they didn’t secure it, and now you have other companies that put it on the internet and potentially misconfigure it.

Tarun Desikan:

I think these are both pretty serious security risks because you’re relying on human beings, administrators, and a small configuration change can break every thing. So from Banyan’s perspective, and you’ll see this in our demos, our technology allows you to cloak your identity provider, so you can only access your identity provider to register your device, but nobody else can access the identity provider. So if you try to access my organization’s identity provider and you don’t come from an approved device, you don’t even see it. And that’s one example of Zero Trust, inaction securing something real, very real.

Richard Stiennon:

Yeah, I like that, and it’s an addition to the stealthing of the applications that you can provide, right? Only authorized users even know they exist.

Tarun Desikan:

Yeah, I think one of the poorly kept secrets in the Zero Trust world is, most Zero Trust solutions only work if you host the applications yourself. You’re going to interview so many people and they all primarily focus on replacing a VPN. The reality is most infrastructure has flown the coup, it’s running a Salesforce and Dropbox and Slack, you’re not even in the data part, you’re relying purely on active directory to authenticate the user and that’s it. So you’re literally running blind and if you don’t provide security by cloaking, the identity provider, revoking sessions, add Salesforce and Dropbox, I think it’s a big problem and it’s just an example of where it’s black and white, the people in the black say, it’s not my problem, the people in the white solve the problem slightly differently and the bad guys just get in.

Richard Stiennon:

Yeah, tell me about Banyan’s kind of their origin story, where’d you come from? What problem were you looking to address originally?

Tarun Desikan:

Yeah, I’m both proud and a little embarrassed to say we’ve been working on Zero Trust for many years, so my co-Founders come from VMware and the CEO Giant, when he was at VMware, he specifically had worked on these kinds of security problems. VMware has kind of been absent maybe from the cloud, but they really invented… with software defined networking and vSphere, and they acquired AirWatch, the device manager, so they’ve been really on the forefront of modern scalable operations, but when he was there, he kind of saw that, okay, operations is fast, productivity is fast, what about security? And so he started developing a security layer that would essentially run agnostic to the network and yet work for these modern environments, so that was kind of the thesis, and fast forward a few years, we decided a big company wasn’t necessarily the right place to do it.

Tarun Desikan:

So that’s when we started Banyan, and when we first got started, we were pitching the idea of a beyond cob style infrastructure for the enterprise, or applying Gartner’s CARTA principles to access control, and I must say, people were polite, but no one really paid that much attention to us when we got started, but I do think in the last couple of years, the need for Zero Trust, the growth of the Zero Trust economy in general and the pandemic not withstanding. That’s when we have really found our footing and being able to establish the problem statement and how our solution helps.

Richard Stiennon:

Got it. Oh, this is exciting. I can’t wait to see your demo and I want to thank you Tarun, for spending some time with me.

Tarun Desikan:

Thank you, Richard. It’s a pleasure.

Close Transcript