Vendors offer a variety of approaches, from the browser to the cloud
The last few years have seen an explosion of interest in Zero Trust network access (ZTNA). The zero trust approach replaces the perimeter defense model with a “least privilege” framework where users authenticate to access specific data and applications, and their activities are continuously monitored.
ZTNA gained a boost in the wake of the COVID-19 pandemic, with more employees working remotely. The old perimeter defense model, exemplified by VPNs, provides a secured internet connection that gives remote users privileges as if they were on an internal private network. This doesn’t match up with a zero trust mindset, and to make things worse, many organizations found that their infrastructure couldn’t handle the traffic loads created by large numbers of remote workers connecting via VPN.
Zero trust is a framework, not a product
Network and security vendors have responded by offering a suite of products and services that can complement or even replace VPN connectivity. These ZTNA tools use various network and application security techniques to apply zero trust principles to remote access. This involves monitoring user endpoints, either by agent or agentless techniques, to protect against illicit access.
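To make the contrast between the two models concrete, here is an added Python example (illustration only, not code from any vendor in this guide). It models a toy access broker: a perimeter/VPN-style check that grants reachability to every internal application after one login, beside a ZTNA-style check that decides per application from identity, MFA state and device posture, and re-evaluates open sessions when posture changes. The group names, posture signals, applications and users are constructed assumptions for the example; a real ZTNA broker would take these from an identity provider and an agent or browser-based posture check.

```python
"""Per-application access decisions vs. perimeter-style access.

Added illustration, not code from any vendor on the page. The policy
fields, group names and posture signals are assumptions chosen for the
example; a real ZTNA broker takes them from an identity provider and an
endpoint agent or browser-based posture check.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class DevicePosture:
    managed: bool          # enrolled in device management
    disk_encrypted: bool
    edr_healthy: bool      # endpoint agent reporting and not flagging compromise


@dataclass
class Principal:
    user: str
    groups: Set[str]
    mfa_verified: bool
    device: DevicePosture


@dataclass
class AppPolicy:
    app: str
    allowed_groups: Set[str]
    require_mfa: bool = True
    require_managed_device: bool = False


def perimeter_access(principal: Principal, apps: List[AppPolicy]) -> Set[str]:
    """VPN-style model: one successful login at the edge places the user on the
    internal network, so every application becomes reachable regardless of
    per-app entitlement or device state."""
    if not principal.mfa_verified:
        return set()
    return {p.app for p in apps}


def ztna_decision(principal: Principal, policy: AppPolicy) -> Tuple[bool, str]:
    """Least-privilege decision for one application. Every check must pass;
    the reason string is what a broker would log for auditing."""
    if not (principal.groups & policy.allowed_groups):
        return False, "not entitled to application"
    if policy.require_mfa and not principal.mfa_verified:
        return False, "MFA not satisfied"
    if policy.require_managed_device and not principal.device.managed:
        return False, "unmanaged device"
    if not principal.device.disk_encrypted:
        return False, "disk not encrypted"
    if not principal.device.edr_healthy:
        return False, "endpoint health check failed"
    return True, "allow"


def ztna_access(principal: Principal, apps: List[AppPolicy]) -> Set[str]:
    """Applications the user can reach: only those whose own policy allows it."""
    return {p.app for p in apps if ztna_decision(principal, p)[0]}


def reevaluate_sessions(principal: Principal, policies: Dict[str, AppPolicy],
                        active: Set[str]) -> Tuple[Set[str], Dict[str, str]]:
    """Continuous monitoring: re-run the decision for every open session with
    the current posture and revoke those that no longer pass. Returns the
    sessions that survive and the revocation reason for each that does not."""
    kept: Set[str] = set()
    revoked: Dict[str, str] = {}
    for app in active:
        ok, reason = ztna_decision(principal, policies[app])
        if ok:
            kept.add(app)
        else:
            revoked[app] = reason
    return kept, revoked


# Constructed sample data (hypothetical users, apps and policies).
POLICIES = {
    "wiki": AppPolicy("wiki", {"staff", "contractors"}),
    "hr-portal": AppPolicy("hr-portal", {"hr"}, require_managed_device=True),
    "git": AppPolicy("git", {"engineering"}, require_managed_device=True),
}

ALICE = Principal(
    user="alice",
    groups={"staff", "engineering"},
    mfa_verified=True,
    device=DevicePosture(managed=True, disk_encrypted=True, edr_healthy=True),
)

if __name__ == "__main__":
    apps = list(POLICIES.values())
    print("perimeter model:", sorted(perimeter_access(ALICE, apps)))
    print("ZTNA model:     ", sorted(ztna_access(ALICE, apps)))
    # The endpoint agent later reports the device as unhealthy; open sessions are re-checked.
    ALICE.device.edr_healthy = False
    kept, revoked = reevaluate_sessions(ALICE, POLICIES, {"wiki", "git"})
    print("kept:", sorted(kept), "revoked:", revoked)
```

The point of the comparison is the shape of the decision: the perimeter function has a single gate and then no further say, while the ZTNA functions are consulted once per application and again on every posture change, so a compromised or unmanaged endpoint loses access to exactly the applications whose policy demands a healthy device.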
But because zero trust is a framework (described in a NIST publication) rather than a specific technology, what gets labelled as ZTNA may have more to do with marketing than technology, and different offerings have different approaches and strengths.
“The vendor community has been quick to promote ZT via marketing, leading to a backlash against the hype,” says David Holmes, senior analyst at Forrester Research. Many vendors have also chosen to build ZTNA features into their larger suite of security tools rather than offering them as a standalone product or service.
Zero trust also requires buy-in from organizations implementing it. “Zero Trust isn’t just a shopping exercise, however much it helps unlock budget,” Holmes says. It’s not something you can simply buy and plug in. An enterprise still needs a cogent approach to data classification, and someone needs to audit employee and third-party privileges. “Both of these are non-trivial, and usually manual tasks,” Holmes notes.
Here’s a snapshot of some of the offerings from leading vendors. A deeper dive can be found in the IDC MarketScape report, “Worldwide Zero Trust Network Access 2023 Vendor Assessment.”
Akamai Enterprise Application Access. With Akamai EAA, users can access protected applications via a browser. There’s also a client-based alternative. Device profiling is built into the product’s policy enforcement capabilities, although it does not include data loss prevention (DLP) or threat detection features.
Organizations can integrate Akamai EAA with their existing identity service providers and multifactor authentication (MFA) systems. They can also use Akamai EAA in conjunction with Akamai’s own MFA solution, along with the company’s network access control and micro-segmentation tools.
Appgate. An early entrant into the ZTNA market, Appgate sports a number of features, including single-packet authorization, cloaked applications and access points, and clientless access, along with direct routing, which further shields protected resources. The solution can be deployed in a variety of ways, from cloud-hosted to on-prem.
A particular strength is Appgate’s support for a number of specialized network protocols, which makes it a strong candidate for OT, IoT, or industrial rollouts. It lacks native tie-ins to tools like data loss prevention or Network Edge Security as a Service (NESaaS), though third-party alliances can close those gaps.
Check Point Harmony Connect Remote Access. Check Point’s offering encompasses not only the secure enclave and resource portal models of modern ZTNA, but also a VPN-as-a-service feature, which is key for many organizations that still rely on VPN connectivity for some legacy purposes. Check Point’s VPN includes a device posture check, along with intrusion prevention and DLP features.
Harmony Connect Remote Access is one of a suite of NESaaS tools from Check Point. The tool’s biggest drawback is that its cloud presence is still in its infancy: Check Point currently only partners with AWS and Azure.
Cisco Secure Client. Cisco’s offering is a unified client that supports both VPN and ZTNA—which could be tempting to organizations still in transition or dependent on VPN connectivity. Cisco offers the flexibility to implement ZTNA App Connectors or backhaul VPN, and there’s also support for integration with third-party SD-WAN solutions.
Secure Client offers a unified dashboard for ZTNA and NESaaS management. There are plans for tighter integration with Cisco’s vast cybersecurity portfolio, though as of mid-2023 that’s still in progress. The offering as it exists today leans on other Cisco technologies, such as Duo and Umbrella Secure Cloud service, which could be a restraint for organizations that haven’t invested in Cisco kit—or a boon for those who have.
Citrix Secure Private Access. Citrix’s ZTNA technology is part of its larger remote access mission, and works in conjunction with its VPN, virtual desktop, Citrix Enterprise Browser, and desktop-as-a-service offerings, with both cloud and on-premises options. It offers application discovery capability with workflows to automate application access definitions and policy rule creation, and includes hundreds of templates for web applications with prefilled parameters and single sign-on for faster onboarding and configuration.
Citrix is one of the few vendors offering a native client user interface, native browser, and enterprise browser-based controls to support BYOD, managed, and unmanaged devices. However, Secure Private Access is not part of a full NESaaS platform, and does not offer formal integration with micro-segmentation solutions.
Cloudflare Access. Cloudflare leverages its cloud content delivery expertise as part of its ZTNA offering: web application firewall, DDoS mitigation, and bot management join native threat detection capabilities based on machine learning algorithms trained across the company’s insights into internet traffic. The solution supports cloud and on-premises rollouts and managed or unmanaged user devices (including IoT), as well as strong support for RDP applications.
Cloudflare Access doesn’t support some cloud-adjacent zero trust technologies, like microsegmentation, network access control, or MFA. Organizations can integrate with such tools via APIs, which may be beneficial for some shops but would be a learning curve for others.
Forcepoint ONE ZTNA. Forcepoint offers a cloud-native and cloud-routed ZTNA solution, with both agentless and agent-based deployment available. Forcepoint ONE has strong DLP integration and unique features like steganography.
Forcepoint’s SD-WAN and firewall products can serve as a ZTNA application connector, which makes it easy for existing customers to ramp up ZTNA. Its suite of offerings has a strong emphasis on compliance, offering predefined templates to help organizations achieve compliance and improve their security posture. On the downside, Forcepoint does not offer software-defined perimeter elements such as single-packet authorization, resource cloaking, or a dedicated microsegmentation solution.
Fortinet. Fortinet tightly integrates ZTNA into its FortiFabric ecosystem, which includes microsegmentation, identity management, multifactor authentication, SIEM, SOAR, EDR, SD-WAN, and many other security and networking products. Fortinet’s ZTNA solution functions seamlessly alongside its VPN through separate tunnels that can be open at the same time, depending on which applications the end user is using. If you’re not a Fortinet customer, the ZTNA solution is not available as a standalone offering.
The ZTNA offering is one of the most competitively priced solutions in the industry and includes quarterly software updates with new features and capabilities.
Google BeyondCorp Zero Trust Enterprise Security. You might be surprised to see Google on this list—but it makes sense that the search giant’s ZTNA offering is a component of the company’s widely used Chrome browser. Because no additional software or agents are required to run in the background for its ZTNA solution, Google reduces complexity and allows for fast rollout. The system works with Google’s worldwide managed network and thus benefits from strong network performance.
The flipside is that Google’s browser-based solution is restricted to the browser and does not include a dedicated endpoint agent—a dealbreaker for some organizations. ZTNA is part of Google’s NESaaS offering, which integrates with tools from Palo Alto Networks.
iboss. iboss provides network security as a service and zero trust principles baked into its offering. The iboss ZTNA service is based on a containerized architecture to enable the full stack of network security functionality, concealing all applications and resources behind its cloud edge service to protect against scanning and probing. User browsers are the clients, streaming all functionality and data as pixels rather than data or code, so no data ends up on end user devices.
iboss solutions are designed for enterprise users that have the luxury of learning a complex management system. The solution is not complemented by a traditional firewall, although iboss notes that its on-prem cloud gateways can be deployed as firewalls if need be.
Lookout Secure Private Access. Lookout’s ZTNA product offering supports a number of deployment models, including agent and agentless, as well as inline, and cloud or direct routed; it’s also capable of enforcing DLP and document management policies.
Lookout’s agents consolidate access to the company’s entire security product line, and Secure Private Access provides deep integration with other Lookout NESaaS products and SD-WAN functionality. New customers that have found their on-premises security provider’s ZTNA and NESaaS capabilities lacking may find Lookout’s ZTNA appealing.
Netskope Private Access. Netskope’s ZTNA offering is part of a broader NESaaS suite that also includes data protection and threat prevention capabilities. Netskope leverages its DLP and user analytics capabilities—the latter using dozens of signals and machine learning models to build a User Confidence Index score, which then translates to adaptive access controls across its ZTNA solution.
Netskope is developing an update to its ZTNA offering dubbed “ZTNA Next,” which aims to fully replace VPN connections for customers and support legacy applications, such as on-premises VoIP with specialized protocols that complicate existing ZTNA approaches. The current Netskope ZTNA works with modernized web applications, but if legacy apps are important to you, you may need to wait for the update.
Palo Alto Networks Prisma Access ZTNA. Palo Alto Networks’ ZTNA solution is part of its overarching security platform, which combines ZTNA, secure web gateway, and firewall as a service into a single product. The company has access to Google’s premium fiber network to ensure consistent quality of service across its portfolio. The solution benefits from integrations with the rest of Palo Alto’s NESaaS offering and will appeal to those considering other products and offerings from the company.
Prisma Access ZTNA provides support for all applications, current and legacy, and is extremely flexible when it comes to deployment models: out of band, inline, proxy based, cloud routed, or direct routed via an agent, agentless, on-premises gateway/self-hosted, or containerized rollouts are all possible.
Skyhigh Private Access. Skyhigh provides a cloud-routed model for ZTNA that conceals and protects applications from unauthorized access or scanning. Skyhigh Security Private Access provides extensive DLP controls combined with advanced EDM, IDM, and OCR. The offering also includes an inline sandboxing option that uses emulation to detect zero-day threats. It offers both agent-based and agentless access, supporting BYOD and mobile devices.
Skyhigh Security does not offer endpoint DLP natively; however, this functionality is included in the company’s larger suite, making Private Access an appealing add-on for their existing customers who have developed comprehensive DLP policies. The company offers a number of policy templates designed for highly regulated industries.
Sophos ZTNA. Sophos’ ZTNA is tightly integrated with the company’s endpoint solution. The two share an agent, along with threat telemetry and status and health information, to limit or revoke access rights in real time and protect against ransomware and other threats. Sophos’ ZTNA also integrates into the broader Sophos ecosystem, including its 24/7 managed detection and response service.
Many of Sophos’ ZTNA advantages can be attributed to its tight integration with other Sophos products, so most Sophos ZTNA adoption is likely to stem from existing customers who are looking to strengthen end-to-end device security.
Symantec ZTNA. Originally developed by Luminate, Symantec ZTNA can operate with and without agents (though the latter is preferred) and includes a capability called mirror gateway that uses reverse proxying and browser isolation to allow some users to access but not download data.
Developers can use the Symantec ZTNA API to integrate the tool into DevSecOps automated practices. The platform is now part of Broadcom’s broad suite of NESaaS offerings and is targeted at large enterprises.
Zscaler Private Access. Zscaler is focused on cloud-based security services and its ZTNA service is no different. All user and device traffic is passed through the Zscaler Zero Trust Exchange platform for comprehensive visibility and control and a consistent security posture. The solution includes an AI-generated policy for automated segmentation of user-to-application access.
Zscaler performs Private Access services in different data centers than Zscaler Internet Access. Zscaler builds its cloud to support low-latency applications, hosting ZPA in additional data centers in AWS locations, but not in certain remote geographies that don’t typically host business applications.