What is the Banyan Zero Trust Access Platform?

Banyan is a modern access control solution inspired by Google’s BeyondCorp Architecture and built on Zero Trust Principles.

Banyan delivers secure, simple, and scalable access controls for today’s enterprise environments, where corporate applications and services are deployed across hybrid clouds (on-premise, cloud IaaS, cloud SaaS, etc.) and clients that require access have an ever-changing security posture (mobile workers, third parties, other applications, etc.).

The Challenge with Traditional Controls

Organizations have traditionally relied on network tools such as VPNs, bastion hosts and firewalls to manage access to internal private applications and servers. These tools were designed to integrate with on-premise directory services and give users network access into static on-premise environments, not for today’s cloud-first dynamic environments.

Traditional Controls

The issues with traditional controls typically fall in three categories:

  1. Security – VPNs and bastions, by design, grant broad network access and are often used in conjunction with static credentials. Innumerable security breaches have been caused by credential leakage and compromised VPNs. VPNs also do not provide granular visibility or detailed audit logging of user access, which means malicious actors can make their way into a network and remain undetected for months or even years.

  2. Operations – Access controls need to be managed across multiple tools - IP whitelisting rules for VPNs, static SSH keys in bastions, firewall segmentation rules, application-specific authentication and authorization, etc. Coordinating so many touch points for common actions, such as onboarding new team members, changing roles, or adding a new service, can quickly become a significant operations burden.

  3. User Experience – Users have to go through multiple redundant steps to get access to applications and services they need. They need to turn on the VPN, get through the gateway/bastion, and then authenticate with the underlying service. They need to do this multiple times a day for each corporate service they need to use. Even worse, users often have no idea what corporate resources they have/need access to. This results in frustrated users and lost productivity hours.

The Banyan Solution - Zero Trust Security

Banyan has been designed from the ground up to address the issues with traditional network controls, ensuring every access is explicitly authenticated and authorized regardless of which network the request originates from.

Zero Trust Security

The Banyan solution is built on three foundational principles to deliver modern Zero Trust access controls:

  • TrustScore - By using an App deployed on your devices (macOS, Windows, Linux, iOS, Android), and via integrations with your device manager and endpoint security tools, Banyan provides a quantified metric of the security posture of the user and device.

  • Cloud Command Center – A SaaS platform, connected with your enterprise identity provider, that lets you write granular policies based on user and device entitlements. The Command Center issues short-lived tokens and certificates, enabling users to gain 1-click access to their applications, while also ensuring every access is explicitly, continuously authenticated and authorized.

  • Distributed Access Tier – Click-button deployed, cloud-integrated, identity-aware reverse proxies that enable performant access to private applications and services.

Banyan is then able to address issues with traditional controls, across the three categories:

  1. Security – Users are granted access to the specific services they need to be productive rather than overly broad access to entire network segments. The Command Center also provides administrators detailed audit logs of what services are being accessed. Revoking access is as easy as removing a user from a group, or adjusting a policy. Instead of a single check during authentication, security policies are continuously assessed with the ability to terminate access in real-time.

  2. Operations – Administrators need to deploy a lightweight Banyan Server Component in their network in order to securely publish services for their end users. All service and policy definition is managed via the Cloud Command Center, tied to the user’s IDP groups and entitlements. To provision access to all the corporate services for a new user, all the admin has to do is assign the right groups.

  3. User Experience – Users can access web applications directly from their browser and infrastructure services via the Banyan app. In both cases, they see a well-organized Service Catalog showing all of the services they need to do their job and can get connected with a single click. Passwordless, programmatic and CLI-based accesses are supported as first-class citizens, further enhancing end user experience.
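
A conceptual sketch of the per-request evaluation described above, added here as an illustration; it is not Banyan's code or policy format. The class names, score thresholds, users and devices are assumptions constructed for the example. It shows service-level entitlement, a device score checked on every request, group revocation taking effect immediately, short-lived token expiry, and an audit record for each decision.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:                      # hypothetical policy shape, not Banyan's schema
    service: str
    allowed_groups: frozenset
    min_trust_score: int

@dataclass(frozen=True)
class Token:
    user: str
    device: str
    expires_at: float              # short-lived, so stale grants age out

class AccessProxy:
    """Identity-aware proxy that re-evaluates policy on every request."""
    def __init__(self, policies, groups, trust_scores):
        self.policies = {p.service: p for p in policies}
        self.groups = groups              # user -> IdP groups (live view)
        self.trust_scores = trust_scores  # device -> current posture score
        self.audit_log = []

    def authorize(self, token, service, now):
        policy = self.policies.get(service)
        if policy is None:
            ok, reason = False, "no policy for service"
        elif now >= token.expires_at:
            ok, reason = False, "token expired"
        elif not (self.groups.get(token.user, set()) & policy.allowed_groups):
            ok, reason = False, "user not in an entitled group"
        elif self.trust_scores.get(token.device, 0) < policy.min_trust_score:
            ok, reason = False, "device trust score below policy minimum"
        else:
            ok, reason = True, "allowed"
        self.audit_log.append((now, token.user, token.device, service, ok, reason))
        return ok

def run_demo():
    # Constructed sample data: one user, one device, two published services.
    groups, scores = {"alice": {"engineering"}}, {"laptop-1": 90}
    proxy = AccessProxy([Policy("wiki", frozenset({"engineering"}), 50),
                         Policy("ssh-prod", frozenset({"sre"}), 80)], groups, scores)
    token = Token("alice", "laptop-1", expires_at=600)
    results = [proxy.authorize(token, "wiki", 10)]          # entitled service
    results.append(proxy.authorize(token, "ssh-prod", 20))  # no broad access
    scores["laptop-1"] = 30                                 # posture degrades mid-session
    results.append(proxy.authorize(token, "wiki", 30))
    scores["laptop-1"] = 90
    groups["alice"].discard("engineering")                  # admin removes the group
    results.append(proxy.authorize(token, "wiki", 40))
    groups["alice"].add("engineering")
    results.append(proxy.authorize(token, "wiki", 700))     # token has aged out
    return results, proxy.audit_log
```

The same token is presented on all five requests; only the first is allowed, because the decision depends on state evaluated at request time rather than on the original login.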

Deployment Models

Banyan has a flexible architecture that allows for different types of deployment models, depending on an organization’s needs.

Self-hosted Access Tier

In the Self-hosted Access Tier deployment model, an organization deploys the Banyan Access Tier on a server (with a public IP address that can be reached from the internet) in the datacenters or cloud clusters where the corporate resources are hosted.

Deployment - Self-hosted Access Tier

Global Edge Network

In the Global Edge Network deployment model, an organization leverages the Access Tiers Banyan hosts in its global edge. The organization deploys the Banyan Connector on a server (that can dial out to the internet) in the datacenters and cloud clusters where the corporate resources are hosted; the Connector establishes secure tunnels with the Global Edge Network.

Deployment - Global Edge Network

Regardless of deployment model, admins define policies and services via the Cloud Command Center. End user traffic flows through the Access Tier component, which enforces Zero Trust policies.

What’s next

Read more about the Banyan Components.

Last modified: Jul 07, 2021