Implementing BeyondCorp security with AWS Cloud’s Application Load Balancer
Over 60% of enterprises run applications in Amazon Web Services (AWS) for agility and scalability. For apps in AWS that are for internal corporate use only, access is typically managed with traditional VPNs. As Google famously brought to light with its BeyondCorp initiative, VPN security is insufficient for today's cloud, especially as sensitive enterprise workloads and regulated industries migrate there. Instead, every access should be explicitly authenticated, authorized and encrypted. In this article, we show you how to use the Banyan Secure Service Mesh solution together with the built-in authentication feature of the AWS Application Load Balancer (ALB) to replace bulky VPNs with high-security access controls for your internal apps running in AWS.
Traditional VPN to BeyondCorp Security in AWS
A traditional VPN architecture for AWS is depicted below. Security is a big concern with such architectures because of the lack of visibility, control and auditability over the broad network access that VPNs grant. In this diagram, once the perimeter is breached (for example, with stolen VPN credentials or a compromised laptop), an attacker has network-level reach to the company's sensitive Oracle finance app.
Traditional VPN architecture
The Banyan Secure Service Mesh replaces your traditional VPN setup with a BeyondCorp-inspired security model, using the AWS Application Load Balancer as an access proxy. All access to enterprise resources is fully authenticated, fully authorized, and fully encrypted based upon device state and user credentials. Best of all, users get secure, performant, direct connectivity.
Banyan Secure Service Mesh architecture
In this walkthrough, we use the Okta Identity Provider and Airwatch Enterprise Device Manager to ensure only approved users from approved devices access internal apps in AWS. Banyan supports a variety of other Identity Providers, including Active Directory, GitHub and Google. If you don’t currently use an Enterprise Device Manager and need to restrict access to managed devices, Banyan also supports device self-registration workflows.
1) In your Banyan account, configure Banyan's TrustProvider settings to integrate with Okta and Airwatch.
Banyan integrates with the Identity Provider and Enterprise Device Manager to create a meta-inventory that amalgamates and normalizes user and device information.
2) Use the Banyan Dashboard or APIs to register the Service you’re managing access to and add a basic Policy.
You can start with a broad policy that allows all trusted users and devices to have access. Later on, you can restrict access to just the Marketing team or just to CorporateOwned devices.
3) In your AWS console, set up OIDC authentication on your Application Load Balancer with the Banyan configs: the ALB's authenticate-oidc listener action needs the issuer, authorization endpoint, token endpoint and user-info endpoint, plus the client ID and client secret, all of which Banyan provides.
Note that Banyan is a federated Identity Provider; that is, Banyan doesn't manage users, it defers user authentication to your already established Identity Provider (Okta in this example). The ALB only authenticates traffic that passes through it, so restrict the target's security group to the load balancer, and have the app validate the signed identity header (x-amzn-oidc-data) that the ALB forwards rather than trusting any identity header it receives.
4) That’s it! Use the Banyan dashboard for real-time access events and detailed historical usage patterns.
Behind the scenes, Banyan has taken care of the heavy lifting needed to roll out a BeyondCorp-like security model:
- Provision device certificates on all managed devices (via Airwatch)
- Authenticate users with an established Identity Provider (via Okta)
- Verify device identity using mutually-authenticated TLS
- Dynamically infer the level of trust to assign to a device or user
- Issue short-lived tokens to grant access to specific apps and services
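As an added example (not part of the original article, and not Banyan's or AWS's code), the Python below shows what a backend target should do with the identity header the ALB forwards once step 3 is in place: the ALB signs the user's claims into a JWT carried in x-amzn-oidc-data (ES256; among other fields the JWT header carries the key id, the signing ALB's ARN and an expiry, and the public key is served per key id at https://public-keys.auth.elb.<region>.amazonaws.com/<kid>). The ALB ARN, key id, claims and the locally generated key pair are constructed stand-ins, and the small pure-Python P-256 ECDSA exists only so the example runs offline; production code should use a vetted library and fetch the key over HTTPS.

```python
"""Verify the ALB-signed x-amzn-oidc-data JWT on a target behind the load balancer.
Added example, not Banyan's or AWS's code. The JWT header carries kid, signer (the ALB
ARN) and exp; ALB keys are fetched by kid from https://public-keys.auth.elb.<region>.amazonaws.com/<kid>.
The small P-256 ECDSA here only keeps the example offline; use a vetted library in production."""
import base64, hashlib, json, secrets, time

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # NIST P-256 prime
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):
    """Affine point addition on P-256 (a = -3); None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 - 3, 2 * y1) if x1 == x2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add; not constant-time, demo only
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def ecdsa_sign(priv, msg):
    """ES256 over SHA-256(msg) as the raw r||s that JWS uses (nonce k must be random)."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    k = secrets.randbelow(N - 1) + 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def ecdsa_verify(pub, msg, sig):
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(sig) != 64 or not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def _b64d(s):  # ALB tokens carry '=' padding, unusual for JWTs: accept padded or unpadded
    s = s.replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_alb_identity(header_value, expected_signer, key_lookup, now=None):
    """Return the user claims carried in x-amzn-oidc-data, or raise ValueError."""
    now = time.time() if now is None else now
    h64, p64, s64 = header_value.split(".")  # ValueError unless exactly three parts
    hdr = json.loads(_b64d(h64))
    # Every ALB in the region publishes keys at the same endpoint, so a token minted
    # by someone else's ALB would otherwise verify: pin the alg and our ALB's ARN.
    if hdr.get("alg") != "ES256" or hdr.get("signer") != expected_signer:
        raise ValueError("alg or signer mismatch")
    if hdr.get("exp", 0) < now:
        raise ValueError("token expired")
    pub = key_lookup(hdr.get("kid"))  # production: cached HTTPS GET by kid
    if pub is None or not ecdsa_verify(pub, f"{h64}.{p64}".encode(), _b64d(s64)):
        raise ValueError("unknown kid or bad signature")
    return json.loads(_b64d(p64))

def make_alb_token(priv, kid, signer, claims, exp):
    """Stand-in for the ALB: mint a signed x-amzn-oidc-data value (constructed)."""
    hdr = {"alg": "ES256", "kid": kid, "signer": signer, "exp": exp}
    h64, p64 = _b64e(json.dumps(hdr).encode()), _b64e(json.dumps(claims).encode())
    return f"{h64}.{p64}." + _b64e(ecdsa_sign(priv, f"{h64}.{p64}".encode()))

# Constructed demo values: placeholder ALB ARN and a local key pair standing in for the key endpoint.
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/internal-apps/0123456789abcdef"
DEMO_PRIV = secrets.randbelow(N - 1) + 1
KEYS = {"demo-kid": _mul(DEMO_PRIV, G)}

def _rejected(tok, now):
    try:
        return verify_alb_identity(tok, ALB_ARN, KEYS.get, now) is None
    except ValueError:
        return True

def demo(now=None):
    """Accept a genuine token; reject tampered, foreign-signer and expired ones."""
    now = int(time.time()) if now is None else now
    good = make_alb_token(DEMO_PRIV, "demo-kid", ALB_ARN, {"sub": "u1", "email": "alice@example.com"}, now + 120)
    h64, _, s64 = good.split(".")
    forged = _b64e(b'{"email": "mallory@example.com"}')  # genuine signature, swapped claims
    return {
        "email": verify_alb_identity(good, ALB_ARN, KEYS.get, now)["email"],
        "tampered_rejected": _rejected(f"{h64}.{forged}.{s64}", now),
        "foreign_rejected": _rejected(make_alb_token(DEMO_PRIV, "demo-kid", ALB_ARN + "-other", {"email": "x"}, now + 120), now),
        "expired_rejected": _rejected(make_alb_token(DEMO_PRIV, "demo-kid", ALB_ARN, {"email": "x"}, now - 1), now),
    }
```

Running `demo()` returns the accepted user's email alongside three rejections. The signer check is the one most often skipped: the key endpoint is regional and shared, so verifying the signature alone only proves that some ALB in the region minted the token, not yours.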
In just a few easy steps, you can restrict access to a sensitive internal app to only trusted users and trusted devices. With Banyan, IT teams don't need to maintain expensive network appliances and users don't have to deal with slow connections caused by multiple hops. Banyan's Secure Service Mesh leverages native AWS ALB functionality to deliver transparent access control that is more secure and simpler to manage than incumbent VPN solutions.
How is Banyan different than Single Sign-On (SSO)? How is it related to an application’s native authentication mechanism?
Banyan replaces VPN network security appliances with a security layer that can be deployed across all apps and services. It is completely independent of how a user authenticates with the application, be it via Single Sign-On or the app’s native authentication.
Unlike SSO, Banyan requires no changes to application code and is designed to be managed by IT and Security teams. Apps do not need to be exposed to the internet and access can be restricted to specific approved devices. Banyan also provides first-class support for non-HTTP non-web protocols such as SSH and Kafka.
Some organizations do use Banyan to enable a single sign-on flow for corporate applications that can't be changed to support SSO. In these cases, the user still has to perform an additional authentication step with the application itself.
Can this security architecture be used to enable Zero Trust security anywhere in my cloud environments?
Yes, since Banyan delivers secure access for user-to-service communications as well as service-to-service communications, it can enable Zero Trust access controls anywhere in your cloud environment. Best of all, since Banyan inserts service mesh capabilities transparently into existing environments and supports multiple data planes, you need to make zero changes to your applications or network. Banyan’s approach to the service mesh is geared towards making cloud access controls simple AND secure for organizations of any scale and sophistication.
Extending the solution
IT and Security admins can easily extend this Service Mesh architecture for additional security and to other types of services.
- Update policies for a given app to enforce tighter access controls; for example, you could specify that only Finance users from CorporateOwned devices can access the Oracle finance app.
- Achieve reporting requirements for compliance; use Banyan's detailed logging of every single access to audit usage patterns and identify security gaps.
- Manage authorization policies for backend microservices; roll out granular policies for microservices-based applications without making any changes to application code.
- Secure service-to-service communications; ensure app-to-app connectivity is also explicitly authenticated, authorized and encrypted, within and across clusters, without making any changes to network configurations.
Interested in learning more? Read about the Banyan Private Access solution in our solution brief and whitepaper. You can also get started right away by signing up for a free trial. Or, contact us if you’d like to schedule an in-depth demo.