Services & Connectivity

Enterprises have 100s, if not 1000s, of corporate resources spread across hybrid environments - on-premise, cloud IaaS, cloud SaaS, etc - that are accessed over public and private networks. Banyan uses the term Service to refer to these corporate resources, providing secure connectivity agnostic to the underlying network.

Service Types

Banyan categorizes corporate resources into 4 Service Types. Each type of service utilizes a different state-of-the cryptographic technique to provide one-click connectivity combined with Zero Trust security.

Banyan Service Type Description of Corporate Resource Cryptographic Technique
Hosted Website Web applications hosted on corporate servers, typically single-tenant OIDC JWT token
Infrastructure Linux servers, Windows servers, databases, etc. MTLS & SSH certificates
SaaS Application Web applications hosted by the SaaS provider, typically multi-tenant SAML token
Service Tunnel VLANs, VPCs, subnets, etc. Wireguard key-pair

Use Cases

You may use just one or all the types of services in your environment, depending on the use cases in your organization. Some common scenarios for each service type are listed below, along with the request flow diagram that explains how the Zero Trust security mechanism works.

Hosted Websites

Hosted Websites can be accessed by your end users directly from any browser without needing to turn on their VPN client, or any other type of agent. Banyan leverages the OpenID Connect protocol and HTTP headers (typically cookies) to transparently insert a JWT token into every request. Client access is then integrated with your organization’s Single Sign On provider, and continuously authorized based on the security posture of the device and user.

You can publish Hosted Website services when you need to enable:

  • Browser-based access to internal web applications
  • API access for integrations between collaboration software
  • Developer access from HTTP-based CLI (Command Line Interface) tools
  • Mobile workflows, where mobile VPNs degrade performance and battery life
  • Client-less BYOD and third-party access, where admins cannot mandate clients
  • Modernization of legacy Web Access Management (WAM) solutions such as CA SiteMinder, Oracle Access Manager, etc
  • Browser-based access to desktops (leveraging Apache Guacamole)

Flow Diagram - Hosted Websites

Infrastructure

Infrastructure services enable one-click, secure access to development and production environments. Traditionally, infrastructure access has relied on a combination of network access via a VPN and service-specific authentication protocols that use long-lived credentials such as passwords or SSH key-pairs. Long-lived credentials can be a security nightmare, given the ease with which they can be shared or lost. Banyan transparently upgrades infrastructure service traffic to Mutual-Auth TLS using short-lived X509 certificates. Security policies can then be continuously enforced, locking down access to specific servers based on user and device attributes and trust levels.

You can publish Infrastructure services when you need to enable:

  • Organized service catalog showing users all of the services they need to do their job
  • Access to Linux machines using SSH
  • Access to Kubernetes clusters using kubectl
  • Access to Windows machines using RDP
  • Access via TCP-based protocols to Databases, Remote Desktops, etc
  • Developer access from TCP-based CLI (Command Line Interface) tools
  • Modernization of bastion hosts

Flow Diagram - Infrastructure Services

SaaS Applications

SaaS Applications manage access into multi-tenant Software-as-a-Service (SaaS) products used by an enterprise. While SaaS applications are typically configured for multi-factor authentication (MFA) via an organization’s Single Sign On (SSO) tool, that is often insufficient security for sensitive corporate applications. Because SaaS applications are, by definition, open to the Internet and enterprise data can be compromised by any device with an internet connection, it critical to restrict access to sensitive corporate SaaS applications to trusted devices. Banyan uses SAML/OIDC federation (also known as IDP chaining) to transparently intercept SAML/OIDC SSO flows and add policies based on the security posture of the device. Note that Banyan does NOT replace your enterprise SSO nor does it proxy SaaS application traffic.

You can publish SaaS Applications when you need to:

  • Restrict access to cloud SaaS products to approved devices, without man-in-the-middling traffic
  • Configure SAML/OIDC authentication without registering the application in enterprise SSO
  • Configure SAML/OIDC authentication for development applications

Flow Diagram - SaaS Applications

Service Tunnels

Service Tunnels provide encrypted network connectivity to network segments - VLANs, VPCs, subnets, etc. While the objective of Zero Trust security is often to migrate away from granting full network access to users and instead provisioning access to specific corporate resources, there are some scenarios where full network access is necessary. Banyan uses Wireguard to create secure, easy-to-use tunnels. As with the other service types, security policies are continuously enforced, locking down access based on user and device attributes and trust levels.

You can publish Service Tunnels when you need to enable:

  • Network and system administration, where users need complete access to the network
  • Access to legacy applications that use multiple ports or unpredictable port numbers
  • Access to latency-sensitive, real-time, UDP flow based applications such as IP telephony, media streaming, etc

Flow Diagram - Service Tunnels


What’s next

Learn about Zero Trust policies and TrustScoring

Last modified: Jun 16, 2021