If you’ve been looking for a Security Service Edge (SSE) solution, especially ZTNA or VPN as-a-service, then you’ve most definitely heard the term PoP. Most vendors are quick to emphasize the number of PoPs they offer, and some have started talking about dynamic PoPs. With so many market and customer questions around PoPs, I thought I’d spend some time on the subject.

What is a PoP?

A point-of-presence (PoP) is a point or physical location where two or more networks or communication devices build a connection from one place to the rest of the internet. A PoP primarily refers to a location, facility or access point that connects to and helps other devices establish connections to the internet. Organizations and end users connect to PoPs, whether they know it or not.

It is worth nothing that some vendors specifically refer to PoPs that are in their own data centers rather than what is deployed in a Cloud Service Provider (CSP), such as AWS or Google Cloud. These legacy vendors are spending insane amounts of money to run data centers or rent space in co-locations. Buyer beware: these costs are passed on to customers, and the vendors are not taking advantage of economies of scale, or shared technology.

Dynamic PoPs are becoming more popular as well. A vendor can bundle SaaS software and drop it in various locations, such as customer sites or various CSPs.

Why Does the Choice of PoPs Matter?

In a nutshell, it matters because of the following:

• Performance / Latency – the closer the PoP location, the less time the traffic spends on the open internet. In most cases, a vendor using a CSP will use high-speed back channels to get traffic from location of the world to another.
• Availability / Stability – CSPs are built to support thousands of customers globally, where a vendor will only rely on itself and build for a much smaller set of customers in very specific area around the world.
• Compliance – PoPs and traffic may need to be various location based on local laws. This may be more severe when it comes to certain verticals, like financial and banking. It may also depend on the country, with China, for example, being a very special case.
• Security / Anonymity – shared responsibility models have evolved; in parallel, so have the location and how logs are stored. Vendors can choose to spread the data across various CSPs to limit the attack surface or possibility of a concentrated attack.

How CSPs Deal with PoPs

Some Cloud Service Providers (CSPs) also provide what I’ll call pseudo-PoPs, or lightweight PoPs. These may be seen as content delivery networks (CDNs) for public and private applications.  Amazon’s CloudFront and GCP’s Cloud Premium Tier are examples.

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you’re serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.

Premium Tier delivers Google Cloud traffic over Google’s well-provisioned, low-latency, highly reliable global network. This network consists of an extensive global private fiber network with over 100 points of presence (PoPs) across the globe. By this measure, Google’s network is the largest of any public cloud provider. Google Cloud customers benefit from the global features within global load balancing, another Premium Tier feature. You not only get the management simplicity of a single anycast IPv4 or IPv6 Virtual IP (VIP), but can also expand seamlessly across regions and overflow or fail over to other regions.

The way Banyan’s solution has been architected offers the most portable solution on the market. Our general commercial offering is deployed in GCP and accessible globally using the above-mentioned Premium Tier IPs. Our solution is also available for some of our customers that have their own CSPs (such as Oracle) to quickly and easily deploy the full stack on their own servers. MSSPs may host the solution in their leased colocations. The solution is also elastic, and scales up and scales down as needed. Without needing to worry about limitations due to licensing or the cost of gateways/connectors/access tiers, like other vendors, the solution can realistically be deployed anywhere around the world in as many ways as administrators can imagine. While some vendors force you into their cloud, Banyan gives you the flexibility to be unique and take advantage of what you’ve already designed and built.

Test-drive Banyan for free or schedule a custom demo today.

Welcome to our release highlights blog, where we delve into the exciting world of Banyan Security and uncover the release highlights for the month of June. In this fast-paced digital era, ensuring the utmost security has become paramount. Banyan Security has been at the forefront of providing innovative solutions that safeguard organizations against ever-evolving threats, including security for AI tools. From cutting-edge technologies to insightful developments, this blog will be your guide to the new features in Banyan Security over the past few weeks.

New Features in June

More Connection Options

Mobile Tunnel:

Banyan’s mobile app now allows end users to connect to Service Tunnels in addition to hosted websites.

Learn more on connecting to service tunnels here.

Enhancing Device Trust Factor Options

• New Trust Factor: Enhanced OS Version
  • OS Versions can now be configured by the “Last x version(s)”. This frees admins from having to update the Trust Factor configuration with every new OS version release. Previously, admins had to configure and continually update specific OS version numbers.
• New Trust Factor: CrowdStrike Registered With
  • The Registered With factor validates that the device at hand is registered with the CrowdStrike environment. Registered With is derived from a CrowdStrike API endpoint.

Learn more on trust factors here.

New Features – Customized Branding

• Branding Customization
  • Admins can now use customized branding for any Banyan browser error and success pages with their organization’s own logo and brand colors.

Get the complete details on the May and June 2023 releases here or schedule a custom demo today.

Let’s talk about the darker side of the ChatGPT security story: a recent DarkReading report found that 4% of workers are leaking protected corporate information into AI tools by feeding schematics, statistics, instructions, and other intellectual property into large language learning models (LLMs). ChatGPT security took center stage in April 2023 when Samsung employees leaked intellectual property into ChatGPT (including both confidential product information and meeting notes), leading to its ban by the company on May 2nd, 2023. Such risks are leading more and more organizations (such as Apple) to try to block these sites. As the number of generative AI and LLM tools and companies grows, the problem of ChatGPT security becomes more challenging.

ChatGPT Security is Simpler Than You Think

Of course, these AI systems can facilitate research and development efforts by simulating and generating ideas, designs, and prototypes, expediting innovation cycles. Unfortunately, they also create a wide range of security issues for companies because of the behaviors noted above, in addition to attackers searching LLMs for carelessly shared company data. (Side note: have you opted out of sharing your company and personal data with ChatGPT?)

There is a profound danger in reactive security without strategy, and much opportunity for overcorrection. Some of the solutions for ChatGPT security include blocking access by directing all traffic over a VPN, and then using an outbound security stack to inspect traffic. Eventually, though, employees find new ways to get around some of these blocks, or hunt for other tools that aren’t blocked. And drastic measures like the ones Samsung and Apple have taken leave security gaps of their own. Blocking AI tools completely from your organization isn’t necessary if you have the right security tools.

Discovering AI tools

Discovery is important and a crucial step to combating data exfiltration. Security for AI should be able to detect quickly, then categorize accurately where the data is going. With new AI tools popping up daily, this isn’t always so easy. Banyan’s solution looks at all DNS transactions and its real-time categorization engine assesses a range of information. Our security for AI also inspects traffic for sensitive data, such as PII, PHI, Secrets and Keys, PCI, using a modern cloud-based Data Loss Prevention (DLP) engine. As you can see below, the administrator sees where users are going, when, from what device this traffic originates, as well as what type of data is being sent:

It is worth noting that our solution is always-on, so end users will benefit from the protection without having to do anything. Administrators also gain visibility without needing to configure anything extra, or have their users do the same. As soon as the first user visits the first website, the administrator gets actionable insights. These are presented as applications and categories: much easier to use and create policies for those rather than just configuring policies around domains.

A single SaaS application can have hundreds or thousands of domains, so being able to quickly find a SaaS application (and how it’s been used) is the first step to creating a comprehensive policy:

Once you’ve Discovered Resources, you have options on what to do next. The most restrictive option: to completely block these types of sites (along with new domains and proxies) that may be used to circumvent blocks. Less restrictive options including proxying or tunneling the traffic to be able to further inspect or enable URL filtering.

As you can see, the end user is made aware of why access was denied, and is not being blackholed, which may lead to a call to IT’s Helpdesk and degraded productivity:

The administrator also has the option to apply a Data Loss Prevention (DLP) policy. The policies may include blocking downloads or restricting sensitive data uploads, as shown here:

Sensitive data inspection is based on known patterns across multiple regions and countries:

In this example, a user tries uploading a social security number to ChatGPT. All other non-sensitive information interactions with ChatGPT, and other AI tools, are allowed:

The end user is notified that the specific action is not allowed, and the interaction is blocked.

Banyan ChatGPT Security

Generative AI introduces new cybersecurity threats by enabling the creation of highly sophisticated and realistic phishing attacks, capable of tricking even the most vigilant users. Additionally, malicious actors can leverage generative AI to automate the creation of advanced malware, making it harder for traditional security solutions to detect and mitigate these evolving threats. Employees are also leaking valuable corporate intellectual property in the hopes of getting work done quickly and easily. Effective security for AI must effectively address all of these facets.

In closing, focus on solutions that give the ability to block access to generative AI sites and tools effectively. By leveraging advanced web filtering capabilities and DLP inspection, SWGs like the Banyan SWG can detect and prevent users from accessing websites or tools specifically designed for generative AI. These solutions analyze and categorize web content based on predefined policies, allowing administrators to create rules that identify, then block sites related to generative AI. SWGs employ a combination of URL filtering, content inspection, and machine learning algorithms to accurately identify and categorize websites and tools associated with generative AI.

By blocking access to these resources, organizations can mitigate potential risks and prevent unauthorized or inappropriate use of generative AI technologies within their networks. SWGs provide a robust defense against potential security threats, ensuring that employees are unable to access generative AI sites or tools that may compromise data integrity, violate privacy regulations, or infringe upon intellectual property rights. In summary, SWGs offer an effective solution to block access to generative AI sites and tools, helping organizations maintain control and security over their network environments.

Learn more about ChatGPT security through Banyan SSE by scheduling a custom demo today.

The way we work has changed dramatically over the past few years. Gone are the days when we all worked in a centralized office, using only company-owned devices to access company applications and data. Today’s workforce is distributed, and people use a variety of devices to access work resources, from laptops and smartphones to tablets and personal computers. 

Those devices increase our risk exponentially. Consider how many devices you have in your own home that are connected to the internet. Multiply that by the number of employees your organization has, and then multiply that number by the number of accounts each device and employee has and you can begin to fathom how big the risk and the problem are.

Traditional security models that rely on firewalls, VPNs, and perimeter security are no longer effective. Instead, organizations must move to a new approach that can secure their data and applications regardless of where they are accessed from. The two dominant approaches are SASE (Secure Access Service Edge) and Zero Trust.

Device Trust Anchors SASE, SSE, and Zero Trust

Device trust anchors SASE, SSE, and Zero Trust; in order to explore how that happens, let’s see first how they are interrelated. SASE is an emerging network architecture that combines network security functions, such as firewall and web filtering, with wide-area networking technologies like SD-WAN. The goal of SASE is to provide a single, cloud-delivered platform that delivers secure access to corporate applications and data to anyone, anywhere, on any device. SASE is the evolution and application of security technologies into the Google “cafe everywhere” style of security architecture.

SSE (the Security Service Edge) can be considered a subset of the SASE framework, with its architecture squarely focused on security services. Delivered from a unified cloud-centric platform, Banyan SSE frees teams from the challenges of traditional, perimeter-focused network security.

Zero Trust, on the other hand, is a security model that assumes that all access attempts (from everything) are malicious until proven otherwise. Devices, humans, accounts, files, accesses, truly everything is untrusted until proven otherwise, and all connections are session-reliant. Instead of centering on a perimeter-based approach to security, Zero Trust requires organizations to verify the identity of users and devices before granting access to any resource.

Device Trust Rules Them All

SASE, SSE and Zero Trust pivot on device trust as a key component of their security strategy. There are three main reasons today’s security solutions point back to device trust:

1. Devices are the primary access point for users

In today’s world, users access work resources from a variety of devices. These devices are the primary entry point into the corporate network and contain sensitive data. As a result, it’s essential to ensure that these devices are trustworthy and secure. Those many access points and their associated connections are each an additional avenue of compromise that must be secured at every session that is initiated.

Device trust ensures that only authorized devices can access the corporate network. It enables organizations to verify that devices meet minimum security standards before granting access to any resource. Not having this capability also invalidates a corporate security compliance program as without managing those remote devices there is no level of corporate assurance and accountability.

2. Devices are vulnerable to attack

Devices are a prime target for cybercriminals. Attackers can compromise devices through phishing, malware, or other tactics, allowing them to gain access to sensitive data. Once they have access to a device, attackers can move laterally across the network, accessing additional resources. Devices are also connected to those remote networks that our employees work from at home and abroad. As we do not necessarily have the ability to manage those networks; all of the devices and those networks must be treated as compromised.

Device trust helps prevent these attacks by requiring devices to meet minimum security standards before granting access. It also enables organizations to monitor devices for suspicious activity, helping to detect and prevent attacks. Additionally, by applying security controls outbound and as far reaching as possible allows for additional security control and remediation of potential risks and threats.

3. Devices can be lost or stolen

Devices can be lost or stolen, potentially exposing sensitive data to unauthorized access. Device trust policies can help prevent this by allowing organizations to remotely wipe data from lost or stolen devices.

In conclusion, device trust is a critical component of both SASE and Zero Trust security models. It helps ensure that only authorized devices can access corporate resources, that devices meet minimum security standards, and that lost or stolen devices can be remotely wiped. By relying on security centered around device trust, organizations can enhance their security posture and reduce the risk of data breaches.

Device trust has come a long way, and is evolving even faster, stimulated by integrations and vendors that are developing device-centric solutions. But it wasn’t always this way… in the early networking days, a device that didn’t have a user (for example, a printer) would be put on a segmented network that wasn’t even secured. Anyone could unplug the printer, connect their computer, and get access to the network.

A brief history of device trust

This quickly became the weakest link in the network, so functionality like Network Access Control (NAC) and protocols like 802.1x were introduced. MAC authentication (what Cisco calls “mac auth bypass”) used a MAC address as username and password. Sadly, companies that had thousands of phones, printers, and other devices would have to manually enter each device. This was not ideal and took forever, often resulting in incorrect entries. This was followed by automated profiling based on mac address OUI (organizationally unique identifier). OUIs would identify the device to allow them to be automatically added to specific VLANs.

To quickly check out how OUI works, you can get the MAC address of the physical or Wi-Fi network interface and then check it against WireShark’s OUI lookup tool. Here’s an example of the (partial) MAC address of my MacBook:

Next on the scene: Internet of Things (IoT) and management server integration came along, and were useful to get extensive information on devices trying to connect to local networks, usually in manufacturing environments. As systems became more proprietary and didn’t support basic networking, they had management systems offering APIs or integration with systems that use standard protocols like RADIUS.

Both IoT and NAC protocols are helpful when dealing with on-premises and mostly fixed devices. So, what can be done for mobile and portable devices coming in from anywhere in the world?

So what is mobile device trust for?

Mobile device trust isn’t just for mobile devices like cellphones or tablets, but also for laptops. A solution should tie into mobile device management (MDM) and unified endpoint management (UEM) solutions that can be used to configure devices with zero-touch from the end user, as well as collect important device information that’s needed for certain types of compliance: how the device is configured, what applications are loaded on it, or location, for example.

Device identity is integral when creating a device trust policy. Device trust policies can be based on ownership type, such as corporate or customer-owned (in the case of BYOD). These policies can also be based on type (such as Apple or Android) or screen size, which may make connection types like RDP easier to use.

Device posture is just as important as identity. Device posture checks ensure that the device is in a state that the organization requires. This may include having the proper configuration, settings, and applications running. Device posture can also tie into endpoint detection and response (EDR) software for deeper inspection of traffic and applications which may detect malware and other unwanted software.

A word about UEBA

Knowing about the user on the device, the device itself, and the health state of the device is great, but a good user on a good device may still present a problem. That’s where User and Entity Behavior Analytics (UEBA) comes into the picture. Let’s take the example of discovering a company’s “business hours.” Most organizations may say business hours are Monday to Friday from 9am to 6pm, however, these business hours may not apply to software developers or devops folks that are working atypical hours pushing updates. The UEBA engine should create baselines for each user, and policies can be created to react when behavior is outside of the threshold of the learned behavior.

Having outdated device trust information is useless. Unlike other vendors that have lightweight device info, Banyan’s Device Trust is always-on; the effective changes to authorization based on device trust are real-time, happening almost instantly, resulting in the safest possible device-to-resource communication.

To learn more about how Banyan’s real-time Device Trust can help your organization deflect breaches, schedule a demo today.

Oh, network-centered security. What a brilliant idea. Let’s put all our faith in the network and forget about those pesky little devices that connect to it. Who needs to worry about laptops, tablets, and smartphones, anyway? They’re just small, insignificant pieces of technology that have absolutely no bearing on our security. Device-centricity? Maybe it’s a fad.

Let’s face it, the network is the most important thing when it comes to security. Who cares if your employees are connecting from home, the office, a coffee shop, or an airport? As long as the network is secure, everything is fine. After all, hackers would never be interested in attacking individual devices, would they?

But wait, what if one of those devices is compromised? What if someone steals an employee’s laptop or gains access to their smartphone? Oh, I know, let’s just blame the network for that too. It’s clearly the network’s fault for not being secure enough to protect those devices. So what if the devices themselves have security features like posture verification and user verification? We can just ignore those and focus solely on the network.

And let’s not forget about the joys of network-centered security when it comes to mobile devices. Why bother securing those pesky little things when we can just assume that the network will take care of everything? Who cares if an employee loses their phone or accidentally connects to an unsecured Wi-Fi network? It’s not like those devices contain sensitive information or anything. Device trust – what’s that?

Clearly, device-centric security is just a waste of time. We should all be focusing on the network and ignoring those silly little devices that connect to it. I mean, who needs a holistic approach to security when we can just blame the network for everything? It’s so much simpler that way.

Oh, and let’s not forget about the joys of intelligent routing. Because clearly, the network is capable of determining which devices are secure and which ones aren’t. Why bother with individual device security when we can just rely on the network to make all the decisions for us? It’s not like the network has ever made a mistake before, right?

In conclusion, device-centric security is a complete waste of time. Let’s just focus on the network and ignore all those insignificant little devices that connect to it. After all, what could possibly go wrong?

The idea of customer self-service has been around since 1833 when Percival Everett’s first self-service vending machines appeared in London, selling postcards. But when it comes to IT, many organizations find self-service daunting (though they agree it can be a path to increasing productivity and profits while reducing costs). Self-service, at its best, allows users to access resources and find solutions on their own without requiring time-consuming and costly assistance.

Here’s what your IT department looks like without it: the lack or minimal use of self-service means IT pays for tools and a helpdesk to address each task. Let’s take the example of getting a new employee hired and making the laptop ready for that corporate user. IT will have to receive a new system, image it with the correct software, and then ship it to a remote employee. The IT helpdesk is simultaneously getting many calls and service-related emails from everyone else in the company. To get a good idea of how much this is costing the organization, multiply your average cost-per-call by the total number of calls each month to get your direct monthly costs for end-user issues.

Now, imagine if you can reduce that number by 25%.

Organizations pay when they lose productivity. Let’s look at a conservative example: say the lack of self-service results in 1% less productivity for a $1M business. That’s $10K a year for a smaller business – and we can help you calculate your ROI for your own company.

Imagine what this means for billion-dollar global enterprises with 100K+ employees.

How Banyan Security simplifies self-service security

Take a look at how Banyan Security helps with self-service from day 1 of a new hire to when the employee is productively working day-to-day:

• Integration with MDM/UEM to deploy client: using Zero Touch Deployments means being able to get a new computer directly from a vendor like Apple and getting the client software installed quickly.
• Configuring Banyan to trust device certificates managed by your organization’s Device Manager: many organizations deploy device certificates to all managed devices using an enterprise Certificate Authority (CA), such as Symantec. You can configure Banyan to trust Device Certificates issued by your enterprise CA and distributed by your organization’s Device Manager.
• Global app availability via http://getbanyan.app/ or mobile app stores: many employees start off installing the Banyan app on their desktop and then add it to mobile as the need arises (available from Google Play and Apple App Store).
• Configuring continuous device posture assessment to ensure the device is running the other software that is needed. Continuous authorization via the Banyan solution ensures, for example, that the personal firewall is enabled, auto-updates for the operating system are turned on, and many other system-level capabilities are enabled and running smoothly.
• Enable remediation when the device goes out of compliance: go a step further to provide custom instructions letting your end users know exactly what to do when they experience an issue. Often, this guidance points to software that needs to be installed along with detailed, step-by-step instructions to walk through installation and configuration of software.
• Automated client log uploads to help troubleshooting issues: the end user may run a Health Check using the built-in Diagnostic Tools, or an admin can go into the Banyan Cloud Command Center (Admin Portal) and retrieve logs from the end user system.
• Configure service catalogs and service bundles: when a user logs into the Banyan app, Banyan lists all resources and applications for which the user is authorized. The user will never have to ask or guess, and they can add the ones they use most often to Favorites to make sure they are easily accessible from the Banyan app.

To make self-service easier for the administrators, Banyan’s Everboarding capability allows an admin to start many of the onboarding workflows that they may have initially used when configuring Banyan. This allows quick configuration of some of the more frequently used features.

Test-driving our product for free is one of the easiest ways to try our self-service capabilities for your own organization and see how it can reduce the cost of your IT overhead.

In Banyan Security’s October release, we announced a new Granular Trust Scoring feature, called Trust Effect. Trust Effect brings transparency to Banyan’s trust scoring process. This new feature also offers admins control over the relative impact of each Trust Factor on a device’s security posture.

The Love/Hate Relationship to Device Trust Scores

In the past, we took a conservative approach to access control, allowing admins to enable or disable Trust Factors, while we determined how much weight each Trust Factor had in the Trust Scoring process. Customers offered us two key pieces of feedback:

1. I love the simplicity of enabling Trust Scoring with Banyan.
2. I dislike that I’m unable to relatively weigh Trust Factors. Some are more important than others, and I need a way to determine this.

So, we pivoted and made an adjustable trust scoring process: In our new model, admins now determine the weight of Trust Factors.

Introducing: Trust Effect

The Trust Effect feature allows admins to determine how important each Trust Factor is within their environment. The Effect determines which Trust Level (High, Medium, Low, or Always Deny) a device receives if the device does not meet the Trust Factor requirements. For example, if an admin sets the Effect to Low on the Firewall Trust Factor, and the device doesn’t have its Firewall enabled, then the device’s Trust Level will drop to Low. The Trust Level is then used as a criterion for security policies, applied to Banyan-protected services.

Moving away from a numerical trust score simplified the process. Now, the conversation flows simply, as such: “Is Auto Update critical to us?” If the answer is “yes,” set the Trust Effect to Low TL (Trust Level). If the answer is “it’s a little less important,” set it to Medium TL.

There are, of course, situations in which admins would want to evaluate a new Factor without impacting their users’ access. That’s why we created a No Effect setting, which calculates the device’s security posture against the Factor, without influencing the device’s Trust Level.

Standardizing with Trust Levels

In moving away from a numerical score and toward Trust Levels, we also hoped to help standardize trust scoring. Ideally, this should reduce misalignment between admins when configuring policies and it should standardize the end user experience in the Banyan app.

Finding the Sweet Spot of Control

In conversations with our design partners and our customers, we found that the addition of Trust Effect and the standardization of scoring via Trust Levels offered just the right approach to measuring device trust.

Try it out for yourself, and sign up for Banyan’s free Team Edition.

Additional Information

For more information about Banyan’s approach to trust scoring please check out the following resources:

• Trust Score Overview
• Trust Effect
• Trust Calculation

Thank You!

Huge thank you to all the engineers, designers, and many others that we partnered with to bring this feature into fruition.

Let’s look at some of the leading vendors of well-known legacy VPN products and compare them to Banyan Security’s Zero Trust Network Access (ZTNA) solution featuring Service Tunnel.

Limits of legacy VPN deployments

Physical appliances have numerous limits. You need to order them and wait for them to arrive (and sometimes make it through Customs), before you unbox, rack, wire, power-on, and provide cooling.

Also, have a single appliance means that both the control and data planes are on the same box. If either fails, there is no access.

Banyan’s ZTNA is cloud native using scalable, highly-available microservices. The Controller is in the cloud and completely independent of the data plane. You’ll have always-available, anywhere access with minimal fuss.

Deploying Active/Passive clusters are expensive. You buy hardware and licenses that are rarely used, if ever.

Banyan’s ZTNA model never charges for gateways or connectors. To get the performance, scale, and best experience possible, Banyan’s ZTNA auto scales as needed to ensure global availability. Deploy connectors to your disaster recovery (DR) sites if you’re deploying software there, all at no additional cost and little configuration changes. You can also automate these deployments using Terraform.

No need to touch the edge

VPNs require inbound and outbound access meaning you’ll need to log in to your edge firewall (FW) and open many ports. Not only does this take time, but each port that’s opened means the attach surface increases.

Banyan’s ZTNA connector does not require any inbound ports to be opened since it only makes outbound connections over standard, secure ports. Add as many ZTNA connectors in your data center or in your cloud provider as needed without ever having to log into your FW.

VPNs require external IP addresses on your DMZ which means logging in to your edge firewall (FW). Not only does this take time, but each external IP address may cost you money.

Banyan’s ZTNA connector does not require a static external IP address. Adding additional ZTNA connectors is possible without consuming a valuable external IP address.

VPNs require certificates which are tied to static hostnames. This means paying for SSL certificates and needing to update DNS records each time you add a single VPN appliance.

Banyan’s ZTNA solution is cloud-based so we automatically take care of DNS and certificates for all aspects of the solution. ZTNA connectors can be spun up without ever having to worry about buying a certificate or adding/updating DNS records.

Decision-less access

Your end user needs to know a lot about your architecture and where backend resources live. They must make the decision on where and how they must connect before they do their actual work.

Banyan ZTNA makes it very simple. End users log in to the Banyan app and are magically connected to all their authorized resources whether you have one office or hundreds of locations, physically or in the cloud. No more decisions, just productivity.

Tunnels made easy

Banyan Security’s vision is to help organizations migrate from inefficient, legacy VPNs and to do so introduced the Service Tunnel (ST) capability. The Service Tunnel isn’t for all members of the organizations. An organization that’s deploying using Zero Trust principles should deploy in the most secure, least privilege access method possible. For super users, and those with special requirements, a Service Tunnel can be the appropriate answer. The Service Tunnel is a tunneled, layer 4 connection to a single server and a specific port. A sample use case for this is when trying to local map a drive to a remote file server. The Service Tunnel can also be used when backhauling traffic that’s intended for a source-IP-validated SaaS application.

Service Tunnel configuration is simple and there a workflow (or wizard) that makes this possible:

The policy to allow the use of a Service Tunnel is also simple to configure. The authorization policy can be based on specific users, groups, devices, and/or a combination of these parameters.

The access policy can be to a specific IP and port, or it can be expanded to subnets, ports, and various protocols:

A single service tunnel can be used to connect to resources sitting behind multiple (or all) of your Banyan Connectors.

For the end user, the only decision that needs to be made is whether to access Banyan or not. Your end user doesn’t need to know where VPN appliances are deployed, or what backend resource is available through which VPN appliance. Simply log in to Banyan and be productive.

Next steps

1. Learn more about legacy VPN replacement
2. Sign up for Team Edition and quickly deploy a Service Tunnel
3. Learn more about getting started with Banyan’s Free Team Edition

We’ve made some enhancements to our self-service offering and we’re convinced that intent-based onboarding will be a leading conduit to the successful first time user experience. This post is to share more about what we did, why, and some lessons learned along the way!

Great onboarding flows orient around outcomes

A key goal at Banyan is to guide organizations on their journey toward securing a modern, hybrid workforce. “Journey” is the most important word in that statement. In hundreds of conversations with customers and prospects, we’ve seen that organizations ultimately agree on an end state but they are at a variety of stages along the way.

We’ve found that orienting the user around the outcome they want to achieve at the start of onboarding will lead to an optimal experience and higher conversion.

Let’s take the three main personas we encounter evaluating our Zero Trust Networks Access (ZTNA) offering.

Networking teams are looking for a modern VPN solution that accomplishes the following:

• Better performance. And even the ability to own and manage their own points of presence
• Device trust that integrates with their existing security investments and provides continuous evaluation
• Easy to configure policies with a streamlined end user experience

Security and Compliance teams are aiming to reduce reliance on the VPN and accomplish the following:

• Publish granular, least privileged access to private resources such as databases, internal websites, Linux servers, and more
• Establishing different baseline trust profiles for employees, contractors, and vendors
• Add device trust and passwordless to SaaS applications without IP whitelisting

Devops teams are having a field day with the automation capabilities that ZTNA and SSE (Security Service Edge)  vendors provide. They are increasingly looking for:

• Automation via “zero trust as code”
• Strong access policies, audit logging, and monitoring to infrastructure such as SSH servers and Kubernetes clusters

We’ve built a personalized, intent-based onboarding flow to account for the goals these teams have and the early results are promising.

Why we love intent-based onboarding

A benefit of layering on a bottoms up, product-led growth motion is that users are often signing up with a specific problem already in mind. Their intent is to see if your product solves that problem and provides them a stellar experience along the way. Building your onboarding flow to account for this has many benefits.

• It helps personalize the experience. Canva asks users how they will use the tool in order to cater a series of templates for them.
  
• It allows you to quantify the outcomes that are most important to your user base. Based on this data, you can iterate quickly and ensure you are providing enough value to have an active, monetizable user base.
  

More self-service learnings and insights

Effective onboarding is emotional

The beauty and challenge with self-service is instilling joy in signing up for and configuring a product. This is where the lines between consumer products and B2B products start to blur. It’s also a test of which organizations really understand their users and the types of products they love.

I wouldn’t go as far as saying onboarding onto Banyan’s security offering should be equivalent to signing up for TikTok but there are two key learnings thus far:

• Users want to feel progress as they navigate their onboarding. Small wins add up to a larger win or ‘aha’ moment. For example, this could be a dashboard updating in real-time or even providing test connection buttons to successfully show a component is connected.
• Education and context is key. The user must understand the context of the step they are on but also WHY the step is needed to accomplish their broader goal. Investing in this area will result in product stickiness as well as a savvy user base.

Remove dependencies on other teams

Often, setting up a security solution requires talking to multiple groups within an organization. The infrastructure team may need to be involved to set up a server and add firewall rules. The identity team may be required to set up users and groups. If a self-serve offering requires this much interaction, it will strongly impact activation metrics and user sentiment. You want to get users to their ‘aha’ moment as quickly as possible.

At Banyan, we sought out a design that would eliminate many cross-functional dependencies within teams while prioritizing context and user education. When you sign up for the product, we provide local user management and default to our Global Edge deployment model which eliminates the need to open inbound ports or change firewall rules. This is the fastest way to get going with the product and allows a frictionless first time user experience.

The Banyan team in a workshop to design the enhanced onboarding flow!

Every step must build on the next

When we started building a self-service offering, we had many conversations on the most streamlined way to get to the ‘aha’ moment. I suspect this is common with most organizations venturing into self-service. However, we became obsessed with removing dependencies! Can the user see the value without having to set up infrastructure? Do they need to download an app?

The danger in this approach is that you can end up building around friction points and ultimately miss creating any stickiness within the product. Every action a user takes in the product should build towards the outcome they are looking for. Address key friction points head on as the payoff is exponential for not only a self-serve motion but existing customers as well.

Try it out for free!

The product and engineering teams worked hard to get this first phase of intent-based onboarding out the door so we’d love to hear what you think. All you need is a resource you want to provide secure access to and 15 minutes of time. There’s plenty more to come…

Sign up here!