Enterprises have hundreds, if not thousands, of corporate resources spread across hybrid environments (on-premises, cloud IaaS, cloud SaaS, etc.) that are accessed over public and private networks. Banyan uses the term Service to refer to these corporate resources, providing secure connectivity agnostic to the underlying network.
Banyan categorizes corporate resources into 4 Service Types. Each type of service utilizes a different state-of-the-art cryptographic technique to provide one-click connectivity combined with Zero Trust security.
| Banyan Service Type | Description of Corporate Resource | Cryptographic Technique |
|---|---|---|
| Hosted Website | Web applications hosted on corporate servers, typically single-tenant | OIDC JWT token |
| Infrastructure | Linux servers, Windows servers, databases, etc. | MTLS & SSH certificates |
| SaaS Application | Web applications hosted by the SaaS provider, typically multi-tenant | SAML token |
| Service Tunnel | VLANs, VPCs, subnets, etc. | WireGuard key-pair |
You may use just one or all the types of services in your environment, depending on the use cases in your organization. Some common scenarios for each service type are listed below, along with the request flow diagram that explains how the Zero Trust security mechanism works.
Hosted Websites can be accessed by your end users directly from any browser without needing to turn on their VPN client, or any other type of agent. Banyan leverages the OpenID Connect protocol and HTTP headers (typically cookies) to transparently insert a JWT token into every request. Client access is then integrated with your organization’s Single Sign On provider, and continuously authorized based on the security posture of the device and user.
You can publish Hosted Website services when you need to enable:
Flow Diagram - Hosted Websites
Infrastructure services enable one-click, secure access to development and production environments. Traditionally, infrastructure access has relied on a combination of network access via a VPN and service-specific authentication protocols that use long-lived credentials such as passwords or SSH key-pairs. Long-lived credentials can be a security nightmare, given the ease with which they can be shared or lost. Banyan transparently upgrades infrastructure service traffic to Mutual-Auth TLS using short-lived X509 certificates. Security policies can then be continuously enforced, locking down access to specific servers based on user and device attributes and trust levels.
You can publish Infrastructure services when you need to enable:
Flow Diagram - Infrastructure Services
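The effect of the short-lived client certificates described for Infrastructure services is shown in the following added example, which is not Banyan's code: a constructed demo CA issues a 15-minute client certificate, and the chain check an mTLS server performs accepts it inside its validity window and rejects it after expiry. The names `Issue` and `ValidAt`, the subject names and the lifetimes are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue signs a client-auth certificate valid for ttl; a nil parent yields a self-signed demo CA.
func Issue(cn string, from time.Time, ttl time.Duration, parent *x509.Certificate,
	parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: from.Add(ttl), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // constructed root CA: signs itself and may sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ValidAt reports whether leaf chains to ca as a client certificate at time t.
func ValidAt(ca, leaf *x509.Certificate, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() { // demo only: issuance errors are not handled here
	ca, caKey, _ := Issue("constructed-demo-ca", time.Now().Add(-time.Hour), 48*time.Hour, nil, nil)
	leaf, _, _ := Issue("constructed-user", time.Now(), 15*time.Minute, ca, caKey)
	fmt.Println(ValidAt(ca, leaf, leaf.NotBefore.Add(5*time.Minute)), ValidAt(ca, leaf, leaf.NotAfter.Add(time.Minute)))
}
```

A copied certificate and key stop working once `NotAfter` passes, with no revocation step, which is the property that long-lived passwords and SSH key-pairs lack.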
SaaS Applications manage access into multi-tenant Software-as-a-Service (SaaS) products used by an enterprise. While SaaS applications are typically configured for multi-factor authentication (MFA) via an organization’s Single Sign On (SSO) tool, that is often insufficient security for sensitive corporate applications. Because SaaS applications are, by definition, open to the Internet and enterprise data can be compromised by any device with an internet connection, it is critical to restrict access to sensitive corporate SaaS applications to trusted devices. Banyan uses SAML/OIDC federation (also known as IDP chaining) to transparently intercept SAML/OIDC SSO flows and add policies based on the security posture of the device. Note that Banyan does NOT replace your enterprise SSO nor does it proxy SaaS application traffic.
You can publish SaaS Applications when you need to:
Flow Diagram - SaaS Applications
Service Tunnels provide encrypted network connectivity to network segments such as VLANs, VPCs and subnets. While the objective of Zero Trust security is often to migrate away from granting full network access to users and instead provision access to specific corporate resources, there are some scenarios where full network access is necessary. Banyan uses WireGuard to create secure, easy-to-use tunnels. As with the other service types, security policies are continuously enforced, locking down access based on user and device attributes and trust levels.
You can publish Service Tunnels when you need to enable:
Flow Diagram - Service Tunnels
Learn about Zero Trust policies and TrustScoring