Carlos Martinez is the Director of Solutions Architecture at Banyan Security, a Zero Trust Network Access (ZTNA) vendor. In this role, he helps customers deploy the solution in their environment and works with clients on their strategic initiatives.
Prior to joining Banyan, Martinez was a security practitioner. He was a key part of Zero Trust initiatives at two major enterprises – Adobe, where he helped deploy Banyan Security’s solution across their workforce, and at Cisco, where he was one of the lead architects to help deploy Zero Trust across their workforce.
John Dasher is the VP of Product Marketing at Banyan Security. He has over twenty years of experience in security engineering, product management, and product marketing.
Expert Insights recently interviewed both Martinez and Dasher to find out how organizations can implement Zero Trust security for their users, the importance of securing device identities as well as user identities, and what security teams should be looking for in a Zero Trust Network Access solution.
Zero Trust is one of the hottest topics in the security industry at the moment, but we hear from a lot of organizations who aren’t sure what Zero Trust should really mean for them. How do you both define the concept of Zero Trust, and how important is it for organizations, beyond the buzzword?
CM: It’s funny, if you ask ten people what Zero Trust means to them, you’ll get 10 different responses! But for me, I always like to start with the fundamental assertions of Zero Trust. And it all starts with you assuming the network is hostile. You assume that threats exist across the network, externally and internally. And that the traditional method of perimeter-based security is really not sufficient for determining that trust.
That leads you to some of the principles of Zero Trust, which really come down to making sure that all of that communication is inspected and secured, regardless of network location. So, the whole notion of inherent trust just moves away; you’re making sure that access to corporate applications and resources is granted on a per-session basis.
And from a Zero Trust perspective, you are continuously verifying as a user accesses “Resource A”, “Resource B,” etc.
And then the last piece is about making sure that access is determined by contextual-based policies. So, applying this notion of least privileged access, and enforcing that based on roles, based on where you are located, based on the device being used.
It’s about being able to understand and have those granular policies based on the type of data, and the type of application. So, is the data sensitive? Are you part of a role that should access a specific database or Kubernetes cluster?
That contextual-based approach is key for the whole Zero Trust methodology.
JD: As the guy who is often responsible for trying to figure out how to help people understand what we do and how we add value, I’m just as dismayed with the muddiness of the term “Zero Trust” as everyone else. And it seems like vendors continue not only to muddy that term, but to invent new derivative terms from it.
And so, we try hard to simplify it. I think Carlos’ view is a great way to look at the assertions, look at some of the key characteristics that come with Zero Trust and recognize that it’s not one and done. It’s not: “If I buy this product, I’ll be Zero Trust ready tomorrow!”
Certainly, a product or a solution can help you to realize your strategy, but it is very much a journey, and it involves not just a product but the processes through which you run your business.
Zero Trust Network Access (ZTNA) is perhaps the biggest category of product spinning out of the Zero Trust space, and we’re seeing that become a highly competitive market. Where does Banyan Security position itself in the ZTNA space, and what are your USPs?
CM: Banyan Security offers an industry-leading ZTNA solution that provides not only secure but also seamless access to corporate resources and infrastructure from anywhere.
The key use case that our customers are looking towards is modernizing or even replacing their existing legacy VPNs to provide pinpoint access to resources in a seamless, secure method.
Another key use case is to provide access to different types of workers, be it employees, contractors, etc., without having to go through these old IP-based or network-based controls, which, as we all know, can lead to over-provisioning or just allowing folks overly broad access.
What we offer, as a ZTNA solution, is the ability to say: “Hey, if you need to allow access to infrastructure, we’re going to just allow them access to that.” Not to a specific subnet or network.
And then the last piece is that app component where users are empowered to actually improve their own device posture, their security posture. It’s easy as an administrator—and I’ve been there—to just restrict access. But involving the user and having them do the right thing is simply the most powerful thing in this whole user-centric approach to security.
JD: There’s a subtlety that often gets lost here around trust, because that word also gets thrown around a lot. As Carlos pointed out, the security posture of the device that a user is attempting to use is important. And that’s what people just immediately gravitate toward.
But there’s another half of device trust, which is device identity. We talk about how important user identity is, and it’s absolutely a cornerstone of a well-functioning system. But the device identity is equally important.
Because if you’re also enforcing device identity, it means that even if someone steals credentials without physically having the device as part of that, it’s useless. And so that device identity becomes a really powerful force in the system.
Who are Banyan Security’s typical customers for these secure access and device identity solutions?
CM: Banyan has customers ranging from smaller start-ups to Fortune 50 large enterprises. That said, our focus right now is midsize enterprises ranging from about 200 to 5,000 employees in size.
And are those challenges around securing user and device identities fairly consistent across organization sizes, or do you see more specific trends?
CM: There are some consistencies around dealing with a diverse workforce. It could be that they’re looking to take control over how vendors access certain resources.
They’re typically coming from vendor-owned assets, so, how do you determine the trustworthiness of that device, as John pointed out earlier? Those are the common challenges.
Some of the larger enterprises are thinking: “Hey, we have this newly acquired company – how do we ensure secure access from day one, without having to deploy costly network infrastructure?” That’s something I’ve dealt with, and we continue to see this with some of the larger customers.
One of the big common issues is around the diversity of devices and operating systems. As I mentioned, there may be some corporate-owned assets, but you may also want to allow users to access resources from their personally owned phones. And so, how do you manage that? How do you provide different sorts of policies for not just different types of devices, but also those resources, etc.? I would say those are some of the commonalities.
The last piece is: How do you deploy this ZTNA solution in a complex infrastructure? I’ve never seen two similar environments. There’s always a hybrid of this or that. One might look at on-premises with data centers, protecting resources there. Another may be a hybrid or multi-cloud infrastructure.
So, how does a solution plug into their existing environments without having to rip and replace or alter the core network infrastructure?
JD: The other thing that often gets overlooked is people often come to this conversation from a perspective of the VPN, which historically was used when your salespeople were out on the road, or someone was choosing to work from home. And obviously, post-pandemic, we have huge percentages of people working from all over the place, whether that’s home or Starbucks.
But that legacy VPN was always strictly remote. When you were on campus, you were gaining access to applications and resources through completely different systems than the VPN. Or, if you were forced to use the VPN, your traffic was being routed out of the building and back in for the purposes of security.
And so, a lot of the earlier ZTNA vendors mimicked the VPN. They said: “This is for remote access.” And we’ve been really careful from day one to aim at what they call “universal ZTNA”, which is making sure that there’s exactly one system that controls access to those applications and resources, regardless of location, whether you’re on campus, on-premises, at home, or Starbucks or whatever.
And what is the security benefit of this approach over the traditional approach of using a VPN?
JD: There are two big benefits. One is simply the administrative overhead; you’re not managing two different systems. Oftentimes, as Carlos mentioned, you want to have your third parties, your contractors, your consultants, to have different access than, say, your full-time employees.
But historically, once people are physically in the building, as contractors often are, they’re on the same network. They jack into an Ethernet port, and boom, they now have access to everything. And doing anything other than that was exceedingly difficult, as it put a lot of overhead on the admins in terms of whether that was segmentation or whitelisting. It was a management burden, creating complexity and fragility in our networking infrastructures.
If you reduce that down to a single system, it means you have one policy to manage and pay attention to, and it works identically no matter where you are. It’s a great user experience because you know what to expect. It always works the same way. And then the management overhead is obviously less if you’re managing one system, not two.
You also end up with richer analytics because now you have a one-stop shop to go and see who’s accessing what, from what device.
How important is that aspect of user experience when it comes to ZTNA, ensuring connections are seamless and provide quick protection?
CM: One of the most rewarding things that came out of implementing ZTNA across two different enterprises was users saying how productive they are when they don’t have to think about whether or not they’re connected to the network.
And this was especially true as the whole work-from-home mandate took place. So, from an end user perspective, they really bought into the productivity gains, the seamless method of access, where you reduce the need for users to provide their credentials. That was always a huge challenge. And as part of Banyan’s ZTNA solution, we’re able to improve that user experience. That’s one area: the productivity gains.
The other is that there’s always been standards and policies that exist in any organization. But as you’re starting to enforce them as part of a Zero Trust initiative, you’re including the user in that conversation. You’re empowering them to do the right thing: “Hey, we know that you need this certain software, or solution installed. It’s not installed, let’s go and install it, or let’s go and update it.” Users are now more keenly aware of that conversation and are doing the right thing.
JD: So often, when we increase the security of almost any system, usability is at the other end of that seesaw. Security gets better, and usability goes down. You made it easy to use? Well, now it’s no longer secure.
A good Zero Trust Network Access solution, honestly, is one of those few things in our security careers where both can get better. We can dramatically improve the level of security, and we can actually make it easier and better for end users at the same time.
It’s not one at the expense of the other. I think a lot of times people don’t realize that that’s a very real possibility.
CM: That’s a good point, John. I’ve been in those meetings with both the CISO and the CIO, who have a different set of priorities. The CIO is going to say, “Wait, the users are going to get an improved experience?” and the CISO is just excited to get that granular enforcement.
You get smiles on both sides, which is very, very unique. This really addresses both user experience and the security gaps.
Finally, what advice would you give to organizations that are perhaps currently using a VPN, or who are considering implementing a Zero Trust Network Access solution—what are the best steps to get started?
CM: In talking to folks as they’re looking to get started in their Zero Trust journey, there are a few reasons why they haven’t quite got that initiative going.
Number one is cost or budget. Another is that they’re afraid of the time that it will take to get to that end state of full device and user trust enforcement. And then the last piece is people just don’t know where to get started, where to introduce some of these principles.
What I like to share all the time is that you start small, gain experience, and expand. And that’s really what it takes. Find a use case; find a scenario where it makes sense to introduce this to your workforce.
The other thing is, there’s no need to go in and rip and replace some of the key components and existing investments you have out there. Any good ZTNA solution will plug into your existing investments, and will work with your other products, like your EDR solution, your SIEM, etc.
And so really, my big thing to folks getting started is to start somewhere. Start small and incrementally expand. Banyan Security offers a lot of the right sort of components to support the transition to a model where you’re providing full Zero Trust enforcement.
JD: I couldn’t agree more with what Carlos said. One of the things people often have apprehension about is that they don’t want to talk to a vendor yet. We recognize all these kinds of forces that go against the tide of people wanting to step into the water, if you will.
So late last year, we actually created a completely free offering. People can come to the website, not pay anything, not have to go through a sales call, and are able to deploy Zero Trust in their environment for a team of up to 20 users. See for yourself!
We’ll help you do it if you need it, but most folks can get started in under 15 minutes. And we found that to be a really powerful tool because, that way, we’re not having them go through meetings and they don’t have to do a proof of concept, but they can see it in their own environment.
And so hopefully, we’re successfully starting to remove some of these barriers, as Carlos said, for people to get into the pool and reduce their risk to both themselves, professionally, and their organization, and make forward progress for whatever their Zero Trust strategy might be.
Find out more about Banyan Security here: https://www.banyansecurity.io