Who is selling Zero Trust Network Access (ZTNA) and what do you get?

A roundup of eight vendors who are offering a variety of cloud-based services that support the ZTNA framework


Vendors jump on the ZTNA bandwagon but offerings vary

The surging interest in Zero Trust has pushed many security vendors into offering products that are all labeled as Zero Trust, but often have different capabilities. "The vendor community has been quick to promote ZT via marketing, leading to a backlash against the hype," says Holmes.

"What IT leaders need to know is that Zero Trust isn’t just a shopping exercise, however much it helps unlock budget," he says. It’s not something you can simply buy and plug in. An organization still needs a cogent approach to data classification, and someone needs to audit employee and third-party privileges. "Both of these are non-trivial, and usually manual tasks," Holmes notes.

Here is a roundup of the types of ZTNA offerings that are available from some of the leading vendors (in no particular order):

Akamai: Cloud-based secure remote access

Akamai's Zero Trust offerings stem directly from the vendor’s own experience implementing a ZTNA model for its more than 7,000 workers. Akamai’s core offerings in the ZTNA category are Enterprise Application Access (EAA) and Enterprise Threat Protector (ETP).

Akamai EAA is designed to enable secure remote access to internal resources from anywhere at any time. It is an identity-aware proxy targeted at companies that want to replace or augment their VPNs and other legacy remote access technologies.

Akamai says EAA enables organizations to provide the right users with the right level of access to the right apps when needed and from anywhere. Akamai ETP is a secure web gateway (SWG) for protecting apps in the cloud against phishing, malware, zero day attacks, and other threats.

Gartner lists Akamai among its top five vendors by way of revenues in the ZTNA market. Forrester identifies it as a good fit for organizations that want managed services around ZTNA.

Integration is one area that the analyst firm believes Akamai can improve. "Like many vendors, the Akamai endpoint agent for ZTNA is needlessly separate from Akamai’s other endpoint agents," says Forrester.

Zscaler: Cloud-based application isolation and protection

Zscaler, another of Gartner's top vendors by ZTNA revenue, focuses on isolating application access from network access to reduce the risk that compromised or infected devices pose to the network.

Zscaler Private Access is a cloud-native service based on a security service edge framework. It is designed to provide direct connectivity to enterprise applications running on premises or in the public cloud. The service includes capabilities for protecting against unauthorized access and lateral movement by ensuring that applications can only be accessed through the platform. Access to enterprise apps is restricted to users who are authorized and authenticated to access a particular app or service.

Like many other ZTNA vendors, Zscaler has positioned its services as designed for organizations ready to shed VPNs, firewalls, and other conventional approaches to securing remote access to apps and services.

Forrester considers Zscaler's service highly scalable and particularly well suited for organizations already using its technologies for outbound security. One area where Forrester believes Zscaler can add more support is server-initiated applications such as VoIP and SIP.

Cloudflare: Managed service for authentication and access control

Cloudflare's ZTNA offering is a managed service that is designed to give organizations a way to replace VPN connections with universal policies that grant users access to internal applications based on identity and context. The service allows organizations two ways to connect to corporate resources. One is via a client-on-device model for access to non-HTTP applications, routing to private IP addresses, and remote desktop protocol (RDP) connections.

The other model is clientless, meaning a web browser is used for connections to web, secure shell protocol (SSH) and virtual network computing (VNC) applications.

Requests for access to corporate resources are privately routed through Cloudflare's Anycast network where they are evaluated against Zero Trust rules, using telemetry about the user's identity, device, and other context-based data.

For user authentication, Cloudflare Access supports multiple identity and access management platforms including Azure Active Directory, Okta, Citrix, Centrify and Google Workspace. Cloudflare Access can use telemetry from endpoint protection technologies such as those from CrowdStrike, Carbon Black, SentinelOne and others when evaluating device posture against an organization's Zero Trust rules.

Gartner identified Cloudflare as a representative vendor in the ZTNA-as-a-service category back in 2020. Forrester has lauded Cloudflare Access' integration with multiple identity and access providers. But one area the analyst firm believes that Cloudflare can improve is integration with endpoint security controls.

Appgate: Offers self-hosting option for access control

Appgate's ZTNA offering is called AppGate SDP. Like other Zero Trust access technologies, AppGate SDP uses device, identity, and context-based information—such as where an access request might be originating from—to provision least privileged access to enterprise resources. The Appgate SDP architecture is designed for hybrid, multi-cloud and on-premises enterprises and comprises two core components that can be consumed either as a service or as self-hosted appliances.

One of them is the Appgate SDP Controller, which serves as the policy engine and policy decision point. The SDP Controller manages tasks such as user authentication, access policies and entitlements for users seeking access to enterprise resources. A separate Appgate SDP Gateway serves as the policy enforcement point and controls access to resources based on the SDP Controller's decisions.

Appgate offers additional, optional components such as a Connector for IoT and branch office requirements, as well as a portal for enabling clientless, browser-based access to enterprise assets. Appgate SDP includes a single packet authorization (SPA) feature that ensures that an organization's Internet-facing resources are visible only to an authorized user.
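To make the Controller/Gateway split concrete, here is an added example (not Appgate's code, and not its real policy or packet format) of a policy decision point that evaluates identity, device posture and request context against per-app entitlements, and a policy enforcement point that stays silent unless a request carries a valid single packet authorization tag. The entitlement table, user directory, SPA key and packet fields are all constructed for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample data: per-app entitlements keyed by group, plus a posture requirement.
ENTITLEMENTS = {
    "payroll": {"groups": {"finance"}, "managed_only": True},
    "wiki":    {"groups": {"finance", "engineering"}, "managed_only": False},
}
USERS = {"alice": {"groups": {"finance"}}, "bob": {"groups": {"engineering"}}}
ALLOWED_COUNTRIES = {"US", "DE"}          # constructed context rule
SPA_KEY = b"constructed-shared-secret"    # per-client key the controller would provision

@dataclass
class Request:
    user: str
    app: str
    device_managed: bool
    disk_encrypted: bool
    country: str

def controller_decide(req: Request) -> bool:
    """Policy decision point: identity + device posture + context -> allow or deny one app."""
    user = USERS.get(req.user)
    rule = ENTITLEMENTS.get(req.app)
    if user is None or rule is None:
        return False
    if not (user["groups"] & rule["groups"]):            # identity: group entitlement
        return False
    if rule["managed_only"] and not req.device_managed:  # device posture: managed device
        return False
    if not req.disk_encrypted:                           # device posture: encryption
        return False
    if req.country not in ALLOWED_COUNTRIES:             # context: origin of the request
        return False
    return True

def spa_tag(client_id: str, ts: int, key: bytes = SPA_KEY) -> str:
    """Single packet authorization tag: HMAC-SHA256 over client id and timestamp."""
    return hmac.new(key, f"{client_id}:{ts}".encode(), hashlib.sha256).hexdigest()

def gateway_enforce(packet: dict, req: Request, now: int) -> str:
    """Policy enforcement point: drop silently unless SPA is valid, then apply the decision."""
    ts = packet.get("ts", 0)
    expected = spa_tag(packet.get("client", ""), ts)
    if abs(now - ts) > 30 or not hmac.compare_digest(expected, packet.get("tag", "")):
        return "drop"    # no reply at all, so the resource stays invisible to unauthorized senders
    return "forward" if controller_decide(req) else "deny"
```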

"Appgate is one of the few vendors in this space specializing in ZTNA without taking on the entire Zero Trust edge (ZTE/SASE) security model directly," Forrester has noted. The analyst firm sees the technology as a fit especially for companies that want to self-host their ZTNA capability.

Cisco: Three ZTNA options depending on use cases

Cisco has broken up its Zero Trust offerings into three separate categories: Cisco Zero Trust for the workforce; Cisco Zero Trust for workloads; and Cisco Zero Trust for the workplace.

The workforce offering is designed for organizations looking for a way to ensure only trusted users and devices have access to enterprise applications regardless of the location of the access request. The workload component is for organizations looking to implement a Zero Trust model for all APIs, microservices and containers that access enterprise applications on-premises, in the cloud and across virtual environments. Cisco Zero Trust for the workplace lets organizations enforce ZTNA policies for IT endpoint clients and servers, IoT and OT devices and Industrial Control Systems that need access to the enterprise network.

Cisco Zero Trust for the workforce is the component that is closest to the ZTNA offerings of other vendors. It is aimed at organizations that want to enable secure access to enterprise applications for employees and other third parties such as contractors, business partners and vendors. The technology enables security administrators to verify and authenticate user identities for each access request, identify risky devices and enforce contextual policies governing user access and device access to applications.

Gartner has ranked Cisco among its top five vendors by revenue in the ZTNA market. The core of Cisco's Zero Trust portfolio is based on technology from its acquisition of Duo Security and is therefore a good fit for organizations that have already bought into Duo technology, according to Forrester.

Citrix: Application-layer access controls for tighter security

Citrix's Secure Private Access is a cloud-delivered ZTNA offering for organizations that want a VPN alternative for enabling secure user access to corporate applications. Citrix has positioned the service as giving organizations a way to enforce adaptive authentication and access policies that control what users can access based on factors like location, behavior, and device posture.

For example, the technology is designed to automatically change what a user might be authorized to access if suspicious activity is detected, or to apply a watermark to a non-managed or personally owned device. Organizations can use the service to control user access to on-premises apps, web applications and cloud-hosted or SaaS applications.

Citrix Secure Private Access authenticates users at the application layer only, thereby preventing an attacker who might have gained access to the environment from using that foothold to move laterally on the network.

As with other ZTNA offerings, all application access is monitored continuously for suspicious activity or unexpected changes in device posture or behavior. Forrester has assessed Citrix as having a mature network gateway technology for securing access to on-prem applications because of its heritage as a virtual desktop and remote access provider. Organizations that have already invested in an on-premises Citrix infrastructure are well positioned to take advantage of its ZTNA offering, according to the analyst firm.

Netskope: Excels at fast rollout and ease-of-use

Netskope's Private Access (NPA) ZTNA is a component of the company's broader Security Service Edge technology portfolio. Organizations can use it to connect authenticated users to enterprise applications in on-premises data centers and public cloud environments. The technology offers organizations a way to separate application access from network access and ensure that users only have access to the specific resource to which they have been authorized. It allows security administrators to enforce granular access policies based on device posture, user identity and the group to which the user belongs. Netskope Private Access supports clientless browser access for organizations that want to enable secure remote access to private web applications or for third-party access to internal applications.

There are two deployment components to Netskope Private Access: a lightweight client that is installed on devices; and a so-called Private Access Publisher that initiates outbound connections from the enterprise to the Netskope cloud to mitigate the risk posed by inbound access requests. "Netskope excels at device posture security, and customers cite a fast, easy rollout taking weeks where others take months," according to Forrester. One area where the vendor can improve is support for more identity providers, the analyst firm has noted.

Forcepoint: Integrates ZTNA with broader SASE platform

Forcepoint's ZTNA offering is part of its broader Forcepoint ONE platform that also includes Forcepoint's Cloud Access Security Broker (CASB) technology and its Secure Web Gateway (SWG) service.

The technology offers organizations a way to enable agentless access to private apps in on-premises data centers and in the cloud. Users with managed and unmanaged devices can connect to enterprise apps either via browser shortcuts or via single sign-on portals like Ping Networks and Okta. Forcepoint also offers an agent-based option for organizations with legacy architectures and thick clients.

Organizations have the option of adding on Forcepoint's CASB and SWG to bolster their ZTNA implementation. The CASB component can help secure and simplify access to SaaS and IaaS tenants, while protecting against threats like malware and exfiltration of sensitive data. Organizations can tap Forcepoint's SWG to monitor interactions with websites based on factors like risk and suspicious activity.


Copyright © 2022 IDG Communications, Inc.
