Company News | Banyan Security
https://www.banyansecurity.io
VPN Alternative - Banyan Security Service Edge
Thu, 26 Oct 2023 19:55:30 +0000

Banyan Expands Partner Program to Meet Record Growth and Demand
https://www.banyansecurity.io/blog/banyan-expands-partner-program-to-meet-record-growth-and-demand/
Tue, 06 Dec 2022 14:00:41 +0000

With another year of record growth under our belt, Banyan Security is expanding its partner program, shifting its go-to-market focus to better leverage a channel-centric model.

Growth has stemmed from a strong focus on a self-serve ZTNA and SSE solution in what is a historically very complicated network security space. To continue this strong growth into 2023, Banyan Security will be onboarding additional partners.

Our program delivers particular benefit to those partners who provide more value in the form of additional services to their customers and prospects, without the requirement of weeks-long training and an alphabet soup of unnecessary and often obsolete certifications. In fact, to reinforce this point, Banyan provides an instance of its platform for partners to use internally at no cost to them. Each partner can spin up a fully functional and easily demonstrable instance within minutes.

Banyan Security’s partner program drives value via:

  • Attractive margins without complex rebate systems
  • Simple partner program requirements
  • Tailored solutions to drive services revenue for partners of all types (MSPs, MSSPs, VARs, SIs, etc.)
  • A high-touch, highly capable field and marketing team to quickly enable your business and technical folks

We recognize that there are many network security vendors with which to partner, particularly in the SSE/SASE market, and we differentiate with a program that mimics our solution, delivering strong value, satisfaction, and ease of use.

To join the Banyan Security partner community, please visit https://www.banyansecurity.io/partners/.

Improving Business Outcomes with Zero Trust
https://www.banyansecurity.io/blog/improving-business-outcomes-with-zero-trust/
Thu, 07 Jul 2022 18:12:29 +0000

Reducing reliance on passwords and VPNs can help deliver security’s “holy grail” – improving both security and user experience for employees, partners and potentially customers.

There is a lot of “buzz” around zero trust these days, mostly for its ability to provide superior security outcomes. Done properly, a zero-trust framework can help reduce phishing and ransomware attacks, make it harder for attackers to move laterally and escalate privileges, and generally help reduce an organization’s overall attack surface via more granular controls over who can access apps and resources. Central to a proper zero-trust stance is authentication, as well as device trust (device identity and device security posture), which jointly help reduce the risk of lost or stolen credentials.

But as we discussed in a recent virtual roundtable with Banyan CTO Den Jones and 451 Research Principal Research Analyst Garrett Bekker, there is also a business angle to be considered that thus far has been underappreciated. For starters, zero trust can help with more effective work-from-home policies, in part by reducing reliance on legacy VPNs, offering more flexible access methods that support a greater number of remote/mobile workers with fewer resources.

In our view, one of the most critical benefits of zero trust is the potential to deliver a better user experience. For much of its history, user experience for most security products has been flat-out awful. The upshot is that users will often go to great lengths to get around them if possible. Poor UX has also held back adoption of many security products, with multifactor authentication (MFA) being an obvious example. For end users, if you have to do MFA for every single app and everything you touch, it’s a nuisance. For developers, app dev teams don’t want to have to configure their apps to use an identity provider (IDP) and enable MFA. It’s like being disciplined about going to the gym and eating your vegetables – everyone knows it’s good for you, but a lot of people can’t be bothered.

Another way that zero trust can help improve business outcomes is via reduced infrastructure complexity. Zero trust can be a simple overlay on existing networks, and allow for less reliance on VLAN- and subnet-based segmentation, 802.1X, NAC, IP whitelisting, perimeter firewalls, DNS changes, client-based legacy VPNs, etc. This means zero trust does a better job supporting special cases like temporary workers and teams, contractors and consultants, and BYOD policies that include both managed and unmanaged devices. Further, for companies that do a lot of acquisitions, M&A no longer requires reconfiguration of networks, switches, policies, etc. A single policy can cover on-premises or remote, private network and cloud scenarios.

A good zero-trust implementation can also help accelerate migration toward a more modern, cloud-based architecture for which a perimeter-based security model is less relevant. That, in turn, makes it much easier to roll out new business apps. A zero-trust approach can also enable passwordless access to any internal application or resource, thus improving the user login experience – which is still a nightmare for most people – as well as drastically cut down the number of password-related help-desk tickets and save time.

The bottom line is that while organizations might begrudgingly spend money on security products and services in general, reducing reliance on passwords and VPNs can help deliver security’s “holy grail” – improving both security and user experience for employees, partners and potentially customers.

Garrett Bekker III

Principal Research Analyst, Information Security at 451 Research, part of S&P Global Market Intelligence
@gabekker

 

10 Aug 2022 update: See additional supporting data points in the “Driving Superior Business Outcomes with Zero Trust” infographic.

Banyan Security Research – IT and Security Attitudes Regarding Secure Remote Access
https://www.banyansecurity.io/blog/banyan-security-research-it-and-security-attitudes-regarding-secure-remote-access/
Tue, 21 Jun 2022 13:00:51 +0000

We surveyed IT and security personnel in 2022 about their attitudes regarding secure remote access solutions.

Virtual private networks (VPNs) are the established choice for IT and security personnel when it comes to granting remote network access. But traditional VPNs have become outdated – they are no longer able to offer the scalability and flexibility to serve modern hybrid workforces, or adequately cope with sophisticated contemporary cyber threats.

Zero trust network access (ZTNA) is the natural successor to corporate VPN usage, offering many advantages over its traditional counterpart including reduced up-front architectural requirements, easier global deployment, improved user experience, accommodation of both remote and on-premises access, better overall performance, easier integration/scalability, and a much narrower attack surface for malicious actors to attempt to compromise.

Recent research commissioned by Banyan Security shows that of all IT and security personnel approached to participate in this survey, 14% are in the early stages of ZTNA adoption and an additional 17% have begun to roll it out.

This is despite the adoption of a zero trust model being viewed as a priority for 97% of organizations that we spoke to. So, what accounts for the hesitation?

What’s the delay with adopting ZTNA?

It’s definitely not due to a lack of pressure faced by organizations. Our research findings also show that in a post-pandemic working landscape where hybrid working is prevalent, 51% of workers use a combination of personal and corporate devices to connect to business applications and resources. For larger companies (between 1,001-5,000 employees) this figure rises to 59%.

Chart 4

This wide range of devices (with varying levels of security between BYOD and company-owned devices) regularly accessing corporate networks means there’s clear potential for ZTNA solutions to improve both security and the user experience, whilst making the lives of the IT and security teams easier. Both device identity and device security posture can be assured via policy, thus reducing risk normally associated with BYOD.

Some troubling data also surfaced. It seems that overall satisfaction with existing systems and solutions is high: 92% of respondents were confident their remote access solution adequately protects the organization from unauthorized access to applications and resources. This statistic is especially worrying given that VPNs grant overly-broad network access, and threats like ransomware use this lateral movement freedom to shut down organizations for illicit profit.

Chart 3

A further 92% are satisfied with the admin user experience for their existing secure remote access solution, while 88% are satisfied with the end user experience. Given the clear advantages that ZTNA offers over traditional VPNs, it seems likely that this confidence is also misplaced – particularly when it comes to data security.

Chart 5

Chart 6

ZTNA is popular with those in the know

Whilst IT and security personnel who are currently using VPNs remain relatively satisfied with the solutions, there is a clear impetus to switch to ZTNA amongst those who are aware of the benefits it offers. Of the IT and security personnel that are aware of both VPNs and ZTNA, adopting a zero trust model is a priority for almost all (97%) organizations.

Chart 7

Across the board, those sticking with VPNs or transitioning to ZTNA are planning to spend money on improvements: over 9 in 10 (93%) of organizations have a committed budget to enhance their VPN or move toward ZTNA for this year or the following year.

Chart 8

Why is ZTNA viewed as a priority amongst those who have chosen to adopt it? Secure remote access (48%), improving the end user experience (34%) and eliminating exposure to VPN vulnerabilities (34%) were key drivers in the decision to choose ZTNA for IT and security personnel – all of which align with easing the pressures that contemporary organizations face.

Chart 9

Whilst most of those who are aware of ZTNA understand its advantages, and those who remain satisfied with VPNs are likely to be so due to a lack of awareness about alternatives, IT and security personnel did also highlight some perceived issues with migrating to ZTNA that are relatively straightforward to address.

Myth-busting ZTNA adoption

For some, ZTNA may be considered to be tricky to adopt. Over two thirds of current VPN users (69%) believe implementing a ZTNA strategy would be a large undertaking. If there is a belief within the organization that current remote access solutions offer adequate protection and end user experience (as our research suggests) the underlying issue could be one of complacency and misplaced confidence.

Chart 14

It is unlikely that IT and security personnel with this attitude would have suffered a recent security breach. A single instance of malicious actors gaining access and being able to move laterally through the network due to VPN vulnerabilities or compromised credentials would certainly give them cause to think again – but by then, the damage would be done.

More education around the risks associated with relying on outdated remote access technologies could have huge preventative value for this particular cohort. This is further evidenced by the 13% of VPN owners who claimed that zero trust is ‘confusing’ and that they don’t know where to start.

Chart 11

Even amongst those who understand ZTNA, there is a fear that complexity could be a problem – 30% of VPN users believe it is difficult to implement ZTNA infrastructure in their current security environment. But this is not necessarily the case. The best ZTNA solutions are cloud-native by nature, and designed to integrate seamlessly with existing security solutions.

Chart 12

Time considerations can also be a factor for those concerned about ZTNA adoption. Organizations rolling out zero trust solutions took 11.5 months on average to implement ZTNA. This is undeniably a significant undertaking, but pales by comparison to the timescales involved with migration away from other legacy systems towards SaaS and cloud-based architectures.

Chart 10

And as always, cost is also a factor in an organization’s decision to adopt new technologies. 62% of VPN users claim that cost/budget constraints are the key barrier to ZTNA adoption. But when weighed against the potential cost to an organization of a serious data breach, an investment in ZTNA is minimal and extremely worthwhile. So, avoiding ZTNA for financial reasons should be considered risky and short-sighted.

Become a ZTNA evangelist

How can IT and Security personnel who understand the value that ZTNA offers their business convince decision makers that adoption is the way forward? Overcoming potential objections such as the ones outlined above will be key to winning the battle for hearts and minds.

Our research shows that 82% of VPN users would likely implement ZTNA if there were an easily deployable, inexpensive option. Three quarters (75%) of IT and security personnel also said they often make use of “freemium” or “try before you buy” options when making decisions about technology solutions – so seeking out providers that offer these models can really help convince the risk-averse.

Chart 15

Overall, a better understanding of the benefits that ZTNA offers, as well as the risks that it negates, are the most compelling arguments for adoption. Legacy VPN systems are becoming more outdated with each passing day – the time to future-proof your workforce’s ability to easily and securely access resources is now.

About the research

The survey contacted 1,025 respondents and continued the interview with the 410 Senior Decision Makers who are responsible for IT or security and who met the criterion of being aware of both VPN and ZTNA.

Respondents worked in organizations that employ 500 to 5,000 employees. The survey took place across the USA (357) and Canada (53).

At an overall level, results are accurate to ± 4.8% at 95% confidence limits assuming a result of 50%.

The interviews were conducted online by Sapio Research in April 2022 using an email invitation and an online survey.

Banyan Security, Okta and LAPSUS$
https://www.banyansecurity.io/blog/banyan-security-okta-and-lapsus/
Tue, 22 Mar 2022 22:12:33 +0000

The Banyan Security solution is not impacted by the breach recently disclosed by Okta related to Lapsus$.

As Banyan Security’s Chief Security Officer, I want to not only make sure that the Banyan organization and product offering are safe, but also that our customers and partners are secure.

First, we want you to know that the Banyan Security solution is not impacted by the breach recently disclosed by Okta related to Lapsus$. For more information on the incident please refer to Okta’s website: https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/.

We have taken steps internally to review our Okta tenant, accounts, and logs. We have confirmed that everything is in order and also that there is no evidence to suggest Okta’s incident impacted us as a customer.

Furthermore, the Banyan zero trust network access solution is often integrated with Okta as noted in our feature guide here:  https://docs.banyansecurity.io/docs/feature-guides/manage-users-and-devices/identity-providers/okta/.

Banyan’s approach provides user trust independent of device trust, to reduce risk in scenarios like this. Customers who use Okta with Banyan are better protected as a result of this philosophy.

There is no evidence to suggest that in this case Okta was not operating under the principle of least privilege, or that the third party in question had excessive permission to access the services and applications needed to do their job.

However, at time of writing, there is an open question regarding how a lost device can be unlocked and authenticated providing access into systems, especially if you assume a short session duration for a user with privileged access. We’re hopeful that in the coming days and weeks there will be full transparency and we will learn more.

Banyan mitigation & potential response for this attack

Here is a list of key activities performed by Banyan’s security team. We recommend you perform similar checks in your environments.

Mitigation for employee directory and corporate resources

  • Review user directory – Banyan Security staff reviewed the user directory and ensured that all accounts created had IT tickets associated with them and were known employees. We made sure no Okta support staff ever had access to our systems (by looking for eventType “user.session.impersonation.initiate” in the System Logs).
  • Review certificate issuance – Banyan Security staff used data compiled from Banyan APIs and the console to identify when certificates were issued to new devices. Any certificate issued to a user that was not in good standing would be revoked (none were found).
  • Review Okta & Banyan audit logs – Banyan Security staff reviewed the administrative logs within the Banyan Console for anomalous or unexpected configuration changes and found none. Additionally, a review of Okta audit logs for indicators provided by Okta did not turn up any findings.
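
As an added example (not Banyan's or Okta's own code), the impersonation check from the first bullet can be run offline over an exported Okta System Log. The sample events and the review date are constructed; matching on the `user.session.impersonation.` prefix rather than only the one event type named above, and the 90-day default window, are assumptions of this sketch.

```python
"""Flag Okta support-impersonation events in an exported System Log."""
import json
from datetime import datetime, timedelta, timezone

# The post names "user.session.impersonation.initiate". Matching the prefix
# (an assumption added here) also surfaces sibling events in that family.
IMPERSONATION_PREFIX = "user.session.impersonation."

# Constructed sample export (JSON Lines); addresses use documentation ranges.
SAMPLE_LOG = """
{"published":"2022-01-18T09:12:44.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"198.51.100.7"}}
{"published":"2022-01-20T23:18:31.512Z","eventType":"user.session.impersonation.initiate","actor":{"alternateId":"support-agent@example.net"},"target":[{"alternateId":"admin@example.com"}],"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"203.0.113.25"}}
{"published":"2021-06-02T10:00:00.000Z","eventType":"user.session.impersonation.initiate","actor":{"alternateId":"old-agent@example.net"},"target":[{"alternateId":"admin@example.com"}],"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"203.0.113.40"}}
{"published":"not-a-date","eventType":"user.session.impersonation.initiate","actor":null,"outcome":{"result":"FAILURE"}}
"""
AS_OF = datetime(2022, 3, 22, tzinfo=timezone.utc)  # constructed review date


def parse_published(value):
    """Parse a 'published' timestamp (UTC, ISO 8601); None if unusable."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            continue
    return None


def load_events(text):
    """Accept either a JSON array or newline-delimited JSON objects."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_impersonation(events, as_of, days=90):
    """Return impersonation events inside the review window, oldest first.

    Events whose timestamp cannot be parsed are kept and marked UNPARSED, so
    a malformed record is reviewed by a person instead of silently dropped.
    """
    start = as_of - timedelta(days=days)
    hits = []
    for ev in events:
        event_type = str(ev.get("eventType", ""))
        if not event_type.startswith(IMPERSONATION_PREFIX):
            continue
        when = parse_published(ev.get("published"))
        if when is not None and not (start <= when <= as_of):
            continue  # outside the review window
        actor = ev.get("actor") or {}
        hits.append({
            "published": when.isoformat() if when else "UNPARSED",
            "eventType": event_type,
            "actor": actor.get("alternateId", "unknown"),
            "targets": [t.get("alternateId", "unknown")
                        for t in ev.get("target") or []],
            "outcome": (ev.get("outcome") or {}).get("result", "unknown"),
            "ip": (ev.get("client") or {}).get("ipAddress", "unknown"),
        })
    # ISO timestamps sort chronologically; "UNPARSED" sorts after them.
    return sorted(hits, key=lambda h: h["published"])


if __name__ == "__main__":
    for hit in find_impersonation(load_events(SAMPLE_LOG), AS_OF):
        print(json.dumps(hit))
```

An empty result over the full window corresponds to the "no Okta support staff ever had access" finding; any hit should be matched against a support case your team opened.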

Mitigation for production environments (our customer data and systems)

In order to access customer data either through the administrative console or directly via the production infrastructure, there are additional controls in place that must be met that do not rely solely on Okta users and groups. As a result, there is no additional risk from this incident to Banyan customer data.

Additional course of action for Banyan Customers

Any customers who feel they would like to take additional steps are encouraged to change their invite code to the Banyan platform and revoke any device certificates issued by Banyan in the last 90 days (the suspected incident window). Your new users will have to re-register their devices with Banyan and procure new device certificates.

See our blog, “The Okta Breach and Securing SaaS Administration Interfaces” for more information on preventing such breaches.

If you have any questions about the Banyan zero trust solution, please do not hesitate to contact us.

We’ve Raised Series B!!!
https://www.banyansecurity.io/blog/weve-raised-series-b/
Tue, 18 Jan 2022 15:00:50 +0000

Banyan Security, which provides customers with a phased journey to zero trust network access (ZTNA), raises $30M in new growth financing.

Today is a very exciting day for Banyan Security! We just announced $30M in new growth financing! We are partnering with Curtis McKee from Third Point Ventures as lead investor and Board member for our Series B funding round, along with participation from new investors SIG and Alter Venture Partners and previous investors Shasta Ventures and Unusual Ventures.

Third Point Ventures brings an excellent portfolio including SentinelOne and Sysdig. Curtis brings deep expertise in network security and remote access, partly from his prior experience at Intel and Arista. I feel incredibly fortunate and honored to have these accomplished investors on our journey to transform security for this new era of work-from-anywhere.

A lot has changed since our Series A round in late 2019. The rapid shift to remote work environments and the push for digital transformation are greatly exacerbating the secure access challenges that we founded Banyan to solve. As a result, the interest in Zero Trust Network Access (ZTNA) is skyrocketing, and the market has gotten very noisy with new entrants and old players cobbling together repurposed VPNs with a Zero Trust sticker.

In contrast, Banyan has been laser-focused on these issues from the company’s inception and we are confident that we have built the market’s most trusted and scalable secure remote access solution. Moreover, Banyan is “architected for diversity”. Modern organizations are incredibly heterogeneous. This diversity is reflected in the employees, developers, and third parties they work with, the mix of operating systems and device types being used, in the locations where people work, and in the types and locations of resources being accessed. Banyan’s solution securely and conveniently handles access across all of this.

In the last year, we grew our user and customer base by over 300%. Our product has gained many new security features with a delightful user experience and a new free offering (Team Edition). We’ve also built a world-class leadership team including the recent addition of our CSO Den Jones, one of the most experienced leaders in zero trust implementation.

I’m very excited about the future of Banyan. I’m very confident we’ve found the right partner in Third Point Ventures and Curtis, with their background, track record, and recognition of Banyan for being a true market disruptor and innovator. We’ll use this investment to increase our brand awareness and double the team by the end of the year with hiring across sales, marketing, and product innovation.

I invite you to keep up with our latest product and company updates by signing up here. If you have challenges with your remote access or want to pursue bringing zero trust into your environment, please reach out to us and see how we can help with your efforts.

Banyan Security Log4j Vulnerability Update
https://www.banyansecurity.io/blog/banyan-security-log4j-vulnerability-update/
Thu, 16 Dec 2021 19:29:32 +0000

Banyan Security's Zero Trust Remote Access solution is not impacted by the Log4j vulnerability, as we do not use this library (or Java).

First, we want you to know that the Banyan Security solution is not impacted by the Log4j vulnerability.

As Banyan’s Chief Security Officer, I not only want to make sure that the Banyan organization and product offering are safe, but I’m interested in making sure our customers and partners are safe as well.

A severe vulnerability in the popular Java-based Apache logging library Log4j was recently discovered being exploited in the wild, and you’re no doubt seeing important communications from your tool stack vendors with recommendations for patching and remediation.

This library is used by thousands of services around the world, facilitating logging from applications into log files. The vulnerability allows unauthenticated remote code execution (RCE) and access to servers.

Please know that the Banyan Security Zero Trust Remote Access solution is not impacted by this vulnerability, as we do not use this library or Java.

This vulnerability does, however, merit your attention, so we’ve compiled some select resources for your consideration.

CVEs
At time of writing there are 10 CVEs related to the Log4j vulnerability. Remember that just because a vulnerability is “old” doesn’t mean it poses any less risk to your organization. Successful security programs manage vulnerabilities according to their respective risk, and four of these are considered Critical.

CVE-2021-44228
CVE-2019-17571
CVE-2019-17531
CVE-2017-5645
CVE-2021-45046
CVE-2021-4104
CVE-2020-9488
CVE-2014-0722
CVE-2012-5616
CVE-2008-7261

Additional Resources
As you can imagine there are lots of resources out there that explain this in more detail; here’s a select few we recommend:

Apache.org: https://logging.apache.org/log4j/2.x/security.html

CVE Details: https://www.cvedetails.com/product/37215/?q=Log4j

NIST: https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=log4j&search_type=all&isCpeNameSearch=false

CISA: https://www.cisa.gov/uscert/ncas/current-activity/2021/12/13/cisa-creates-webpage-apache-log4j-vulnerability-cve-2021-44228

MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

If you have any questions about the Banyan solution, please do not hesitate to reach out.

Zero Trust Expert Den Jones Joins Banyan Security as CSO
https://www.banyansecurity.io/blog/zero-trust-expert-den-jones-joins-banyan-security-as-cso/
Tue, 07 Dec 2021 16:00:20 +0000

Check out our Q&A with Zero Trust expert Den Jones, Banyan Security's CSO. Read how Den takes advantage of technology that leverages zero trust.

A Q&A with Den Jones, Banyan Security CSO

Why join a startup now?

Early in my career I moved from Scotland to California with no financial safety net while providing the sole income for my young family. In those days finances were extremely tight and I felt that it was a lower risk to work for a large and stable company like Adobe. I always thought of startup life being less stable.

However, for the past 20 years I’ve run my teams like a startup. Moving fast, taking calculated risks and recognizing that our company and our customers need to see exciting, business-enhancing results on a regular basis.

I’ve always wanted to join a startup; being able to contribute to a fast-paced and nimble organization that delivers industry-leading results is an appealing opportunity.

 

OK – so why Banyan?

At that point, it was about joining the right start-up. In Banyan, I already knew the founders and many engineers from our partnership at Adobe. An extremely gifted team, humble but with a solid product and strategy. It was vital to me that I join a company that really solves industry problems and with a vision to transform the future of businesses around the world. Press release announcing Den’s role here.

 

Why did you pick zero trust as a focus area?

Zero trust is such an exciting space; it really revolutionizes both identity security as well as the remote access space.

What I experienced during our deployments at Adobe and Cisco was how incredibly impactful Zero Trust can be. It’s very rare that you can improve the employee experience while also improving security. Normally one happens at the expense of the other.

Zero Trust done right can deliver this and much, much more.

 

It’s often said that zero trust isn’t a product, but rather an aspirational strategy. Would you agree?

Ha, it’s really a blend of both…and maybe a little more.

In the last few years I’ve seen many companies struggle to get started. Just defining the problem often escapes many companies I’ve spoken with. As a result, there was no way they could describe the business value, problem statement, or the current risks.

COVID has permanently changed the global workforce. The composition of the average business will have more contractors, consultants, gig, and temporary workers working hand in glove with the full-time employee base. Physical locations are increasingly varied and remote. A dropping unemployment rate will mean hiring best in class with less regard for geography.

Relying on network-centric tools and legacy VPNs is simply not going to cut it from any meaningful perspective be it security, manageability, or usability.

And so, for all these reasons we’ll want to drive toward solutions that use zero trust tenets. Is it a “buy this product and magic happens” situation? No, of course not. But, being able to take advantage of technology that leverages zero trust will become an important competitive advantage for organizations.

 

Most security and IT folks seem to have arrived at agreement as to the value of zero trust principles. Why aren’t we seeing more successful deployments?

That’s the rub. We’ve got general agreement as to the “what”. Where folks are struggling is with the “how”.

Having things like continuous authorization, user and device trust, least-privilege access are all desirable.

But when your starting point is a legacy VPN, getting there can seem daunting. And the dirty little secret is that yeah, it takes work. You can’t buy a zero trust product and expect magic to happen. You have to think about your existing tech investments. About your workforce composition. Device requirements. Resource sensitivity.

Can the right technology help? You bet. And we can do better. I plan to use my experience deploying zero trust in global enterprises to help other practitioners in industry make it real.

 

Why isn’t having a modern identity system sufficient for granting folks access to resources?

Historically we relied on user authentication to make sure the “right” people accessed our systems. However, in practice this means a legitimate user can connect with a device that has a completely unacceptable security posture. For example, an out of date OS, no disk encryption, no installed endpoint security, even the possibility that it’s already compromised. Which means a bad actor can still sit on the device while the user authenticates and then with that access perform background tasks to further their attack.

 

What are some of the aspects of zero trust that deliver the biggest bang for the buck?

There are several areas that really help an organization improve productivity and reduce operational costs; here’s a few:

  • Ending the need to change passwords every 90 days
    • Reduces user frustration and wasted time
    • Reduces service desk tickets related to password changes by over 60%
  • No longer requiring users to VPN in
    • Saves time for your workforce and reduces frustration
    • Enables reduction of expensive VPN concentrators, lessens need for geographic spread
    • Depending on your approach you can remove the legacy VPN platform entirely and adopt Banyan’s Service Tunnel feature, accelerating your Zero Trust adoption
  • Security Improvements
    • Eliminate access to applications and data from unsecure devices
    • Prevent the ability for mass attack on your corporate network
      • By removing overly-broad VPN access
      • Turn your office network into a guest network to prevent lateral movement

It’s evident that in the Identity and Remote Access space companies turn a blind eye to a huge problem – no one is really achieving least privilege. If they did then attestations would not be blanket approvals each quarter and VPN platforms wouldn’t simply provide full access to the internal networks for full time employees.

Imagine a day when upon an employee’s device being compromised a bad actor doesn’t get full access to your entire network. Or automatically adjusting access privileges to those applications that aren’t being used, thus preventing access creep.

 

What do you want your professional legacy to be?

I’ve only thought about this in the last few years. Legacy takes several forms. As a leader I want to build world-class organizations that break the mold and lead the industry.

As a practitioner I’d love to be seen as someone who collaborates with other industry leaders; not just in a visionary capacity but also as a servant to others. I’m curious, still learning myself, and see this type of engagement as personally and professionally important. And, being able to share my experiences to enable others is an incredibly rewarding experience. I invite people to reach out.

Banyan @ Banyan Part I – Why Do I Enjoy Dogfood?
https://www.banyansecurity.io/blog/banyan-banyan-part-i-why-do-i-enjoy-dogfood/
Tue, 03 Nov 2020 02:36:58 +0000

We deployed and used our own product to see how well Banyan performed for SOC 2 compliance.


Dogfooding your own product is a long-standing tradition in software development. The benefits are many – from finding and fixing glitches before any customer rollout to developing empathy for the end user (since that end user is you). Great stories arise from the efforts to deploy and use your own product and not surprisingly, our Banyan @ Banyan dogfooding program has yielded these benefits too. I’m going to share a few stories that explore our experience and help unpack the complexity of building a Zero Trust environment. The first in this series will cover how we approached compliance, and later posts will cover remote access for engineers, InfoSec, and finally productivity.

Part I: Compliance without a VPN or MDM

I love compliance.

Yeah, you heard me, I love it, it’s great. How’s that you might ask? Isn’t it the pain in the tuckus that we have been fighting with for decades while still trying to be productive?

I love compliance because it’s the right thing to do. Security compliance standards are all about best practices. They help your customers have confidence that you are taking security seriously and making a true best effort. Sure, there will often be some annoying aspects that just don’t seem to be relevant to your situation, but that’s a discussion for another time.

At Banyan, when it came time for our compliance efforts, I dove in headfirst. I knew it would be a straightforward exercise – mostly documentation – as we are already mature in our internal security posture for a young company. But where is the fun in that? We decided to up the challenge and use our own technology as much as possible. We’re a secure remote access platform and compliance has everything to do with securely accessing systems that contain sensitive data.

Hypothesis – could we become SOC 2 compliant without the presence of a VPN or UEM/MDM, solely by leveraging our own platform?

We wanted to avoid deploying a VPN because we believe it’s an artifact of a bygone era and wanted to have our systems start off secure from day one.

The UEM/MDM though was different. Our employees are very security and privacy conscious, values we hold dearly. Many of our employees want to use personal devices, whether it’s using Slack or email, or checking production system health status while on the move. Installing UEM/MDM agents on personal devices that give an administrator the ability to wipe or lock a personal device was deemed unacceptable to all involved. Having a UEM/MDM that only covered corporate devices to provide inventory of devices was also insufficient as it leaves out many of the devices that access our corporate resources! As a result, we chose to use the Banyan Security Zero Trust Remote Access platform for Inventory Management requirements, and relinquish our dependency on the UEM/MDM.

Could we do it?

Challenge accepted. The following is an overview of what we did to achieve compliance in our production environment.

This diagram illustrates connecting to each of the 5 interfaces: Product Console, Containers, Kubernetes, Databases and Cloud Infrastructure.


The primary part of SOC 2 compliance that is relevant for this discussion focuses on how we control and limit access to sensitive information. In the Banyan platform, our SaaS component has a database that contains all of our persisted data, and while it’s not super sensitive (no PII, credit cards, etc.), it does have customer data. The SaaS component has a range of interfaces that users can leverage to access sensitive data: a web interface for the administrative console, the public cloud provider console, SSH, Kubernetes, and the database itself. Access to all of these needs to be limited to a small set of privileged users. These users are identified in a group definition in our identity provider, and the interfaces are then protected by Banyan using a number of different techniques:

  1. Product console – Administrative interface to configure system, view usage and monitor security events. This interface is available via HTTPS, so we configured it as a SaaS application with our identity provider leveraging Banyan’s Device Trust continual authorization capability.
  2. SSH Microservices – Containers that host our application microservices. This interface is SSH, so we enabled the hosts behind a Banyan Access Tier, and end users establish connections from our App Proxy using HTTP_CONNECT mode.
  3. Kubernetes – IaaS managed Kubernetes. Leveraging the standards-compliant OIDC Provider, it natively provides the ability to authenticate and authorize users against K8s clusters. This gives end users the ability to connect to K8s clusters without a VPN, authenticate against the cluster directly through the Banyan app, and authorize users with RBAC using Banyan Roles and Policies.
  4. Databases – Cloud DBaaS instances. This interface is TCP, but cloud-provided, so there is no SSH directly to the host. Here we allowlisted the Access Tier as the IP range permitted to access the SQL instances, then let end users connect from our App Proxy using TCP_MODE.
  5. Cloud resources & cloud console – Public cloud provider’s console and APIs. For the cloud provider’s console itself, we put it in our Identity provider to use our SaaS Continual Auth, and for the Cloud APIs followed the same strategy as with the databases. We limited the IP range to our Access Tier.

This approach allowed us to comprehensively provide secure remote access to our entire production environment. However, there is an interesting nuance. If we are using our own production environment to limit access to our production environment, what happens if our production environment encounters a true disaster? If it’s not available, we would not be able to get into our production services to fix our production services!

The answer here is not super clever: we just created a second production cluster to protect the first. We use this cluster for non-customer activity but still treat it with production standards. During our compliance audit, we all had a good chuckle about this irony.

Moving on to the audit process itself, there were some key bits of evidence that we relied on the Banyan platform for:

  1. List of corporate assets (hosts & devices) – Instead of using an MDM, we provided the list of hosts and devices, both mobile and desktop, from Banyan.
  2. Ensure EDR – The compliance standard calls it AntiVirus, but nobody in the industry says that; instead it goes by Endpoint Detection and Response (EDR). We demonstrated for the auditor that access was not granted to a sensitive resource unless both EDR was installed AND no critical issues were on the endpoint. The auditor loved this capability; they hadn’t seen it before.
  3. List of access activity – We provided the auditor a list of access-granted events for each time an end user attempted to consume a sensitive resource. Again, the auditor greatly appreciated this visibility as they hadn’t seen this independently collected outside of a SIEM, and even then the SIEM list was often obtuse and hard to understand. Also, being able to show access events to a specific service broken out by personal and corporate devices was a big plus.
  4. Evidence of least privilege access – Auditors want to see evidence that only certain employees are allowed to access sensitive data. We not only showed this via our policies in the administrative console, but gave them a full view of a least privileged access model for all services, employees, and contractors.
  5. Evidence that 3rd party contractors could not access sensitive data – Finally, we were able to show via policies that our 3rd party contractors are all beholden to Banyan policies, with no shadow IT set up for them to work around our standards.

As I mentioned at the beginning, I enjoy the audit and compliance process. Am I nutzo? Perhaps. But using our own product and pushing the limits of the norms of our auditors? That was fun. Heartily enjoyed by all involved.
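As an added illustration (not Banyan's code or API), the sketch below models the access rule and audit evidence described in the list above: access requires membership of the privileged group, EDR installed and no critical endpoint issues, and decisions are summarised per service and device ownership. All user, device and service names are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: group, user, device and service names are hypothetical.
PRIVILEGED_GROUP = {"alice", "bob"}  # stands in for the identity-provider group

@dataclass(frozen=True)
class Device:
    serial: str
    ownership: str          # "corporate" or "personal"
    edr_installed: bool
    critical_issues: int    # open critical findings reported for the endpoint

@dataclass(frozen=True)
class Attempt:
    user: str
    device: Device
    service: str

def decide(attempt):
    """Return (granted, reason). Every condition must hold; default is deny."""
    if attempt.user not in PRIVILEGED_GROUP:
        return False, "user not in privileged group"
    if not attempt.device.edr_installed:
        return False, "EDR not installed"
    if attempt.device.critical_issues > 0:
        return False, "critical issues on endpoint"
    return True, "granted"

def audit_evidence(attempts):
    """Build auditor evidence: the decision log, grants per
    (service, device ownership), and the inventory of devices seen."""
    log = [(a.user, a.device.serial, a.service, *decide(a)) for a in attempts]
    grants = Counter((a.service, a.device.ownership)
                     for a in attempts if decide(a)[0])
    inventory = sorted({(a.device.serial, a.device.ownership) for a in attempts})
    return log, grants, inventory

LAPTOP = Device("C-001", "corporate", True, 0)
PHONE = Device("P-017", "personal", True, 0)
STALE = Device("P-022", "personal", True, 2)     # EDR present, critical findings
NO_EDR = Device("C-009", "corporate", False, 0)

ATTEMPTS = [
    Attempt("alice", LAPTOP, "database"),
    Attempt("alice", PHONE, "database"),
    Attempt("bob", STALE, "kubernetes"),
    Attempt("bob", NO_EDR, "ssh"),
    Attempt("carol", LAPTOP, "database"),         # user outside the group
]
```

Personal devices appear in the inventory and the grant breakdown without any MDM enrollment, because the record comes from access attempts rather than from a device-management agent.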

 

End Part I

Letter from the CEO
https://www.banyansecurity.io/blog/letter-from-the-ceo/
Wed, 08 Jul 2020 01:08:23 +0000


The recent disturbing incidents of racial injustice and the subsequent demonstrations for change have prompted us at Banyan to take stock of our role as a startup company, the values we live by and what we’re doing about them. We’d like to live in a society where the color of your skin doesn’t matter, where everyone is treated fairly, where people can express themselves freely, and where everyone is given a fair shot to thrive.

We founded Banyan with a goal of creating such an environment where people and ideas could thrive. We started that journey by thinking deeply about what our core values are — including respect, integrity, and openness — to be sure we had our own north star and the people we brought into our community could be assured and confident that we would do everything we can to live up to our best intentions. We believe that is the best way to build a successful company to have a positive impact on society.

As we reflected on the events that recently sparked so much passion and activism, we realized that there are some things we can do today, even as a small company, that can have a positive impact on our community and beyond. We reconsidered our company’s business practices, processes, and interactions that make up the work environment and are taking some initial steps:

  • We’re kicking off an intern program to proactively recruit from schools not traditionally sought out by Silicon Valley startups and train them for success.
  • In order to ensure that our hiring and promotion decisions are consistent with our values, we’re undertaking specific training in these areas to do our best to eliminate bias.
  • We’re also granting our employees time to participate in the causes and organizations important to them. And, we’re enabling our systems to make it easier for them to donate and support these organizations financially.

In the words of Gandhi, “Be the change that you wish to see in the world.”

We see Banyan as a place where any qualified individual, regardless of race, religion, origin or gender identity, can build a career and thrive. We think this is how we can be the change we want to see in the world. We will continue to strive to foster a culture that makes us feel proud to be part of Banyan.

Jayanth, Co-founder and CEO
