Zero Trust Security for DevOps & Cloud

Jo:

Good morning, good afternoon, or good evening, depending on where you are in the world. And welcome to today’s Banyan webinar entitled Zero Trust Security for DevOps & Cloud. I’m joined today by Carlos Martinez our director of solutions architecture, and Matt Schiller, senior software engineer. And what we’re really looking at doing is, uh, sort of a hands on workshop, um, in which we help organizations migrate infrastructure to the cloud and rethink software development and deployment using zero trust as an approach. Uh, today, I’m gonna just go ahead and pass it over to Carlos and Matt, and they can introduce themselves. This will take about an hour. And yes, this, uh, will be recorded for your viewing pleasure later, and will pass on these materials to you, um, uh, throughout, uh, the session. And plus, you’re, you’re all welcome to ask questions throughout. So, we’re here to help. And, uh, take you on your zero trust journey. So, with that, I’m just gonna pass it over to Carlos and Matt.

Carlos Martinez:

Great, thank you, Jo. Um, again, Carlos Martinez. Uh, part of the team responsible for solutions architecture here at Banyan. Um, I joined Banyan… A little bit about my background here is I joined Banyan Security back in December of 2021. So, I think I’m close to six months, uh, tenure. Uh, but prior to Banyan, um, I was part of the team responsible for kicking off the zero trust initiatives at Adobe, and most recently at Cisco. So, yeah, hoping to share… And I can speak to f-firsthand just some of the benefits that we’re going to speaking on today. Uh, Matt.

Matt Schiller:

Uh, and then my name is Matt Schiller and I’m a senior software engineer at, at, Banyan, and I’m the principle developer behind our terraform provider. And my, little bit of my background is I was, uh, part of the continuous delivery team at, uh, Lookout Security and we went through a [inaudible 00:02:05] implementation, which, in which, uh, Banyan would’ve been a really good fit. So, uh, (laughs), that’s a bit of, of my background.

Jo:

(laughs).

Matt Schiller:

Yeah.

Jo:

Hindsight. Well, there’s always the future.

Matt Schiller:

Yeah, yeah.

Jo:

Yeah.

Carlos Martinez:

[inaudible 00:02:20].

Jo:

And this is a, sort of a stripped down version of a, of a talk you two gave to a developer’s conference a few months ago. And now, we’re just sort of doing the high octane version of that, uh, along with sort of diving into how Banyan can help in particular.

Carlos Martinez:

That’s, that’s right Jo. And, and let me just go ahead and actually just touch on, um, again, the agenda. A-as you pointed out, um, we’re, we’re here to talk about the security approach that I’m sure you may have heard of. It’s coined the zero trust. Uh, really, for us, it’s, we’re going to show how implementing the zero trust principles will help enable a more seamless and secure method of access to, to infrastructure in corporate resources. Um, and as, as you pointed out, Jo, um, I’m gonna go through a few slides. But really, the, the meat of this, today’s webinar is gonna be Matt showing you guys firsthand that demonstrating, um, how you can get started and how you can sort of apply some of these zero trust principles firsthand. So, uh, we’re… I don’t know, Matt. I’m hoping the demo gods are with us today. But, uh, we, we’re [inaudible 00:03:32]-

Matt Schiller:

Yeah, well, I, I got some, uh, some, uh, it, we, we, preapplied the setup, so we already know it’s good to go. (laughs) So, no-

Carlos Martinez:

Excellent.

Matt Schiller:

… no relying on the demo gods today.

Carlos Martinez:

Okay.

Jo:

(laughs).

Carlos Martinez:

All right. Let me, let me, let me turn off the candle then. Um, all right, guys-

Jo:

(laughs).

Carlos Martinez:

… well, um, but before we go into just sort of, um, just the benefits of applying zero trust principles, you know, what I wanna first cover are, um, you know, what, what does a traditional method for accessing infrastructure or resources look like today, specifically how DevOps or engineers fo- uh, folks access some of these resources, uh, that are located in a private network. And in this example, we can say it can be a database or Kubernetes cluster.

Carlos Martinez:

Well, there’s typically a variety of components that exist today, um, between the user and that target system hosted i-in that private network. And that, that private network can be a VPC, a on-prem data center, whatever the case may be. Uh, you would typically deploy, um, uh, some systems on the edge of your network. And that could be a, a VPN solution or an SSH bastion host, uh, which essentially joins the user to the network, a-again in order to gain access to that resource.

Carlos Martinez:

Now, typically, to ensure you’re not granting someone full access to all the resources on the network, you’d have some sort of a firewall. Or, in this case, uh, set of security group or groups to, to, limit or restrict access from that VPN or bastion host to that target resource. Uh, now, in, in order for users to gain access, that end-to-end access, to that resource, uh, users need, uh, some information, right, some access. And that consists of, you know, credentials. So, in the case of that VPN concentrator or system, it, you, you need to know where to connect to and have that set of credentials to initiate that VPN connection. Uh, next is, similarly, you need those, uh, keys or credentials to gain access to that bastion host. And then, last, is, is what about that downstream service or application? Now, those are some of the things.

Carlos Martinez:

Um, similarly, or on the flip side, your administrators need to manage all of that. So, in the case of VPN access, um, ensuring that certain users, uh, based on their roles or f- or, or job function, are they added or, or set to, defined to certain set of, of groups? Um, what about handling that key, those keys that are, are issued to your users, that rotation of keys, et cetera? You know, things like firewall rules and making sure that you only allow that necessary access to subnets. And then, let’s not forget that downstream service or application, ensuring that service owners are, are, are providing users with the necessary set of credentials for those systems. So, there’s quite a bit, both from a user and administrator standpoint that need to be considered. And there’s a lot of challenges with this traditional approach.

Carlos Martinez:

Um, we’ve listed here a few of those, those challenges. But, you know, one challenge is really around that whole workflow for offboarding and onboarding users. Um, as an administrator, I don’t wanna have to manage VPN or SSH keys for people who join or leave the company, that things like key rotation. It, it can be a total burden, especially when an organization is rapidly growing or a large enterprise has to deal with the constant stream of exiting employees.

Carlos Martinez:

Uh, a-another challenge is around utilizing these old network centric approach for restricting access, uh, based solely on static IP or host information. Now, the reality today is that you’re, you’re likely dealing with a highly ephemeral or dynamic environment where there’s a need to restrict access to specific logical services based on the role of the user.

Carlos Martinez:

And then, the last piece that we call out here is, is, you know, as you provide certain credentials directly to a user, what happens in that scenario if, that, that set credentials becomes compromised? And ideally, you don’t want to be in that position where you’re providing certain system credentials to users. So, um, those are some of the challenges. But again, the reality is that these problems are greatly compounded when you’re deploying and managing services across different cloud networks or cloud accounts, compartments, or even in the multi-cloud architecture, where you’re utilizing different cloud providers.

Carlos Martinez:

The reality is, is, you know, ideally you want to move towards a zero trust security model. And, and, yes, while we’ve seen, and you probably have not been able to escape the, the marketing buzz or the machine when it comes to zero trust, right, but the reality is, is that the fundamentals are sound, which is all about removing that inherent trust that’s granted when you join a particular le- network.

Carlos Martinez:

Now, with zero trust architecture, has its variety of benefits. And, again, we, we call out a few here and we try to keep them as ge-generic as possible, because they really do apply to, uh, the different zero trust network access, or ZTNA, solutions out there. Uh, but one of the benefits, uh, comes around the user experience. Um, with a zero trust network access, or ZTNA model, users are able to move away from having to know the varying credentials that they were previously given, and instead move towards, uh, a user performing a single sign-on. And, and this helps ensure that, you know, we’re getting the strong assertion of the user by requiring things like MFA, not just the set of credentials. Um, and, and in the case of Banyan, we do this, uh, again, like other solutions, by integrating with your existing identity provider.

Carlos Martinez:

Additionally, um, many zero trust network access, or ZTNA, solutions, like Banyan, will also typically offer a lightweight app that can be installed on the user’s computer. Uh, this app, or, or lightweight agent will typically serve as a catalog that allows users to, to see quickly what services our resources they have access to. It also enables the ability for us to, to, to, for a user to leverage their existing tools or command line that they’re already familiar with.

Carlos Martinez:

Now, now let’s talk a little bit about the security benefits. So, from a security perspective, uh, this lightweight app that I just mentioned can also be used to perform device posture checks to determine if a device meets certain security requirements. Things like, are you running the latest security patches? Is this encryption enabled? And, and if, for whatever reason that device doesn’t meet those requirements, well, that, that application can serve, can provide users, a, a way of self-remediation steps that they can do. Again, upgrading your device to, to, to have the latest security patches installed, et cetera.

Carlos Martinez:

And so, with a zero trust, uh, environment or architecture an administrator can define and enforce a specific set of policies or conditions that are required in order to be allowed access to a specific, again, logical service or resource. So, these are some of the benefits. Um, as we sort of move now to, um… Before we go into the actual, the actual, uh, demo, you know, one of the things that we wanted to sort of call out is that, when it comes to an ZTNA solution, there’s some core concepts that you want to familiar familiarize yourself with. And we’ll be using these as we walk through the demo.

Carlos Martinez:

The first is around roles. So, roles are really, is, is how you’re able to map a user to a set of permission grants. So, as an example, I want to define a role that includes all of my regular workers that are acc- that, that are tied to corporate issued devices, as an example. That could be an example of a role. Another could be a vendor. Yeah, I want to define a role that includes all of these contingent workers.

Carlos Martinez:

Um, the next sort of concept, as I mentioned already, is service catalog. Uh, I, I already touched on some of the, the, the capabilities of what a service catalog does. Uh, the next piece is the, the concept or, or term is policy, which a policy really comes down to defining which roles can access specific services, uh, available in that catalog.

Carlos Martinez:

And then, the last piece that I’ll call out are our workflows. Um, and in our case, you know, there’s a variety of workflows to consider, things like publishing that service. Um, the other is, as mentioned earlier, ma- being able to manage those policies or defining those granular, contextual-based, policies and attaching them to the services. And then, the last piece is, as I touched on earlier, is how you integrate that with your SSO solution. So, those are some of the core concepts. Again, we’ll be touching on that.

Carlos Martinez:

Um, all right, so let’s get into the de-demo. Um, before I, I pass it over to Matt, um, I just wanted to call out that, you know, f- the, the demo you’re about to see, we’re gonna be, uh, e-ex-exclusively be using terraform to fully deploy all of the network infrastructure and test resources in AWS. Um, we’ll also be using a free version of Banyan zero trust network access solution to… And really, what we’re gonna be doing is deploying this, this connector component, um, the same private subnet as the test resources, which allow that end-to-end connectivity from a user to a resource. Uh, this is one method of deploying, uh, uh, access or deploying a ZTNA solution, where you have a connector that dials out to that set of proxy infrastructure. In this case, it’s managed or, or hosted by Banyan.

Carlos Martinez:

But similarly, you can deploy that entire proxy infrastructure in your environment, eliminating the need for a user to traverse that Global Edge Network. So, there’s a variety of, of options here. Um, but, you know, without further ado, I’ll go ahead and pass it over to you, Matt, for you to kind of shem, uh, demo the experience. So, let me stop sharing.

Matt Schiller:

All right, sure, thank you, Carlos. Um, once I get on, I’ll share my screen. Okay, so, um, we’re, we’re gonna walk kind of through like a live code set up, so that, um, we can see some of this in action. And, and we’ll walk through, uh, how you can, you know, uh, go to GitHub, see which, uh, demonstration may be more relevant to you, depending on what your, your cloud provider is. And for this demonstration, we’re gonna be using, uh, AWS. And we’ll upload a new repo to our Banyan GitHub, which has this webinar code in it.

Matt Schiller:

Um, so terraform is a really great tool for something, you know, any type… It’s really become a defacto for infrastructure automation in the industry. And, and the, the crux of, you know, what’s the difficulty between, you know, a, a VPN and a zero trust solution, is the de-definition of services, right? And that allows you to create that granular access model to the different services that you’re publishing into your zero trust solution, in this case, Banyan.

Matt Schiller:

So, with Banyan, uh, we are going, each service that you have in your, your infrastructure is published with a, a policy which defines, you know, who has access to that service and that device posture that Carlos was talking about. And when you, uh, are setting this up, uh, any of these demonstrations can be done with the, uh, Banyan Team Edition. So, you just go to sign up for the Banyan Team Edition.

Matt Schiller:

And when you, uh, log in, the first thing that you’ll be brought into is the onboarding section. And in here, we have, just, all we’re going to need to do is get an admin API key so that we can, uh, deploy infrastructure automated with terraform. So, we just exit out of here, and then go into our, uh, API keys. And we’ll just create a new one for the admin. And you can see I’ve already created an admin API key here. So, once we have that API key, that’s gonna allow us to authenticate as the admin to the, uh, um, Banyan control, uh, control plane. And that will make it so that you can initialize the terraform provider.

Matt Schiller:

So, every different, uh, resource in the Banyan, uh, API is available into the, in the Banyan provider. And if you go to the terraform registry and search for Banyan, you’ll s- you can see the documentation, which has how you would implement each of the different pieces. So, in this demonstration or this walk-through repo, I’m gonna be showing you how, uh, all these pieces come together with terraform and how terraform is, well, extremely like basically the perfect tool for automating the deployment of resources, right. Because, when we’re talking about a DevOps environment, it really comes down to, you know, DevOps, you don’t have like a DevOps person, you know. DevOps is a practice that’s within your organization.

Matt Schiller:

So, the responsibility falls to different teams to do different things, right. We have people that are network practitioners, we have people that are security practitioners. And then, we have our service owners, right. And for me, as like an infrastructure person, it’s all about extracting away the complexity of infrastructure with a tool like terraform, so that my service owners can consume something, which, you know, the, the security organization, or the network organization, has said, you know, “This is how we want this to be implemented.”

Matt Schiller:

So, for example, in this demonstration, what we’re going to be doing is just, um, just setting up… There’s a, a fair amount of boilerplate here just with, uh… Or how this is divided up, really, is that we have this app instance file, which is, all this is, is just deploying a demonstration site that’s all in an instance. And then, we have our Banyan file, which we’re gonna go through this in this demonstration, explain what each of these pieces are. And then, we have this connector module. And the connector module is what’s actually providing, uh, the connection into our private environment.

Matt Schiller:

So, when we go through, when we have this, uh, this setup, we are creating a, uh, private… The first thing that this module’s going and doing is creating a, a private subnet. Okay. And once we’re in the private subnet, we’re just gonna drop in the Banyan connector. And I wi- I wish I had a slide for this, Carlos. (laughs) Um. But maybe, maybe, i-if you could shoot me over the, the diagram of what we have [inaudible 00:19:45].

Carlos Martinez:

Yeah, I ca- and, and I can, um, show it as well, if you want me to kinda show. But yeah, let me, let me find the-

Matt Schiller:

Oh, yeah, I think if somebody could send me a slide, would be awesome. But anyways. So, what… We’ll just go in. I’ll, I’ll just apply this really fast just to, to show that this has already been applied, so that we don’t have to wait for like the instance to come up or anything. Okay. And this is going through, and it’s doing multiple layers, really. But what the layers are is that private subnet, then we’re dropping in the Banyan Connector. And the Banyan Connector is a easy way for people that are, are, uh, trying to, you know, try out Banyan to get, uh, access into their private network.

Matt Schiller:

So, in, in a, a zero trust solution, instead of a VPN gateway that you end up hitting, you’re, you’re actually going directly to a, a, like proxy on steroids would be the best way to, to put it. This is a, what we call, our access tier. And there is two types of access tiers that Banyan offers. There is the, um, self-managed access tier, which you would deploy into your network and give a public IP address with a public DNS record, so that users are going directly to the access tier, and getting authenticated, getting their, their device posture evaluated. And then, based off of the, the context, are allowed or not allowed access to services. So, there i- there is no tunnel.

Matt Schiller:

And, you know, that, that’s all fine. But there’s also the, the case where, well, maybe I don’t wanna go set up a whole, you know, a DNS record for this so far. So, what we’ve done is allo-, is made it so that there’s a connector. And the, the connector, what it, it does is that it makes it so that we have our public, our, uh, managed access tier, which we call the Global Edge. And it will create a tunnel into this connector, which you deploy inside your private network. So, there needs, no, no, uh, public IP address needs to be, needs to be shown.

Matt Schiller:

And we can deploy that connector with just as easy as this, which is in the, the repository where we just bring in the Banyan, uh, Connector module. We give the subnet, the VPC, we give it a name and the instance size, and the API key to host the region. Just the basic amount of stuff that we need to go to deploy this connector. And what this will do is go and, uh, create the connector instance and connect it into the Global Edge under the context of your organization. So, what that leaves us is with… Uh, let me, let me see if I got the… Oh, thank you, Carlos. Perfect. Okay. Let me, let me bring this up. Hold on one second. Hold on.

Carlos Martinez:

And, Matt, while you’re, you’re bringing that up, um, I’ll just reiterate the point of the different, um, options. And, and we see a lot of folks, um, that will prefer deploying their own proxy infrastructure, gives them that, that, that ability to deploy… Oh, you’ve got it up here. Okay, perfect.

Matt Schiller:

Yes. So, there is that, uh, the Global Edge, which we host. And then, there’s the, uh, access tier, which the, the customer hosts. And that wi- That eliminates this, uh, tunnels at all. So, that is, you know, the ideal production set up. But you also end up having, you know, edge cases, like maybe I just want to throw up a private subnet somewhere else, and I don’t wanna have to deal with, you know, deploying a new access tier, and, uh, doing a new public DNS record. So, we really leave that up to the customer. And that’s, that’s one of the things that’s nice about the provider is that, you know, you, you get these different, all the different components and can match them together in the ways that fit how your organization works.

Matt Schiller:

So, in this demonstration, we basically just deployed a connector inside of our, uh, private network, which we just created as well. And what we’ve also done is, uh, deployed an instance. And this instance just shows a demonstration website, which will show us what that instance private IP address is. But what’s awesome about this is you see like when, when some, when you deploy an instance in AWS using, using a terraform, unless you’re going and, and, you know, saying, “Oh, this is…” You know, you’re reserving IP addresses for everything, which is typically not what people are doing. You’re getting generated some type of endpoint. So, like, for example, if I deploy something in Kubernetes and I wanted, wanted to expose it, uh, through Banyan, I could do a, uh, private load balancer. And then, that i- the idea of that load balancer or the address of that load balancer, Amazon’s just going to give me, right. So, that would be like some other step that I would have to go and do to be able to publish a service for, um, that matches to that internal address.

Matt Schiller:

So, what, what terraform allows us to do is to create services dynamically based off of how the service was created within the Amazon. So, when we go and we create that, that, uh, application instance, that’s our demonstration service, we’re just telling AWS to go and create and instance. And when it creates that instance, then we have these other attributes which are being exposed, like the private IP address. So, when we’re using Banyan, what we’re able to do is use, define a web service and an SSH service that are using the, uh, uh, the backend domain or like the backend a-address that’s being produced by that instance being raised up, right. So, when that, when AWS created that instance, then the instance was assigned a private IP that, you know, nobody knew about until AWS created it. And terraform is able to inject that into a new service within Banyan that uses the private IP of that service.

Matt Schiller:

So, we can.. And then, what we’re doing is that… Let’s just go through each of these. We have the connector. So, we’re saying, okay, this service is, uh, do- is accessible behind that connector, uh, that we deployed. So now, it knows that, uh, Banyan’s command center knows that when a user wants to access a service that it’s going to have to be behind the connector that we created. And then, we give that a, an address. So, this is the address that, that, that is going to be public facing for that service. We give it the backend domain, which we’re just feeding the, uh, AWS instance’s private IP. And we’re giving it the port, and in this case, because this is just a small demonstration service, we don’t have TLS enabled. But Banyan is able to wrap this entire connection in SS, in a, uh, TLS with the, your Banyan short-lived certificate.

Matt Schiller:

So, that’s really important to something like a DevOps environment. Because, typically when people are doing a DevOps model, they’re rapidly deploying, you know, that continuous delivery, continuous integration. And when you’re developing an environment, you know, before you had the, the advent of zero trust, you ei- you either had to have a very, very locked down, very, uh, strict security setup, which in many organizations tends to be two different VPNs, right? You have one for development and you have one for production. And Banyan allows you to have one plane of access, which is gonna be the end user’s applica- Banyan application, which looks like this.

Matt Schiller:

And these, all of these different services can be hosted in different places in all of your different, you know… It could be… You can have on-premise stuff, you can have Edge stuff, you could literally run the connector or have access to your own Raspberry Pi in your office if you wanted to. It allows you extreme amounts of flexibility and isolation between your different networks. So, I can, I can be, even though this is one plane of access, the Banyan application, I can be publishing apps that have no connection to each other whatsoever. So, my development environment, I can be publishing services that it is not possible for them to go into another network. The, that route does not exist. Right? And those different services are being published to the u- to your end users. Um, and they, they just access them, you know, without you having to know the, then implementation. Right?

Matt Schiller:

So, so in this setup, uh, we’re just doing very basic. We’re just se- making a, a web policy which allows everyone that has a high trust level. And we have a infrastructure policy which allows everyone with a high trust level. And what that’s saying is that, you know, the user, end user’s device needs to be encrypted and updated, and needs to be, um, a, a trusted device. Right? So, I wouldn’t be able to just go do this on like some random cellphone or whatever, even though I was logged into my account. This actually needs to be able to trust my device before I get in, before I get into any of these services.

Matt Schiller:

So, this demonstration service, and what’s great about this is that all you need to know to set this demonstration up is just, you know, give us a VPC, give it a VPC and an NAT gateway, and your, um, the subnet that you’re using and your organization API key, and this will go and deploy a, a private subnet to, to show you, uh, you know, hey, we went from, you know, nothing, private subnet, no access whatsoever to dropping in a connector, then dropping in a service. And we actually have access to that service through the Banyan app.

Matt Schiller:

So, if I, we can see that, you know, we named this the Live Demo. And in the Banyan, when we applied it, we went and, it went and created all of the different pieces, so the, the instance, the connector, the policies that were applied to it and then, my end user will see that live demonstration website. Right? And then, I can open that up. And then, that website, I mean, you can see how blazing insanely fast that is too, which is definitely, when you go zero trust one of the benefits. And all this demonstration site does just shows us, you know, what’s the IP address of that, that pro- that, uh, instance. So, we can see, you know, this is a private address. And if we got into, uh, you know, um, AWS console, you would defi- You would be able to see that there is, there is no, um, public access, no public IP address for this server.

Matt Schiller:

So, the only way to get to this server right now is to go through the connector, which is connected to our Global Edge, and you’re authenticated into that server. And even this served did not have SSL enabled, Banyan is going to wrap that in a TLS connection with a short-lived certificate and give you access to that service.

Matt Schiller:

So, okay, there’s a faire amount of pieces there. There’s a lot to unpack in, you know, what, how do we, how do we leverage this in a DevOps environment, where everyone is, you know, deploying their own services, right. Like, I, me, as, as an infrastructure practitioner, I want people to be able to deploy services within the context of a model that I’ve created. So, uh, we a di- a, a bit or a reorganization of this demonstration, um, which we call, which I’m calling the, um, the Modular Demo.

Matt Schiller:

And let me open this one up real fast. [inaudible 00:32:00] sorry. Okay. So, now, what we’re able to do here is that we’ve taken all of the Banyan pieces that, uh, we had written. So, we have the web service, the SSH service, the, and the policy attachments, right. So, we, in the, the, the first repo, we went and created a network. We created policies. We deployed the connectors. And all of those are kind of, you know, those are one time things, right. So, typically, that would give live in a, a, a infrastructure repo, which is controlled by your networking infrastructure team or whichever team is, you know, responsible for kina laying groundwork, right.

Matt Schiller:

And what they do i- What, What, something that’s really powerful about terraform is this idea of modularization. So, what we can do is we can package up the web service, and the SSH service, and the policy attachment for each, and just, uh, create a, a, module for that, which will only expose a couple of variables to the end user. And most of them we can actually populate with some type of defaults, right. So, we need the connector security group, so that will allow the internal firewall and AWS, uh, it will allow whatever service is gonna consume this module. It will, uh, be able to talk to the connector and, you know, whatever else we defi-defined in that service. But very important that, you know, the connector is, is, uh, open to whatever service on the firewall side, because obviously then you would not have a network connection.

Matt Schiller:

And then, we give it the connector name, and, you know, we can populate that with some type of defaults. Or, you know, in a typical setup, you would say like, “Okay, this access tier is dev.” You know, “This access tier is staging. This access tier is production.” or, you know, maybe, you know, connector. Whichever, whichever piece that you’re leveraging for the connection, you know, you give it some type of name which describes… You know, typically, it would be like the subnet or the VPC that, uh, that component is, that connector or access tier is allowing access to.

Matt Schiller:

And then, we have the org and the API key and the host. And normally, what you would do is you would have some type of, uh, like a Jenkins job or a terraform enterprise, or any, you know, whatever your CI system is you would inject these variables for the users, so like the end user, you know, and, uh, blissfully unaware of all of these variables, with the exception of the service name and the backend domain name, right.

Matt Schiller:

So, what that does is, what we can do is that we publish this module into our internal GitHub or a module registry that we have for terraform. And we can have our service owners leverage the con- the, leverage this module in which we have basically created the context, right. So, we say, when you deploy a service into dev, you know, use the, use the module which we provided for dev, or use the module that we provided for, uh, staging or production. And we can gradually increase the security between those different, those different environments, right.

Matt Schiller:

So, if I have a module for dev, I could be referencing a less, less secure posture than I needed for production, for example. Like, in a lot of, in a lot of places, a lot of, uh, shops, a typical example of this is that, I want to enable SSH access for u- for service owners in, uh, development and staging, but this is not something that I want in production. That’s something, you know, we see a lot. Or maybe, maybe in production you want to have the production group be, you know, some more secure group. So, sometimes, people do an access elevation into a type of group where, you know, some approval is required to add the user temporarily to a group, which has SSH access to servers in production, but only the ones that, that user is the, a team member for. Right?

Matt Schiller:

So, that whole setup can be determined by your policies. And your policies are written as infrastructure as code, right. So, I can have a in- this, the two that we’re using here are, are very, you know, very open, very easy. But we can be, we can lock this down more and more depending on the environment. So, maybe I wanna have one for dev, maybe I wanna one, have one for production, and those be completely different groups in postures than I would need for, you know, development, for example. And what, that way, the user isn’t having to go to, you know, one VPN for dev and one VPN for production. And we’re not just exposing, you know, our environment like a big network slice as you would with a typical VPN.

Matt Schiller:

So, when the user goes in, in, uh, when a service owner is publishing their service, you know, they’ll… Usually, what will be happening is, you know, these days is that people are, the services owners are leveraging some, some of their own infrastructure with terraform, like they needed to spinoff a database or they needed to spinoff some security groups. And then, the actual application, which could be deploying, you know, through Kubernetes or they could be an actual virtual machine. It could also be a, you know, a, uh, a proprietary service, right, to like AWS or GCP. Whichever it may be, they’re, they’re leveraging that with terraform to implement it.

Matt Schiller:

And now that we’ve created a module, which has the web service, and the SSH service, and the posture that we want predefined, we can then give the user a very, very easy module implementation here, like this, right. It just says, module Banyan, you know, backend domain, service domain, super, super easy. So, if they, all they, if they include this one file that has the module, which you predefined, then they can have their zero trust network access, uh, like dynamically provisioned as they create the service, right.

Matt Schiller:

So, in this, in this example, we’re, we’re just doing the, the same exact thing where we’re just setting… All this does is create that demonstration instance that shows the private IP address. And that they’re just gonna feed the Banyan module, which we, our networking or our infrastructure people have created and determined, you know, this is the posture we want. And they would… All they need to do is just provide it, what is the backend domain? So like, the backend address inside of AWS. And what is the service name? Right?

Matt Schiller:

And so, when we go and we do and apply for this, this will go and it will crea- it wi- I preapplied this. But it goes and it creates a new instance, and it uses the Banyan module, which now we’ve got, we’ve got down to two variables, which is literally just, what’s the name of your ser- What do you want the service to be called? And what’s the address of the service? And those, the, uh, that will populate the Banyan Command Center with all of the different infrastructure, which is rep- or all the different, which are required to, uh, publish that service.

Matt Schiller:

So, you can kinda think this is as wrapping your service with Banyan, right. So, if I, if I’m the, the network practitioner and I wanted to add, you know, an additional, uh, an additional piece here, I will, all I would need to do is update that module. And then, when people rerun their, uh, deployment, all of those deployments will be updated. So, let’s just say I wanted to change the group for some team, or I wanted to change the device trust for some team, and I, all I need to do is update that in their module. And then, when they rerun their deployment, all of that is going to be propagated throughout their entire team or all of their services to update to match what I have, uh, provided within that, you know, that con- that team consumed module.

Carlos Martinez:

Mm-hmm.

Matt Schiller:

So, and we can see the same thing here where the module or implementation has been, uh, set up, and it’s a different, different IP address than that firs one. And, and this is literally just to represent what any, a service. But this, this could be anything, right. If I was to deploying anything that’s giving you a network endpoint inside of whichever cloud you want, that you’ve deployed a connector in, into, or an access tier, you’re gonna get… You’ll, whichever private address you’re getting, uh, you will just, you just feed into the service that you want to publish with Banyan.

Matt Schiller:

And like I was saying, you can go into, into the docs and you can mix and match all these different pieces, right. So, we have pieces where you can, uh, you can secure a database or you can secure your Kubernetes API, or your remote desktop instance, SSH, TCP, and, uh, allow you to really take the building blocks and, uh, match it to how your organization is, is gonna go ahead and deploy a zero trust solution, like Banyan.

Matt Schiller:

And when you want to…. We talked a lot about like a, a zero trust journey, you know. People, they’re, customers that we have are, you know, they’re coming from a VPN. And with the VPN, the, they were, uh, deploying… They were opening up a big slice of their network and they were locking it down with security groups, right. So, you have access to the VPN. And basically, with the exception of security groups, you got access to, for keys to the kingdom, right.

Matt Schiller:

So, when people, the, typically, the, the, the pain point is always comes around, uh, publishing services, right. Like, you know, when I had a VPN, if I made a new service, that service, I already, I had some access to, but, you know, I needed to go find out what the address of that service was when it was deployed, right. So, there was still always that piece of like, okay, where is the thing, you know, so I can go get to it? And what this approach allows you to do is to not open up your network like that, and to individually publish each service, and then have them appear in the, in the end users catalog, and so that they can access them securely and have all of that stuff, like their device posture and their group membership, taken into consideration before they’re given access to that service.

Matt Schiller:

And that, that, you know, we can also do the, the same thing with, with, uh, SSH. So, for example, each of these different services, we have a, we just, just connect. And then, it shows us what the command is gonna be. So, for me, this would be, SSH ubunto@livedemo. And we’ll see… What was it? Livedemoweb. Oh, oh sorry, livedemo-ssh. And you can see that I’m SSHed in the, into that service.

Matt Schiller:

Um, so, really what that-

Carlos Martinez:

And Matt, that’s, that’s powerful, right? I mean, the user, you’re, you’re abstracting access to that service. Uh, user does not have to know where to VPN to or what bastion host to connect to. I mean, it’s all there, which is-

Matt Schiller:

Exactly. And the, the end user doesn’t have to deal with the networking component, right. Because, when the, it’s, we come back to, you know, DevOps, it’s like the shared responsibility, right. Each team is a practitioner of DevOps. It’s not just like, you know, somebody is the DevOps guy. And before you do a zero trust setup, you’re, you’re le- you’re basically leaving it up to the service owners to, uh, you know, correctly configure security groups. Whereas, with a zero trust solution, you’re a- you’re adding another layer, which is saying that not only do I want, you know, now just make up so that you have, uh, your service has access to the connector.

Matt Schiller:

But when you publish a service, uh, you need to, to implement one of the modules that we’ve preconfigured to make it so that your service is properly published within the context of the model that we’ve all agreed one, so that the… And you can get that down to literally just, you know, two variables, where it says, okay, each service has deployed, and development gets the development policy for your team. And then, there’s an SSH in a web service that’s configured for it.

Matt Schiller:

Or maybe I want to, you know, add another variable to that module where I would just say like, okay, I want, you know, what, like… Let’s see, let’s see. Wha- If we wanted to do like the port, we could say I want the port is going to be like 8443. Or oops. And then, in the module, I would just add a new variable that says variable is port. And then, type. And then, oh, [inaudible 00:45:37]. Um, and then, here, we would just make it so that it’s variable port. And that’s how we would be able to expose, you know, mo- Uh, make, make it so that the end user could choose their port.

Matt Schiller:

So, you can decide on the level of flexibility that you want to, that you want to have for the end user. Or, you know, you could have them just go totally custom if you wanted to, you know. Introduce them the com- the components and have a preset level, or a preset couple of policies that you want your, uh, service owners to leverage when they go and they publish a service. So, I, I think that’s about the, the demo right there, Carlos. (laughs)

Carlos Martinez:

No, I mean, you… A-and, and I’m gonna go ahead and just close. I know we’re, we’re getting down to the end of our time. But, you know, really to just kinda bring it all back, um, what, what, Matt, what you presented, um, really was how you enabled, uh, access to, to the resources that you see here in, in this slide, um, the VM instances, and in our case it was some web service, could, you know, SSH server, some sort of a backend servicer, uh, could’ve been the Kubernetes cluster that you’re accessing. But what, what you did, essentially, a-and it took, it, it, you, you were able to do this in, in a matter of minutes, is, is you deploy all of the infrastructure, that outbound connector that established, uh, uh, enabled the ability for users to establish and, and, and connection to the, the downstream user, uh, service.

Carlos Martinez:

But you were able to require or enforce specific user device-based, or user and device-based policies that, uh, validates the user, so makes sure that the user is in fact, you know, who they say they are. And, and that’s through the integration with your identity provider, that, that whole SSO component. And then, verify the, the device. So, is this device tied to the user? Does it meet certain posture requirements? I think you defined low or high trust, uh, policy, uh-

Matt Schiller:

Yeah, we just did the most basic. I, basically, the blue lines between the connector-

Carlos Martinez:

Yeah.

Matt Schiller:

… and the, the uh, the infrastructure piece is what we’re trying to expose to our, to our service pr- our service owners, right?

Carlos Martinez:

Right.

Matt Schiller:

So, each team, when they publish their service, we give them a very simple module with a var- a minimal amount of variables, so that they can just populate it with whatever the, uh, the address is of that private service, and, uh, you know, what the name the, of it they want it to be. And so, that would, you know, take care of, you know, what team they are, what policy we want them to use. And, and we really leave it up to, you know, the division between teams to define like, okay, who, you know, how are we defining the network? How are we defining the policies? And then, the service owners are able to leverage that, le- uh, leverage the publishing of services within the greater context of that model. Yeah.

Carlos Martinez:

No, exactly. And so, again, folks, if, if you guys are interested in, in like following with what Matt shared, um, the link we have up here, you can access that, that whole demo repo, um, for you guys to, to, to play with. Um, also, just wanna just call out that, you know, if you wanna learn just a little bit more, we have uh, uh, uh, quite a bit of resources that talk about sort of the, the DevOps use case and some of the workflows. Um, but, just like Matt showed, I mean, everything he showed is, is available for you guys to kick the tires on.

Carlos Martinez:

So, as an example, um, you guys can get that, that free version, um, of Banyan, the Banyan Solutions. So, get that Team Edition set up with that similar connector configuration. All of that you can set up in, I, I would say, in the same amount of time it took Matt to, to kinda get things working. And so, I encourage you guys to try out Team Edition. Um, but if you guys also wanna spend a little bit more time with some of engineers or, you know, myself, um, you can always schedule a, a, a, request a demo where we can go in and talk about your specific sort of, um, use cases and workflows. So, again, um, you know, we wanted to share, at a very high level, what were some of sort of the benefits in, in sort of implementing the zero trust network architecture, what you gain from that, uh, versus the traditional sort of method, and, and actually showed you guys how to get it done.

Carlos Martinez:

So, um, if, um, with that said, I don’t know if there’s, Jo, if there’s anything else you wanted to provide. But, um, this was the last shameless, uh, sales slide or marketing slide that I wanted.

Matt Schiller:

(laughs).

Carlos Martinez:

But other than that, I really don’t have anything else. I’m not sure if there’s any questions.

Matt Schiller:

Um, I def, I definitely just wanted to point out that we have a, a, in our Banyan Security, uh, GitHub, we have, uh, several different demonstrations. So, there’s one for GCP, there’s one for AWS, and there’s one for Azure, that walks through this in step by steps. So, rather than one big thing it, you know, you will deploy a network, then you’ll deploy the connector, then you’ll deploy a service. And, uh, highly encourage, you know, if you wanna kick the tires on this to get the Team Edition. And then, check out whichever repo is relevant to your, um, your cloud provider.

Carlos Martinez:

Awesome.

Jo:

With that, I just wanna thank everybody for joining us today. Thanks to Carlos and to Matt for all your insights and information. Um.

Matt Schiller:

No problem.

Carlos Martinez:

Of course. Happy to do it.

Jo:

We’re, with that, uh, one last shot (laughs), and, uh, thanks everybody. And we’ll do this again. Um, you guys are going to be on stage at Black Hat. Very exciting. And, um, some other sessions between now and then. Um, but with the, uh, hands on workshop, it’s always great to get the product in the hands of people who can, um, see the value and make life better for their teams.

Carlos Martinez:

Absolutely. All right.

Matt Schiller:

Absolutely. All right, thank you, guys.

Jo:

Thanks, everybody.

Carlos Martinez:

Thanks, Jo. Thanks Matt. Appreciate it. Take care.

Matt Schiller:

Mm-hmm.

Jo:

Bye.

Close Transcript