1. Executive Summary
Secure remote access provides numerous benefits to organizations, making it an essential component of their business operations. One of the primary advantages is that it enables employees to work from home or any location outside the office while maintaining secure access to company resources.
This feature has become increasingly popular in recent years, especially with the rise of remote, hybrid, and other flexible work arrangements. Moreover, secure remote access ensures that employees have continuous access to critical data and applications needed for their work, even after regular working hours. This guarantees that employees can respond promptly to urgent requests or alerts and work on important projects without being constrained by geographical or time limitations.
In the past, VPNs have been the conventional means of achieving secure remote access. VPNs offered an alternative to exposing internal systems’ remote access protocols, such as SSH and RDP, to the internet, where unauthorized individuals could attempt to establish a connection. By implementing a VPN, organizations gained greater control over who could access these remote access protocols.
However, VPNs have limitations in the control they offer since they often grant authorized users excessive access to internal networks and resources. Furthermore, VPNs do not account for the context in which legitimate users access resources through the VPN.
Zero-trust network access (ZTNA) addresses the limitations of VPNs by implementing an access model based on the user’s identity as well as the context of the connection request. For example, each time a connection is requested, the system establishes a trusted relationship with the user, unlike VPNs, which establish trust once and do not review it again. This approach ensures that access to internal networks and resources is restricted only to authorized users in specific contexts—such as location, time of day, and device type—providing enhanced security and control. By taking into account these contextual factors, ZTNA can effectively mitigate many risks that are left behind by VPNs.
This is our third year evaluating the ZTNA space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Radar report examines 23 of the top ZTNA solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading ZTNA offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.
GIGAOM KEY CRITERIA AND RADAR REPORTS
The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well ZTNA solutions are designed to serve specific target markets and deployment models (Table 1).
For this report, we recognize the following market segments:
- Small-to-medium business (SMB): SMBs are smaller, often locally focused companies with simpler IT requirements and limited resources. These organizations often value simplicity, ease of use, and all-inclusive approaches more than large enterprises.
- Large enterprise: Large enterprises are organizations with significant size and complex IT needs, often with global operations and diverse user bases. These organizations often value advanced features and integrations more than SMBs.
In addition, we recognize the following deployment models:
- Cloud only: All resources, including applications, data, and infrastructure, are hosted in the cloud, with no on-premises components.
- Hybrid: A mix of cloud and on-premises resources, allowing organizations to leverage the benefits of both, often used to support legacy applications.
Table 1. Vendor Positioning: Target Market and Deployment Model
| Vendor | Target Market: SMB | Target Market: Large Enterprise | Deployment Model: Cloud Only | Deployment Model: Hybrid |
|---|---|---|---|---|
| Absolute | | | | |
| Akamai | | | | |
| Appgate | | | | |
| Barracuda | | | | |
| Block Armour | | | | |
| Bowtie | | | | |
| Broadcom | | | | |
| Check Point | | | | |
| Cisco | | | | |
| Citrix | | | | |
| Cloudflare | | | | |
| Cradlepoint | | | | |
| Forcepoint | | | | |
| Fortinet | | | | |
| InstaSafe | | | | |
| Ivanti | | | | |
| Menlo Security | | | | |
| Nile | | | | |
| Palo Alto Networks | | | | |
| Portnox | | | | |
| SonicWall | | | | |
| Sophos | | | | |
| Zscaler | | | | |
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
- Identity verification
- Encrypted communication protocols
- Least privilege access
- Resource request context evaluation
- Centralized policy management
- Inspection and logging
- Cross-platform compatibility
Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.
- Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a ZTNA solution.
- Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
- Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.
These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating ZTNA Solutions.”
Key Features
- Cloud and SaaS integrations: Cloud and SaaS integrations enable ZTNA solutions to extend secure access to cloud-based applications and services, ensuring seamless and protected connectivity for users regardless of the application’s deployment model. This integration capability is essential for organizations adopting cloud technologies and SaaS solutions.
- Device posture assessment: Device posture assessment evaluates the security posture and health of user devices before granting access to resources, ensuring that only trusted and compliant devices are allowed. This capability helps enforce consistent security policies across all devices accessing sensitive data.
- Risk-based authentication: Risk-based authentication adapts authentication requirements based on contextual factors such as user behavior, device trust, and network location, providing an additional layer of security that goes beyond static authentication methods. This dynamic approach enhances security while improving user experience.
- Unmanaged device support: Unmanaged device support enables secure access for users on their personal devices, ensuring they can work productively without compromising security. This capability is essential for organizations embracing remote work and bring-your-own-device (BYOD) policies.
- Legacy application support: Legacy application support ensures that organizations can protect and control access to older, on-premises, or custom-built applications, providing a bridge to modern security frameworks without disrupting existing workflows.
- Session monitoring: Session monitoring provides continuous visibility and control over user sessions, enabling security teams to detect and respond to suspicious activities or policy violations in real time.
- Security policy customization: Security policy customization allows organizations to tailor access controls to their specific needs, ensuring that security policies align with their unique risk profiles and compliance requirements.
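The per-request access model described in the Executive Summary, together with the device posture assessment and risk-based authentication features listed above, can be sketched as a small policy decision function. This is an added example, not code from GigaOm or from any vendor in this report; the class names, posture fields, risk weights, thresholds, and sample requests are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_mfa"  # risk-based authentication: require a stronger factor
    DENY = "deny"


@dataclass(frozen=True)
class Device:  # posture attributes reported by a hypothetical agent
    disk_encrypted: bool = True
    os_patched: bool = True
    firewall_on: bool = True


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    resource: str
    country: str
    when: datetime  # assumed to be in the resource's local time
    device: Device
    mfa_verified: bool = False


@dataclass(frozen=True)
class Policy:
    allowed_groups: frozenset
    allowed_countries: frozenset
    work_hours: tuple  # (start, end) as datetime.time
    step_up_at: int = 30  # risk score that triggers step-up MFA
    deny_at: int = 60  # risk score that blocks the request outright


def hard_failures(req, pol):
    """Conditions that block access regardless of the risk score."""
    out = []
    if not (req.groups & pol.allowed_groups):
        out.append("user not in an authorized group")
    if req.country not in pol.allowed_countries:
        out.append("location not permitted")
    if not req.device.disk_encrypted:
        out.append("disk not encrypted")
    return out


def risk_score(req, pol):
    """Soft signals; the weights are illustrative assumptions."""
    start, end = pol.work_hours
    score = 0
    if not (start <= req.when.time() < end):
        score += 30  # outside working hours
    if not req.device.os_patched:
        score += 30
    if not req.device.firewall_on:
        score += 20
    return score


def evaluate(req, policies):
    """Decide a single request; called on every request, never cached."""
    pol = policies.get(req.resource)
    if pol is None:
        return Decision.DENY, ["no policy for resource (default deny)"]
    failures = hard_failures(req, pol)
    if failures:
        return Decision.DENY, failures
    score = risk_score(req, pol)
    if score >= pol.deny_at:
        return Decision.DENY, [f"risk score {score}"]
    if score >= pol.step_up_at and not req.mfa_verified:
        return Decision.STEP_UP, [f"risk score {score}"]
    return Decision.ALLOW, [f"risk score {score}"]


def ztna_style(requests, policies):
    """Context is re-evaluated for each request in the session."""
    return [evaluate(r, policies)[0] for r in requests]


def vpn_style(requests, policies):
    """Trust-once model for contrast: the first verdict is reused."""
    return [evaluate(requests[0], policies)[0]] * len(requests)


# Constructed sample data: one user, one resource, five requests.
POLICIES = {"erp": Policy(frozenset({"finance"}), frozenset({"US"}), (time(8), time(18)))}
DAY = Request("alice", frozenset({"finance"}), "erp", "US", datetime(2024, 5, 6, 10, 0), Device())
NIGHT = replace(DAY, when=datetime(2024, 5, 6, 23, 30))
SESSION = [DAY, NIGHT, replace(NIGHT, mfa_verified=True),
           replace(DAY, device=Device(disk_encrypted=False)),
           replace(NIGHT, mfa_verified=True, device=Device(os_patched=False, firewall_on=False))]
```

For the constructed session, `ztna_style(SESSION, POLICIES)` yields allow, step-up, allow, deny, deny, while `vpn_style` returns allow for all five requests because the context is never checked again after the first verdict.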
Table 2. Key Features Comparison
Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable
Emerging Features
- SCIM protocol support: Basic System for Cross-domain Identity Management (SCIM) support includes the ability to provision and deprovision user accounts in cloud applications based on changes in the central identity store. More advanced solutions will offer real-time synchronization of user attributes, group memberships, and role assignments across multiple cloud services. The best solutions will provide extensive SCIM integration with a wide range of cloud applications and the ability to customize synchronization rules to meet specific business needs.
- Advanced DLP: Good data loss prevention (DLP) capabilities include basic content inspection and blocking of sensitive data based on predefined patterns or dictionaries. Better solutions will offer context-aware DLP, considering factors like user role, device type, and location to apply dynamic data protection policies. The most advanced solutions will provide ML-based content inspection, user behavior analytics, and adaptive data protection policies that automatically adjust based on real-time risk assessments.
Table 3. Emerging Features Comparison
Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable
Business Criteria
- Scalability: Scalability refers to the solution’s ability to accommodate growth and changing demands without sacrificing performance or availability. It ensures that the ZTNA solution can handle growing numbers of users and resource requests as the organization expands.
- Cost: Cost considers the total expense of owning and operating the ZTNA solution, including initial implementation, ongoing maintenance, and potential hidden costs. Transparent and justifiable costs are essential for long-term budgeting and planning.
- Flexibility: Flexibility refers to the solution’s ability to adapt to diverse deployment models, integration requirements, and customization needs, ensuring it aligns with the organization’s unique structure and strategies.
- Vendor ecosystem: A rich vendor ecosystem enhances the ZTNA solution’s capabilities and interoperability through partnerships and integrations with leading security and cloud providers.
- Ease of use: Ease of use focuses on intuitive and user-friendly solutions, reducing administrative overhead and ensuring rapid user adoption.
Table 4. Business Criteria Comparison
Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for ZTNA
As Figure 1 shows, the Radar chart depicts a dynamic and rapidly evolving market in which vendors employ diverse strategies to establish their positions, with vendors enhancing cloud and SaaS integrations, device posture assessment, and risk-based authentication.
- Vendors in the Maturity/Platform Play quadrant, such as Zscaler and Fortinet, offer robust security features, flexible deployment options, and strong cloud and SaaS integrations. These vendors consistently enhance their solutions, showcasing their commitment to stability and consistent user experience.
- Vendors in the Innovation/Platform Play quadrant are quicker to release novel features or solve for use cases overlooked by some of the incumbent vendors. For example, Bowtie is delivering a ZTNA solution that requires no traffic to be routed through networks it controls and instead allows customers to control network traffic.
- Vendors in the Innovation/Feature Play quadrant are focusing on specific use cases such as BYOD zero-trust access or internal network zero-trust access. For example, InstaSafe is focused on flexibility and strong security capabilities, ensuring protection across diverse environments.
- There’s one vendor in the Maturity/Feature Play quadrant—Block Armour. This vendor emphasizes stability and continuity, but takes a unique approach to solving ZTNA challenges with blockchain technology.
At a glance, the Radar shows that the majority of vendors in this space are in the Maturity/Platform Play quadrant due to their broad application to enterprise use cases and the slow overall cadence of evolution and feature change year over year. This concentration of vendors indicates a market with a strong emphasis on a methodical, conservative approach to feature development.
The number of vendors in the Leaders circle indicates a highly competitive landscape with established players setting the benchmark. However, the distribution of Leaders across different quadrants also underscores the diversity of successful strategies in this market.
This Radar chart paints a picture of a market in flux, with vendors striving to differentiate themselves through innovative features, comprehensive platforms, or a blend of both. The distribution of vendors across quadrants and the year-over-year changes indicate a competitive landscape where continuous innovation, adaptability, and a customer-centric approach are key to success. As the market matures, it will be interesting to observe how vendors navigate the challenges and opportunities that lie ahead.
In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
Absolute: Absolute Edge
Solution Overview
Absolute Software delivers a ZTNA solution that enables organizations to safeguard access to both cloud-based and on-premises applications. Absolute Edge offers ZTNA as part of a suite of features including a secure web gateway (SWG) and other software-defined edge services. While Absolute offers an endpoint security solution, the ZTNA solution is the focus of this research.
The core of Absolute’s ZTNA offering is its self-healing endpoint technology, which facilitates dynamic and context-aware application access. By continuously assessing and enforcing stringent security standards, this feature ensures that only authorized users and secure devices can interact with sensitive resources, thereby bolstering overall security and minimizing potential vulnerabilities.
Its depth of integration capability with cloud and SaaS services like Okta, Azure AD, MaaS360, and Intune is a notable strength.
Strengths
Absolute Edge competes well in several key areas. Its strong scores in cloud and SaaS integrations ensure it will be applicable for most organizations that rely on popular cloud and SaaS platforms like AWS, Azure, and Salesforce. The risk-based authentication feature adapts authentication decisions based on user behavior, which is not a common feature in this space.
Legacy application support is a notable strength, with Absolute’s agent-based architecture providing protocol-agnostic connectivity to legacy systems, ensuring that zero-trust principles can be applied as long as an agent can be installed on the host operating system.
The solution is designed for horizontal scaling—the customer simply deploys more agents while Absolute automatically scales its cloud-delivered component. This ensures low latency and high availability, making it adaptable to fast-growing and performance-critical environments. The solution is also easy to use, offering an intuitive management interface that simplifies administration tasks.
Challenges
The device posture assessment feature is currently limited to Windows devices, which may be a consideration for organizations with a diverse range of endpoints. Expanding device support to include macOS and Linux could provide a more comprehensive security posture across various platforms.
While Absolute has a decent vendor ecosystem, there is room for improvement—for example, for unified endpoint management (UEM) solutions, identity providers (IdPs), and endpoint security solutions, there is only a modest selection of ready-to-use integrations for each category. SCIM support isn’t included, which can add to the burden of administration tasks for larger organizations or those with particularly short-staffed teams.
Purchase Considerations
Absolute offers flexible pricing suitable for both large enterprises and SMBs. While standard support is included, dedicated technical account managers and professional services may require additional costs. The control plane (where administrators log in and data is stored) is cloud only, while the solution leverages an agent that can be deployed on-premises/anywhere. Cloud-only deployments can be advantageous for organizations seeking a streamlined, cloud-based approach and eliminate the need for on-premises infrastructure maintenance. However, for those with business drivers or regulatory requirements that necessitate on-premises control of networks and resources, this solution will not be a good fit.
Absolute’s ZTNA solution is well-suited for organizations seeking to secure access to cloud, SaaS, and on-premises applications, particularly those with legacy technologies and diverse device ecosystems. The solution’s dynamic risk-based authentication and comprehensive device posture assessment capabilities make it ideal for organizations prioritizing adaptability and security.
Given its broad protocol support and flexibility, the solution caters to a wide range of industry verticals, including finance, healthcare, and government, providing a robust and adaptable zero-trust framework.
Radar Chart Overview
Absolute is positioned as a Challenger in the Innovation/Platform Play quadrant, thanks to its unique take on the challenges in the ZTNA landscape such as its focus on adaptive risk features and integrated DLP functions. Absolute’s dedication to enhancing cloud and SaaS integrations, along with its focus on improving risk-based authentication, highlights its ability to adapt to market needs and stay ahead of the curve. Its steady release schedule, bringing feature updates and new features to the market, shows that it can keep pace with the ZTNA market. However, it earns a Fast Mover ranking and not Outperformer because significant feature releases are less common.
Akamai
Solution Overview
Akamai, known for its content delivery network (CDN), offers a ZTNA solution that leverages its global edge network, ensuring superior scalability and security. Akamai’s Enterprise Application Access (EAA) ZTNA product enables secure and seamless application access, harnessing the power of its vast edge server network.
Over the past year, Akamai has persistently enhanced its ZTNA solution, focusing on improving its cloud and SaaS integration catalog by adding new technologies and vendors. It also has added risk-based authentication, which is a popular feature just starting to gain adoption in the market. In the past year, Akamai has further refined its offering by introducing directory versioning, a safeguard against common administrative mistakes, adjusted single sign-on (SSO) capabilities to include adaptive multifactor authentication (MFA), and added quality-of-life features like the ability to tune the number of concurrent connections to align more closely with the realities of each organization.
Strengths
Akamai’s EAA ZTNA solution stands out for its performance and scalability, leveraging its global edge network to deliver seamless and secure access to applications. The solution offers smooth connectivity to cloud and SaaS applications, ensuring a positive user experience.
The solution’s device posture assessment capabilities are also strong, verifying software versions, OS updates, and security patches to ensure endpoints meet security requirements. Risk-based authentication adapts authentication challenges based on user behavior, location, device posture, and context, enhancing dynamic security.
Unmanaged device support is another key strength, securely enabling BYOD and remote work scenarios through comprehensive device posture assessments and conditional access. Akamai’s EAA ensures that personal and unmanaged devices meet security standards, extending secure access beyond traditional corporate boundaries.
High scores in legacy application support demonstrate Akamai’s ability to extend secure access to on-premises data centers and protect older systems without introducing network complexity.
Challenges
Advanced DLP is currently part of a separate Akamai solution and incurs additional costs, resulting in an average score. While some organizations may want an all-inclusive solution, this can be viewed as a positive for organizations that want to be selective about feature inclusion.
Additionally, with an average score in risk-based authentication, the feature is available as an add-on to the base EAA ZTNA solution. Most organizations today would benefit from this advanced feature.
Purchase Considerations
When considering Akamai’s ZTNA solution, organizations must assess their specific requirements for professional services, training, and ongoing support. Akamai’s products offer ongoing support as part of the base price, but training and professional services are limited and cost extra.
This solution offers great flexibility for its deployment models which, when combined with its global presence, makes it easily adaptable to most organizations.
Akamai’s EAA solution is tightly integrated with the other portions of the Akamai platform, making it easy to move between capabilities. The user experience is centered on menu-driven navigation. This reduces the learning curve and simplifies management tasks, making it accessible to organizations of all sizes. Licensing is straightforward, but some advanced features like DLP or risk-based authentication require additional costs or packages.
Akamai’s ZTNA solution is well-suited for organizations with global reach and a distributed workforce. The solution’s strength in cloud and SaaS integrations makes it ideal for securing access to cloud-based applications, ensuring a fast and reliable user experience.
With strong unmanaged device support, the solution is also well-aligned with the rise of BYOD and remote work trends, ensuring secure access for personal devices. Given its ability to secure legacy applications and extend access to on-premises data centers, the solution caters to organizations with hybrid environments.
Radar Chart Overview
Akamai is positioned in the Maturity/Platform Play quadrant. The company’s dedication to enhancing its ZTNA solution, particularly in cloud and SaaS integrations and unmanaged device support, demonstrates its commitment to meeting customers’ evolving needs. Akamai’s global edge network and high scores in critical areas such as scalability and legacy application support establish it as a strong Challenger. The solution’s user-friendly interface, flexibility, and robust security features, coupled with competitive pricing and consistent improvements, make Akamai a compelling choice for organizations seeking a reliable and high-performing ZTNA solution from a vendor with a proven track record of innovation.
Appgate
Solution Overview
Appgate is a cybersecurity company specializing in software-defined perimeter (SDP) and zero-trust solutions. In the past year, the company has focused on expanding its ZTNA offerings.
Appgate’s ZTNA solution takes a similar approach to its peers, emphasizing risk-based access control and broad protocol support to secure access to applications and resources. However, the company places a strong emphasis on its direct-routed ZTNA model, which delivers cloud-based secure access and dynamic, context-aware access controls without the requirement of traffic routing through its infrastructure.
Appgate’s ZTNA solution comprises two main components:
- Appgate SDP: An SDP solution that provides secure access to on-premises and cloud-based resources.
- Zero-Trust Platform: A cloud-based platform that offers advanced risk analysis capabilities, enabling organizations to implement risk-based access controls and secure access to sensitive environments.
Using both of these components, the solution operates by creating secure (yet isolated) network segments for each user and application request. Access to these segments is granted based on various risk factors and decision criteria. This granular approach to access controls is key to understanding how Appgate approaches this space.
Strengths
Appgate’s ZTNA solution stands out for its flexibility and adaptability. With great scores in cloud and SaaS integrations, the solution offers secure access solutions across major cloud providers like AWS, Azure, and Google, integrating identity, device posture, and IP reputation. Appgate’s risk-based access control, leveraging external IdPs like Okta and Azure AD, ensures dynamic and context-aware authentication and authorization. This combination of context and intelligence helps secure identities and access effectively.
The solution’s unmanaged device support also provides risk-based access control via clientless methods. This solves an important use case based on third-party access to sensitive systems or even BYOD corporate access. In these cases, enterprises don’t have administrative access to the third-party devices and therefore must rely on clientless approaches to secure access.
Legacy application support is a key strength, with Appgate securing access to legacy systems across on-premises and cloud environments. Their solution employs risk-based controls, broad protocol support, and injected MFA. The injected MFA is a standout feature that allows the application of MFA even to applications that cannot natively support it.
High scores in security policy customization highlight Appgate’s ability to enable highly customizable risk-based access policies. By leveraging predefined and custom claims from IdPs, devices, networks, and integrated third-party sources via APIs, organizations can tailor access controls to their specific needs.
Challenges
Appgate doesn’t currently support the SCIM protocol or advanced DLP, so organizations seeking comprehensive data protection and streamlined administration with IdPs will need to consider how important these features are to them.
Additionally, while Appgate provides risk-based access control and device posture assessment, there is room for enhancement in the depth of these capabilities.
Purchase Considerations
Appgate offers competitive pricing, including the option for the Zero Trust Platform cloud services, which deliver additional risk analysis capabilities. The solution’s flexibility in deployment models allows it to adapt to almost any use case, ensuring a tailored fit for diverse organizations. For organizations that have legacy infrastructure or systems, this is a particularly important factor when surveying solutions.
The robust vendor ecosystem, with built-in integrations, partnerships, and customizable integration scripts, expands the solution’s capabilities while also making it easy to integrate into an organization. This is particularly beneficial for organizations that are strapped for time or skill. Appgate also supports a RESTful API, enabling further integrations to suit specific organizational needs in those instances when the catalog of ready-to-use integrations falls short.
Appgate’s ZTNA solution is well-suited for larger organizations seeking flexible and adaptable secure access solutions. With strong cloud and SaaS integrations, the solution is ideal for organizations leveraging multiple cloud providers. The solution’s risk-based access control and broad protocol support make it well-aligned with dynamic and complex environments, ensuring secure access for diverse users and devices. Small to midsize organizations may find that this solution doesn’t suit them well simply because of Appgate’s emphasis on supporting large organizations.
With excellent legacy application support, Appgate is particularly well-suited for organizations with legacy systems and unmodified legacy applications. The solution’s ability to secure access to these older systems without disrupting existing infrastructure is a key advantage.
Radar Chart Overview
Appgate is positioned in the Maturity/Platform Play quadrant. Appgate’s focus is on stability over rapid innovation that may invite disruption. It is making slow but consistent enhancements in directly routed secure access and risk-based access control and is classified as a Forward Mover. Although Appgate’s year-over-year improvements are slow and steady rather than rapid, its security features, legacy application support, scalability, flexible deployment options, and growing vendor ecosystem cement its position as a Leader in this year’s evaluation.
Barracuda: SecureEdge Access
Solution Overview
Barracuda, a provider of cloud-based security and data protection solutions, presents a ZTNA solution that stands apart for its user-friendly nature and comprehensive security features. Barracuda’s SecureEdge ZTNA offering enables secure and seamless access to applications, ensuring dynamic and context-aware security postures. SecureEdge, which Barracuda positions as a secure access service edge (SASE) solution, can be deployed via SaaS, self-hosted, or through Azure’s virtual WAN.
Barracuda SecureEdge has demonstrated rapid enhancements to its ZTNA solution with a particular focus on improving cloud connectivity and device posture assessment capabilities.
Strengths
Session monitoring is a key strength, with Barracuda providing a customizable ZTNA dashboard that offers real-time visibility into user sessions. The solution provides security and compliance details as well as specific ZTNA information and user actions at the network level, which is almost unheard of in this space. The Report Creator tool enhances visibility further, offering customizable application usage reports covering up to three months.
Barracuda’s SecureEdge excels in cloud and SaaS integrations. The solution provides secure ZTNA access to applications using TINA encryption tunnels. (TINA is a Barracuda proprietary protocol, an extension of the IPsec protocol.) Barracuda’s solution distinguishes between public endpoints and internal resources, ensuring that traffic inspection is applied in a granular manner, where and when needed.
The solution’s device posture assessment capabilities are also strong, with various policies available, including blocking jailbroken devices, enforcing screen lock controls, and verifying the presence of a firewall, antivirus software, OS updates, and disk encryption.
Challenges
Risk-based authentication and advanced DLP are currently not included in the solution but are expected to be added later in 2024.
Additionally, with an average score in unmanaged device support, the solution supports BYOD devices but could enhance its capabilities to provide more comprehensive security for unmanaged endpoints.
Purchase Considerations
Barracuda offers exceptional value with competitive pricing, selling the solution per seat with a 25-seat minimum.
The platform integrates ZTNA, SD-WAN, secure web gateway (SWG), and firewall as a service (FWaaS) into a single cloud-delivered solution, simplifying security management. This makes it look and feel like an all-in-one solution, which should appeal to organizations facing staff and skill shortages. The solution also supports internet of things (IoT) and industrial control system (ICS) devices, ensuring secure ZTNA connectivity through the SD-WAN connector or Barracuda’s separate Secure Connector offering.
The solution is particularly attractive to SMBs and midsized enterprises, offering good scalability and performance as well as features normally reserved for large enterprises. Its ease of use from an administrative perspective is key, as these organizations often don’t have the time to devote to becoming experts in one specific area and instead rely on the solution to offer a guided experience.
Additionally, the solution’s strength in cloud connectivity and device posture assessment makes it ideal for organizations embracing cloud services and seeking dynamic security that can be easily configured.
With support for legacy applications and TCP/IP-based systems, Barracuda ensures that older systems can be securely accessed through its ZTNA services.
Radar Chart Overview
Barracuda is positioned as an Outperformer in the Maturity/Platform Play quadrant, reflecting its recent development pace. As an established vendor, Barracuda focuses enhancements on improving cloud connectivity and device posture assessment capabilities. High scores in critical areas such as cloud and SaaS integrations, session monitoring, and scalability contribute to Barracuda’s position. Its comprehensive security package, encompassing SD-WAN and web security features, sets it apart in the highly competitive SMB space. Barracuda’s cost efficiency, flexible deployment options, and strong vendor ecosystem, coupled with its consistent performance, make it a strong Challenger. The solution’s ease of use, robust security capabilities, and adaptability make it a compelling choice for organizations seeking a capable and affordable ZTNA solution.
Block Armour: Secure Shield
Solution Overview
Block Armour, a cybersecurity company specializing in SDP technology, offers the Secure Shield ZTNA solution that provides encrypted connectivity and robust access controls for cloud applications. The solution adheres to the NIST SP 800-207 “Zero Trust Architecture” whitepaper.
This solution is a single product, built on a tamper-proof blockchain that records configurations for authorization and authentication. In this way, its unique approach to the ZTNA space blends in ultra-modern blockchain technology to solve an existing challenge with some other ZTNA solutions.
Block Armour has demonstrated a commitment to innovation, enhancing its ZTNA solution at a pace that keeps up with peers in this space. Year-over-year changes include enhancements to its SCIM protocol support as well as features designed to shift it closer to becoming a full SASE solution.
Strengths
The solution includes device posture assessment capabilities to verify the security posture of endpoints before granting access. It checks various parameters, such as software versions and security patches, to ensure secure connectivity from any device. This is on par with other vendors in the space.
Block Armour’s solution offers policy-based access controls that can be tailored based on factors like user identity, device posture, geolocation, and time-based restrictions. This allows organizations to implement risk-based zero-trust policies and adapt security measures to changing contexts.
The solution provides support for legacy applications, including TCP-based applications and UNIX systems. This enables organizations to extend zero-trust access controls to older systems and applications that are often considered “too old” to blend with newer technologies like ZTNA.
Block Armour’s solution offers session monitoring capabilities, including blockchain-based tamper-proof session logging. This feature provides visibility into user sessions, supporting security and compliance efforts. The solution can forward session data to security information and event management (SIEM) systems like Splunk, IBM QRadar, and the Elasticsearch, Logstash, and Kibana (ELK) stack as common event format (CEF) messages over syslog, enabling centralized security event management.
Challenges
With a below-average score in advanced DLP, the solution is not a fit for organizations that want to use the access and visibility ZTNA often provides into individual data flows.
Additionally, Block Armour can provide SCIM integration through bespoke API integrations, but ready-to-use integrations are not available. Organizations relying on SCIM for identity management purposes will need to evaluate how this will impact existing operations or planned improvements to processes.
Block Armour’s vendor ecosystem is quite limited, with integrations with on-premises Active Directory (AD) and Azure AD for SSO, general-purpose SMTP for notification configuration, and the ability to send CEF logs to SIEMs. This is in contrast with other solutions that have complete catalogs of simple, ready-to-use integrations.
Purchase Considerations
Block Armour offers competitive pricing and flexible deployment options. The solution is sold globally through partners and cloud marketplaces, ensuring accessibility and support for diverse customer needs. Block Armour has slowed its development of significant new features and instead is focusing on improving existing features that are popular with its existing customers.
The solution’s flexibility (above average) is enhanced by its ability to provide unified ZTNA across on-premises, cloud, and remote user environments. Block Armour integrates with AD and Azure AD for SSO, ensuring a seamless user experience.
Block Armour’s solution makes the most sense for large organizations that have the desire to deploy zero-trust access to applications while providing insight into the current configuration and access decisions. This unique quality is enabled by the blockchain-based storage of configuration and authorization decisions. With its cloud- and hybrid-based deployment model, it can be applied to various scenarios.
Its limited vendor ecosystem will present hurdles to organizations that are looking to deploy ZTNA broadly and quickly since simple, ready-to-use integrations are not common in this solution yet. No requirement exists for professional services to deploy the solution, and support is included with the base cost of the solution.
Radar Chart Overview
Block Armour is positioned as a Challenger in the Maturity/Feature Play quadrant, reflecting its strong market presence and emphasis on stability and continuity. Block Armour is close to straddling the dividing line between innovation and maturity because of its unique approach to solving ZTNA challenges with blockchain technology. High scores in areas such as cloud and SaaS integrations, legacy application support, and session monitoring contribute to its classification as a Challenger.
Bowtie: Bowtie Private Access
Solution Overview
Bowtie is a startup focused on providing a unique approach to ZTNA, offering a distributed security platform that delivers SASE capabilities including ZTNA and SWG solutions. Bowtie’s ZTNA solution, called Bowtie Private Access, is part of its broader distributed security platform.
Unlike traditional solutions, Bowtie does not require customers to use its network or infrastructure, allowing users to connect directly to resources without being processed through a central cloud. This approach claims to reduce the attack surface and improve performance for end users. Bowtie can potentially scale effectively without the constraints of traditional architectures.
While Bowtie may not currently cover the breadth of use cases and features offered by more established players in the ZTNA space, its unique approach and focus on innovation position it as a potential disruptor.
Strengths
Bowtie demonstrates a notable strength in its scalability. The solution’s unique architecture, which does not require customer traffic to be routed through the Bowtie infrastructure, is a key differentiator that contributes to its scalability. This design involves deploying controllers within private networks and agents on end-user devices. The agents automatically connect to controllers and firewalls controlling access. Agents can be deployed via mobile device management (MDM) or manually, minimizing user involvement and streamlining the process.
However, it’s important to note that as a young startup, Bowtie currently has average capabilities in areas such as cloud and SaaS integrations and unmanaged device support. While controllers can be deployed within cloud service providers, the integrations are currently agnostic to the vendor itself. Unmanaged device support is limited to Windows, macOS, and Linux, with ChromeOS, Android, and iOS support still in beta.
Challenges
SCIM protocol support and advanced DLP are not currently part of the solution. Lack of SCIM support may hinder integration with existing identity and access management systems, while the absence of advanced DLP capabilities could be a concern for organizations with stringent data protection requirements.
Session monitoring capabilities are currently limited, with the solution providing only basic device-aware connections and decision-making based on this data. Robust session monitoring and user behavior analysis are not yet fully implemented.
Security policy customization is basic, allowing organizations to stack policies based on user groups, device types, and conditional rules. However, advanced customization options may be lacking compared to more mature solutions.
Device posture assessment and risk-based authentication are not yet available in the current solution but are planned for future releases in 2024.
Purchase Considerations
When considering the Bowtie ZTNA solution, organizations should evaluate their in-house expertise and resource availability. As a young startup, Bowtie may require development services and administration training to ensure proper deployment and ongoing management, especially for organizations with limited cybersecurity expertise.
The solution’s unique deployment model, involving controllers within private networks and agents on endpoint devices, may require careful planning and potentially additional resources for efficient implementation.
Furthermore, organizations should assess Bowtie support offerings and licensing models to ensure alignment with their long-term needs and budget expectations, as these aspects may still be evolving for a relatively new vendor in the market.
Bowtie is well-suited for organizations seeking dynamic and secure access to applications, particularly those with modern workforces and diverse environments. The solution’s strengths in cloud and SaaS integrations and legacy application support make it ideal for enforcing consistent security across diverse endpoints.
Bowtie ensures secure and controlled access on unmanaged devices, providing flexibility for BYOD scenarios—within the constraints of devices and OSes currently supported.
Radar Chart Overview
Bowtie is positioned in the Innovation/Feature Play quadrant. Bowtie focuses on solving the challenges of this space through innovative approaches, like not routing customer traffic through its infrastructure, but has lower scores across some of the decision criteria we evaluated, landing it in the Entrant ring. Because of its relatively small size and its early stage as a startup, it’s likely that Bowtie will develop and release features at a slower pace than others in the market, and thus it has earned the Forward Mover designation.
Broadcom: VeloCloud SD-Access
Solution Overview
Broadcom is a global technology company that offers a ZTNA solution as part of its VeloCloud SD-Access product, which is part of the larger VeloCloud SASE platform. However, the ZTNA solution can also be purchased as a standalone product.
Broadcom’s ZTNA solution aims to provide secure and adaptable access controls, enabling organizations to grant access to resources based on contextual factors, such as user identity and device posture. The solution is designed to mitigate security threats and enhance data protection by ensuring that only authorized users and verified devices can access sensitive resources.
The solution’s security policy customization capabilities are also very good, enhancing security by evaluating the authentication used by the user (SSO, MFA), then device posture (such as patching status, antivirus state, and encryption), and finally ensuring the access requested aligns with expected and historical behavior for the user. Broadcom has plans to expand device support, including diverse operating systems, Windows registry analysis, and broader antivirus compatibility.
Broadcom has focused on enhancing its ZTNA solution by improving its cloud and SaaS integration capabilities, as well as its device posture assessment features.
Strengths
One of the key strengths of Broadcom’s ZTNA solution lies in its robust session monitoring capabilities. The solution records all remote connections and their associated activities, including any denied access attempts due to policy restrictions. This comprehensive session visibility enables organizations to effectively monitor and analyze user behavior, enhancing security and compliance efforts.
Another notable strength is the solution’s scalability, which has earned a top score of 5. Broadcom’s ZTNA solution boasts a distributed architecture with a cloud-hosted management plane and a data plane (Relays) that facilitates rapid deployment. This architecture enables the solution to support various authentication policies and deployment scenarios.
Broadcom’s ZTNA solution benefits from a strong vendor ecosystem. The solution offers out-of-the-box posture checks for popular security solutions, such as Microsoft Defender, Sophos, Carbon Black, Hysolate, Cybereason, and OPSWAT. Additionally, APIs are available for integration with the SD-Access solution and monitoring capabilities, allowing organizations to seamlessly incorporate the ZTNA solution into their existing security infrastructure.
Challenges
Broadcom’s ZTNA solution currently lacks risk-based authentication capabilities. However, the vendor has plans to introduce this feature within the next 12 months.
Additionally, the solution’s unmanaged device support received an average score of 3, which may pose challenges for organizations heavily reliant on unmanaged or BYOD policies. Robust unmanaged device support is crucial for organizations with remote or hybrid workforces, as it ensures secure access and policy enforcement regardless of the device’s ownership or management status.
Purchase Considerations
Broadcom offers flexible licensing options, including user-based and machine-based licenses, ensuring cost efficiency for diverse deployment scenarios. The solution supports various use cases, including remote workers, business continuity, and specialized access needs.
Organizations evaluating Broadcom’s ZTNA solution should carefully assess their specific needs for risk-based authentication and unmanaged device support. If these features are critical requirements, it may be beneficial to explore alternative solutions.
VeloCloud SD-Access stands out for its ability to unify branch and remote access networks and deliver remote access as a service, providing a comprehensive security framework. The solution’s distributed architecture, with a cloud-hosted management plane and data plane, ensures quick deployment and scalability.
Broadcom’s ZTNA solution is well-suited for organizations seeking seamless connectivity and robust security. The solution’s strength in cloud and SaaS integrations makes it ideal for diverse access needs, including remote workers and contractors.
With strong legacy application support, Broadcom facilitates TCP/IP application access, ensuring remote user access contingent on policy compliance. The solution’s flexibility caters to a wide range of use cases.
Radar Chart Overview
Broadcom is positioned in the Innovation/Platform Play quadrant. As an innovative vendor, Broadcom has delivered a solution that solves ZTNA challenges in a fundamentally different way than traditional solutions in this space. Broadcom’s exceptional scores in critical areas such as cloud and SaaS integrations, security policy customization, and advanced DLP capabilities contribute to its classification as a Leader. The company’s comprehensive security features, including seamless connectivity, robust policy customization, and DLP capabilities, set it apart as a standout in the ZTNA space.
Check Point
Solution Overview
Check Point is a cybersecurity company that offers a ZTNA solution as part of its broader product portfolio. The ZTNA solution is integrated with Check Point’s SASE offering, providing secure access to applications while aiming to maintain performance levels. This feature set comes by way of the Perimeter 81 acquisition last year. This ZTNA solution can be purchased separately from the rest of the SASE offering.
Check Point’s ZTNA solution is designed to enable context-aware access control, allowing organizations to grant access to resources based on various factors, such as user identity, device posture, and environmental conditions. The solution aims to enhance security across different deployment environments, catering to the needs of organizations undergoing digital transformation and cloud adoption.
Check Point has focused on enhancing its ZTNA solution by improving its cloud connectivity and device posture assessment capabilities.
Strengths
One of the key strengths of Check Point’s ZTNA solution lies in its robust device posture assessment capabilities, earning a top score of 5. The solution’s Device Posture Check mechanism evaluates various context criteria, such as antivirus software, browser versions, registry keys, and disk encryption status, to ensure secure access. This comprehensive posture assessment enables organizations to enforce stringent security policies and mitigate risks associated with unauthorized or non-compliant devices.
Check Point’s risk-based authentication allows organizations to implement risk-based access policies based on factors like geolocation, time of day, and heuristic scores. Heuristic scores are particularly noteworthy, as they provide a sophisticated risk assessment based on user behavior and contextual factors, enabling dynamic and adaptive access controls (in direct opposition to how VPNs typically function).
Check Point’s ZTNA solution also offers strong unmanaged device support. The solution supports web-based, agentless access for unmanaged devices over a wide range of protocols, including HTTPS, Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and SSH. This feature is particularly valuable for organizations with remote or hybrid workforces, ensuring secure access regardless of device ownership or management status.
Finally, the solution boasts a robust vendor ecosystem, earning a top score of 5 in this area. The solution seamlessly integrates with leading IdP solutions, supports the SCIM protocol, and is compatible with major public cloud platforms. Additionally, Check Point provides APIs for third-party orchestration tools and SIEM solutions like Splunk, IBM QRadar, and the ELK stack, enabling seamless integration into existing security infrastructures.
Challenges
Check Point’s ZTNA currently exhibits room for improvement in terms of cloud and SaaS integrations, as well as legacy application support. Although the solution enables secure tunnels for connecting traffic to public cloud or SaaS platforms, and supports protocols like RDP, VNC, and SSH, organizations with extensive cloud or legacy application dependencies may find these capabilities insufficient for their specific use cases.
The lack of advanced DLP capabilities could be a significant challenge for organizations with stringent data protection requirements. While Check Point has plans to introduce DLP features later in 2024, organizations evaluating the solution should carefully assess their current and future DLP needs.
Purchase Considerations
Check Point offers flexible subscription-based pricing, including the ZTNA solution as part of a broader SASE offering, providing the option for a unified remote access and remote connection management solution that other solutions don’t offer.
The solution is available as a software-only deployment model or a SaaS offering, enabling organizations to choose the deployment option that best aligns with their infrastructure and operational preferences. Licensing is based on a per-user model with tiered pricing, and an additional add-on is available for a SWG package, providing enhanced web security capabilities.
The solution’s deployment model includes dedicated customer instances within Check Point’s points of presence (PoPs), ensuring scalability and performance. Agents are deployed on managed devices, and each instance supports a large number of user connections.
Check Point’s ZTNA solution caters to a broad range of use cases, making it a versatile offering for organizations across various industries. It addresses remote user access to company resources, whether on-premises or in the cloud, which is a feature particularly beneficial for businesses that are migrating to the cloud but still have an on-premises presence. The solution also enhances network and cloud access security, as well as SaaS access security, making it suitable for organizations that rely on SaaS platforms and not just hosted applications.
Check Point’s ZTNA solution supports performance optimization for cloud-based resources, enabling organizations to leverage the benefits of cloud computing while maintaining security and compliance. With its deployment flexibility, unified security framework, and management consolidation capabilities, Check Point’s solution is well-suited for organizations seeking comprehensive, scalable, and adaptable access control across their IT infrastructure.
Radar Chart Overview
Check Point is positioned in the Maturity/Platform Play quadrant. As an established vendor, it has developed its feature set with an emphasis on device posture assessment and risk-based authentication, both features that are growing in popularity. Check Point’s exceptional scores in critical areas such as device posture assessment, security policy customization, and a robust vendor ecosystem contribute to its classification as a strong Challenger. The company’s comprehensive security features, including flexible policy customization and strong vendor integrations, set it apart as a standout in the ZTNA space.
Cisco
Solution Overview
Cisco offers a ZTNA solution called Secure Access. It is integrated within Cisco’s broader security portfolio, aiming to provide secure and dynamic access to applications across different environments.
Cisco’s ZTNA solution is designed to enable context-aware access control, allowing organizations to grant access to resources based on various factors such as user identity, device posture, and environmental conditions.
Strengths
A notable strength of Cisco’s ZTNA solution lies in its comprehensive feature set, delivering robust capabilities across multiple decision criteria and earning high scores in several areas. This well-rounded approach sets Cisco apart, as it offers a cohesive and holistic ZTNA solution.
Diving deeper into individual key strengths, the solution provides robust legacy application support through protocol tunneling and proxy services, enabling secure access without requiring application modifications.
The solution provides exceptional flexibility in security policy customization, allowing for granular, context-aware access controls tailored to various use cases. This level of customization enables organizations to adapt their security posture to specific requirements and risk profiles.
The solution offers advanced DLP capabilities. It provides content inspection, classification, and customizable policies to detect and block unauthorized data transmission, providing an additional layer of data protection and compliance assurance.
Cisco’s ZTNA solution is also highly scalable, earning a top score of 5. It can support large-scale deployments across distributed environments, handling large numbers of users, devices, and applications. This scalability makes the solution suitable for organizations of all sizes, from small businesses to large enterprises.
Finally, Cisco boasts a robust vendor ecosystem, scoring a 5 in this area. This ecosystem facilitates seamless integration with other Cisco solutions, as well as third-party products and services.
Challenges
While Cisco has a robust offering, there are areas for improvement. With an average score in device posture assessment, Cisco provides a good spread of options, but there is room for more granular controls to enhance security posture.
Unmanaged device support is also basic, providing reduced control and visibility for unmanaged devices. While the solution offers security policy enforcement and temporary access methods, Cisco could enhance its capabilities to provide more comprehensive support for unmanaged endpoints.
Purchase Considerations
The ZTNA solution offers service tiers including a basic and an advanced tier. Licensing is based on a per-user model, allowing organizations to align their licensing costs with their specific user base requirements.
Cisco offers a good balance between features and cost. While initial implementation costs can be high, the solution provides long-term cost efficiency, making it suitable for organizations seeking a reliable and cost-effective ZTNA solution. When evaluating Cisco’s ZTNA solution, organizations should consider its suitability for their size and requirements. The solution is primarily aimed at large enterprises and may not be the most cost-effective choice for smaller organizations with more modest needs.
Cisco’s robust ecosystem facilitates seamless integration with its own products and third-party services, ensuring a comprehensive security framework. The solution’s flexibility and adaptability enhance its value proposition.
The solution is designed to seamlessly support large-scale deployments across distributed environments, making it well-suited for organizations of all sizes, from small businesses to large enterprises.
As part of Cisco’s broader SASE and SWG offerings, organizations should assess the potential benefits of integrating the ZTNA solution with their existing Cisco infrastructure and security stack. This approach can provide a cohesive and unified security posture, albeit at a potentially higher cost for organizations without a significant Cisco footprint.
The solution aims to provide competitive pricing and flexible deployment options, complemented by a robust ecosystem of technology partners and integrations. These factors position Cisco’s ZTNA solution as a viable option for organizations seeking a very well-rounded and adaptable access control solution from an established security vendor with a track record of continuous innovation and platform maturity.
Radar Chart Overview
Cisco is positioned as a Leader in the Maturity/Platform Play quadrant. As an established vendor, Cisco continuously refines its ZTNA solution, with a keen emphasis on enhancing risk-based authentication capabilities. Cisco’s ZTNA offering demonstrates strong performance in several critical areas, including security policy customization, advanced DLP, and robust vendor ecosystem integration. These capabilities contribute to its positioning as a comprehensive and feature-rich solution in the ZTNA space.
Citrix: Secure Private Access
Solution Overview
Citrix is a major player in virtualization and networking, known for its digital workspace offerings. The company provides tools for secure remote access with a strong focus on hybrid solutions. Citrix addresses ZTNA through its Secure Private Access solution, a key offering within the Citrix platform, providing efficient and secure application access to both self-hosted apps and SaaS apps. Secure Private Access offers a modern alternative to traditional VPNs.
The solution employs a connector appliance, which creates an outbound control channel to the organization’s Citrix Cloud tenant, enabling VPN-less access to on-premises web apps. With these components, Citrix Secure Private Access provides an efficient and user-friendly solution for remote work, enhancing security and performance.
Strengths
One of the key strengths of Secure Private Access is its ability to be cloud-delivered as well as on-premises, making it easy to set up and providing a positive user experience. Organizations seeking a seamless and swift implementation process will find this solution particularly appealing. It boasts risk-based authentication, earning a high score for its advanced analytics and dynamic, risk-adaptive authentication requirements, which provide context to authentication decisions that is often left out by weaker ZTNA solutions and most traditional VPNs.
Secure Private Access also stands out for its robust support for unmanaged devices, receiving high marks for its clientless access, granular controls, and secure browsing and virtual desktop infrastructure (VDI) options. This flexibility enables users to access applications securely from a range of devices, enhancing productivity without sacrificing security.
The solution’s security policy customization is another standout feature, offering granular and highly customizable security policies. With inheritance, automation, and scalable orchestration capabilities, organizations can tailor security measures to their specific needs, ensuring a perfect balance between security and usability.
Scalability is a key advantage, efficiently handling high traffic volumes with horizontal scaling, flexible deployment options, and high-availability configurations. This strength is enabled by its experience delivering applications remotely through its flagship products, like its VDI solutions.
Challenges
Device posture assessment received a lower score: while it offers policy-based access control, advanced checks may require customizations that will entail significant development time. Some solutions solve this by offloading device posture checks to endpoint detection and response (EDR), endpoint protection platform (EPP), and similar solutions.
Scoring poorly for SCIM protocol support, Citrix has room for improvement in ensuring a consistent and widely applied implementation of SCIM, which is a requirement for automating user lifecycle management.
The solution provides a customizable experience with deployment options, granular controls, and legacy app support. However, room for improvement exists in unmanaged device support and device posture assessment, ensuring these features cater to a broader range of use cases.
Purchase Considerations
Secure Private Access is a cloud-delivered solution, offering easy deployment and a straightforward purchasing process. With basic and advanced feature tiers as well as a platform license, pricing is simple and transparent, charged on a per-user basis with volume discounts. This makes it suitable for both large enterprises and SMBs, as reflected in the decision criteria scores.
Professional services are not required, as the solution is designed for simplicity and ease of use. Organizations can quickly get started with Secure Private Access, leveraging its intuitive nature to streamline the implementation process.
With support for both cloud-only and hybrid deployment models, the solution caters to a wide range of infrastructure needs.
With its cloud-first approach and support for both cloud-only and hybrid environments, it serves organizations seeking a modern and agile solution. The solution is particularly well-suited for organizations with a diverse range of applications, including SaaS and on-premises web apps, ensuring secure access from various endpoints.
While Secure Private Access has a broad focus, it is an excellent fit for industries with stringent security requirements, such as finance and healthcare. The solution’s risk-based authentication and granular security policies make it ideal for sectors needing dynamic and adaptable security measures. Additionally, the solution’s support for legacy applications makes it a viable option for organizations undergoing digital transformation.
Radar Chart Overview
Citrix Secure Private Access is positioned in the Maturity/Platform Play quadrant. It is a comprehensive solution that reliably delivers its core feature set. It is classified as a Leader, owing to high scores across decision criteria, its ease of deployment, valuable features, and exceptional scalability. Secure Private Access stands out for its ability to quickly deliver a feature-rich and secure ZTNA solution, providing immediate value to organizations.
Cloudflare: Cloudflare Access
Solution Overview
Cloudflare, a company known for its cybersecurity and CDN services, offers a ZTNA solution as part of its broader security portfolio. The ZTNA solution, called Cloudflare Access, can be purchased separately from Cloud One (the SASE offering) and Cloudflare Zero Trust (SSE).
Cloudflare positions its ZTNA offering as a solution to assist organizations in navigating digital transformation and cloud adoption challenges. The solution is designed to enable context-aware access control, allowing organizations to grant access to resources based on factors such as user identity, device posture, and environmental conditions.
Cloudflare has focused on enhancing its ZTNA solution by improving risk-based authentication capabilities and continuing to expand support for unmanaged devices, which is something it has already done well.
Strengths
One of the key strengths of Cloudflare’s ZTNA solution lies in its robust risk-based authentication capabilities, earning a top score of 5. The solution adapts authentication requirements based on user behavior, device posture, and network location, leveraging machine learning for anomaly detection and dynamic authentication. This approach ensures that access controls are continuously adjusted based on real-time risk assessments, enhancing overall security posture.
Another notable strength is the solution’s exceptional scalability, also scoring a 5 in this area. Cloudflare Access benefits from a global network, cloud-native architecture, multiregion support, and autoscaling capabilities. These features allow the solution to seamlessly scale to support large-scale deployments, handle high volumes of traffic, and accommodate rapid growth in users or resources, making it suitable for organizations of all sizes.
Cloudflare’s ZTNA solution prioritizes ease of use. The solution features a streamlined management interface and a seamless, user-friendly experience, enhancing both administration and user adoption. This focus on usability can translate into reduced overhead, improved operational efficiency, and a smoother transition to a zero-trust security model.
Challenges
While Cloudflare’s ZTNA solution demonstrates strengths in several areas, it receives average scores in device posture assessment, cost, and flexibility criteria.
The average score for device posture assessment indicates good but not exceptional capabilities in this area, which may be a consideration for organizations with stringent device security requirements.
The solution’s cost and flexibility are rated as average, suggesting that while Cloudflare offers competitive pricing and supports diverse use cases, it may not provide the most cost-effective or flexible options compared to other vendors in the market.
Purchase Considerations
When evaluating Cloudflare’s ZTNA solution, organizations should carefully consider their requirements for device posture assessment (which relies mostly on integrated MDM or UEM solutions) and deployment flexibility. Cloudflare’s average scores in these areas may pose constraints for organizations with stringent device security policies or unique deployment scenarios.
Cloudflare’s enormous global network and delivery of applications are a primary consideration in selecting Cloudflare’s ZTNA solution. Because of this global presence, it is very likely to have some of the best uptimes in the market, with performance to match.
Cloudflare’s ZTNA solution is well-suited for organizations seeking flexible and secure access to cloud and SaaS applications. The solution’s strength in risk-based authentication and unmanaged device support makes it ideal for dynamic and complex environments. Additionally, its global point-of-presence footprint makes it a good choice for organizations with a globally distributed workforce.
With strong legacy application support, Cloudflare ensures that older applications are securely accessed through agent-based or agentless options, providing flexibility during digital transformation journeys.
Organizations looking for a ZTNA solution with a global presence, a proven enterprise background, and the ability to expand into a broader SASE platform will find this solution enticing.
Radar Chart Overview
Cloudflare is positioned in the Maturity/Feature Play quadrant. As a mature vendor, Cloudflare continues to refine its ZTNA solution, with a particular focus on improving risk-based authentication and support for unmanaged devices. With top ratings in key areas like cloud and SaaS integrations, security policy customization, and session monitoring, Cloudflare is recognized as a strong Challenger that is close to the Feature Play/Platform Play line. This is because of its average flexibility, which reduces the number of use cases it can be applied to when compared to some other solutions that are highly flexible and dynamic.
Cradlepoint
Solution Overview
Cradlepoint focuses on wireless and hybrid networking solutions, including SD-WAN and zero-trust security services. Cradlepoint recently launched NetCloud SASE, its unified SASE solution that converges NetCloud Exchange with Ericom’s SSE suite.
Cradlepoint’s ZTNA solution is available through two deployment options: customer-hosted and as-a-service. The customer-hosted model requires the NetCloud Exchange Service Gateway and ZTNA user licenses, which include access to a client. Additionally, the solution offers a fully converged firewall and SD-WAN feature set. The as-a-service model leverages Cradlepoint’s global cloud network consisting of 50 distributed PoPs and is SLA-based.
Cradlepoint’s ZTNA solution is designed to provide secure access to applications and resources, regardless of their location. The solution’s integration with Cradlepoint’s routers reduces the need for multiple clients and app connectors, simplifying deployment and management for IT teams. Additionally, the recently launched NetCloud SASE solution will incorporate Ericom’s SSE technology, including secure web gateway, cloud access security broker, remote browser isolation, and web application isolation, with integrated content disarm and reconstruction (CDR) and DLP controls.
The solution’s adaptability, user-friendly interface, and solid security foundation make it an attractive option for organizations in search of a reliable and dynamic ZTNA solution.
Strengths
One of the notable strengths of Cradlepoint’s ZTNA solution is its robust unmanaged device support. The solution leverages web application isolation to protect corporate web-based applications from risky unmanaged devices. If, during authentication, a user is determined to be on a BYOD device or to be from a third-party company, the session is isolated to prevent any malware or virus from spreading from the unmanaged device to corporate systems.
Cradlepoint also excels in device posture assessment. Administrators can define a device posture profile for each device type (for example, macOS or Windows) to ensure managed devices meet a minimum set of security requirements (antivirus, OS version, or valid certificate) before granting access to resources.
Another strength lies in Cradlepoint’s legacy application support. The solution offers reliable and secure remote access to legacy applications, utilizing any port or protocol accessible via IP address.
High scores in security policy customization highlight Cradlepoint’s comprehensive security features such as geo-location services, traffic IDS/IPS scanning, privileged remote access management, MFA support, security audits, and vulnerability assessments, ensuring system integrity and data confidentiality.
Challenges
While there is no current support for the SCIM protocol, it is on the roadmap for future enhancements. Organizations seeking automated user provisioning and management may need to consider this in their evaluation.
Additionally, with an average score in cloud and SaaS integrations, Cradlepoint provides a secure virtual appliance for controlled access to on-premises and cloud resources, which is typical for the space. Improvements in cloud integration could further enhance the solution’s flexibility.
Purchase Considerations
When considering Cradlepoint’s ZTNA solution, organizations should evaluate the deployment model that best suits their needs: customer-hosted or as-a-service. The customer-hosted model requires purchasing a NetCloud Exchange Service Gateway for on-premises or virtual private cloud deployment, along with user-based ZTNA licenses. The as-a-service model offers user-based licensing without the need for additional hardware.
Cradlepoint’s ZTNA licenses are available in two tiers: essentials and advanced. While the essentials tier provides core ZTNA functionality, the advanced tier adds firewall, IDS/IPS, and advanced AIOps/virtual expert capabilities.
The solution supports virtual appliance, public cloud image, and SaaS deployment models, catering to both larger enterprises and SMBs with diverse infrastructure requirements.
Cradlepoint’s ZTNA solution is well-suited for organizations seeking flexible and secure access to diverse environments, including IoT, vehicle fleets, and remote workers. A leading use case for this solution is secure, reliable remote access to air-gapped operational technology (OT) networks (often a difficult feat to accomplish). The solution’s strength in unmanaged device support and legacy application access makes it ideal for dynamic and complex scenarios.
With strong security policy customization, Cradlepoint ensures that organizations can tailor access controls to their specific needs, including geo-location services and privileged remote access management.
Radar Chart Overview
Cradlepoint is positioned as an Outperformer in the Innovation/Platform Play quadrant, highlighting its exceptional security capabilities and continuous advancements. A strong emphasis on features like device posture assessment and support for unmanaged devices showcases its commitment to leading its sector of the market. Scoring high marks in crucial areas such as security policy customization, unmanaged device support, and advanced DLP, Cradlepoint is classified as a Challenger. Its ZTNA solution stands out for its comprehensive security offerings, including geo-location services, privileged access management, and DLP.
Forcepoint: Forcepoint ONE ZTNA
Solution Overview
Forcepoint offers a ZTNA solution known for its ability to detect, monitor, and block sensitive data movements within an organization. Forcepoint ONE ZTNA is sold standalone but can be purchased alongside other pieces of the Forcepoint SASE product suite.
Forcepoint has established itself as a partner in assisting organizations with digital transformation and cloud adoption challenges. Its ZTNA solution focuses on providing adaptable, context-aware access control to enhance security in diverse environments.
In the past year, Forcepoint has enhanced its ZTNA solution in various areas, including device posture assessment and risk-based authentication, aligning with market demands.
Strengths
Forcepoint ONE ZTNA offers robust device posture assessment capabilities, earning excellent scores in this area. It provides policy-based access control and integrates with various MDM and UEM solutions such as Microsoft Intune, VMware Workspace ONE, and MobileIron to ensure that only compliant devices with up-to-date security postures can access sensitive resources.
The solution’s risk-based authentication capabilities leverage advanced analytics and dynamic, risk-adaptive authentication requirements. It employs contextual factors such as user location, device posture, and behavior patterns to continuously evaluate risk levels and adapt authentication requirements accordingly. This adaptive approach enhances security by ensuring that users with higher risk profiles or anomalous behavior are subjected to more stringent authentication measures.
Forcepoint ONE ZTNA offers seamless cloud and SaaS integrations, facilitating secure access to leading cloud providers such as AWS, Microsoft Azure, and Google Cloud Platform (GCP). The solution integrates with various SSO and MFA solutions including Azure AD, Okta, and Duo Security to strengthen security and simplify user experiences.
Forcepoint’s ONE ZTNA solution excels in security policy customization, offering extensive and granular capabilities. It provides hierarchical policy management, allowing organizations to define and enforce consistent security policies across diverse environments, including on-premises, cloud, and hybrid deployments.
Challenges
With an average score in legacy application support, the solution may require workarounds or third-party tools for optimal experiences. Enhancements in this area could streamline access to older systems.
Additionally, with an average score in unmanaged device support, Forcepoint provides good capabilities with clientless access, granular controls, and secure browsing. However, there is room for enhancement to provide more comprehensive security for unmanaged endpoints or alternative architectures that result in better security for unmanaged devices.
Purchase Considerations
Forcepoint’s ONE ZTNA solution is suitable for both large enterprises and SMBs, with competitive pricing options. However, organizations should factor in the potential costs of premium support and additional professional services, which can increase the overall investment.
The solution is offered through a cloud-only deployment model, leveraging its cloud-native architecture and multiregion support to ensure scalability and reliable performance.
While the solution benefits from a strong vendor ecosystem with official partnerships, organizations should evaluate their specific integration requirements and consider the potential need for deeper integrations or customizations to ensure seamless compatibility with their existing IT infrastructure.
Forcepoint’s ZTNA solution is well-suited for organizations seeking robust security and flexible deployment options. The solution’s strength in device posture assessment and risk-based authentication makes it ideal for dynamic and complex environments.
Existing Forcepoint customers will find this is an easy choice, while those who are not Forcepoint customers but are large enterprises or are in the public sector will still find the focus on enterprise-ready features valuable.
Radar Chart Overview
Forcepoint’s ONE ZTNA solution is positioned in the Maturity/Platform Play quadrant. It is trending toward an innovative approach to the space because of its strong emphasis on enhancing features such as device posture assessment and risk-based authentication capabilities. High ratings in key areas like device posture assessment, security policy customization, and cloud and SaaS integrations contribute to its position as a Leader. Forcepoint’s ZTNA solution is distinguished by its comprehensive security offerings, including detailed policy management and cutting-edge analytics, setting it apart in the ZTNA sector.
Fortinet
Solution Overview
Fortinet, a cybersecurity company, offers a ZTNA solution that is tightly integrated with its core security products, such as the FortiGate Next-Generation Firewall (NGFW). Rather than being a standalone service or hardware appliance, Fortinet’s ZTNA capabilities are embedded into the core functionality of its security solutions, with enhanced features that can be unlocked through additional licensing or subscriptions.
Fortinet’s ZTNA solution aims to provide secure and granular access controls to applications, leveraging the company’s extensive security expertise and product portfolio. The solution focuses on enabling context-aware access based on factors such as user identity, device posture, and environmental conditions, ensuring that only authorized users and compliant devices can access specific resources.
Fortinet has continued to enhance its ZTNA offering by improving capabilities related to cloud and SaaS integrations, as well as device posture assessment.
Strengths
A notable strength of Fortinet’s ZTNA solution is its robust session monitoring capabilities, earning a top score of 5. Leveraging the FortiOS operating system at its core, the solution provides detailed logging and monitoring of all user sessions and activities, regardless of the deployment architecture. This comprehensive visibility into user interactions and potential security events enables organizations to effectively monitor and analyze user behavior, enhancing security and compliance efforts.
Another key strength lies in Fortinet’s strong security policy customization capabilities, also scoring a 5. The solution offers firewall-like policy customization, allowing organizations to define and enforce granular security policies that can incorporate a variety of security services, such as intrusion detection and prevention (IDS/IPS), malware scanning, and web filtering.
Fortinet’s ZTNA solution excels in advanced DLP capabilities, which are missing from some other solutions. When deployed in conjunction with Fortinet’s SASE or FortiGate NGFW solutions, organizations can leverage powerful DLP features to monitor and control data flows, detect and prevent data exfiltration attempts, and enforce granular data protection policies across their IT infrastructure.
For organizations evaluating Fortinet’s ZTNA solution, these strengths in session monitoring, security policy customization, and advanced DLP capabilities position the offering as a robust and highly customizable choice for implementing secure access controls.
Challenges
In the area of risk-based authentication, Fortinet’s ZTNA solution receives an average score. While the solution can integrate behavioral and contextual factors into authentication decisions when deployed in conjunction with Fortinet’s Endpoint Protection Platform (EPP) or SASE solutions, this capability may be limited or require additional components for organizations not utilizing these complementary offerings.
This ZTNA solution currently does not support the SCIM protocol, although it can be added with the purchase and integration of FortiAuthenticator. This lack of built-in SCIM support could pose challenges for organizations seeking to streamline user provisioning and deprovisioning processes across their IT infrastructure.
Purchase Considerations
When considering Fortinet’s ZTNA solution, organizations should understand that it is not offered as a dedicated product or SKU. Instead, ZTNA capabilities are inherently integrated into Fortinet’s core security products, such as FortiGate NGFW and the FortiSASE solution. By purchasing these products, organizations gain access to Fortinet’s ZTNA features.
Organizations should evaluate their deployment requirements and assess whether Fortinet’s ZTNA solution aligns with their existing infrastructure investments. For example, new FortiGate customers, existing FortiGate users, or organizations adopting FortiSASE can benefit from the integrated ZTNA capabilities.
Additionally, organizations should consider their need for professional services, training, and ongoing support to ensure effective implementation and utilization of Fortinet’s ZTNA solution within their broader security infrastructure.
Fortinet’s ZTNA solution is well-suited for organizations seeking robust security and flexible deployment options. The solution’s strength in security policy customization and advanced DLP makes it ideal for dynamic and complex environments.
Radar Chart Overview
Fortinet is positioned in the Maturity/Platform Play quadrant. As a seasoned vendor, Fortinet has built its ZTNA solution with a specific focus on areas like session monitoring. Fortinet has high ratings in critical aspects such as security policy customization, cloud and SaaS integrations, and advanced DLP, making it a strong Challenger in this report. Comprehensive security features including firewall-like policy customization and robust DLP capabilities distinguish it in the ZTNA sector.
InstaSafe: InstaSafe Zero-Trust Access
Solution Overview
InstaSafe is a startup focused on providing secure access solutions based on the zero-trust security model. The company enables remote employees and third-party contractors to access business applications securely and seamlessly.
InstaSafe’s approach combines user identity and device identity to authenticate users and provide least-privilege access. InstaSafe Zero-Trust Access (ZTA) combines secure access, MFA, IdP, and comprehensive reporting capabilities. The solution is based on a split-plane architecture, separating the control plane and data plane. This architecture results in reduced latency issues and significant cost savings by minimizing data ingress and egress charges.
InstaSafe’s ZTA solution provides a comprehensive approach to secure access, incorporating user and device identity, MFA, and granular access controls, while optimizing performance and reducing operational costs through its unique architecture.
Strengths
InstaSafe ZTA offers robust device posture assessment capabilities. The InstaSafe Agent performs a comprehensive security posture assessment of the endpoint, evaluating more than 15 parameters, including system MAC address, system domain name, system serial number, operating system build version, and installed antivirus software. This thorough assessment ensures that only compliant devices with up-to-date security postures can access sensitive resources, mitigating potential risks.
Another strength lies in InstaSafe’s strong security policy customization capabilities. The platform allows administrators to create granular rules and security policies for user groups, enabling fine-grained access controls tailored to specific organizational requirements and risk profiles. This level of customization ensures that access is granted based on the principle of least privilege, enhancing overall security posture.
InstaSafe’s ZTA solution offers some advanced DLP capabilities. The solution provides various endpoint controls, such as clipboard control, watermark protection, restricted file downloads, and screen capture prevention. These features help organizations maintain control over sensitive data and prevent unauthorized access or exfiltration, supporting compliance efforts and enhancing data security.
Challenges
While InstaSafe has a robust offering, there are areas for improvement. It has no current support for the SCIM protocol, and organizations seeking automated user provisioning and management may need to consider this in their evaluation.
Additionally, with an average score in unmanaged device support, InstaSafe provides clientless ZTNA through a browser plugin, performing basic device checks. Improvements in unmanaged device security could enhance the solution’s overall posture.
Purchase Considerations
When evaluating InstaSafe’s ZTA solution, organizations should consider that the company is a Series A startup, which may raise concerns about long-term viability, scalability, and support resources. As a relatively new player in a space dominated by mature leaders, InstaSafe’s solution may not offer the same level of features, integrations, or proven track record as established vendors.
However, for organizations with specific requirements that align with InstaSafe’s strengths, such as robust device posture assessment, granular security policy customization, and advanced DLP capabilities, the solution could be a viable option. Organizations should carefully assess their needs, evaluate InstaSafe’s roadmap, and consider engaging professional services or training to ensure a smooth implementation and effective utilization of the solution.
Despite being an average performer in a highly competitive market, InstaSafe’s Zero-Trust Access solution may be a good fit for organizations seeking a focused and tailored approach to secure access controls, particularly where a lightweight deployment through a browser-like agent extends ZTNA to applications for which it may otherwise be impossible.
The solution is designed for various use cases, including VPN replacement, third-party access, secure cloud access, and secure access to SSH/RDP. InstaSafe’s ZTNA solution is well-suited for organizations seeking dynamic and secure access to applications, particularly those with distributed workforces and remote access requirements. The solution’s strength in security policy customization and device posture assessment makes it ideal for enforcing consistent security across diverse environments.
Radar Chart Overview
Positioned in the Innovation/Feature Play quadrant, InstaSafe demonstrates strong security capabilities and ongoing advancements. As a new player in the space, InstaSafe approaches the challenge presented by ZTNA buyers in a unique and innovative fashion. Impressive performance in key aspects such as security policy customization, device posture assessment, and advanced DLP integrations underpin its status as a Challenger. InstaSafe stands out for its adaptable policy customization, thorough device posture assessment, and compatibility with legacy applications in the ZTNA landscape.
Startups can have a difficult time keeping pace with the speed of change in some spaces simply due to resource constraints, and that is the case with InstaSafe. It earned a Forward Mover designation this year in a market that evolves rapidly. The solution’s user-friendly interface, solid security framework, and versatility make it an appealing option for organizations seeking a dependable and dynamic ZTNA solution.
Ivanti: Neurons for Zero-Trust Access
Solution Overview
Ivanti is focused on providing secure access solutions, endpoint management, and IT service management solutions. Ivanti recently partnered with Lookout to offer customers a seamless integration of SWG and cloud access security broker (CASB) capabilities within its ZTNA offering.
Ivanti’s approach aims to simplify the migration from traditional VPN solutions to a security service edge (SSE) architecture, including ZTNA capabilities. The company targets large enterprises with complex application deployments and extensive infrastructure, where transitioning to a ZTNA model can be challenging.
Ivanti’s ZTNA solution is called Neurons for Zero-Trust Access. It is part of Ivanti’s broader security portfolio, which includes the Ivanti Connect Secure (formerly Pulse Connect Secure) VPN solution.
Neurons for ZTA works in conjunction with Ivanti Connect Secure, providing a unified cloud-based platform that offers both VPN and ZTNA access. Ivanti produces the ZTNA and VPN components, while the SWG and CASB functionalities are delivered through a partnership with Lookout, with controller and client-level integration to provide a seamless experience for end customers.
Strengths
One of the key strengths of Ivanti’s Neurons for ZTA solution lies in its cloud and SaaS integrations. Ivanti offers a cloud-managed ZTNA service that is tightly integrated with Lookout’s SWG and CASB technologies, providing a unified SSE solution. This integration ensures a seamless experience for customers, with the various components working together as a cohesive solution.
Ivanti’s solution also excels in risk-based authentication by leveraging user and entity behavior analytics, contextual controls such as location, login attempts, device posture, time of logins, and a software bill of materials running on the device. This risk-based approach enhances security by adapting access controls based on real-time risk assessments.
A notable strength is Ivanti’s legacy application support, earning a top score of 5. Ivanti’s value proposition centers around simplifying the migration from traditional VPN solutions to ZTNA, offering both VPN and ZTNA access under a unified cloud umbrella.
Neurons for ZTA demonstrates exceptional scalability, scoring a 5 in this criterion. It utilizes a distributed SDP architecture, with user traffic directly accessing ZTA gateways for specific applications. Customers can deploy multiple gateways for high availability without additional costs, ensuring continuous access during controller outages. It also provides built-in availability zone redundancy for its cloud controller.
Challenges
The solution does not currently support the SCIM protocol, and organizations seeking automated user provisioning and management may need to consider this in their evaluation.
Additionally, with an average score in unmanaged device support, Ivanti provides a typical browser-based secure remote access solution, leveraging HTML5 for seamless access. While effective, enhancements in granular controls and visibility for unmanaged devices could further improve security.
Purchase Considerations
When evaluating Ivanti’s Neurons for ZTA solution, organizations should consider the deployment model that best suits their infrastructure requirements. The solution supports virtual appliance, software-only, and SaaS deployment options, catering to diverse environments.
Ivanti offers a per-user pricing model with the option to purchase a unified access license (VPN and ZTA) or a ZTA-only license. The pricing structure allows users to access multiple devices and applications without additional costs.
Organizations should also assess their need for professional services, training, and ongoing support to ensure effective implementation and utilization, particularly for large enterprises with complex deployments. Ivanti’s solution prioritizes a seamless transition from traditional VPN solutions to a comprehensive ZTNA and SSE architecture.
Ivanti’s ZTNA solution is well-suited for organizations seeking dynamic and secure access to applications, particularly those with modern workforces and diverse access requirements. The solution’s strength in device posture assessment and risk-based authentication makes it ideal for enforcing consistent security across diverse environments. This solution is a good choice for organizations that want to migrate away from large, complex legacy VPN deployments in a measured way.
Radar Chart Overview
Ivanti is positioned in the Innovation/Platform Play quadrant. Ivanti has demonstrated notable improvements to its ZTNA platform with a particular focus on enhancing features such as device posture assessment and risk-based authentication. It is positioned as a Challenger due to its high scores in legacy application support (because of its ability to simplify VPN migrations), its scalability, and good scores for device posture assessment, risk-based authentication, and security policy customization.
Menlo Security: Menlo Secure Application Access
Solution Overview
Menlo Security offers a ZTNA solution as part of its cybersecurity product portfolio. Founded in 2013 with a focus on addressing cloud security concerns, Menlo Security has built a reputation around its flagship Secure Cloud Browser technology, which isolates endpoints from web and document-based malware threats.
To enter the ZTNA market, Menlo Security launched Menlo Secure Application Access (SAA), a cloud-enabled platform designed to provide seamless access to applications and resources across both managed and unmanaged devices. SAA aims to simplify security management and enhance the protection of user data and networks.
One of the key differentiators of SAA is its emphasis on simplicity for users and IT teams alike. The solution offers a zero-touch deployment method that covers a broad range of devices and use cases, reducing the overhead typically associated with other ZTNA solutions during the deployment phase. Another key differentiator for the Menlo Security solution is its approach to isolating users via network isolation. This approach ensures users never directly interact with applications; instead, their actions are carried out through a proxy of sorts, allowing Menlo to filter malicious or unwanted actions before they reach the application.
Menlo Security’s ZTNA solution leverages the company’s expertise in endpoint security and isolation technologies, aiming to provide organizations with a secure and user-friendly approach to accessing applications and resources while adhering to zero-trust principles.
Strengths
SAA includes exceptional unmanaged device support, earning a top score of 5 in this area. The solution ensures secure and controlled access on unmanaged devices through robust device posture assessment and containerization techniques. SAA’s zero-touch deployment approach simplifies the process of providing secure access for unmanaged devices, eliminating the need for manual steps such as importing SSL certificates or setting up custom DNS records, as required by many other solutions.
Another notable strength is SAA’s focus on ease of use, which also scores a 5. The solution offers an intuitive interface, comprehensive documentation, and automation capabilities, ensuring a seamless experience for both users and administrators. This emphasis on simplicity streamlines the deployment and management processes, reducing overhead and enhancing user adoption.
Furthermore, SAA demonstrates strong session monitoring capabilities. The solution provides real-time visibility into user behavior during ZTNA sessions, enabling effective anomaly detection and compliance assurance. This level of monitoring enhances an organization’s ability to identify and respond to potential security threats or policy violations.
Challenges
Legacy, non-browser-accessible applications will require an agent to access. Additionally, with an average score in advanced DLP, the solution provides capabilities with context- and content-aware inspection and flexible policy controls. However, native DLP capabilities would enhance the solution’s posture.
Additionally, with an average score in SCIM protocol support, Menlo Security offers some automated user provisioning and management. Enhancements in this area could streamline user lifecycle management.
Purchase Considerations
When evaluating SAA, organizations should consider the deployment model that aligns with their infrastructure requirements. SAA is offered as a cloud-only solution, catering to organizations that have embraced cloud computing or are transitioning to a cloud-first strategy. However, organizations with hybrid or on-premises environments may need to explore alternative solutions or consider integrating SAA with their existing security infrastructure.
Menlo Security’s ZTNA solution is well-suited for organizations seeking dynamic and secure access to applications, particularly those with diverse environments and remote workforces. The solution’s strengths in cloud and SaaS integrations and unmanaged device support make it ideal for modern workforces.
With strong legacy application support, Menlo Security facilitates secure access to older systems, ensuring business continuity during digital transformation initiatives.
The solution is licensed on a per-user basis, with varying service tiers available to accommodate different feature and functionality requirements. Both large enterprises and SMBs can benefit from SAA’s user-based pricing model, aligning costs with their specific user base.
Radar Chart Overview
Menlo Security is positioned in the Maturity/Platform Play quadrant. It’s recognized as a Leader because of its strong scores across the decision criteria we evaluated. The company has placed emphasis on enhancing capabilities such as unmanaged device support and device posture assessment, demonstrating its agility in addressing emerging market needs. Menlo Security has a consistent release cadence, delivering new features, improvements, and bug fixes at a pace that aligns with industry standards in this rapidly evolving market segment. The solution’s user-friendly interface, strong security foundation, and adaptability make it a viable option for organizations seeking a reliable and dynamic ZTNA solution.
Nile
Solution Overview
Nile is a cybersecurity company that specializes in zero-trust solutions, with a strong focus on ZTNA offerings. The company takes a unique approach by emphasizing isolation-based security measures that focus on securing the inside of the perimeter, whereas most ZTNA solutions focus on remote access. That said, Nile does have existing partnerships with ZTNA firms such as Palo Alto Networks and Zscaler to complement its LAN offerings with remote access solutions from these firms.
This solution leverages Layer 3 segmentation techniques to create secure, isolated environments for user sessions and application access. This approach aims to eliminate potential threats from spreading across the network or compromising sensitive resources. The solution incorporates advanced security controls, such as risk-based authentication, device posture assessment, and granular access policies, to ensure that only authorized users and devices can access specific applications or resources.
Nile positions its ZTNA solution as a tailored alternative to the traditional network architecture for organizations seeking a highly secure and risk-mitigating approach to implementing ZTA controls across their internal IT infrastructure.
Strengths
The Nile ZTNA solution excels in unmanaged device support, providing leading unmanaged device security. The solution employs identity and machine-based access boundaries and policies, ensuring per-device isolation and granular control via on-premises and cloud-based enforcement options.
Legacy application support is another key strength, with Nile Access Service supporting older solutions. The solution offers machine-based access boundaries, 802.1X authentication, and various authentication protocols, ensuring seamless device onboarding and secure access to legacy systems.
Cloud and SaaS integrations are facilitated through SSO, SCIM, and API capabilities, providing good integration capabilities, although this is typical for the space. The solution’s API feature set enhances flexibility for managing “east/west” and “north/south” traffic flow policies.
Device posture assessment is achieved primarily through EDR, UEM, and MDM integrations. Once connected, Nile provides comprehensive device visibility and recurring assessment, ensuring secure and compliant devices.
Challenges
The solution does not currently support risk-based authentication or session monitoring, so organizations seeking dynamic authentication and real-time visibility may need to consider this in their evaluation.
Additionally, with no advanced DLP capabilities in the solution, organizations seeking comprehensive data protection may need to consider additional solutions or wait for future enhancements.
Purchase Considerations
Nile offers subscription-based deployment with per-user or per-square-foot pricing, providing cost efficiency and flexibility. Isolation-based guest and DHCP services are available as add-ons, ensuring comprehensive security.
The solution’s hardware-based architecture presents scaling challenges typical of physical devices, and organizations should consider this in their planning.
The strong vendor ecosystem, integrating with modern firewall, cloud security, and legacy NAC/MDM vendors, ensures broad compatibility and enhances the solution’s functionality.
The Nile ZTNA solution is well-suited for organizations seeking dynamic and secure access to applications, particularly those with modern workforces and IoT devices. The solution’s strengths in unmanaged device support and legacy application access make it ideal for diverse environments.
Radar Chart Overview
Nile is positioned in the Innovation/Feature Play quadrant. Nile focuses on areas such as unmanaged device support, legacy application support, and security inside the network perimeter. While Nile is strong in some areas, its lower scores across the decision criteria we evaluated positioned it in the Entrant circle. It is lacking execution on a few key and emerging features that may be detractors for some ZTNA buyers. Nile’s unique isolation-based approach, robust security posture, and compatibility with a wide range of vendors differentiate it within the ZTNA landscape. The solution’s user-friendly interface, security features, and adaptability make it an appealing choice for organizations seeking dynamic and dependable zero-trust access for internal networks.
Palo Alto Networks
Solution Overview
The Palo Alto Networks ZTNA solution, Prisma Access ZTNA 2.0, is a comprehensive offering that provides secure access to applications and resources based on the principles of least privilege and zero trust.
Palo Alto Networks takes a unique approach to ZTNA by positioning itself as a “ZTNA 2.0” visionary, suggesting that its solution goes beyond traditional ZTNA offerings. While this claim has yet to be fully proven, the company’s approach to ZTNA does address many of the key requirements for a robust ZTA solution.
Prisma Access ZTNA 2.0 is a standalone product that can be purchased separately or as part of the Palo Alto Networks SASE solution. It consists of several components that work together to provide secure access to applications and resources. The solution utilizes a cloud-based service, known as the Prisma Access Service, which acts as a central control plane for managing and enforcing access policies.
Prisma Access ZTNA 2.0 employs a range of techniques such as MFA, device posture checks, and continuous monitoring to ensure that only authorized users and trusted devices can access sensitive resources. It also provides granular access controls, allowing organizations to define fine-grained policies based on user identities, device attributes, and the context of access requests.
Strengths
Palo Alto Networks’ ZTNA solution excels in several key areas, making it an attractive choice for organizations evaluating ZTNA vendors. Its high score in ease of use indicates a streamlined management interface and a user-friendly experience, which simplifies deployment and ongoing management.
The solution’s robust DLP capabilities, combined with context and content-aware inspection as part of the broader SASE solution, provide comprehensive data protection and ensure that sensitive information remains secure during ZTNA sessions.
One of the solution’s standout strengths is its granular security policy customization, scoring 5. Organizations can tailor access policies based on role-based access, device posture, and MFA requirements, enabling a dynamic zero-trust approach tailored to their specific needs.
Additionally, the solution’s real-time session monitoring capabilities provide visibility into user behavior during ZTNA sessions, enabling anomaly detection and ensuring compliance with organizational policies and regulations.
Challenges
The solution does not currently offer support for the SCIM protocol, which organizations seeking automated user provisioning and management may need to consider in their evaluation.
Additionally, with an average score in unmanaged device support, Palo Alto Networks provides clientless access with granular controls. While effective, enhancements in more comprehensive security for unmanaged devices would make it a better choice for unmanaged access use cases like contractors and third parties.
Purchase Considerations
For existing Palo Alto Networks customers, Prisma Access ZTNA 2.0 can be an attractive choice, as it integrates seamlessly with their existing security infrastructure, offering a capable ZTNA solution. However, new customers evaluating only ZTNA solutions might consider alternatives with higher scores in key ZTNA features. Those looking for a broader SASE portfolio should keep Palo Alto Networks in the running.
Palo Alto Networks offers competitive pricing with flexible subscription models and a transparent cost structure, making it easier for organizations to plan and manage their security budgets. The solution’s efficient horizontal scalability, leveraging Palo Alto Networks’ global network presence, ensures reliable performance for distributed environments.
Additionally, Palo Alto Networks’ strong vendor ecosystem, with integrations to leading cloud and security providers, enhances the solution’s functionality and ensures seamless user experiences, further contributing to its appeal.
Palo Alto Networks’ ZTNA solution is well-suited for organizations seeking dynamic and secure access to applications, particularly those with complex and diverse environments. The solution’s strengths in cloud and SaaS integrations and risk-based authentication make it ideal for modern workforces.
The solution’s flexibility is a notable strength, as it can adapt to diverse organizational needs, providing granular access controls and supporting legacy applications and unmanaged devices. This versatility minimizes disruption during deployment and ensures compatibility with existing infrastructure.
With strong legacy application support, Palo Alto Networks facilitates secure access to older systems, ensuring business continuity during digital transformation initiatives.
Radar Chart Overview
Palo Alto Networks is positioned in the Maturity/Platform Play quadrant. It offers a comprehensive ZTNA solution that integrates with its broader security portfolio, making it a candidate for organizations seeking a holistic security approach. As an experienced vendor in the cybersecurity space, Palo Alto Networks has demonstrated stability and reliability. It has solid scores across the decision criteria we evaluated, making it a Challenger in this report.
Portnox: Portnox Cloud
Solution Overview
Portnox is a cybersecurity company that focuses on access control solutions. Portnox Cloud is a unified access control platform that provides services for both network and application access control. It combines traditional network access control (NAC) capabilities with conditional access for SaaS and on-premises applications, as well as Terminal Access Controller Access-Control System Plus (TACACS+) for simplified infrastructure administration.
Portnox Cloud consists of multiple integrated products:
- Portnox RADIUS-as-a-Service (RaaS) provides basic access control services.
- Zero-Trust NAC is a full-featured, cloud-native NAC solution.
- TACACS+ is a cloud-native TACACS+ solution for infrastructure administration.
- Conditional Access for Applications provides access control for SaaS and on-premises applications.
Portnox Cloud is a zero-trust platform consisting of several key access control solutions for networks, applications, and infrastructure. It allows organizations to purchase individual modules as standalone services or as a comprehensive access control platform, providing flexibility to address specific needs or implement a holistic access control strategy.
Strengths
Portnox Cloud excels in secure network and application access based on risk policies that evaluate endpoint posture, contributing to a high score for device posture assessment. This feature allows organizations to implement quarantine, denial, or automated remediation actions, ensuring that only compliant devices can access resources.
The solution’s risk policy engine scores devices based on their security posture, enabling organizations to take appropriate actions, such as denying access, allowing access, quarantining devices, or initiating automated remediation processes. This risk-based approach enhances overall security posture and contributes to a high score for this key feature.
For unmanaged device support, Portnox Cloud provides secure IoT access via MAC bypass and device fingerprinting. It also integrates with MDM solutions for risk scoring and compliance policy enforcement. Automated remediation actions can be taken based on the risk profile of unmanaged devices, ensuring comprehensive access control.
Another strength is cost. Portnox Cloud offers a modular platform, allowing organizations to purchase individual components as needed. Additionally, it provides flexible one- and three-year SaaS subscription options and transparent pricing with add-ons available on its website.
Challenges
The solution currently does not offer support for legacy applications, which may be a concern for organizations relying on older software or systems.
Portnox Cloud’s session monitoring capabilities are limited to RADIUS and TACACS+, logging generalized session metadata. Detailed session monitoring and user behavior analysis are not implemented, potentially hindering comprehensive security monitoring and compliance efforts.
The solution does not currently support the SCIM protocol, which could pose challenges for organizations seeking to integrate Portnox Cloud with their existing identity and access management systems.
While Portnox Cloud can enforce the installation, running, and up-to-date status of DLP software, it does not offer advanced DLP capabilities natively, potentially requiring additional third-party solutions for comprehensive data protection.
Purchase Considerations
Portnox Cloud’s cloud-native architecture ensures that customers always have access to the latest features and updates, without the need for on-premises upgrades or maintenance.
One of Portnox Cloud’s differentiators is its strong IoT device trust capabilities, which rely on fingerprinting via MAC addresses and DHCP gleaning, enabling an agentless and cloud-based approach to IoT device management. This agentless and dynamic approach makes Portnox Cloud particularly well-suited for organizations with a significant IoT presence or those with compliance requirements related to IoT devices.
Portnox Cloud’s modular design allows organizations to purchase individual components or the entire platform, depending on their specific needs. The company offers standard one- and three-year SaaS subscriptions, with pricing and packaging information, including add-ons, available on its website.
Portnox’s ZTNA solution is well-suited for organizations seeking dynamic and secure access to applications, particularly those with modern workforces and IoT devices. The solution’s strength in device posture assessment and risk-based authentication makes it ideal for enforcing consistent security across diverse environments.
Radar Chart Overview
Portnox is positioned in the Innovation/Feature Play quadrant. Portnox addresses the ZTNA space with a unique take on the problem set, providing good performance in areas like device posture assessment, risk-based authentication, unmanaged device support, and security policy customization. Portnox is distinguished by its flexible policy customization, strong IoT security measures, and automated remediation capabilities in the ZTNA landscape. Although strong in these areas, its lower scores across some of the decision criteria we evaluated land it in the Entrant ring.
SonicWall (Banyan Security): SonicWall Cloud Secure Edge
Solution Overview
SonicWall is a cybersecurity company known for its comprehensive security solutions, including firewalls, secure remote access, and cloud security services. SonicWall recently acquired Banyan Security, significantly enhancing its ZTNA solution offering. The SonicWall Cloud Secure Edge solution, powered by Banyan’s technology, provides a broad ZTNA feature set, enabling users to access applications dynamically and securely with thorough protection.
SonicWall Cloud Secure Edge consists of three main components inherited from Banyan’s ZTNA solution:
- App: The user-facing component for secure application access.
- Edge: The component responsible for securely connecting users to applications.
- Command Center: The centralized management and policy configuration component.
SonicWall’s ZTNA solution, previously known as Banyan Private Access, is designed to provide adaptive, context-aware access control, enhancing security across various environments. It excels in scenarios involving BYOD and mergers and acquisitions (M&A) due to its strong support for unmanaged devices and granular security policy configurations.
Strengths
SonicWall receives a high score for risk-based authentication, as Banyan’s technology enables authentication requirements to adapt based on real-time risk assessments, considering user behavior, device posture, location, and contextual signals. This adaptive approach enhances security and provides a dynamic ZTNA model.
Another strength is its session monitoring capabilities, which also score a 5. The solution offers real-time visibility, logging, and anomaly detection for user activities, enabling organizations to maintain security and compliance effectively.
The solution has average support for advanced DLP, with DLP for private applications being generally available, while DLP for public (SaaS) applications is expected to be released by the end of 2024.
Ease of use is another area where the solution excels. It enables rapid deployment in under 15 minutes, offers one-click access to infrastructure and applications, and utilizes WireGuard under the hood for simplicity and strength. Additionally, the service catalog eases administrative choices.
Challenges
The solution does not currently offer support for advanced DLP in public (SaaS) applications, and organizations seeking comprehensive data protection may need to consider this in their evaluation. DLP for private apps is generally available now, with public app support on the roadmap.
Additionally, with an average score in the vendor ecosystem, SonicWall has room for expansion in its partner network and deeper integrations with other technologies like SIEM, XDR, or even legacy VPNs and remote access solutions.
SCIM protocol support is limited to Okta right now, which can potentially impact the administration experience for organizations not using Okta as their identity provider.
Purchase Considerations
While SonicWall Cloud Secure Edge is part of SonicWall’s broader security portfolio, it can also be purchased as a standalone ZTNA solution, offering flexibility to organizations seeking to implement a zero-trust access model.
Licensing and pricing models should also be evaluated based on the organization’s size, projected growth, and specific requirements, as these factors may influence the overall cost of ownership and scalability of the solution.
SonicWall’s ZTNA solution is an attractive choice for SMBs and MSPs, as SonicWall operates through a 100% channel-based sales model. This approach makes the solution particularly suitable for organizations with small teams or those lacking specialized skills or resources. Ease of deployment is a major consideration, as the vendor promises rapid deployment within 15 minutes and a user-friendly experience.
Radar Chart Overview
SonicWall is positioned as an Outperformer in the Maturity/Platform Play quadrant. The SonicWall acquisition of Banyan appears to be progressing smoothly, demonstrating strong integration efforts that ensure this solution looks and feels like any other SonicWall solution. In addition, the resources SonicWall is devoting to accelerating the roadmap have earned it the Outperformer status. Impressive performance in crucial aspects like risk-based authentication, device posture assessment, support for legacy applications, and security policy customization underpin SonicWall’s classification as a Leader.
Sophos
Solution Overview
Sophos is a cybersecurity company that provides security solutions spanning firewalls, endpoint protection, and cloud security, as well as a managed detection and response service. The Sophos ZTNA solution is tightly coupled with the Sophos Firewall v20 offering, reducing hardware requirements and eliminating the need for additional platform licenses or hardware. It can be deployed in various environments including head offices, branch offices, and public clouds (Azure or AWS), utilizing any form factor supported by the Sophos Operating System (SFOS).
The Sophos ZTNA solution features rapid deployment (within minutes), support for high availability (HA) mode for resiliency and redundancy, and secure remote management capabilities for firewalls without exposing them to the WAN, reducing the attack surface. The ZTNA solution is offered as a built-in feature of the Sophos Firewall v20, with no change in licensing required, and it seamlessly works with existing ZTNA agents across various gateway platforms, including Sophos Firewalls.
While the ZTNA solution is integrated into the Sophos Firewall v20 platform, it can also be utilized as a standalone ZTNA solution, providing organizations with deployment flexibility.
Strengths
Risk-based authentication is a strength, as the solution adapts to authentication requirements by leveraging Sophos Endpoint’s behavioral engine, which uses context awareness of process interactions and origin to detect malicious behaviors. This dynamic approach enhances security by continuously evaluating user context and adapting authentication measures accordingly.
Security policy customization is another area where the solution excels, enabling granular controls including role-based access, device posture, and MFA. This flexibility ensures that organizations can tailor access policies to their specific needs, contributing to a dynamic zero-trust security model.
While advanced DLP capabilities are available in the broader Sophos Central platform, they are not included in the ZTNA solution itself, which may be a consideration for organizations with stringent data protection requirements that don’t want to purchase products from multiple vendors.
Challenges
It offers no current support for the SCIM protocol, and organizations seeking automated user provisioning and management may need to consider this in their evaluation.
Sophos has a decent partner network, but the breadth and depth of integrations could be improved to include integrations with other security tooling outside of the Sophos ecosystem, such as ticketing platforms like ServiceNow and Jira and cloud service providers like Oracle or Google.
Purchase Considerations
The Sophos ZTNA solution’s integration with the Sophos Firewall v20 is a notable aspect to consider. While a small number of full-featured free licenses are included with every firewall, should customers exceed that number they will need to purchase per-user ZTNA licenses. The firewall can be deployed as a virtual machine or a physical device, providing flexibility in deployment models. The ZTNA functionality is included by default with the firewall licensing, making it relatively straightforward for organizations to migrate from traditional VPN solutions to ZTNA, with the primary cost being the time and effort required for the migration process.
Sophos offers various support and training options, which should be considered as part of the overall deployment and operational costs. Additionally, organizations should assess the licensing models and pricing structures offered by Sophos, ensuring that they align with their projected growth and long-term requirements.
While Sophos supports enterprise customers, the ZTNA solution and the broader Sophos product portfolio may be particularly attractive to SMBs. The solution’s feature set and overall Sophos ecosystem are generally well-suited for the SMB market.
Radar Chart Overview
Sophos is positioned in the Maturity/Platform Play quadrant. As a mature vendor, Sophos values stability over innovation, and its release track record indicates that will continue to be the case. Good scores in areas such as security policy customization, risk-based authentication, device posture assessment, and legacy application support contribute to its classification as a Challenger. Average scores in vendor ecosystem, ease of use, legacy application support, and unmanaged device support keep it outside the Leader ring this year.
Zscaler: Zscaler Private Access
Solution Overview
Zscaler is a cybersecurity company focused on helping organizations navigate digital transformation and cloud adoption challenges. Zscaler offers a cloud-delivered ZTNA solution called Zscaler Private Access (ZPA). This ZTNA solution enables users to access applications dynamically and securely, providing comprehensive protection. It is known for its smooth user experience and leverages the cloud as its foundation, complemented by connectors and agents for various use cases, making it highly flexible.
The ZTNA solution is part of Zscaler’s broader SASE suite of products.
ZPA stands out for its app discovery feature, which enables seamless connections between users and applications regardless of the software being used. It is one of the few, if not the only, ZTNA solutions offering this capability.
The solution leverages the cloud as its foundation and employs connectors and agents for different use cases, providing exceptional flexibility in deployment and integration. ZPA is designed to provide adaptable, context-aware access control, enhancing security across diverse environments.
Strengths
Flexibility is a standout strength, as the solution’s robust feature set allows it to adapt to a wide range of use cases. For example, ZPA’s app discovery capability enables seamless connections between users and applications, regardless of the software being used, catering to diverse application environments.
Scalability is another strong point, facilitated by ZPA’s cloud-native architecture, global footprint, and partnerships. This scalability allows organizations to efficiently expand their ZTNA deployments as their needs grow without being constrained by infrastructure limitations.
Advanced DLP capabilities are robust, with ZPA offering context- and content-aware inspection, ensuring data security across various environments. This feature is particularly valuable for organizations handling sensitive information or operating in regulated industries.
Cloud and SaaS integrations are seamless, with ZPA offering native integration with major cloud providers, SaaS platforms, and custom applications through an API-based approach. This capability ensures a consistent and secure user experience across cloud, hybrid, and on-premises environments.
Challenges
ZPA’s session monitoring capabilities are average, and some users report that the management interface can be counterintuitive, with a learning curve before its features can be used effectively. This may pose challenges for organizations with limited in-house expertise or resources, because a certain level of expertise is required to select the appropriate options and configurations for an organization’s specific needs.
While ZPA excels in various other aspects, such as flexibility, scalability, advanced DLP, and cloud integration, the session monitoring experience may require more effort or additional resources to fully meet the organization’s expectations.
Purchase Considerations
When considering ZPA for ZTNA, organizations should carefully evaluate their in-house expertise and resource availability. While ZPA offers robust features and capabilities, it may require training and professional services to fully utilize its advanced functionality, particularly for organizations with limited cybersecurity expertise.
ZPA’s cloud-native deployment model and licensing structure based on user and bandwidth consumption may be cost-effective for organizations with distributed workforces or fluctuating user counts. However, organizations with stable user bases or on-premises infrastructure preferences should carefully assess the long-term costs and compatibility with their existing environments.
Overall, ZPA is an excellent fit for organizations with dedicated cybersecurity resources, cloud-centric strategies, and the need for highly scalable and flexible ZTNA solutions. The advanced DLP feature set makes easy work of tracking sensitive data access, a vitally important feature for some regulated industries.
Zscaler’s ZTNA solution is well-suited for organizations seeking dynamic and secure access to applications, particularly those with complex and diverse environments. The solution’s strength in cloud and SaaS integrations and risk-based authentication make it ideal for modern workforces.
With strong legacy application support, Zscaler provides good real-time visibility into behaviors, anomalies, and unusual events through event correlation, ensuring security and compliance.
Radar Chart Overview
Zscaler is positioned as an Outperformer in the Maturity/Platform Play quadrant. Operating as an experienced vendor in this space, Zscaler consistently releases major features for its ZTNA solution. Zscaler can solve many ZTNA use cases very well and has considerable depth of integrations, making adoption and deployment streamlined.
Strong performance across key features such as cloud and SaaS integrations, device posture assessment, risk-based authentication, and security policy customization contributes to its classification as a Leader. Zscaler is distinguished by its comprehensive security features, including API-based connectivity, dynamic risk assessments, and adaptable policy customization, which set it apart within the ZTNA sector.
6. Analyst’s Outlook
The ZTNA market is dynamic and evolving rapidly, with organizations increasingly recognizing its importance in securing diverse environments. ZTNA solutions enable dynamic and secure access to applications, ensuring comprehensive protection. The market is characterized by strong competition, with vendors continuously enhancing their offerings to address the complex security challenges faced by modern workforces. One example is how deeply endpoint security telemetry figures in authentication decisions, since endpoints can provide unique insights into the state and behavior of users. Additionally, SCIM support, which reduces administrative burden by propagating users from identity sources (like Okta or Google) into remote access solutions (like ZTNA), continues to grow in popularity but is not uniformly supported by vendors.
Decision-makers should approach ZTNA adoption by first understanding their organization’s specific needs and requirements. Evaluating the diverse use cases and deployment models offered by vendors can help identify the most suitable solutions.
Organizations seeking dynamic and secure access to applications should consider solutions with strong cloud and SaaS integrations, ensuring seamless connectivity to leading cloud providers.
Risk-based authentication and device posture assessment capabilities are key to enhancing security. Vendors that continuously evaluate user context and device compliance ensure a dynamic security posture. Legacy application support is vital for organizations with older systems, ensuring business continuity during digital transformation.
The ZTNA market is expected to continue evolving rapidly, driven by the increasing adoption of cloud services and the need for comprehensive security. Vendors will further enhance their solutions, improving cloud integration, risk-based authentication, and unmanaged device support.
Organizations should prepare for the future by embracing a zero-trust security model and adopting a dynamic, context-aware security posture. The market will likely see more vendors offering flexible deployment options and strong security policy customization, ensuring adaptable solutions.
To learn about related topics in this space, check out the following GigaOm Radar reports:
- GigaOm Radar for Network Access Control
- GigaOm Radar for Identity Threat Detection and Response (ITDR)
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.
8. About Chris Ray
Chris Ray is a veteran of the cyber security domain. He has a collection of experiences ranging from small teams to large financial institutions. Additionally, Chris has worked in healthcare, manufacturing, and tech. More recently, he has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2024. "GigaOm Radar for Zero-Trust Network Access (ZTNA)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.