Virtual private networks (VPNs) have long been the default method of securing remote access. VPNs provided a way to prevent exposing internal systems’ remote access protocols, like SSH and RDP, to the internet where anyone in the world could attempt a connection. With a VPN, organizations had a layer of control that limited who could gain access to these remote access protocols.
However, VPNs are limited with respect to the level of control they can provide. Typically, VPNs are provisioned in a way that gives an authorized user too much access to internal networks and resources. Moreover, VPNs are unable to take into consideration the context in which legitimate users are accessing resources.
This is the scenario zero-trust network access (ZTNA) is able to resolve. While ZTNA and VPNs can appear similar, upon close inspection the advantages of ZTNA become obvious. For example, ZTNA is built on the zero-trust model, meaning that trust isn’t established once and never reviewed again. Under ZTNA, a system establishes a trusted relationship with each user each time a connection is requested. ZTNA considers both the user’s identity and the context of the connection request. This is a powerful capability that mitigates many ongoing risks that a VPN leaves unaddressed.
The GigaOm Key Criteria and Radar reports provide an overview of ZTNA, identify capabilities (table stakes, key criteria, and emerging technologies) and evaluation metrics for selecting a ZTNA solution, and detail vendors and products that excel. These reports will give prospective buyers an overview of the top ZTNA solutions in the market and can help decision makers evaluate platforms and decide where to invest.
How to Read this Report
This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:
Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.
GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.
Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.
2. Market Categories and Deployment Types
For a better understanding of the market and vendor positioning (Table 1), we assess how well solutions for ZTNA are positioned to serve specific market segments.
- Small-to-medium business (SMB): In this category we assess solutions on their ability to meet the needs of organizations ranging from small businesses to medium-sized companies. Also assessed are departmental use cases in large enterprises, where ease of use and deployment are more important than extensive management functionality, data mobility, and feature set.
- Large enterprise: Here offerings are assessed on their ability to support large and business-critical projects. Optimal solutions in this category will have a strong focus on flexibility, performance, data services, and features to improve security and data protection. Scalability is another big differentiator, as is the ability to deploy the same service in different environments.
In addition, we recognize two deployment models for solutions in this report: cloud-only or hybrid solutions.
- Cloud-only: These are available only in the cloud. Often designed, deployed, and managed by the service provider, they are available only from that specific provider. The big advantage of this type of solution is the integration with other services offered by the cloud service provider (functions, for example) and its simplicity.
- Hybrid: These solutions are meant to be installed on-premises or on-premises with a cloud component. They are more flexible, the administrator usually has more control over the technology stack, and they may be easier to conform to compliance or business requirements. These solutions can be deployed in the form of virtual appliances or a software component that can be installed on a VM.
Table 1. Vendor Positioning
Columns: market segment (SMB, Large enterprise) and deployment model (Cloud-only, Hybrid)
Vendor rows (ratings not reproduced in this extract): Palo Alto Networks
Legend: Exceptional: Outstanding focus and execution; Capable: Good but with room for improvement; Limited: Lacking in execution and use cases; Not applicable or absent
3. Key Criteria Comparison
Building on the findings from the GigaOm report, “Key Criteria for Evaluating ZTNA,” Table 2 summarizes how each vendor included in this research performs in the areas that we consider differentiating and critical in this sector. Table 3 follows this summary with insight into each product’s evaluation metrics—the top-line characteristics that define the impact each will have on the organization. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.
Table 2. Key Criteria Comparison
Key criteria columns: IAM & MFA Vendor Integrations; Cloud & SaaS Integrations; UEBA-Like Capabilities; Unmanaged Device Support; Legacy Application Support; Session Monitoring Capabilities
Vendor rows (ratings not reproduced in this extract): Palo Alto Networks
Legend: Exceptional: Outstanding focus and execution; Capable: Good but with room for improvement; Limited: Lacking in execution and use cases; Not applicable or absent
Table 3. Evaluation Metrics Comparison
Evaluation metric columns: Extensibility; Licensing Model; Integration Maturity; Technical Innovation
Vendor rows (ratings not reproduced in this extract): Palo Alto Networks
Legend: Exceptional: Outstanding focus and execution; Capable: Good but with room for improvement; Limited: Lacking in execution and use cases; Not applicable or absent
By combining the information provided in the tables above, the reader can develop a clear understanding of the technical solutions available in the market.
4. GigaOm Radar
This report synthesizes the analysis of key criteria and their impact on evaluation metrics to inform the GigaOm Radar graphic in Figure 1. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and feature sets.
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation, and Feature Play versus Platform Play—while providing an arrow that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for ZTNA
As you can see in the Radar chart in Figure 1, the market space is competitive and offers many solutions to choose from. Of particular note is that all solutions in this report are categorized as Fast Movers, when typically there are also some Outperformers and Forward Movers. But keep in mind that our Radar reports act as a snapshot in time. In this market, at this time, both buyers and vendors know this is a hot space; buyers are supplying the funding (through sales) and vendors have almost uniformly directed that influx of spending into research and development of their ZTNA products. The result is a surprising number of Fast Movers.
Starting the review of the Radar graphic in the Mature, Platform-Play quadrant, the longtime dominant players in the network security space—like Cisco, Citrix, Fortinet, Palo Alto Networks, and Zscaler—all provide a capable ZTNA solution.
Fortinet and Palo Alto Networks are both network security giants that bring that experience to the ZTNA space. With expertise in network security comes knowledge of security control on the network, and both vendors demonstrate their sophistication with advanced controls that include malware identification, data loss prevention (DLP), and user and entity behavior analytics (UEBA) features. Cisco follows with a well-rounded ZTNA solution that can serve many organizations but is better suited to those already invested in Cisco.
Citrix and Zscaler are both prominent in the ZTNA space, with elegant solutions. Citrix brings additional benefits, including its all-in-one workspace client and advanced security controls like anti-keylogging and screenshotting.
Also included are ZTNA solutions from cloud protection vendors like Cloudflare and Akamai, a natural fit for them because their massive edge infrastructure lends itself to core ZTNA principles. These solutions are a great choice for organizations that may already use their other products. However, a certain depth of features, like the application of security controls to ZTNA traffic, is lacking in these solutions.
Within the Innovation, Feature-Play quadrant, a clear trend is the focused development of ZTNA solutions from up-and-coming vendors like Appgate and Perimeter 81, whose solutions will provide coverage for several ZTNA core capabilities, to varying degrees.
Moving into the Mature, Feature-Play quadrant, Banyan Security offers a mature solution with a narrow focus on solving challenges created by VPNs, and with the expectation of ubiquitous, secure, remote access to software as a service (SaaS) and legacy applications, on-premises or in the cloud. Banyan Security is a standout Feature Play because of its emphasis on simplicity for both administrators and users.
In the Innovation, Platform-Play quadrant are Forcepoint and Menlo Security. Forcepoint’s novel application of an AJAX-VM in a remote browser marries simplicity for the user with effective ZTNA for the administrator. Menlo’s platform, in turn, offers an innovative solution with immense security capabilities built in and a seamless managed and unmanaged user experience.
Inside the GigaOm Radar
The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.
The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.
The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.
Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.
5. Vendor Insights
Akamai Enterprise Application Access
Akamai, a U.S.-based tech company founded in 1998, is best known for its content delivery network (CDN). That isn’t its only focus, though. Akamai recognized that ZTNA solves many of the security challenges facing modern organizations today and, with its established cloud infrastructure, developed a successful ZTNA solution called Akamai Enterprise Application Access (EAA).
The EAA solution leverages Akamai’s existing network infrastructure, meaning it resides entirely in the cloud, with no on-premises option.
However, for applications or resources that are on-premises, EAA provides a connector that acts as a local aggregation point where secure tunnels to the Akamai cloud are created. It is these secure tunnels that enable the ZTNA solution to exist in the cloud, while still providing on-premises access. The same method is leveraged for infrastructure as a service (IaaS), while an API integration is established for platform as a service (PaaS) and SaaS resources.
Akamai provides out-of-the-box integrations with EAA Cloud Directory, an Akamai identity provider, Active Directory (AD), Okta, Google, OneLogin, and other common identity providers. This robust list should enable easier integrations with an organization’s existing infrastructure, as it is likely already using one of these solutions. The option to create a custom Security Assertion Markup Language (SAML)-based connection to an identity provider exists as well.
The Akamai EAA delivers ZTNA for cloud and on-premises resources, but lacks additional security features like UEBA capabilities or enhanced analysis of connection and security logs. EAA provides analytics of the connection logs via the dashboard and reports, located in the Akamai Control Center.
Because the ZTNA solution can be delivered through a browser-based portal, unmanaged devices are allowed easy access to secured resources, just as a managed device would be. Unmanaged devices, such as those running Windows, Mac, Linux, Android, and iOS, are all supported.
Also worth mentioning is the EAA’s user diagnostic portal, which gives administrators a simple method for investigating and troubleshooting user-reported issues with EAA. The portal provides a way for administrators to input incident-specific data (like user identity, resource request, source IP address, and port), then run a diagnostic on the given scenario. The results are easily converted into policy changes. This workflow greatly simplifies the administrative workload.
Strengths: Akamai’s solution has phenomenal SaaS, identity and access management (IAM), and multifactor authentication (MFA) integrations, and generally good support for common ZTNA features.
Challenges: Akamai lacks UEBA-like analyses of data as well as any cutting-edge innovation; it offers a SaaS deployment model only.
Headquartered in Miami, Florida, and founded in 2017, newcomer Appgate has quickly established itself as a serious player in the cloud-security space, especially for ZTNA. Appgate refers to its ZTNA solution as a software-defined perimeter (SDP), but it still meets the table stakes for this report and, therefore, is included with other ZTNA solutions.
The Appgate solution is available as a service or self managed; both models leverage the gateway component of the Appgate architecture, which can reside on-premises or in one of three popular public clouds. The self-managed option includes a physical appliance and a VM for self-hosting on-premises or in Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
The Appgate ZTNA solution has three components: the Controller, which is the policy decision point; the Gateway for policy enforcement, which handles the creation and management of the secure client tunnels; and the LogServer, which creates and stores the logs generated by the solution.
While the LogServer can act as a monitoring tool for the ZTNA solution, it’s preferable to send the logs to a security information and event management (SIEM) solution to garner deeper insights. As with most other vendors in this space, security functions like UEBA and DLP are not yet built into the solution and are instead available through integrations with third parties like CrowdStrike.
A unique feature is Single Packet Authorization, which is a mutually encrypted “hello” mechanism leveraged by clients to streamline authentication and eliminate DDoS and other network-based attacks on ZTNA solutions. Single Packet Authorization effectively hides infrastructure from scanning activities and is managed by the customer. In addition, Appgate provides what it calls “micro-perimeters” or session-based microsegmentation. This allows an organization to create small zones between authorized users and applications, dynamically, to allow for greater control of access.
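The paragraph above describes Single Packet Authorization only at a high level. The following is an added example, not Appgate’s implementation, of the gateway-side check that makes the idea work: the gateway accepts exactly one authenticated packet before it will talk to a client at all, and drops everything else without replying, so scanners see a closed port. The packet format (client id, 64-bit Unix timestamp, 16-byte nonce, HMAC-SHA256 tag over those fields under a per-client shared key) is an assumption chosen for illustration; it uses an authentication tag rather than the encrypted “hello” the report mentions, and the client keys are constructed sample data.

```python
"""Added example (not Appgate's implementation): a gateway-side Single Packet
Authorization check. Packet format (assumed for illustration): 1-byte id
length, client id, 64-bit unix timestamp, 16-byte random nonce, then an
HMAC-SHA256 tag over those fields under a per-client shared key. A packet is
accepted only if the tag verifies, the timestamp is fresh and the nonce is
unseen; anything else is dropped and the sender gets no response."""
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32
MAX_SKEW_SECONDS = 30  # assumed freshness window

# Constructed per-client keys for the example; not real credentials
CLIENT_KEYS: Dict[bytes, bytes] = {
    b"laptop-0042": hashlib.sha256(b"constructed-demo-key").digest(),
}


def build_spa_packet(client_id: bytes, key: bytes, now: Optional[int] = None,
                     nonce: Optional[bytes] = None) -> bytes:
    """Client side: id length, id, timestamp, nonce, then the HMAC tag."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    header = struct.pack("!B", len(client_id)) + client_id + struct.pack("!Q", ts) + nonce
    return header + hmac.new(key, header, hashlib.sha256).digest()


class SpaVerifier:
    def __init__(self, keys: Dict[bytes, bytes], max_skew: int = MAX_SKEW_SECONDS):
        self.keys = keys
        self.max_skew = max_skew
        # Replay cache; a real gateway would expire entries older than max_skew
        self.seen_nonces = set()

    def verify(self, packet: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
        """Gateway side. The reason string is for local logging only; the
        sender receives no reply whether the check passes or fails."""
        now = int(time.time()) if now is None else now
        if not packet:
            return False, "malformed"
        id_len = packet[0]
        header_len = 1 + id_len + 8 + NONCE_LEN
        if len(packet) != header_len + TAG_LEN:
            return False, "malformed"
        client_id = packet[1:1 + id_len]
        key = self.keys.get(client_id)
        if key is None:
            return False, "unknown client"
        # Constant-time tag comparison over everything before the tag
        expected = hmac.new(key, packet[:header_len], hashlib.sha256).digest()
        if not hmac.compare_digest(packet[header_len:], expected):
            return False, "bad mac"
        (ts,) = struct.unpack("!Q", packet[1 + id_len:1 + id_len + 8])
        nonce = packet[1 + id_len + 8:header_len]
        if abs(now - ts) > self.max_skew:
            return False, "stale"
        if nonce in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    verifier = SpaVerifier(CLIENT_KEYS)
    pkt = build_spa_packet(b"laptop-0042", CLIENT_KEYS[b"laptop-0042"])
    print(verifier.verify(pkt))  # first delivery is accepted
    print(verifier.verify(pkt))  # the same packet again is rejected as a replay
```

The order of checks matters for the defender: the MAC is verified before the timestamp is even parsed, so an unauthenticated sender cannot probe the freshness window, and the nonce cache is only consulted for packets that already carry a valid tag, which keeps it from being filled by junk.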
Dynamic features are a common theme throughout the Appgate solution. For example, since cloud workloads (or hybrid workloads) are dynamically created and moved, Appgate’s ZTNA solution monitors for these changes and dynamically adjusts user entitlements, granting and revoking access to match the constant shifts that are common to cloud environments. This is a feature that ensures tighter security controls are maintained, without creating additional burdens on the operator.
Integrations with identity providers occur via the Controller. At present, out-of-the-box integrations are available for Okta, Ping, LDAP, RADIUS, or SAML-based identity providers. Appgate includes a native MFA solution with the product.
Strengths: Appgate offers flexible deployment options (physical, VM, as a service) and integration with CrowdStrike, along with Single Packet Authorization features and protections.
Challenges: Appgate presents a steep learning curve for administrators and lacks enhanced security features like DLP and UEBA.
Founded in 2015 in San Francisco, California, Banyan Security entered the zero-trust marketplace with a singular focus on solving remote access security problems. It’s no coincidence that one of Banyan Security’s seed round investors was a former VP at Google, where zero-trust architecture (aka BeyondCorp) started. This focus continues today and because of it, Banyan Security offers a strong solution. Note that while Banyan Security offers three tiers of service, our research focused exclusively on the Enterprise tier.
The Banyan Security ZTNA solution, often referred to as just “Banyan” in support documentation, offers two deployment models: a self-hosted “Private Edge” where an organization installs and maintains the access tier component of the ZTNA solution; and a “Global Edge” in which a connector component is installed on individual servers in an organization’s private network to connect them to the Banyan-managed access tier component (as part of the SaaS solution). Both models leverage the Banyan Cloud Command Center (a SaaS service) for administration and operation of the platform.
In addition to the two deployment models, the solution is offered in three license tiers: two paid tiers and a full-featured free tier that supports up to 20 users.
IAM and MFA integrations can be configured with Okta, Azure AD, G Suite, OneLogin, and other SAML-based identity providers. This configuration step is performed entirely from within the Command Center GUI, a much simpler experience than that of some competitors. Of note here is the innovation evident in the integration of early access technologies, like Okta’s IDP factor feature, which allows administrators to leverage device trust and posture as an authentication factor.
The Banyan Security solution’s simplified deployment process is managed in the Command Center, where administrators can deploy the Banyan Access Tier to their on-premises infrastructure via tarball installers, Docker images, or an RPM package. If cloud deployment is needed, Banyan Security provides out-of-the-box AWS provisioning and supports Terraform deployments for other clouds. So while Banyan doesn’t provide out-of-the-box provisioning for Azure, GCP, OCI, and other cloud providers, it suggests leveraging the Terraform deployment model to fill this gap.
Additionally, Banyan provides a “Discover & Publish” feature that automatically discovers private applications and resources, which it can then provide secure access to.
Devices, whether they are managed or unmanaged, are the way users will access resources secured by the Banyan Security solution, which identifies two modes of access: via either registered or unregistered devices. A registered device is a Windows, macOS, Linux, Android, or iOS device that holds the certificate trusted by the Banyan Security solution, while an unregistered device is one that does not have this certificate. Banyan Security recognizes that there are use cases for which resources need to be available to unregistered devices, so it provides a way to selectively control (through policy) how and when resources can be accessed by unregistered devices.
A unique aspect of the Banyan Security ZTNA solution is the Banyan TrustScore. This feature gathers and correlates data about the identity of the person requesting access to a resource, including device identity and security posture, recent activity, time of day, geographic location, and IP address, to obtain a score that reflects the appropriate level of access for that user. Two different identities with the same level of policy-generated access could have different levels of access based on the data the TrustScore provides to the policy engine. This feature is valuable in a landscape filled with dynamic threats.
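Both the report’s opening description of ZTNA (identity plus the context of each connection request, re-established every time) and the TrustScore paragraph above describe the same mechanism from different angles. The following is an added example, not Banyan’s algorithm or any vendor’s code, of how such a decision can be structured: a policy engine that first checks entitlement, then device class, then a posture-and-context score against a per-resource threshold. The signals, weights, thresholds, sample users, resources and policies are all assumptions chosen for illustration.

```python
"""Added example (not Banyan's or any vendor's code): a context-aware access
decision evaluated per connection request. Signals, weights, thresholds and
the sample organisation are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed policy constants for the example organisation
ALLOWED_COUNTRIES = {"US", "CA"}
BUSINESS_HOURS = range(6, 22)  # 06:00 to 21:59 local time


@dataclass
class AccessRequest:
    user: str
    groups: List[str]
    resource: str
    device_registered: bool   # holds the organisation-issued device certificate
    disk_encrypted: bool
    edr_running: bool
    os_patched: bool
    country: str
    ip_on_denylist: bool
    requested_at: datetime


@dataclass
class ResourcePolicy:
    allowed_groups: List[str]
    min_score: int            # trust score required for this resource
    allow_unregistered: bool = False


# Constructed sample policies: a sensitive database and a low-risk wiki
RESOURCES: Dict[str, ResourcePolicy] = {
    "payroll-db": ResourcePolicy(["finance"], min_score=80),
    "wiki": ResourcePolicy(["staff", "finance"], min_score=50, allow_unregistered=True),
}


def trust_score(req: AccessRequest) -> Tuple[int, List[str]]:
    """Score the request 0-100 from device posture and connection context;
    returns the score and the reasons it was reduced."""
    penalties = [
        (not req.device_registered, 40, "unregistered device"),
        (not req.disk_encrypted, 15, "disk not encrypted"),
        (not req.edr_running, 20, "EDR not running"),
        (not req.os_patched, 10, "OS not patched"),
        (req.requested_at.hour not in BUSINESS_HOURS, 10, "outside business hours"),
        (req.country not in ALLOWED_COUNTRIES, 25, f"unexpected country {req.country}"),
        (req.ip_on_denylist, 50, "source IP on denylist"),
    ]
    score = 100
    reasons = []
    for applies, weight, reason in penalties:
        if applies:
            score -= weight
            reasons.append(reason)
    return max(score, 0), reasons


def decide(req: AccessRequest, policies: Dict[str, ResourcePolicy] = RESOURCES) -> Tuple[str, str]:
    """Per-request decision: entitlement first, then device class, then trust score."""
    policy = policies.get(req.resource)
    if policy is None:
        return "deny", "unknown resource"
    if not set(req.groups) & set(policy.allowed_groups):
        return "deny", "identity not entitled to resource"
    if not req.device_registered and not policy.allow_unregistered:
        return "deny", "resource requires a registered device"
    score, reasons = trust_score(req)
    if score >= policy.min_score:
        return "allow", f"score {score}"
    return "deny", f"score {score} below {policy.min_score}: " + "; ".join(reasons)


def sample_requests() -> Dict[str, AccessRequest]:
    """Constructed requests: the same identity under different contexts."""
    base = dict(user="alice", groups=["finance"], device_registered=True,
                disk_encrypted=True, edr_running=True, os_patched=True,
                country="US", ip_on_denylist=False)
    daytime = datetime(2023, 3, 1, 10, 0)
    return {
        # managed, healthy laptop during the working day
        "laptop_to_payroll": AccessRequest(resource="payroll-db", requested_at=daytime, **base),
        # same person, personal tablet without the device certificate
        "tablet_to_payroll": AccessRequest(**{**base, "device_registered": False},
                                           resource="payroll-db", requested_at=daytime),
        "tablet_to_wiki": AccessRequest(**{**base, "device_registered": False},
                                        resource="wiki", requested_at=daytime),
        # managed laptop, but EDR stopped, late at night, from an unexpected country
        "travelling_to_payroll": AccessRequest(**{**base, "edr_running": False, "country": "BR"},
                                               resource="payroll-db",
                                               requested_at=datetime(2023, 3, 1, 23, 30)),
    }


def evaluate_all() -> Dict[str, Tuple[str, str]]:
    return {name: decide(req) for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, outcome in evaluate_all().items():
        print(f"{name:24s} {outcome[0]:5s} {outcome[1]}")
```

The point the example makes is the one the report makes in prose: the same identity with the same group membership gets different answers depending on device posture and request context, and the reasons are recorded with the decision so an analyst can see why a score fell below the threshold.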
Following Banyan Security’s simplified approach to ZTNA, integrations with EDR solutions like CrowdStrike (as well as other security solutions) can incorporate additional security context for use during the user authorization process. Banyan Security’s solution, however, offloads all DLP and endpoint detection and response (EDR) capabilities to third parties. This isn’t unusual in the space, especially for a vendor that focuses solely on ZTNA. And though logging from the solution is provided through the Command Center, it’s limited to logs that are useful for diagnostics and solution troubleshooting, not for security analysis.
Strengths: Banyan has excellent unmanaged device support capabilities, Banyan TrustScore automates security decisions, and freemium licensing for small teams and large organization testing is available.
Challenges: The Banyan solution lacks DLP and UEBA functionality as well as out-of-the-box access tier provisioning for Azure and GCP, among other cloud providers.
Founded in 1984—the same year the domain name system (DNS) was introduced—San Jose, California-based Cisco is the earliest entrant to almost all networking domains including ZTNA. Cisco’s ZTNA is a cloud-delivered solution that comprises four modules: The Secure Client, Umbrella, and Duo services cover the infrastructure to deliver the ZTNA solution, while the Cisco Defense Orchestrator provides a unified management platform.
The Cisco solution leverages its VPN agent, the AnyConnect Secure Mobility Client, installed on managed Linux, Mac, or Windows endpoints. Using this agent in conjunction with Duo, which is Cisco’s own multifactor authentication application, and Umbrella, which acts as the secure access point for protected resources behind the ZTNA solution, administrators are able to exercise complete control over user access. While Cisco’s integration with Duo is an obvious choice, the company includes additional identity provider integrations with popular solutions like Okta, OneLogin, and AWS. Missing from this solution, however, is support for System for Cross-Domain Identity Management (SCIM), which can be leveraged to automate identity management.
Most organizations are neither fully cloud-based nor completely on-premises. A typical organization will have a mixture of SaaS, IaaS, or PaaS, and on-premises infrastructure. Regardless of infrastructure type, the ZTNA solution should be able to provide secure access. Cisco’s offering comes with an abundance of out-of-the-box integrations for SaaS and cloud solutions like AWS, Azure, Salesforce, and Adobe Cloud. In addition, the solution can provide secure remote access for on-premises or legacy solutions that require the HTTP(S), RDP, or SSH protocols. Missing from this supported list are other protocols like SMB and VoIP, which some other vendors do provide.
Where Cisco’s ZTNA solution truly excels is in the application of practical security control within the solution. For instance, full network-based data loss prevention is a feature, and Cisco’s UEBA capabilities are class-leading when compared to other ZTNA vendors. While most vendors offload UEBA duties to a dedicated system via integrations, Cisco provides it as part of the integrated Duo solution. The UEBA capabilities include machine learning (ML)-based threat detection, enhanced and maintained by Cisco Duo’s data science team.
Strengths: Cisco offers excellent security control integrations (UEBA and DLP), an out-of-the-box MFA solution (Duo), and broad support for SaaS and on-premises resources.
Challenges: This solution has only average support for IAM and MFA vendors, it lacks SCIM for automation, and support for legacy applications is adequate but not as robust as what some solutions offer.
Founded in 1989 in Texas and now headquartered in both Fort Lauderdale, Florida, and Santa Clara, California, Citrix has long been a player in the enterprise virtualization space and has expanded into other fields through development and acquisitions. With the acquisition of Netscaler in 2005, Citrix was primed to move into the ZTNA space. This report focuses on its ZTNA solution.
The Citrix ZTNA solution consists of various components. Citrix Secure Private Access is the backbone of secure endpoint communication for all IT-managed SaaS, web, and client-server apps with adaptive security controls; Citrix Endpoint Management provides unified endpoint management for devices used in the organization; and Citrix Secure Internet Access protects against threats from users directly accessing the internet. As with other Citrix offerings, the entire ZTNA solution can be managed from the Citrix Cloud management console.
The solution supports both on-premises and cloud applications. Both involve the use of a Citrix Cloud Connector, a small component that initiates outbound communication to the ZTNA solution when clients request access.
A key differentiator is how ZTNA is delivered to and used by its users. The solution can be delivered by the ZTNA agent to allow users to access applications natively or via the Citrix Workspace application, which can be thought of as an all-in-one portal for users. Once installed, Workspace delivers all of a user’s applications via clickable icons. When a user clicks an icon to access an application, contextual authentication occurs (via parameters defined by administrators) and the application is launched inside of the Workspace portal. This allows the solution to limit actions such as copy and paste functionality, printing, and file upload and download, and it adds watermarks with the user’s name and IP address to provide attribution for screenshots. In addition, the included Citrix App Protection feature set also provides the ability to block screen sharing of ZTNA-protected applications, and anti-keylogging capabilities that effectively scramble any keyboard input.
Another key differentiator is Citrix’s strategy to combine holistic security with a great user experience. One way it does this is by supporting all applications, such as legacy client-server and connectionless User Datagram Protocol (UDP)-based apps, while most other solutions support only web applications. Citrix also supports both client and clientless access options.
The Citrix ZTNA solution provides user and usage analytics, which allows it to adjust authentication dynamically based on the context in which the user accesses resources behind the ZTNA solution. The Citrix solution also has integrated holistic endpoint analysis capabilities for adaptive and contextual access to reduce cost and complexity, but can also integrate with other ecosystem partners’ endpoint analysis capabilities.
Unmanaged device support is a highly desired feature as the remote workforce and BYOD culture continue to flourish. The Citrix ZTNA solution leverages a core capability of the Citrix virtualization solution to create a remote, isolated browser that BYOD or unmanaged devices use to access secured applications. The device itself doesn’t interact directly with the application; instead, all interaction occurs through the remote browser, so many concerns such as malicious interaction with an application and controlling sensitive data flows (like a data loss prevention solution) are effectively mitigated.
Because of Citrix’s long experience in the virtualization space, it has developed mature integrations with many identity providers, as well as with other peripheral technologies, like MFA (though Citrix’s ZTNA solution does have native MFA capabilities built-in). This maturity is especially evident in its ZTNA solution, where it’s leveraged to facilitate simple integrations with a broad range of identity and MFA vendor solutions. Despite these advantages, this solution is not without challenges, one of which is its complexity, which may be difficult for smaller organizations to manage alone.
Citrix’s ZTNA offering combines years of experience from the virtualization space with clever use cases and practical security controls. The result is a solution that scores well on most of the key criteria and evaluation metrics, but may be on the higher end for overall cost and complexity when compared to other solutions in this space.
Strengths: Citrix offers a complete ZTNA solution with very strong, well-thought-out features, unmanaged device support through a remote browser, robust data loss prevention technologies, and simple, mature integrations with other technologies.
Challenges: The overall cost is reported to be higher than other solutions, and the solution may be too complex for smaller organizations.
Founded in 2009 in San Francisco, California, Cloudflare is famous for its DDoS protection service but it also offers additional web security and performance services, including a ZTNA solution called Cloudflare Access.
If you’re unfamiliar with Cloudflare, it’s important to know that all of its services are cloud native and delivered via its cloud, which means there’s no on-premises option. If that’s not a requirement of your organization, you may well find utility in Cloudflare’s cloud-native services. For example, being cloud native has helped Cloudflare Access deliver ZTNA for IaaS, PaaS, and SaaS resources, with granular application-level access controls and the ability to scale to meet the requirements of large organizations.
The Cloudflare Access solution takes an identity provider-agnostic approach, meaning it supports identity providers that leverage both SAML and OAuth methods. This category includes Centrify, Okta, Active Directory, PingIdentity, and Citrix ADC. Identity providers can be configured either through the operator’s portal or via the API for custom solutions. All configuration options, along with examples, are provided through the Cloudflare support website, which is very easy to navigate.
Given that the Cloudflare ZTNA solution is agentless, support for unmanaged devices is easily achieved. This includes support for Windows, Mac, Linux, iOS, or Android devices accessing any supported resource through Cloudflare solutions. In addition to a browser-based ZTNA experience, Cloudflare Access provides other unmanaged device support methods, including DNS over HTTPS or over TLS, and this can be configured in local DNS servers to apply broad coverage to unmanaged devices.
The Cloudflare Access solution supports both HTTP(S) and non-HTTP(S) application integrations. When brokering access for either, the process is the same. Leveraging a small daemon that runs within your infrastructure (on-premises or in the cloud), a secure tunnel from the resource in your infrastructure to the Cloudflare edge is established. At that point, access to the resource can be brokered via policies that are created in the Cloudflare Access portal. Again, as with the other configurations from Cloudflare, this entire process is very well documented in its support portal.
Cloudflare Access falls short in two areas: there’s no UEBA-lite capability at this time, and session monitoring is limited to typical connection metadata, such as source and destination IP addresses, connection times, and the identities involved. To score higher here, the solution would need to analyze that connection data more deeply to identify threats, rather than only record it.
Strengths: Cloudflare has a simple ZTNA solution with mature features and design; it has good overall support for legacy applications, great IAM, MFA, and cloud-integration support.
Challenges: Cloudflare lacks UEBA features, has modest session monitoring capabilities, and is available only in a SaaS model.
Forcepoint
Headquartered in Austin, Texas, Forcepoint (first named NetPartners in 1994, rebranded Websense in 1999, and rebranded again as Forcepoint in 2016) is a user and data protection cybersecurity company with a long history in this space.
The Forcepoint ZTNA solution is part of the Forcepoint ONE platform, which provides granular access control, threat protection, and DLP. Forcepoint ONE delivers these controls through a cloud access security broker (CASB) for corporate SaaS and IaaS tenants, a secure web gateway (SWG) for any public website, and ZTNA for private web applications. Forcepoint ZTNA also provides access control for non-HTTP(S) applications such as SSH and RDP. This technology came to Forcepoint with its acquisition of Bitglass in October 2021, and it replaces Forcepoint’s legacy private access solution.
ZTNA solutions are notable for how much of a traditional VPN’s attack surface they remove. MFA is available for both VPN and ZTNA, but the Forcepoint ZTNA solution adds a method to detect “impossible travel” (two logins geographically too far apart for the time between them) and dynamically require MFA for that authentication. This feature, along with SAML-based identity provider integrations, provides adequate support for identity-based authentication schemes. The Forcepoint ONE platform can also sync users and groups with Azure AD using the SCIM API, and with Active Directory using an included AD sync agent.
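The impossible-travel check described above, written out as an added example (this is not Forcepoint’s code, and nothing about its internals is implied). It compares each login against the user’s previous one and returns a step-up-MFA decision when the distance could not have been covered at a plausible speed. The geo-IP table, the speed threshold and the login events are constructed for the example; a real deployment would use a geo-IP database and the identity provider’s authentication log.

```python
"""Impossible-travel check over login events (added example, standard library only)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for a geo-IP lookup: ip -> (label, latitude, longitude).
GEOIP = {
    "203.0.113.7": ("Austin, US", 30.27, -97.74),
    "192.0.2.9": ("Dallas, US", 32.78, -96.80),
    "198.51.100.22": ("Frankfurt, DE", 50.11, 8.68),
}

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner cruise speed; tune per organization (assumed value)
MIN_DISTANCE_KM = 50.0     # ignore geo-IP jitter within one metro area (assumed value)


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    src_ip: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one finding per login that exceeds max_kmh relative to the user's previous login.

    The distance is compared against max_kmh * elapsed_hours instead of dividing by the
    elapsed time, so two logins with identical timestamps are handled without a
    division by zero (they are simply flagged if the distance is non-trivial).
    """
    findings = []
    last = {}  # user -> (Login, geo tuple of the previous login with geo data)
    for ev in sorted(events, key=lambda e: e.ts):
        loc = GEOIP.get(ev.src_ip)
        if loc is None:
            continue  # no geo data: this check cannot judge; leave it to other signals
        prev = last.get(ev.user)
        if prev is not None:
            pev, ploc = prev
            km = haversine_km(ploc[1], ploc[2], loc[1], loc[2])
            hours = max((ev.ts - pev.ts).total_seconds(), 0) / 3600.0
            if km > min_km and km > max_kmh * hours:
                findings.append({
                    "user": ev.user,
                    "from": pev.src_ip,
                    "to": ev.src_ip,
                    "km": round(km),
                    "hours": round(hours, 2),
                    "action": "require_mfa",
                })
        last[ev.user] = (ev, loc)
    return findings


def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed authentication events.
SAMPLE_EVENTS = [
    Login("alice", _t("2022-03-01T09:00:00"), "203.0.113.7"),    # Austin
    Login("alice", _t("2022-03-01T09:40:00"), "192.0.2.9"),      # Dallas 40 min later: plausible
    Login("alice", _t("2022-03-01T10:30:00"), "198.51.100.22"),  # Frankfurt 50 min later: impossible
    Login("bob", _t("2022-03-01T09:00:00"), "203.0.113.7"),
    Login("bob", _t("2022-03-01T12:00:00"), "203.0.113.7"),      # same place: no finding
    Login("bob", _t("2022-03-01T12:05:00"), "10.0.0.5"),         # no geo data: skipped
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_EVENTS):
        print(finding)
```

The check deliberately acts on the previous *geolocated* login only: an RFC 1918 source with no geo data neither raises nor clears a finding, which is the right default when the signal is simply absent.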
A major consideration in choosing a ZTNA solution is how it will handle unmanaged devices. The Forcepoint ZTNA solution can apply ZTNA principles to HTTP(S) applications your organization maintains, in the cloud or on-premises, from an unmanaged device, with granular access control, DLP, and threat protection for data in motion. For private non-HTTP(S) applications (SSH, RDP, and so forth), however, the Forcepoint agent must be present on the endpoint, and only granular access control is supported.
This solution provides simple integrations with many identity providers, such as Okta, CyberArk, and Google, as well as integrations with SIEMs, security orchestration, automation, and response (SOAR) platforms, data classifiers, and threat intelligence feeds from CrowdStrike, Bitdefender, and Webroot.
Strengths: Forcepoint offers built-in DLP and threat protection for HTTP(S) apps, UEBA capabilities for any app, and many integrations out of the box; its novel technologies ensure compatibility, granular control, and ease of use.
Challenges: Unmanaged device support lags behind the competition; it offers only limited legacy application support (SSH and RDP).
Fortinet
Fortinet is known for its first product, the FortiGate firewall, as well as for its robust solutions to common network security issues. Fortinet was founded in 2000 in Sunnyvale, California, by the Xie brothers, Ken and Michael. Since then, Fortinet has expanded its portfolio to include over 60 solutions, including ZTNA as an integrated capability within the FortiGate firewall solution and the FortiSASE SaaS solution.
The Fortinet ZTNA solution is delivered in two models: self-managed, wherein the customer acquires the FortiGate hardware, VM, or cloud image, and administers it; and a SaaS model that allows a customer to leverage the FortiSASE solution, which can be thought of as a firewall as a service (FWaaS) that includes ZTNA capabilities. Both models leverage the FortiClient endpoint software, which can be installed on Windows, Linux, and Mac devices to obtain contextual information.
Fortinet is a dominant player in the firewall space, and many organizations seeking a ZTNA solution may have FortiGate firewalls already installed. For such organizations, the Fortinet solution may be more rapid to deploy and offer the lowest TCO option available because ZTNA capabilities are included in FortiGate licensing by default. Further, because the ZTNA solution is based on FortiClient, which is often already deployed, the transition to ZTNA from VPN takes very little work.
ZTNA solutions need to provide access for devices of all types, both managed and unmanaged. The Fortinet ZTNA solution falls short of some of its competition in mobile device support. This is acknowledged and the company expects to have a working solution in the near future.
Turning to the key criteria, the Fortinet ZTNA solution leverages the Fortinet Security Fabric, which correlates data from participating Fortinet solutions while also standardizing third-party connections. This means the ZTNA solution can use the numerous IAM and MFA integrations (Okta, Ping, Centrify, and others) that are part of the extended Fortinet ecosystem.
An area where the Fortinet ZTNA solution excels is in the integration of UEBA-like features, as well as additional advanced security capabilities like DLP. Because the FortiGate firewall is the basis of the ZTNA solution, the ZTNA solution is able to incorporate FortiGate UEBA and DLP functionality. This enhanced focus on practical security solutions integrated with ZTNA should not be undervalued.
Legacy application support is another strong suit for the solution, both on-premises and in the cloud. Support for legacy applications includes RDP, SSH, Telnet, FTP, SMB, and other TCP-based protocols, and there’s a continuing effort to add additional protocol support.
Finally, the ZTNA solution includes superb session-monitoring capabilities because of the features it derives from the FortiGate platform. Session monitoring includes not just source and destination information but also any security events that have occurred, as well as exceptions. For the best session-monitoring outcomes, an additional investment in FortiAnalyzer is suggested, although (depending on the FortiGate model) enough recent event data may already be stored on the appliance itself.
Strengths: Fortinet has excellent practical security integrations (UEBA, DLP, session monitoring); it offers easy deployment methods, good support for legacy applications, and enhanced capabilities derived from a mature Security Fabric solution.
Challenges: This solution lacks mobile device support; unmanaged devices (those without agents) lose some of the capabilities.
Menlo Security
Founded in 2013 to address the growing concerns associated with cloud security, Menlo Security is now based in Mountain View, California, and has built its reputation on its flagship product, which isolates endpoints from internet-borne web and document malware.
Menlo joins the ZTNA space with its Menlo Private Access (MPA) solution, which enables zero-trust network access via a simplified cloud-enabled platform with seamless access across both managed and unmanaged devices.
MPA focuses on simplicity for both users and IT teams. For example, a zero-touch deployment method covers all devices and many use cases, reducing the overhead other ZTNA solutions impose during deployment. Integrations with IAM and MFA solutions, like Okta, Duo, or PingIdentity, are available out of the box. For IaaS providers like AWS and Azure, MPA extends ZTNA coverage to those workloads. SaaS applications, such as Google Workspace or Office 365, can be managed by ZTNA or via the more traditional approach of a CASB; the Menlo CASB is licensed separately from the ZTNA solution.
MPA’s zero-touch deployment method makes providing secure access to applications for unmanaged devices nearly effortless. The method does not require importing an SSL certificate, nor does it require using custom DNS records like some solutions do.
Though MPA’s unmanaged device solution is quite remarkable, applications hosted on-premises require a client on the endpoint. While this isn’t uncommon, some solutions in this space are able to deliver on-premises applications without that requirement for agents. Despite this drawback, the MPA solution offers exemplary performance with its built-in security controls such as DLP, sandboxing of malicious code, and content scanning. However, UEBA capabilities, a key functionality found in at least one other ZTNA solution, are lacking. Integrations with a separate UEBA platform are possible, but that capability is not native to the solution.
The Menlo security platform has a lot of capabilities, which, in addition to ZTNA and other solution modules, include CASB, SWG, phishing protections, sandboxing, and DLP. It also has some drawbacks, such as its legacy application support.
Strengths: Menlo Security’s solution has strong DLP and other security features, zero-touch deployment, simplified administration and user experience, and other features available within the platform for additional license cost.
Challenges: Legacy non-browser-based applications require a client; no built-in UEBA-like capabilities; SaaS applications can be reached through MPA, but for applications exposed on the internet the Menlo CASB provides better security.
Palo Alto Networks
Palo Alto Networks, a long-time power player in the networking space, found a natural fit in the ZTNA market with its Prisma Access solution. Prisma Access is a part of the larger Prisma platform, which focuses on cloud security. This includes posture management, workload protections, and network security.
Prisma Access is a cloud-delivered service that provides secure access to both the internet and your applications, hosted either on-premises or with a cloud IaaS provider. This solution sits between all user and application traffic, so it’s able to provide robust security services like DNS security, DLP, and application security for both managed and unmanaged endpoints. Prisma Access has two primary architectures, one that leverages the GlobalProtect agent and one that is agentless; they can be deployed and operated in tandem for different ZTNA use cases.
All detections and actions, from both users and applications, are logged and all logs are sent to the Cortex Data Lake (included) for additional analysis and historical review. Missing from this solution are UEBA-like capabilities, although UEBA is available with additional licensing through the Prisma platform.
A vital feature of a ZTNA solution is its extensibility. Determining how well the solution will work in conjunction with existing technology can be a critical component of an organization’s decision-making process. Prisma Access provides both a fully documented RESTful API and integrations with other firewall and ZTNA vendors through the adoption of industry-standard protocols. In addition, Palo Alto Networks customers using Panorama to manage their devices can use it to manage this solution as well.
Support for legacy applications is provided through the solution’s Private App Access feature, leveraging the service connection component. This component creates a secure tunnel between on-premises or IaaS locations and the Prisma Access cloud, where access to legacy applications is controlled the same way it is for other applications.
The solution is licensed using a four-tiered model with features increasing as tiers scale, starting with Business (the lowest-cost option), moving up to Business Premium, then ZTNA (mobile only), and finally Enterprise. If an organization needs to provide legacy application connections through the solution, the Enterprise license with the add-on for that feature is the only choice. DLP, IoT, and SaaS application security are additional licenses that can be added to the other license tiers.
Strengths: Security controls like DLP are built in; unmanaged device support is simplified; extensibility and licensing provide great flexibility.
Challenges: Legacy application support may not provide broad enough coverage; no built-in UEBA features.
Perimeter 81
Founded in Tel Aviv, Israel, in 2018, Perimeter 81 has grown from a startup into a successful player in the ZTNA solution space. Perimeter 81 focuses on delivering cybersecurity solutions in a “radically simple” way. Its solution portfolio includes ZTNA and FWaaS. All Perimeter 81 solutions are SaaS models.
Like its competitors, the Perimeter 81 ZTNA platform has a heavy emphasis on simplicity. This is immediately evident from the intuitive interface that greets administrators, listing a handful of common areas in which ZTNA solutions require configurations. Actions available on the main menu with guided instructions include managing administrator teams and onboarding users, adding applications and devices, and creating policies. This method of delivery is a refreshing departure from the usual, not just for security solutions, but most IT solutions.
The solution makes integrating with IAM and MFA providers easy. While it’s possible to use built-in IAM, leveraging a user’s email and password, the solution offers simple integrations with Google Workspace, Okta, Microsoft Azure AD, and other SAML 2.0 identity providers. In fact, a full identity provider integration can be achieved in as little as three steps. Integrations with IaaS resources are just as straightforward and allow the solution to be rapidly deployed when compared to its competition.
Do note that integrations exist only for identity providers, MFA solutions, and resources that need secure remote access provided. Currently, there’s no integration with a threat intelligence service, endpoint security platform, or other security feature. Moreover, this solution is currently unable to provide ZTNA to SaaS solutions like G Suite and Microsoft Office 365, though Perimeter 81 has indicated it will be releasing a CASB add-on at some point in 2022 that will provide this functionality.
A standout feature of the solution is its ability to automate user provisioning and deprovisioning through the SCIM protocol. Simplicity and automation have never been as important as they are today, given the realities of the security labor market.
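To make concrete what SCIM provisioning and deprovisioning involve on the ZTNA side (the Forcepoint Azure AD sync above and the Perimeter 81 feature here), the following is an added example and not Perimeter 81’s or any vendor’s code. It models the service-provider half of SCIM 2.0 that an identity provider calls: create a user, apply a PatchOp, delete, and filter by userName. The security point it carries is that setting `active` to false only deprovisions a user if the broker also tears down that user’s live sessions; the session table here is a constructed stand-in for the broker’s real one, and the `"True"`/`"False"` string handling reflects that some identity providers send booleans as strings.

```python
"""Minimal SCIM 2.0 user handling with session revocation on deprovisioning (added example)."""
import re
import uuid
from dataclasses import dataclass

SCHEMA_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCHEMA_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimError(Exception):
    """Carries the HTTP status and scimType the endpoint would return."""
    def __init__(self, status, scim_type):
        super().__init__(f"{status} {scim_type}")
        self.status, self.scim_type = status, scim_type


def _as_bool(value):
    # Accept real booleans and "true"/"false" strings; anything else is invalid input.
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ScimError(400, "invalidValue")


@dataclass
class User:
    id: str
    userName: str
    active: bool


class ScimDirectory:
    def __init__(self):
        self.users = {}     # id -> User
        self.sessions = {}  # session id -> user id (constructed stand-in for the broker's table)

    def _get(self, uid):
        if uid not in self.users:
            raise ScimError(404, "notFound")
        return self.users[uid]

    def create(self, payload):
        if SCHEMA_USER not in payload.get("schemas", []) or not payload.get("userName"):
            raise ScimError(400, "invalidValue")
        name = payload["userName"]
        if any(u.userName.lower() == name.lower() for u in self.users.values()):
            raise ScimError(409, "uniqueness")  # userName is unique, compared case-insensitively
        uid = str(uuid.uuid4())
        self.users[uid] = User(uid, name, _as_bool(payload.get("active", True)))
        return self.resource(uid)

    def patch(self, uid, body):
        if SCHEMA_PATCH not in body.get("schemas", []):
            raise ScimError(400, "invalidSyntax")
        user = self._get(uid)
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                raise ScimError(400, "invalidValue")  # add/remove are out of scope here
            # Either "path": "active" with a scalar value, or no path and {"active": ...} as value.
            attrs = {op["path"]: op["value"]} if "path" in op else dict(op["value"])
            for attr, value in attrs.items():
                if attr == "active":
                    user.active = _as_bool(value)
                    if not user.active:
                        self.revoke_sessions(uid)  # deprovisioning must end live access too
                elif attr == "userName":
                    user.userName = value
                else:
                    raise ScimError(400, "mutability")
        return self.resource(uid)

    def delete(self, uid):
        self._get(uid)
        self.revoke_sessions(uid)
        del self.users[uid]

    def filter_users(self, expr):
        # Supports the one filter identity providers issue on first sync: userName eq "value"
        m = re.fullmatch(r'userName\s+eq\s+"([^"]*)"', expr.strip(), re.IGNORECASE)
        if not m:
            raise ScimError(400, "invalidFilter")
        wanted = m.group(1).lower()
        return [self.resource(u.id) for u in self.users.values() if u.userName.lower() == wanted]

    def resource(self, uid):
        u = self._get(uid)
        return {"schemas": [SCHEMA_USER], "id": u.id, "userName": u.userName, "active": u.active}

    # Session side of the broker: only active identities may open sessions.
    def open_session(self, uid):
        if not self._get(uid).active:
            raise PermissionError("user is deprovisioned")
        sid = str(uuid.uuid4())
        self.sessions[sid] = uid
        return sid

    def revoke_sessions(self, uid):
        revoked = [sid for sid, owner in self.sessions.items() if owner == uid]
        for sid in revoked:
            del self.sessions[sid]
        return len(revoked)
```

When evaluating a vendor’s SCIM support, the test to run is exactly the one this models: provision a user, open a session as that user, flip `active` to false from the identity provider, and confirm the session is gone rather than left to expire on its own.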
As with most other vendors in the space, additional practical security technologies like UEBA and DLP are not available within the solution itself. And while Perimeter 81 has UEBA-like features on its long-term roadmap, it did not assign a quarter for delivery of those services. In addition, while session-monitoring capabilities provide plenty of help for the administration of the platform, they are only adequate in terms of security utility.
A plus is the solution’s ability to secure most legacy applications and protocols, like HTTP(S), SSH, RDP, and VNC. Additionally, the solution provides ZTNA for VoIP protocols, a standout feature in this space.
Perimeter 81’s ZTNA solution is not only simple and intuitive, but it’s clear that great effort has been put into selecting, testing, and implementing integrations with third parties like Okta and AWS. This level of integration maturity is achieved only by a few vendors in this space, possibly none of which have executed on the idea as well as Perimeter 81. Licensing is simple and based on the number of users and the number of gateways. This makes costs predictable, which also helps in comparing vendors.
Strengths: Simple administration facilitates rapid deployment; easy-to-understand licensing; SCIM protocol support for automation; a well-rounded solution with plenty of features.
Challenges: No UEBA or other advanced security controls and currently unable to provide ZTNA for SaaS solutions (CASB will bring this feature into the platform soon).
Zscaler Private Access
Founded in 2008 and based in San Jose, California, Zscaler is known for its secure web gateways and proxy functionality. Both of these technologies leverage its core platform, the Zero Trust Exchange (ZTE). The ZTE enables fast, secure connections and allows employees to use the public internet as though it’s an extension of their corporate network. Based on the zero-trust principle of least-privileged access, it provides comprehensive security using context-based identity and policy enforcement. This core platform serves as the basis upon which the Zscaler ZTNA solution, called Zscaler Private Access (ZPA), is built.
Because ZPA is a SaaS solution that leverages a connector on-premises or in IaaS services, legacy or bespoke application support is generally good. Support includes the ability to handle both HTTP(S) and non-HTTP(S)-based application traffic.
An interesting feature of the ZPA solution not found in other vendors’ products is the application discovery capability. This feature discovers and inventories applications as they are identified in the network traffic, which provides deep insights into an organization’s infrastructure beyond what’s normally available.
A browser-based ZTNA offering is a critical component of a successful ZTNA solution for most organizations. The Zscaler solution supports browser-based access, which doesn’t need an agent installed. Additionally, support for SAML and SCIM allows deeper integrations into existing authentication infrastructure. This in turn creates a simplified experience for users on unmanaged devices.
The Zscaler ZPA solution logs typical ZTNA data such as user IDs, connection sources, resources requested, and time of request. Additionally, ZPA provides a pipeline through which to send event data into a SIEM for enhanced analysis or correlation. This integration enriches SIEM data with valuable context that can improve security operations. However, security analytics of that data within the ZPA solution itself is lacking, including any UEBA-like capability, so organizations will rely on external solutions like UEBA and SIEM to perform these functions.
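Both the Cloudflare and Zscaler sections note that the session records are collected but not analyzed for threats within the product. The following added example (not Zscaler’s, Cloudflare’s, or any vendor’s code) shows the kind of UEBA-lite analysis that would otherwise be left to an external SIEM: it builds a per-identity profile of applications, source countries and hours of use from past session records, then scores new records against it. The records, the list of sensitive applications, the weights and the threshold are all constructed for the example.

```python
"""Baseline-and-deviation scoring over ZTNA session records (added example, standard library only)."""
from collections import defaultdict
from datetime import datetime

# Applications whose first-time use by an identity gets extra weight (constructed list).
SENSITIVE_APPS = {"ssh-prod", "rdp-jump"}

# Assumed weights; a real deployment would tune these against its own false-positive rate.
WEIGHTS = {"new_app": 1, "new_sensitive_app": 2, "new_country": 2, "unusual_hour": 1, "unknown_user": 3}


def build_profiles(records):
    """user -> {"apps": set, "countries": set, "hours": set} from historical session records."""
    profiles = defaultdict(lambda: {"apps": set(), "countries": set(), "hours": set()})
    for r in records:
        p = profiles[r["user"]]
        p["apps"].add(r["app"])
        p["countries"].add(r["src_country"])
        p["hours"].add(datetime.fromisoformat(r["ts"]).hour)
    return dict(profiles)


def score_session(record, profiles):
    """Return the record annotated with a score and the reasons that produced it."""
    reasons = []
    profile = profiles.get(record["user"])
    if profile is None:
        reasons.append("unknown_user")  # an identity with no history is itself a signal
    else:
        if record["app"] not in profile["apps"]:
            reasons.append("new_app")
            if record["app"] in SENSITIVE_APPS:
                reasons.append("new_sensitive_app")
        if record["src_country"] not in profile["countries"]:
            reasons.append("new_country")
        hour = datetime.fromisoformat(record["ts"]).hour
        # An hour counts as usual if the user was seen in it or in an adjacent hour.
        if not ({(hour - 1) % 24, hour, (hour + 1) % 24} & profile["hours"]):
            reasons.append("unusual_hour")
    return {**record, "score": sum(WEIGHTS[r] for r in reasons), "reasons": reasons}


def triage(new_records, history, threshold=3):
    """Score new records against the history and return those at or above threshold, worst first."""
    profiles = build_profiles(history)
    scored = [score_session(r, profiles) for r in new_records]
    return sorted((s for s in scored if s["score"] >= threshold), key=lambda s: -s["score"])


# Constructed session history: identity, source, resource, time (the fields the text lists).
HISTORY = [
    {"user": "alice", "src_country": "US", "app": "wiki", "ts": "2022-03-01T14:05:00"},
    {"user": "alice", "src_country": "US", "app": "jira", "ts": "2022-03-02T09:30:00"},
    {"user": "alice", "src_country": "US", "app": "wiki", "ts": "2022-03-03T16:45:00"},
    {"user": "bob", "src_country": "US", "app": "ssh-prod", "ts": "2022-03-01T10:10:00"},
    {"user": "bob", "src_country": "GB", "app": "ssh-prod", "ts": "2022-03-02T11:00:00"},
]

# Constructed new sessions to score against that history.
NEW = [
    {"user": "alice", "src_country": "US", "app": "wiki", "ts": "2022-03-04T15:00:00"},      # routine
    {"user": "alice", "src_country": "DE", "app": "ssh-prod", "ts": "2022-03-04T03:10:00"},  # new app, country, hour
    {"user": "bob", "src_country": "GB", "app": "ssh-prod", "ts": "2022-03-04T10:30:00"},    # routine
    {"user": "mallory", "src_country": "US", "app": "wiki", "ts": "2022-03-04T12:00:00"},     # no profile
]

if __name__ == "__main__":
    for hit in triage(NEW, HISTORY):
        print(hit["user"], hit["score"], hit["reasons"])
```

The reasons list is what makes this usable in a SIEM: an analyst sees why a session scored, and a detection engineer can check which reason is generating noise before adjusting a weight.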
ZPA uses a capability-tiered approach for licensing. There are three tiers. The bottom tier provides ZTNA to applications but with a limit on the number of application segments that can be created (effectively limiting the level of control you can exert over your remote connections) and no support for unmanaged devices. The middle and top tiers build on the core capabilities and add additional features, like unmanaged device support, additional application segments, app-to-app segmentation for hybrid and multicloud environments, integrated app protection to stop compromised users and insider threats, native app deception to detect sophisticated attackers, privileged remote access for admin access over RDP/SSH, user-to-device segmentation for IIoT/OT devices, and identity-based microsegmentation.
Strengths: ZPA includes great support for legacy applications and unmanaged devices, and its licensing model can be customized to each organization.
Challenges: ZPA has modest session-monitoring capabilities and no built-in UEBA functionality.
6. Analyst’s Take
Zero-trust network access is a technology sector that’s nearly equal parts marketing bravado and raw capability. It can be difficult to parse what features an organization can expect to derive the most value from, but there are certain features most organizations will need. For starters, the ability to control access from both managed and unmanaged devices will continue to be important as the BYOD and work-from-anywhere trends continue to predominate. Moreover, reducing the required administrative overhead through clever automation (like the SCIM protocol) will reduce the impact a ZTNA solution has on your organization’s security staff.
Adopting a ZTNA solution not only reduces risk when compared to an over-provisioned VPN, it can also be a way to reduce the workload on security staff. That said, however, some features that are commonly associated with ZTNA depend on an organization already using an identity provider. If that’s not the case in your organization, an effort should be made to prioritize the selection of one with an eye toward those that can facilitate your zero-trust journey. Though most ZTNA solutions can proceed without a modern enterprise IdP, these technologies are best deployed together.
As with most technology decisions, looking first at vendors already inside an organization’s technology stack can make the selection process simpler. Akamai, Cloudflare, Cisco, Citrix, Fortinet, Palo Alto Networks, and Zscaler are all vendors with broad solution portfolios. If a solution from one of these vendors already exists in your organization, this could be a great opportunity to streamline the deployment process and keep administrative overhead to a minimum.
There are times, however, that platform solutions from such vendors don’t meet your needs or are simply too complex or expensive. Vendors like Appgate, Banyan Security, Forcepoint, Menlo, and Perimeter 81 offer focused ZTNA solutions delivered from a cloud-first perspective, and they may better suit your requirements.
7. About Chris Ray
Chris Ray is a veteran of the cybersecurity domain. He has a collection of experiences ranging from small teams to large financial institutions. Additionally, Chris has worked in healthcare, manufacturing, and tech. More recently he has acquired extensive experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cybersecurity services.
8. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.