Cluster Deployment

Details on the Shield component and how PKI is managed by Banyan

Every organization in Banyan has a Cluster that represents a logical grouping of Access Tiers that are managed together. The specific component the defines a Cluster is internally referred to as Shield. While the Shield is conceptually part of the Command Center, it is deployed and managed on a per-organization basis.

Shield distributes security policies to, and aggregates network data from, Banyan’s enforcement component, Netagent. In addition, Shield manages a Private PKI (Public Key Infrastructure), also known as an Internal CA (Certificate Authority), to distribute cryptographic identities (X.509 Certificates) to clients and services in your organization.

Internal Certificate Authority (CA)

Certificates issued to your organization’s clients and services are signed by your Internal Certificate Authority (CA). Your Internal CA is, by default, named {orgname} Banyan Private Root CA.

Banyan uses the same Internal CA key-pair to issue both SSH and X.509 certificates. For more information about the specific types of certificates Banyan issues, see our article on managing cryptographic tokens and certificates.

Security and Availability

Your Banyan-managed Internal CA is secured at a level commensurate with public trust anchors while giving you oversight over its properties and the names on those certificates.

Banyan leverages our cloud infrastructure provider’s native key management security tooling, that is purpose-built to manage cryptographic keys, to secure your Internal CA. An organization’s Internal CA private key is encrypted with an organization-specific password and stored in a key vault. At runtime, the Internal CA itself is deployed in an isolated and dedicated Kubernetes pod we create for each organization.

Access to the accounts which host the key vault and the Kubernetes clusters are controlled in accordance with the Banyan’s Information Security program and SOC2 controls, which establish rigorous practices for production access, audit logging, and compliance. Read more about our security practices in our security statement.

Your Internal CA is also deployed in a high-availability configuration using our cloud infrastructure provider’s global Kubernetes service.

Custom Managed PKI Capabilities

For large, global deployments, Banyan can provide additional capabilities.

To optimize network latency, Banyan can deploy multiple clusters across multiple regions.

To leverage an organization’s existing PKI tools, Banyan can use an Intermediate CA certificate signed by the organization’s Root CA. This allows a customer to continue to be responsible for protecting their Root CA, while Banyan can manage the issuance of certificates for its clients and services. The customer retains overall control since it can revoke the Intermediate CA at any time.

Please contact support for specific details regarding our custom Managed PKI capabilities.

Last modified: Jul 07, 2021