Banyan Security wants to help with your conditional access strategy

This third-party platform seeks to integrate with your IDaaS, UEM, PKI, and other security tools, providing access that can even be revoked in real time.

By now, you’ve heard me mention conditional access in at least half of my articles for the past two years.

The thing is, while I think conditional access truly is one of the most important things to talk about right now, there are going to be growing pains when it comes to integrating all of the components, including IDaaS, UEM, security tools, access controls, and other sources of data and control points. Companies are going to face a lot of decisions.

Banyan Security

It’s into this context that Banyan Security is entering the market. Banyan has seed-stage funding, about 20 employees, and they’re based here in San Francisco. While they didn’t do a flashy exit from stealth, their product is generally available now.

I met with several members of the team, including Jayanth Gummaraju (co-founder), Tarun Desikan (co-founder), Asish Gupta (head of marketing), and Jacob Lee (head of sales). The third co-founder is Yoshio Turner.

Banyan’s product

The idea behind Banyan Security is that it’s a third-party service that can integrate with all of your existing tools. It works with your IDaaS, your EMM/UEM, your PKI platform, and other endpoint security products. They also have their own trust agent that you can install on devices (like what Kyle wrote about a few months back).

Banyan uses all of this information to create a trust score for the user and device side of the access decision. In demos that I saw, this trust score is exposed to the user, so that users can remediate any issues.

Access enforcement happens in identity-aware proxies that sit in front of all your resources. (So this is pretty similar to BeyondCorp architecture.) They have several types of proxies, covering HTTPS, SSH, RDP, and SAML; and they’re available in the big three public cloud marketplaces.

The identity-aware proxies are designed to be resilient, working in a distributed mesh architecture. If they go down, they can come right back up, check in, and get configured automatically.

Banyan encrypts traffic from devices and apps to the proxies using short-lived TLS certificate, which can be distributed via their app, or through your EMM or other means.

There’s a cloud service to tie everything together and build policies. Like with other conditional access products, you can group devices and users and resources in different buckets, or you can make things granular as you want.

Since Banyan is controlling access via the identity-aware proxies, they can also revoke app access instantly; for example, if an endpoint is found to have malware. The proxies can also cache policies, which helps with resilience.

To see how a typical access flow might work, see the slide below from Banyan—I found it to be the most helpful. (You can also see a broader diagram in the photo below, or at their website.)

Banyan Security conditional access
Access workflow with Banyan. Click for larger version

Here at, we generally think of conditional access in terms of users sitting in front of apps that are connecting to servers or SaaS. However, an equal (if not more prominent) part of Banyan’s strategy involves service-to-service connections. Their technology can encrypt traffic and manage access at the API level, and they target all of the latest container and microservices technologies. These may happen to be out of our purview, but many of the concepts carry over.


Two months ago, I posed the question When you have both IDaaS and UEM, where do you build your conditional access policies? Little did I know that I’d be learning about another potential option here.

Banyan Security wants to be a neutral third party helping you with conditional access, zero trust, and all that. Like other options (i.e., building policies directly in your IDaaS or EMM), you will still have to do some amount of due diligence to figure out exactly how all your different components will integrate.

For now, all I can say is that there’s going to be a lot of activity in this space, and it’s too soon to see how everything will shake out. However, it’s always good to have more options.

Banyan Security already has some initial paying customers, including SAP, BlueVoyant, and Veeva. They’re going to be at VMworld (which is now only four weeks away), so you can pick their brains there, too.

Banyan Security co-founder
Tarun Desikan mapped everything out on the white board.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.