You’re not the only one holding back applause. You’re certainly not the only one wondering, “why would a zero trust company be announcing a VPN-like feature? It’s counterproductive to the goal of zero trust.” And your intuition may be correct: our research suggests that organizations are finding it challenging to justify legacy VPN infrastructure in the modern workforce and are looking to migrate to zero trust architectures.
So why did we build one?
At Banyan, we believe that zero trust is first and foremost a methodology, and only secondarily a product that helps you reach your zero trust goals. This belief echoes throughout the industry, with numerous articles discussing the concept of zero trust rather than a ‘zero trust product’. Even the White House has a hand in the zero trust cookie jar, referring to it as a “model”.
Organizations have welcomed the concept of zero trust, understanding that its actualization is a journey, rather than a turnkey solution that they can just buy and insert into their infrastructure.
However, we often find that an organization’s journey to zero trust is halted before it’s even started, since some common use cases aren’t solved with identity-aware, proxy-based zero trust solutions. These use cases include:
- Protecting access to ephemeral infrastructure
- Access to applications that use multiple, or regularly changing, port numbers
- Securing thick client applications that are not HTTP-based
- Securing tools that rely heavily on network-mounted file shares (e.g., SMB/Windows File Sharing)
When organizations begin their zero trust journey, it often generates more questions than answers, risking delayed progress. Such questions might include:
- How can we wean ourselves off our VPN securely and gradually without running both products in parallel?
- How can we integrate applications that don’t support reverse proxies?
- How does this work with our existing security technology?
- How can we familiarize users with our services, without changing their current processes, to access resources?
Our methodology of layering an identity-aware proxy on top of existing infrastructure (with straightforward policy creation and targeted rollout) lets Banyan answer questions 3 and 4 quickly. As mentioned, identity-aware proxies are not an all-encompassing zero trust solution, so organizations without strong answers to questions 1 and 2 cannot adopt them completely. By introducing Service Tunnel, a modern version of a VPN that incorporates zero trust principles, we are able to help customers on their zero trust journey regardless of their use case.
How Service Tunnel eases VPN migrations
At our core, we’re not trying to compete with traditional VPN providers. We feel that Service Tunnel is a necessary means to an end, like using training wheels when learning to ride a bike. Service Tunnel helps enable zero trust concepts, such as trust scoring, much like training wheels provide the safety of keeping balance.
Banyan assists in your journey to zero trust using a 3-step approach:
- Step 1: Gradual migration of network sessions from your legacy VPN to Service Tunnel, until the legacy VPN can be decommissioned.
- Step 2: Publish trust-based access policies for Service Tunnel in monitoring-only mode (we call it permissive mode). In permissive mode, policy violations are logged but not blocked, which gives you insight into current traffic patterns before anything is enforced.
- Step 3: Enforcement, a natural follow-on to Step 2: switch the same policies to enforcing mode once the monitoring data shows they match real traffic.
After accomplishing Step 3, Service Tunnel enforces least-privileged access and continuous authorization with device trust. Your environment is now prepared to transition to Banyan’s zero trust architecture, while still securing the use cases that services not yet ready or able to apply the model require.
What’s in a name?
We felt that referring to Service Tunnel as a VPN did not properly convey what we’re introducing today. This led us to a name that draws parallels to zero trust access (ZTA) – by focusing on services and drawing attention to the action we’re enabling for end users: tunneling.
Benefits of Service Tunnel over a traditional VPN
Without the baggage of a 20+ year code base that traditional VPN vendors contend with, we are able to deliver other benefits on top of plugging Service Tunnel into our zero trust solution. For the transport, we relied on the open source WireGuard protocol, a next-generation VPN protocol that provides:
- An incredibly lightweight VPN protocol
- Speed, speed, and more speed
- Modern cryptography (WireGuard uses a fixed, modern cipher suite rather than negotiating among legacy algorithms)
- Lower battery consumption than traditional VPN protocols
- Better reliability – especially when roaming
- Ease of deployment, including integrations with Terraform and CloudFormation
These are just the highlights of our decision to adopt WireGuard as the backbone of Service Tunnel. If you don’t want to take our word for it, take a look at some independent reviews, such as this one by Sven at Restore Privacy.
As a zero trust company, we couldn’t introduce a product without interlocking our principles and features into the Service Tunnel. They are as follows:
- Support for continuous authorization with device trust, ensuring connectivity is blocked the moment a device becomes untrustworthy or fails to meet policy;
- Minimal infrastructure, as the Service Tunnel is packaged into our Access Tier;
- A targeted rollout strategy, relying on our robust policy engine in the Command Center (Say goodbye to rip and replace).
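As an added illustration of Steps 2 and 3 above and of the continuous-authorization principle in the list just above, here is a small Python model of a trust-based tunnel policy engine. It is example code written for this page, not Banyan’s implementation; the rule format, the trust levels, the group names, the sample policy and the session model are all assumptions. It shows the same policy running in permissive mode (violations recorded, nothing blocked) and in enforcing mode, and how re-evaluating live flows when a device’s trust level drops tears down the connections that no longer pass.

```python
"""Hypothetical trust-based tunnel policy engine (added example, not Banyan's code).
Models permissive (monitor-only) vs enforcing policy modes and continuous
re-authorization of established flows. All names and the sample policy are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from ipaddress import IPv4Network, ip_address, ip_network


class Mode(Enum):
    PERMISSIVE = "permissive"   # evaluate and record, never block (monitoring phase)
    ENFORCING = "enforcing"     # block anything the policy does not allow


class Trust(Enum):
    """Assumed ordered device trust levels; higher value means more trusted."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass
class Rule:
    name: str
    network: IPv4Network          # destination CIDR this rule covers
    ports: frozenset[int] | None  # None = any port (apps with changing ports)
    groups: frozenset[str]        # user groups permitted by this rule
    min_trust: Trust              # device trust required to use it


@dataclass
class Policy:
    mode: Mode
    rules: list[Rule]


@dataclass
class Flow:
    user: str
    groups: frozenset[str]
    dst_ip: str
    dst_port: int


@dataclass
class Decision:
    allowed: bool
    rule: str | None
    reason: str


@dataclass
class Engine:
    policy: Policy
    audit: list[str] = field(default_factory=list)  # WOULD_DENY records in permissive mode

    def authorize(self, flow: Flow, trust: Trust) -> Decision:
        """Authorize one flow for a device at the given trust level.
        A rule matches on destination, port and group; trust is the final gate."""
        addr = ip_address(flow.dst_ip)
        for rule in self.policy.rules:
            if addr not in rule.network:
                continue
            if rule.ports is not None and flow.dst_port not in rule.ports:
                continue
            if not (rule.groups & flow.groups):
                continue
            if trust.value >= rule.min_trust.value:
                return Decision(True, rule.name, "allowed")
            return self._deny(flow, rule.name,
                              f"device trust {trust.name} below required {rule.min_trust.name}")
        return self._deny(flow, None, "no rule covers this destination for this user")

    def _deny(self, flow: Flow, rule: str | None, why: str) -> Decision:
        if self.policy.mode is Mode.PERMISSIVE:
            # Monitoring phase: record what enforcement would block, then let it through.
            self.audit.append(f"WOULD_DENY user={flow.user} dst={flow.dst_ip}:{flow.dst_port} "
                              f"rule={rule} why={why}")
            return Decision(True, rule, f"permissive: {why}")
        return Decision(False, rule, why)


@dataclass
class Session:
    """Live flows for one device; re-evaluated on every trust update."""
    device_id: str
    trust: Trust
    flows: list[Flow] = field(default_factory=list)

    def open_flow(self, engine: Engine, flow: Flow) -> Decision:
        decision = engine.authorize(flow, self.trust)
        if decision.allowed:
            self.flows.append(flow)
        return decision

    def update_trust(self, engine: Engine, trust: Trust) -> list[Flow]:
        """Continuous authorization: re-run the policy over live flows at the new
        trust level and return the flows to tear down (they no longer pass)."""
        self.trust = trust
        revoked = [f for f in self.flows if not engine.authorize(f, trust).allowed]
        self.flows = [f for f in self.flows if f not in revoked]
        return revoked


# Constructed sample policy (assumed): prod DB needs HIGH trust and the 'dba' group,
# the dev subnet allows any port for 'dev', the SMB share needs MEDIUM trust.
SAMPLE_RULES = [
    Rule("prod-db", ip_network("10.10.0.0/24"), frozenset({5432}), frozenset({"dba"}), Trust.HIGH),
    Rule("dev-subnet", ip_network("10.20.0.0/16"), None, frozenset({"dev"}), Trust.MEDIUM),
    Rule("file-share", ip_network("10.30.0.0/24"), frozenset({445}),
         frozenset({"dev", "dba", "staff"}), Trust.MEDIUM),
]


def demo(mode: Mode) -> tuple[list[str], list[Flow]]:
    """Run one constructed device through the policy in the given mode; return the
    audit records and the flows revoked after its trust drops to LOW."""
    engine = Engine(Policy(mode, SAMPLE_RULES))
    session = Session("laptop-42", Trust.HIGH)
    groups = frozenset({"dba", "staff"})
    session.open_flow(engine, Flow("alice", groups, "10.10.0.5", 5432))  # prod DB: in policy
    session.open_flow(engine, Flow("alice", groups, "10.30.0.9", 445))   # file share: in policy
    session.open_flow(engine, Flow("alice", groups, "10.20.1.1", 8080))  # dev subnet: not 'dev'
    revoked = session.update_trust(engine, Trust.LOW)  # e.g. device fails a posture check
    return engine.audit, revoked


if __name__ == "__main__":
    for mode in Mode:
        audit, revoked = demo(mode)
        print(mode.value, "audit:", audit, "revoked:", [f"{f.dst_ip}:{f.dst_port}" for f in revoked])
```

Running `demo(Mode.PERMISSIVE)` blocks nothing but records four WOULD_DENY lines (the out-of-policy dev-subnet flow, then all three flows once trust drops), which is the traffic picture Step 2 is meant to give you. Running `demo(Mode.ENFORCING)` never opens the dev-subnet flow and revokes the two previously allowed flows the moment the device drops to LOW trust, which is the behaviour Step 3 turns on.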
Where to go from here
Simple, try it out! Service Tunnel is generally available and included in Banyan’s Enterprise Edition. With our targeted rollout, you’ll avoid a complicated and time-consuming rip and replace, making it realistic to rapidly achieve real progress.
Here are some links that cover the finer details of Service Tunnel:
“And the Winner is, by Unanimous Decision…Service Tunnel!”
*** This is a Security Bloggers Network syndicated blog from Banyan Security authored by Andrew McCarter. Read the original post at: https://www.banyansecurity.io/blog/introducing-banyans-service-tunnel/