Get a high-level overview of Banyan Security and Zero Trust Network Access (ZTNA) by Banyan co-founder and COO, Tarun Desikan.
Tarun Desikan:
Hi, everyone. Welcome to Banyan Security at the Zero Trust demo forum. I’m Tarun Desikan. I’m one of the co-founders of Banyan and I’m excited to talk to you about Zero Trust and Banyan’s solution for Zero Trust Remote Access. In terms of logistics, in this first speaker session, I’m going to provide a high-level overview of Banyan: how we see traditional tools, how we see Banyan Security, the general state of Zero Trust, our architecture and so on. Then in subsequent sessions, we will jump into the product demonstration itself in different scenarios to highlight different capabilities of the Banyan product.
Tarun Desikan:
So most of us, watching from home in the midst of the pandemic, know what work from anywhere is, and that’s what we’re doing right now. Now the reality is, even though work from anywhere has been thrust upon us, it has actually been a secular trend over the last many years. The idea that an employee can do their job from anywhere, the coffee shop, home, the office, and do so securely has only been growing. Now, of course, with COVID-19, it becomes the new normal. So businesses have to adopt work from anywhere to thrive in this new normal; IT teams know this, and IT teams know that they have to upgrade their decades-old VPN and network approaches to support the shift.
Tarun Desikan:
Now, these traditional approaches have a lot of security issues, a lot of operational issues. I will go through those a little bit in the slides, but at a high level, the whole thesis behind Zero Trust and Zero Trust Remote Access is to address many of these deficiencies with traditional networking-based access controls. So what is Zero Trust? Well, any good Zero Trust solution is based on five core concepts. The first is user trust. You have to know who is logging in. You have to trust that they are who they say they are. The second is device trust. It’s just not enough to assert user identity. You need to know what device they’re coming from, because in the days of the internet, a user can be anywhere. You have to continuously verify this trust because things change.
Tarun Desikan:
Malware can be installed on a laptop in a matter of a second; users lose their passwords. You have to enforce these rules no matter where the application is running, no matter where the user is from, and we call that distributed enforcement. And the last one is integration with existing tools. Any good Zero Trust solution will leverage the other security investments your organization has already made, and this is what Banyan does. Organizations rolling out Banyan benefit in many ways from improved security, better manageability, lower cost, lower risk and so on.
Tarun Desikan:
Now there are many, many Zero Trust solutions out there, and many talk about Zero Trust in many different ways. So let me dive into how Banyan thinks a bit differently about the problem and thus how we’ve crafted our solution.
Tarun Desikan:
So traditionally there have been two types of controls in an enterprise: network controls and identity controls. Network controls are built on the idea that your corporate resources reside in a trusted network. VPNs, firewalls, setting up different types of tunnels: these are the techniques used in network controls. Identity controls are based on authenticating the user. Active Directory is one core example of an identity control, and these tools focus on single sign-on, multi-factor authentication, basically SAML assertions to let users in. Now, network controls, in this diagram, sitting on the left-hand side, are your traditional gateways, firewalls, bastions.
Tarun Desikan:
Your identity controls, meanwhile, take the idea that you can have a SAML or an OpenID assertion and then authenticate with several other applications that reside on the internet. What happens when you view your corporate ecosystem in this black-and-white lens is that in the modern world, with modern applications running in different clouds and different environments, you start exposing yourself to different types of security risks. Let me dive into a few of them. The first is third parties. This is probably the number one cause of security breaches in the world today.
Tarun Desikan:
We just talked about the SolarWinds attack recently; that’s an example of third parties getting in and basically hacking into a large, vast number of enterprise networks, over-provisioned users. The challenge here is that when you have third parties, and in some organizations it’s bring your own device, BYOD, that has these characteristics, you cannot have complete control over how they access your corporate systems. Third parties will use their own devices. They come from their own networks. They can be from multiple different locations. The second challenge is you need to constrain these third parties into accessing just a subset, just the core set of applications that they need to do their job. We call that least privilege access. Now it turns out, even though this is pretty straightforward in description, it’s pretty hard to do. We’ve seen customers try to set up dedicated contractor VLANs. When that doesn’t work, we see organizations rolling out clunky VDI systems. When that doesn’t work, some organizations even resort to remote desktop technology.
Tarun Desikan:
All of this just highlights the fact that the traditional controls just don’t work for these kinds of scenarios. The second scenario that we see traditional controls failing on is SaaS applications. These are applications like Dropbox and Salesforce. More and more sensitive corporate data has started residing in these SaaS applications, and your traditional controls just do not provide sufficient security. You want to be able to lock down access to a subset of trusted devices, devices that the enterprise manages, perhaps devices that are running antivirus, EDR, DLP tools, and you want to be able to revoke that access instantaneously when you detect a deviation in posture.
Tarun Desikan:
In order to accomplish security for SaaS applications, we have seen companies trying to use their existing device management tooling, which is not really intended for this; we’ve seen companies trying to set up split tunnels to force traffic through centralized gateways; and we’ve even seen companies resort to secure web gateway technology to force, say, Dropbox traffic through a third-party gateway. None of these work either. The third set of risks we see with traditional controls is around developers, and developers accessing infrastructure as a service.
Tarun Desikan:
This is AWS, Azure, these cloud resources that are very easy to spin up, very easy to get productive on, but also very hard to secure. Security is hard because it’s dynamic; these environments change all the time and traditional controls don’t work. And the other part that makes security really hard is that any security controls harm the productivity of the developers, and what do developers do? They just find a way to work around it, so that just doesn’t work. We’ve seen companies start out with IP whitelisting, then try to use native tools provided by the infrastructure players, and then eventually resort to doing it themselves.
Tarun Desikan:
So fundamentally, traditional tools fail across these three dimensions, and that’s what Banyan does: Banyan has been designed from scratch, from the ground up, to address these modern security risks for third parties, SaaS applications, and developers accessing IaaS. To us, that’s what Zero Trust needs to do today in order to deliver on a work from anywhere vision. In addition to setting up an easy user experience and removing bottlenecks in the network, you have to solve some of these fundamental security issues that we see.
Tarun Desikan:
So the Banyan product, which I will dive into in future sessions, employs a modern cloud-based architecture. It’s delivered as a service. It’s easy to deploy; just consume what you need. We implement some great security principles. Zero Trust as a concept is awesome, but Google has a BeyondCorp security principle, and Gartner, the analyst company, has great CARTA security principles. Banyan has been able to operationalize these principles so that you can actually use them in your enterprise environments, because we are built from the ground up. We are designed for today’s reality, where your applications can run on infrastructure as a service, platform as a service or software as a service, essentially across the board. And finally, we have a novel trust scoring system.
Tarun Desikan:
So we’re not just relying on your user attributes and device attributes; we’re also computing a real-time trust of the entity that’s trying to access a resource, and we have TBAC, trust-based access control, that is analogous to your traditional RBAC and ABAC to enable that access. So let’s dive into how Banyan works now.
Tarun Desikan:
On the left-hand side, you have your user and the device that needs to access a corporate service on the right-hand side to do their job. Banyan is comprised of three main components. The first one is our distributed access tier. This is a set of identity-aware reverse proxies that run in your environments; this is what traffic will go through to access the actual hosted service. At the bottom of the slide, we have our cloud command center. This is our SaaS platform.
Tarun Desikan:
This is where your administrators log in: you can manage your policies, you can look at your PKI infrastructure, you can look at your trust scoring rules and so on. And then on the user’s device itself, we have a lightweight app that can be downloaded from the app stores or pushed via a device manager, and this allows us to score the user and the device that’s trying to access the resource. So what happens when this user tries to access the resource? Well, the first thing the access tier does is send the request for approval, and so in the command center, in the cloud, we make the user go through a single sign-on flow. That would be with your identity provider; in this case, in my diagram, I use Okta. That establishes user trust.
Tarun Desikan:
The next thing we do is we start looking at the device. The Banyan app itself gives you some feature data from the device. We also do API integrations with device management tools, such as VMware’s Workspace ONE or CrowdStrike. We ensure that this device is trusted and compliant, and then once we can compute these factors, we can evaluate the risk of this request and assign it a level of trust. Once the trust has been established, we issue a short-lived token or a short-lived certificate that then gives the user access to that specific service.
Tarun Desikan:
The interesting thing about this architecture is if we ever notice a change in trust, so this could be malware on the device or a change in the user entitlements, in real time the trust level changes and access is revoked. So that is a quick high-level overview of how Banyan works and how it’s delivered in the cloud. Just a small caveat: for SaaS applications, the architecture is very similar, but the enforcement is slightly different.
Tarun Desikan:
So SaaS applications are Office 365, G Suite, Salesforce, tools that run on server infrastructure that you as an enterprise do not own. So in this case, we use the identity provider as our enforcement component, and the exact same flow follows in this scenario as well. The user who needs to access Salesforce or Dropbox, because those tools are SAML enabled, will get sent to the identity provider. The identity provider will federate with the Banyan command center, where we establish user trust and we establish device trust, evaluate the risk and grant access. And in this scenario as well, if we notice a change in the risk or the trust levels, access is instantaneously revoked.
Tarun Desikan:
So let me just highlight a few more interesting and innovative capabilities in the Banyan product. The first is around trust scoring. Traditional tools authenticate the user and then they’re done. In Banyan, we believe that in the Zero Trust world trust needs to be dynamic and continuous. It needs to be more like your credit score than a simple thumbs up, thumbs down decision. So just like your credit score is based on your available credit and kind of changes with your payment history, that’s how we compute a trust score for every user and device in an organization. Of course, our factors are a little different. We integrate with identity providers like Okta to figure out the user attributes, device managers like VMware’s Workspace ONE to get device attributes, and similarly for user activity and device activity. Once we gather these signals, we compute a trust score for every user and device, which you can then apply in access control decisions.
Tarun Desikan:
So trust scoring, the way we’ve implemented it, with its real-time nature, is still a relatively new area, and we’re excited to be on the forefront of it. The next thing that Banyan works on is the different types of connectivity. A lot of people focusing on Zero Trust focus on network connectivity, which is important, but it is only one type of connectivity that is required to implement Zero Trust in an enterprise environment. There is a lot of infrastructure that people need access to, and these could be Linux servers, Windows servers, databases, and so on.
Tarun Desikan:
The other type is websites: more and more hosted corporate applications can be accessed via the browser and even on mobile. So Banyan thinks about those as first-class citizens, and then we have SaaS applications, which are applications hosted by somebody else. So within Banyan, each of these is treated as a first-class citizen, and depending on the kind of access control and the kind of end-user population you as an administrator have to deal with, you can use any of these connectivity techniques.
Tarun Desikan:
The last part I just want to cover about the Banyan product is how we think about our policies. Trust, after all, is an access control policy concept, so within Banyan you can set up global rules, policies that apply to all your users and all your services. An example could be: unregistered devices cannot access corporate services. These are global rules that apply to your entire organization. You can then start creating service-specific rules that apply to just some applications. Hey, this is a finance application; it can only be accessed by finance users on certain devices. And within Banyan you can also create resource-specific rules. So for example, you can lock down specific admin APIs, saying you can only access admin APIs if you come from a managed device at a high level of trust, because the risk of these APIs is high. And so these policies, which is what we’ve been calling a trust-based access control system, allow a very flexible yet robust Zero Trust implementation in any enterprise.
Tarun Desikan:
So that’s a high-level overview of Banyan, our architecture and some of our core capabilities. In the subsequent sessions, I’m going to jump into specific product demonstrations, and for these demonstrations I have a fictional but representative company called MedSoft with different types of infrastructure and environments, and we will go into that in subsequent sessions.
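The talk describes an access flow in which user trust (the SSO result), device trust (posture signals from the device app and device-manager integrations), a computed trust score, and a three-tier rule set (global rules, service-specific rules, resource-specific rules) together decide whether a short-lived credential is issued, and in which a later change in posture revokes that credential. The following is a toy trust-based access control evaluator added here to make that flow concrete; it is not Banyan's code and does not reflect how the product scores or enforces anything. Every name, weight, threshold and rule in it is an assumption constructed for the example, and the three rules are modelled on the three examples the speaker gives (unregistered devices denied, a finance app limited to finance users, admin APIs requiring a managed device at high trust).

```python
"""Toy trust-based access control (TBAC) evaluator.

Constructed illustration for this page, not Banyan's code. It models the
flow the talk describes: user signals + device signals -> trust score ->
global / service-specific / resource-specific rules -> short-lived
credential, with re-verification that revokes on a posture change.
All weights, thresholds, rule names and sample users/devices are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
import time

# Hypothetical floors mapping a 0-100 score onto a trust level.
TRUST_LEVELS = {"High": 80, "Medium": 50, "Low": 0}


@dataclass
class User:
    user_id: str
    groups: set          # groups asserted by the identity provider (e.g. via SAML)
    mfa_passed: bool     # outcome of the single sign-on flow


@dataclass
class Device:
    device_id: str
    registered: bool     # enrolled with the device app
    managed: bool        # reported by the device-manager integration
    edr_running: bool    # reported by the EDR integration
    malware_detected: bool = False


def trust_score(user: User, device: Device) -> int:
    """Combine user and device signals into a 0-100 score (weights are constructed)."""
    if device.malware_detected:
        return 0                       # a posture deviation drops trust to zero outright
    score = 30 if user.mfa_passed else 0
    score += 20 if device.registered else 0
    score += 25 if device.managed else 0
    score += 25 if device.edr_running else 0
    return score


def trust_level(score: int) -> str:
    """Map a score to the first level whose floor it meets."""
    for level in ("High", "Medium", "Low"):
        if score >= TRUST_LEVELS[level]:
            return level
    return "Low"


@dataclass
class Rule:
    name: str
    scope: str           # "global", "service:<svc>" or "resource:<svc>/<path-prefix>"
    check: Callable[[User, Device, int], bool]

    def applies_to(self, service: str, path: str) -> bool:
        if self.scope == "global":
            return True
        kind, target = self.scope.split(":", 1)
        if kind == "service":
            return target == service
        svc, prefix = target.split("/", 1)         # resource rule: service + path prefix
        return svc == service and path.startswith("/" + prefix)


# Constructed rule set mirroring the three tiers the talk describes.
RULES = [
    Rule("unregistered devices cannot access corporate services", "global",
         lambda u, d, s: d.registered),
    Rule("finance app is limited to finance users", "service:finance",
         lambda u, d, s: "finance" in u.groups),
    Rule("admin APIs need a managed device at High trust", "resource:finance/admin",
         lambda u, d, s: d.managed and s >= TRUST_LEVELS["High"]),
]


def evaluate(user: User, device: Device, service: str, path: str) -> Tuple[bool, List[str], int]:
    """Return (allowed, names of violated rules, trust score) for one request."""
    score = trust_score(user, device)
    violated = [r.name for r in RULES
                if r.applies_to(service, path) and not r.check(user, device, score)]
    return (not violated, violated, score)


@dataclass
class Credential:
    """Short-lived grant for one user/device pair to one service."""
    user_id: str
    device_id: str
    service: str
    issued_at: float
    ttl_seconds: int
    revoked: bool = False

    def is_valid(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return not self.revoked and now < self.issued_at + self.ttl_seconds


def issue(user: User, device: Device, service: str, path: str,
          ttl_seconds: int = 300, now: Optional[float] = None) -> Optional[Credential]:
    """Issue a short-lived credential only when every applicable rule passes."""
    allowed, _, _ = evaluate(user, device, service, path)
    if not allowed:
        return None
    now = time.time() if now is None else now
    return Credential(user.user_id, device.device_id, service, now, ttl_seconds)


def reverify(cred: Credential, user: User, device: Device, path: str,
             now: Optional[float] = None) -> bool:
    """Continuous verification: re-run the rules and revoke on any loss of trust."""
    allowed, _, _ = evaluate(user, device, cred.service, path)
    if not allowed:
        cred.revoked = True
    return cred.is_valid(now)
```

Calling `issue()` for a finance user on a registered, managed device with EDR running returns a credential for `/admin/users`; the same user on a device without EDR scores 75 (Medium) and is refused the admin path while still passing `/reports`. Setting `malware_detected` on the device and calling `reverify()` zeroes the score, fails the global and resource rules, and marks the credential revoked before its TTL expires, which is the continuous-verification behaviour the talk describes.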