ZTNA buyer’s guide: Who is selling Zero Trust network access and what do you get?

How-To
Aug 07, 2023 | 20 mins
Tags: Access Control, Akamai, Cisco Systems

Vendors offer a variety of approaches, from the browser to the cloud


Zero Trust network access (ZTNA) explained

The last few years have seen an explosion of interest in Zero Trust network access (ZTNA). The Zero Trust approach replaces the perimeter defense model with a “least privilege” framework where users authenticate to access specific data and applications, and their activities are continuously monitored.

ZTNA gained a boost in the wake of the COVID-19 pandemic, with more employees working remotely. The old perimeter defense model, exemplified by virtual private networks (VPNs), provides a secured internet connection that gives remote users privileges as if they were on an internal private network. This doesn’t match up with a Zero Trust mindset. And to make things worse, many organizations found that their infrastructure couldn’t handle the traffic loads created by large numbers of remote workers connecting via VPN.


In this buyer’s guide

  • Zero Trust network access (ZTNA) explained
  • What to look for in ZTNA products
  • Leading vendors for ZTNA
  • What to ask before buying ZTNA
  • Essential reading

What to look for in ZTNA products

Network and security vendors have responded by offering a suite of products and services that can complement or even replace VPN connectivity. These ZTNA tools use various network and application security techniques to apply Zero Trust principles to remote access. This involves monitoring user endpoints, using either agent-based or agentless techniques, to protect against illicit access.

But because Zero Trust is a framework (as described in NIST Special Publication 800-207, Zero Trust Architecture) rather than a specific technology, what gets labeled as ZTNA may have more to do with marketing than technology, and different offerings take different approaches and have different strengths.

“The vendor community has been quick to promote Zero Trust via marketing, leading to a backlash against the hype,” says David Holmes, a senior analyst at Forrester Research. Many vendors have also chosen to build ZTNA features into their larger suite of security tools rather than offering them as a standalone product or service.

Zero Trust also requires buy-in from organizations implementing it. “Zero Trust isn’t just a shopping exercise, however much it helps unlock budget,” Holmes says. It’s not something you can simply buy and plug in. An enterprise still needs a cogent approach to data classification, and someone needs to audit employee and third-party privileges. “Both of these are nontrivial, and usually manual, tasks,” Holmes notes.

Leading vendors for ZTNA

Here’s a snapshot of some of the offerings from leading vendors. A deeper dive can be found in the IDC MarketScape report “Worldwide Zero Trust Network Access 2023 Vendor Assessment.”

Akamai Enterprise Application Access: With Akamai EAA, users can access protected applications via a browser. There’s also a client-based alternative. Device profiling is built into the product’s policy enforcement capabilities, although it does not include data loss prevention (DLP) or threat detection features.

Organizations can integrate Akamai EAA with their existing identity service providers and multifactor authentication (MFA) systems. They can also use Akamai EAA with Akamai’s own MFA solution, along with the company’s network access control and microsegmentation tools.

Appgate: An early entrant into the ZTNA market, Appgate sports several features, including single-packet authorization, cloaked applications and access points, and clientless access, along with direct routing, which further shields protected resources. The solution can be deployed in a variety of ways, from cloud-hosted to on-premises.

A particular strength is Appgate’s support for several specialized network protocols, which makes it a strong candidate for operational technology (OT), internet of things (IoT), and industrial rollouts. It lacks native tie-ins to tools like DLP and the related set of technologies variously known as secure access service edge (SASE), secure service edge (SSE), and network edge security as a service (NESaaS), though third-party alliances can close those gaps.
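Single-packet authorization, mentioned above for Appgate, is the one ZTNA mechanism on this page that is simple enough to show end to end. The sketch below is an added illustration, not Appgate's protocol or wire format: the client sends one HMAC-authenticated datagram carrying a timestamp, a nonce and the port it wants; the gateway stays silent on anything that fails verification, rejects stale or replayed knocks, and opens a short-lived allow entry only for the knocking source address. The shared key, the 30-second window, the header layout and the in-memory dictionary standing in for a firewall rule are all assumptions made for the example.

```python
"""
Single-packet authorization (SPA) sketch: the client sends one
authenticated datagram; the gateway drops anything that fails
verification without responding, and opens a short-lived allow
entry only for a valid, fresh, unreplayed knock.

Added illustrative example, not Appgate's protocol or wire format.
The shared key, the time window and the in-memory allow-list standing
in for firewall rules are all assumptions.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed demo key; a real deployment provisions a per-client secret.
SHARED_KEY = b"demo-spa-key-not-for-production"
WINDOW_SECONDS = 30                 # knock must be within +/- this many seconds of gateway time
HEADER = struct.Struct("!IQ16sH")   # client_id_len, unix_ts, nonce, target_port
TAG_LEN = hashlib.sha256().digest_size


def build_knock(key: bytes, client_id: str, target_port: int,
                now: Optional[float] = None, nonce: Optional[bytes] = None) -> bytes:
    """Client side: header || client_id || HMAC-SHA256(key, header || client_id)."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16) if nonce is None else nonce
    cid = client_id.encode("utf-8")
    body = HEADER.pack(len(cid), ts, nonce, target_port) + cid
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaGateway:
    """Gateway side: verify, de-duplicate, then allow (src_ip, port) briefly."""

    def __init__(self, key: bytes, window: int = WINDOW_SECONDS) -> None:
        self.key = key
        self.window = window
        self.seen_nonces: dict = {}   # nonce -> time after which it can be forgotten
        self.allowed: dict = {}       # (src_ip, port) -> expiry time

    def _prune(self, now: float) -> None:
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        self.allowed = {k: t for k, t in self.allowed.items() if t > now}

    def receive(self, packet: bytes, src_ip: str, now: Optional[float] = None) -> bool:
        """Return True if the knock opened access; False means silently dropped."""
        now = time.time() if now is None else now
        self._prune(now)
        if len(packet) < HEADER.size + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        # Authenticate before parsing so a forger learns nothing from parse behaviour.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        cid_len, ts, nonce, port = HEADER.unpack(body[:HEADER.size])
        if HEADER.size + cid_len != len(body):
            return False
        if abs(now - ts) > self.window:          # stale or future-dated knock
            return False
        if nonce in self.seen_nonces:            # replay of a captured knock
            return False
        self.seen_nonces[nonce] = now + 2 * self.window
        self.allowed[(src_ip, port)] = now + self.window
        return True

    def is_open(self, src_ip: str, port: int, now: Optional[float] = None) -> bool:
        """What the packet filter would consult before accepting a TCP SYN."""
        now = time.time() if now is None else now
        expiry = self.allowed.get((src_ip, port))
        return expiry is not None and expiry > now
```

The gateway never answers a bad knock, which is what makes the protected service invisible to scanners; the nonce cache is kept for twice the acceptance window so that a captured packet cannot be replayed at the far edge of that window.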

Broadcom Symantec ZTNA: Originally developed by Luminate and now owned by Broadcom, Symantec ZTNA can operate with and without agents (though the latter is preferred) and includes a capability called mirror gateway that uses reverse proxying and browser isolation to allow some users to access but not download data.

Developers can use the Symantec ZTNA API to integrate the tool into DevSecOps automated practices. The platform is part of Broadcom’s broad suite of SSE/NESaaS offerings and is targeted at large enterprises.

Check Point Harmony Connect Remote Access: Check Point Software’s offering encompasses not only the secure enclave and resource portal models of modern ZTNA, but also a VPN-as-a-service feature, which is key for many organizations that still rely on VPN connectivity for some legacy purposes. Check Point’s VPN includes a device posture check, along with intrusion prevention and DLP features. 

Harmony Connect Remote Access is one of a suite of SSE/NESaaS tools from Check Point. The tool’s biggest drawback is that its cloud presence is still in its infancy: Check Point currently only partners with Amazon Web Services and Microsoft Azure.

Cisco Secure Client: Cisco Systems’ offering is a unified client that supports both VPN and ZTNA — which could be tempting to organizations still in transition or dependent on VPN connectivity. Cisco offers the flexibility to implement ZTNA App Connectors or backhaul VPN, and there’s also support for integration with third-party SD-WAN solutions.

Cisco Secure Client offers a unified dashboard for ZTNA and SSE/NESaaS management. There are plans for tighter integration with Cisco’s vast cybersecurity portfolio, though as of mid-2023 that’s still in progress. The offering as it exists today leans on other Cisco technologies, such as Duo and Umbrella Secure Cloud service, which could be a restraint for organizations that haven’t invested in Cisco kit — or a boon for those who have. 

Citrix Secure Private Access: Citrix Systems’ ZTNA technology is part of its larger remote access mission, and works with its VPN, virtual desktop, Citrix Enterprise Browser, and desktop-as-a-service (DaaS) offerings, with both cloud and on-premises options. It offers application discovery capability with workflows to automate application access definitions and policy rule creation, and it includes hundreds of templates for web applications with prefilled parameters and single sign-on for faster onboarding and configuration.

Citrix is one of the few vendors offering native client, native browser, and enterprise browser-based controls to support bring-your-own-device (BYOD), managed, and unmanaged devices. However, Citrix Secure Private Access is not part of a full SSE/NESaaS platform, and it does not offer formal integration with microsegmentation solutions.

Cloudflare Access: Cloudflare leverages its cloud content delivery expertise as part of its ZTNA offering: web application firewall, DDoS mitigation, and bot management join native threat detection capabilities based on machine learning algorithms trained across the company’s insights into internet traffic. The solution supports cloud and on-premises rollouts and managed or unmanaged user devices (including IoT), as well as strong support for Remote Desktop Protocol (RDP) applications.

Cloudflare Access doesn’t support some cloud-adjacent Zero Trust technologies, like microsegmentation, network access control, or MFA. Organizations can integrate with such tools via APIs, which may be beneficial for some shops but would be a learning curve for others.

Forcepoint One ZTNA: Forcepoint offers a cloud-native and cloud-routed ZTNA solution, with both agentless and agent-based deployment available. Forcepoint One has strong DLP integration and unique features like steganography.

Forcepoint’s SD-WAN and firewall products can serve as a ZTNA application connector, which makes it easy for existing customers to ramp up ZTNA. Its suite of offerings has a strong emphasis on compliance, offering predefined templates to help organizations achieve compliance and increase their security posture. On the downside, Forcepoint does not offer software-defined perimeter elements such as single-packet authorization, resource cloaking, or a dedicated microsegmentation solution.

Fortinet: Fortinet tightly integrates ZTNA into its Security Fabric ecosystem, which includes microsegmentation, identity management, MFA, security information and event management (SIEM), security orchestration, automation, and response (SOAR), endpoint detection and response (EDR), SD-WAN, and many other security and networking products. Fortinet’s ZTNA solution functions alongside its VPN through separate tunnels that can be open at the same time, depending on which applications the user is using. If you’re not a Fortinet customer, the ZTNA solution is not available as a standalone offering.

The ZTNA offering is one of the most competitively priced solutions in the industry and includes quarterly software updates with new features and capabilities.

Google BeyondCorp Zero Trust Enterprise Security: You might be surprised to see Google on this list, but its ZTNA offering is a component of the company’s widely used Chrome browser. Because no additional software or agents are required to run in the background, Google reduces complexity and allows for fast rollout. The system works with Google’s worldwide managed network and thus benefits from strong network performance.

The flipside is that Google’s browser-based solution is restricted to the Chrome browser and does not include a dedicated endpoint agent — a deal-breaker for some organizations. ZTNA is part of Google’s SSE/NESaaS offering, which integrates with tools from Palo Alto Networks.

Iboss: Iboss provides network security as a service with Zero Trust principles baked into its offering. The Iboss ZTNA service is based on a containerized architecture to enable the full stack of network security functionality, concealing all applications and resources behind its cloud edge service to protect against scanning and probing. User browsers are the clients, streaming all functionality and data as pixels rather than data or code, so no data ends up on users’ devices.

Iboss solutions are designed for enterprise users who have the luxury of learning a complex management system. The solution is not complemented by a traditional firewall, although Iboss notes that its on-premises cloud gateways can be deployed as firewalls if need be.

Lookout Secure Private Access: Lookout’s ZTNA product offering supports several deployment models, including agent and agentless, as well as inline, and cloud- or direct-routed. It’s also capable of enforcing DLP and document management policies.

Lookout’s agents consolidate access to the company’s entire security product line, and Lookout Secure Private Access provides deep integration with other Lookout SSE/NESaaS products and SD-WAN functionality. New customers that have found their current on-premises security provider’s ZTNA and SSE/NESaaS capabilities lacking may find Lookout’s ZTNA appealing.

Netskope Private Access: Netskope’s ZTNA offering is part of a broader SSE/NESaaS suite that also includes data protection and threat prevention capabilities. Netskope leverages its DLP and user analytics capabilities — the latter using dozens of signals and machine learning models to build a User Confidence Index score, which then translates to adaptive access controls across its ZTNA solution.

The ZTNA Next offering fully replaces VPN connections for customers and supports legacy applications, such as on-premises VoIP with specialized protocols that complicate existing ZTNA approaches. The original Netskope ZTNA product works with modernized web applications, but if legacy apps are important to you, you may need ZTNA Next.

Palo Alto Networks Prisma Access ZTNA: Palo Alto Networks’ ZTNA solution is part of its overarching security platform, which combines ZTNA, secure web gateway, and firewall as a service into a single product. The company has access to Google’s premium fiber network to ensure consistent quality of service across its portfolio. The solution benefits from integrations with the rest of Palo Alto’s SSE/NESaaS offering and will appeal to those considering other products and offerings from the company.

Prisma Access ZTNA provides support for all applications, current and legacy, and is very flexible when it comes to deployment models: out-of-band, inline, proxy-based, cloud-routed, or direct-routed via an agent, agentless, on-premises gateway/self-hosted, and containerized rollouts are all possible.

Skyhigh Private Access: Skyhigh Security provides a cloud-routed model for ZTNA that conceals and protects applications from unauthorized access or scanning. Skyhigh Private Access provides extensive DLP controls combined with advanced exact data matching (EDM), index document management (IDM), and optical character recognition (OCR). The offering also includes an inline sandboxing option that uses emulation to detect zero-day threats. It offers both agented and agentless access, supporting BYOD and mobile devices.

Skyhigh Security does not offer endpoint DLP natively; however, this functionality is included in the company’s larger suite, making Skyhigh Private Access an appealing add-on for its existing customers that have developed comprehensive DLP policies. The company offers several policy templates designed for highly regulated industries.

Sophos ZTNA: Sophos’s ZTNA is tightly integrated with the company’s endpoint solution. The two share an agent, along with threat telemetry and status and health information, to limit or revoke access rights in real time and protect against ransomware and other threats. Sophos’s ZTNA also integrates into the broader Sophos ecosystem, including its 24/7 managed detection and response service. 

Many of Sophos’s ZTNA advantages can be attributed to its tight integration with other Sophos products, so most Sophos ZTNA adoption is likely to stem from existing customers that are looking to strengthen end-to-end device security.

Zscaler Private Access: Zscaler is focused on cloud-based security services, and its ZTNA service is no different. All user and device traffic is passed through the Zscaler Zero Trust Exchange platform for comprehensive visibility and control and for a consistent security posture. The solution includes an AI-generated policy for automated segmentation of user-to-application access.

Zscaler performs its Private Access services in different data centers than Zscaler Internet Access. Zscaler builds its cloud to support low-latency applications, hosting Zscaler Private Access in additional data centers in Amazon Web Services locations, but not in certain remote geographies that don’t typically host business applications.

What to ask before buying ZTNA

Because every enterprise is different, you need to get a clear grasp on your specific needs, capabilities, and resources before engaging prospective vendors and then choosing specific solutions for ZTNA.

Remember: Zero Trust is not a product. It’s a framework, an architecture, a philosophy that can take many forms and requires quite a bit of time and effort to successfully implement.

Here’s a list of questions to ask vendors about how they can help your company embrace Zero Trust principles.

1. How can I leverage my existing security and networking infrastructure as part of a transition to ZTNA?

Enterprises have invested significant amounts of money over the years on security and networking hardware and software. One key challenge is making the transition to ZTNA while leveraging existing technology as much as possible.

Most companies already have pieces of the ZTNA puzzle in place, whether that’s identity management, access control, MFA, network segmentation, or policy management. But few have mastered all aspects of Zero Trust in a comprehensive, integrated, scalable, policy-driven manner.

2. What are the business goals the enterprise wants to achieve with Zero Trust and how can the vendor help make that happen?

Look for vendors that don’t launch discussions about Zero Trust by talking about technology, but that start out by asking you to define the business challenges you face and the benefits that you are seeking.

David Berliner, director of security strategy at SimSpace, a cyber-risk management company, says goals can include secure remote access for work-at-home employees, protecting sensitive data on premises and in the cloud, or boosting API security for software developers.

Companies need to identify how the vendor will tailor their solution to the business needs of their organization.

3. What’s the plan for managing identity and applying it to security controls across the enterprise network?

ZTNA vendors should level with customers and acknowledge that applying identity controls across an enterprise network is easier said than done, says Tim Silverline, vice president of security at Gluware, a network automation vendor. For example, many companies neglect to apply granular identity management in scenarios such as employee access to web applications.

Silverline says, “There are too many gaps right now and too many point solutions (such as web application firewalls) that try to fill in those gaps, but that don’t integrate well enough to be a single solution for all identity use cases.”

On the plus side, Silverline says more mature security organizations are leveraging tools such as extended detection and response (XDR) to try and smooth over integration complexities as much as possible.

4. How will the vendor help us prioritize what’s important so we can create an initial victory with Zero Trust and gain the confidence of staff and top management?

Den Jones, chief security officer at Banyan Security (not to be confused with the now-defunct Banyan Systems), advises enterprises to look for vendors that make the user experience a priority. Companies need to make Zero Trust as frictionless as possible, or else workers will find a way to get around any new security controls.

One approach is to deploy authentication based on digital certificates and phase out those annoying user names and passwords. When users are accessing their productivity apps via the cloud or other internet-facing apps and are doing so in a way that’s passwordless and backed up by multifactor authentication, they will be more accepting of other steps in the Zero Trust process that may affect their lives.

In addition, Jones says that upper management will take notice of this early success and will be more receptive to funding more complex Zero Trust projects, such as automating the continuous monitoring of user activity on the network.

Jones recommends that when an IT exec is explaining Zero Trust to top management, it’s best to keep it simple. He boils it down to three simple outcomes: People want to hear that Zero Trust will cost less, be easier for users, and improve overall security.

5. How will the vendor help us prioritize what data needs to be protected and help us continuously manage data across the enterprise from a Zero Trust perspective?

Dan Weiss, senior vice president of application and network security services at pen testing company GRIMM, says the industry has gone from “defining the network” in the old perimeter-centric world to “defining the data” as companies run today’s remote and hybrid networks.

Weiss says companies must start by performing asset discovery to find out what data the company has on the network, where it is stored and how it gets tracked. Then, identify which specific data assets are most sensitive, set up data classification policies, and automate the management and tracking of the assets.

6. How can we set up granular access controls for each user?

To implement ZTNA, companies need to understand their users. Who should log in and what should each user be allowed to do? For example, an accounts receivable person should only have access to certain folders once a month when bills get paid.

“The whole point of Zero Trust is for companies not to trust until the user is sufficiently verified,” Weiss says. “They have to be confident that this is the person they think it is, doing what they should be doing.” Setting up and enforcing access control throughout the user session is where many companies fall down, he says.

7. How will the vendor help us set up microsegments so we can shrink the attack surface and reduce gaps in the network?

Network segmentation has been around a long time, but Zero Trust takes the concept a step further to an extremely granular approach called microsegmentation.

In a Zero Trust network, companies can create a segment around a single endpoint or a single server with very restricted access. For example, traditionally, the HR department may have been on its own network segment, but now the director of HR might have their own segment with very defined firewall rules as to what they can and cannot do.

Under a microsegmentation approach, a payroll person could be allowed to access the payroll app, but not salary data. “It’s a lot more demanding on network configuration and network control,” Weiss says.
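Questions 6 and 7 both come down to the same thing: a policy decision point that evaluates every request against who is asking, from what device, for exactly which resource and action, and when, and that keeps re-evaluating for as long as the session lives. The following Python sketch is an added example, not any vendor's policy engine or policy language; the roles, applications, paths and the "first five days of the month" rule are hypothetical and chosen to mirror the accounts-receivable and payroll cases discussed above. Deny is the default; a posture gate runs first, explicit denies beat any allow, and a session whose device health changes is re-authorized on the spot.

```python
"""
Policy decision point (PDP) sketch for per-user, per-resource access
with continuous re-evaluation. Added illustrative example; the roles,
applications, paths and rules are hypothetical and not any vendor's
policy language. Each decision considers identity and MFA state,
device posture, the exact resource and action, and the time; an open
session is re-checked whenever posture changes.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    edr_healthy: bool          # health signal shared by the endpoint agent


@dataclass(frozen=True)
class Rule:
    role: str
    app: str
    resource_prefix: str
    actions: FrozenSet[str]
    days_of_month: Optional[range] = None   # time-bound entitlement, if any


# Hypothetical policy: narrow, per-application entitlements.
POLICY: Tuple[Rule, ...] = (
    # Accounts receivable may read and pay invoices only during the first five days of the month.
    Rule("accounts-receivable", "erp", "/ar/invoices/", frozenset({"read", "pay"}), range(1, 6)),
    # Payroll staff run payroll but, per the explicit deny below, never see salary records.
    Rule("payroll", "payroll", "/", frozenset({"read", "submit"})),
    # The HR director gets a segment of one: full access to the HRIS and nothing else.
    Rule("hr-director", "hris", "/", frozenset({"read", "write"})),
)
EXPLICIT_DENY: Tuple[Tuple[str, str], ...] = (("payroll", "/salary/"),)

Decision = Tuple[str, str]   # ("allow" | "deny", reason)


def device_posture_ok(subject: Subject, device: Device) -> bool:
    """Baseline every request must clear before any entitlement is consulted."""
    return subject.mfa_verified and device.managed and device.edr_healthy


def decide(subject: Subject, device: Device, app: str, resource: str,
           action: str, now: datetime) -> Decision:
    """Deny by default: posture gate, then explicit denies, then the first matching allow."""
    if not device_posture_ok(subject, device):
        return ("deny", "posture")
    for deny_app, deny_prefix in EXPLICIT_DENY:
        if app == deny_app and resource.startswith(deny_prefix):
            return ("deny", "explicit-deny")
    for rule in POLICY:
        if rule.role not in subject.roles or rule.app != app:
            continue
        if not resource.startswith(rule.resource_prefix) or action not in rule.actions:
            continue
        if rule.days_of_month is not None and now.day not in rule.days_of_month:
            continue
        return ("allow", f"rule:{rule.role}:{rule.app}")
    return ("deny", "no-matching-rule")


class Session:
    """An established connection that is re-authorized, not trusted, for its lifetime."""

    def __init__(self, subject: Subject, device: Device, app: str,
                 resource: str, action: str, now: datetime) -> None:
        self.subject, self.app, self.resource, self.action = subject, app, resource, action
        self.device = device
        self.decision = decide(subject, device, app, resource, action, now)

    def reevaluate(self, device: Device, now: datetime) -> Decision:
        """Called on a posture or time change; a deny here tears the session down."""
        self.device = device
        self.decision = decide(self.subject, device, self.app, self.resource, self.action, now)
        return self.decision
```

Two design points worth noting: the rule for the HR director is scoped to one application rather than one network, which is what "a segment of one" means once enforcement moves from the subnet to the application broker; and `reevaluate` is the hook a product's endpoint agent would drive, so a device whose EDR health drops loses an already-open session instead of keeping it until logout.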

8. What is the vendor’s breach notification policy and does it have a backup plan if our main identity management platform goes down?

Enterprise execs might not have asked this question of vendors ten years ago, but SimSpace’s Berliner says that in the wake of a recent Okta breach in which a major identity vendor was infiltrated, companies really do have to push back and ask the vendor what will happen in the event of a breach. And Okta is hardly alone in having been breached.

Enterprise customers need to consider not just the point failure; they must also think about the broader ramifications. Companies need to ask the following questions: What systems and users were exposed? What data was accessible? Was there lateral movement from a bad actor that could have bypassed our layers of defense? What’s my remediation strategy?

“In some cases, it’s a rip-and-replace depending on the severity,” Berliner said. “In others, it might be a limited breach that takes a single terminal or employee offline by revoking further access privileges.”

Berliner says ideally enterprises have teams that consistently practice dealing with the compromise of an identity solution — or a similar system in their Zero Trust architecture — so that they have the muscle memory for how to respond. It’s really important for companies to have teams set up for when the “big one” hits, whether it’s a breach of the identity system, a nation-state attack, or common breaches caused by employee user errors.

Essential reading