What is the Banyan Zero Trust Access Platform?
- The Challenge with Traditional Controls
- The Banyan Solution - Zero Trust Security
- Deployment Models
With corporate applications and services deployed across hybrid clouds (on-premise, cloud IaaS, cloud SaaS, etc.) and clients with an ever-changing security posture (mobile workers, third parties, other applications, etc.), a solution with secure and scalable access controls is critical. This is what Banyan is designed to offer.
The Challenge with Traditional Controls
Organizations have traditionally relied on network tools such as VPNs, bastion hosts, and firewalls to manage access to private applications and servers. These tools were designed to integrate with on-premise directory services and grant users network access to static on-premise environments, not to serve today’s cloud-first dynamic environments.
The issues with traditional controls typically fall into three categories:
- Security – VPNs and bastions, by design, grant broad network access and are often used in conjunction with static credentials. Credential leakage and compromised VPNs have caused innumerable security breaches. VPNs also lack granular visibility and detailed audit logging of user access, meaning malicious actors can make their way into a network and remain undetected for months or even years.
- Operations – Access controls need to be managed across multiple tools: IP whitelisting rules for VPNs, static SSH keys in bastions, firewall segmentation rules, application-specific authentication and authorization, etc. Coordinating so many touch points for common actions, such as onboarding new team members, changing roles, or adding a new service, can quickly become a significant operational burden.
- User Experience – Users have to go through multiple redundant steps to access the applications and services they need: turn on the VPN, get through the gateway/bastion, and then authenticate with the underlying service. They need to do this multiple times a day for each corporate service they use. Even worse, users often have no idea which corporate resources they have or need access to. This results in frustrated users and lost productivity hours.
The Banyan Solution - Zero Trust Security
Banyan was designed to address issues with traditional network controls, ensuring that access is authenticated and authorized, regardless of which network the request originates from.
The Banyan solution is built on three foundational principles:
- TrustScore – By using the Banyan App (deployed on your macOS, Windows, Linux, iOS, or Android devices) and integrations with your device manager and endpoint security tools, Banyan provides a quantified metric of the user’s and the device’s security posture.
- Cloud Command Center – The Command Center is a SaaS platform, connected with your enterprise identity provider, that lets users write granular policies based on user and device entitlements. The Command Center issues short-lived tokens and certificates, offering 1-click access to applications while ensuring that every access granted is continuously authenticated and authorized.
- Distributed Access Tier – The Access Tier consists of cloud-integrated, identity-aware reverse proxies, deployed at the click of a button, that enable access to private applications and services.
Built on these principles, Banyan addresses the issues with traditional controls across the same three categories:
- Security – Users are granted access to the specific services they need to be productive rather than overly broad access to entire network segments. The Command Center also provides administrators with detailed audit logs of what services are being accessed. Revoking access is as easy as removing a user from a group or adjusting a policy. Instead of a single check during authentication, security policies are continuously assessed and access is terminated in real time if a user’s device doesn’t meet the minimum security posture threshold.
- Operations – Administrators need to deploy a lightweight Banyan Server Component in their network in order to securely publish services for their end users. All service and policy definitions are managed via the Cloud Command Center, tied to the user’s IdP groups and entitlements. To provision access to all the corporate services for a new user, all the admin has to do is assign the right groups.
- User Experience – Users can access web applications directly from their browser and infrastructure services via the Banyan App. In both cases, users see a well-organized service catalog showing all of the services they need to do their job, and they can connect to each service with a single click. Passwordless, programmatic, and CLI-based access are supported as first-class citizens.
Deployment Models
Banyan has a flexible architecture that allows for different types of deployment models, depending on an organization’s needs.
Self-hosted Access Tier
In the self-hosted Access Tier deployment model, an organization deploys the Banyan Access Tier on a server (with a public IP address that can be reached from the internet) in the data centers or cloud clusters where the corporate resources are hosted.
Global Edge Network
In the Global Edge Network deployment model, an organization uses the Access Tiers that Banyan hosts in its global edge network. The organization deploys the Banyan Connector on a server (that can dial out to the internet) in the data centers and cloud clusters where the corporate resources are hosted; the Connector establishes secure tunnels with the Global Edge Network.
Regardless of deployment model, admins define policies and services via the Cloud Command Center. End user traffic flows through the Access Tier, which enforces Zero Trust policies.
Read more about the Banyan Components.
Last modified: Dec 01, 2021