Zero Trust Security, also referred to as Zero Trust Networks or Zero Trust Architecture, is a security concept with one basic principle: don’t automatically trust anything to access your data, whether it’s connecting from outside your organization or from within. Implementing Zero Trust involves a range of different technologies, policies and processes that help you to better respond to the sophisticated approaches cybercriminals are using to gain access to sensitive data.
The US National Institute of Standards and Technology (NIST) defines Zero Trust security as an “evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” Zero Trust Security is not something that organizations can implement by purchasing one solution, but rather something that is incrementally implemented with a combination of solutions and processes that are underpinned by Zero Trust principles.
As such, the Zero Trust security solutions included in this list comprise a range of different technologies and processes that authenticate user access, segment and manage access to data, and continuously monitor your network for malicious network activity; three of the most important features in any Zero Trust security model.
We’ve researched the top Zero Trust security solutions, considering key features including authentication methods, policies, and monitoring and reports. We’ve also considered pricing, target markets, and the deployment process, to help you find the right Zero Trust Security solutions for your organization.
Prove is a market leading identity proofing and affirmation vendor that helps organizations enable zero trust user access to applications and services. Prove’s Phone-Centric Identity Platform utilizes phone numbers as secure methods of user authentication. The platform allows users to log in, authenticate their identity and get access to account services all with just a cell phone and phone number. Prove is currently used by more than 1,000 organizations globally—including banks, financial services, insurance, healthcare, and e-commerce—to mitigate fraud, boost revenue, reduce operating costs, and improve customer experiences across all channels.
Prove Features
Prove’s Phone-Centric Identity model provides users with strong identity security and a frictionless login experience by ingesting billions of phone signals daily—including phone behavior, phone number changes and phone line tenure—in real-time, to verify user identities and allow customers or employees to create and access digital accounts.
Organizations can use Prove’s Pre-Fill solution to authenticate new identities and provide a quick, seamless onboarding process by automatically verifying new users based on the signals outlined above.
The Identity Management solution provides organizations with a registry of tokenized customer identities, giving them greater customer data accuracy and a more holistic overview of customer identities across their platform. This makes it easier to manage and update user access.
Prove also offers secure, risk-based authentication via their Identity solution, which assigns each login attempt a real-time “Trust Score” based on behavioral and phone intelligence signals. Users are automatically granted or denied access, or asked to verify their identity using MFA, based on the risk level of their login attempt. This increases security while enabling a frictionless login experience, by only require users to authenticate via a secondary method when needed.
Admins can leverage the wide range of authentication methods offered by Prove Auth—from traditional OTPs to sophisticated biometric authentication—to configure authentication requirements across low- to high-risk transactions to ensure security without negatively impacting customer experience.
Prove Summary
Prove’s Phone-Centric Authentication is a leading authentication solution in the banking, commerce, payments, gaming, insurance, and healthcare industries, enabling organizations to authenticate and verify user identities to prevent account breach and identity fraud. The platform enables secure, seamless authentication for users, and powerful controls and protection for service providers. Utilizing mobile networks and the phone number is a highly secure method of authentication, and Prove’s recent acquisition of mobile behavioral biometrics provider UnifyID promises to further enhance the security of the platform with added biometric controls. We recommend Prove for organizations looking for a seamless authentication experience for users that provides enhanced security and admin oversight.
Ping Identity is an identity and access management provider that offers solutions that ensure maximum security of account and application access across your organization. Utilized by 60% of Fortune 100 companies, PingOne for Workforce is a cloud identity solution that provides robust, adaptive user authentication with in-built single sign-on and a unified admin portal to create a seamless, secure login process for both employees and admins.
PingOne Features
PingOne offers adaptive authentication for users and devices across a wide range of SaaS, on-prem and cloud applications. The platform provides the ability to detect high-risk behaviors, such as unauthorized logins or malicious attacks. If such behaviors are detected, PingOne can require a user to reauthenticate or deny their login attempt, per predefined policies. If no anomalous behavior is detected, the user is granted access without . This gives admins greater assurance that users are legitimate, without adding unnecessary friction to all users’ login experiences.
The PingOne platform also provides in-built SSO across all applications, service providers and identity providers, meaning that users can sign in across each of these accounts with just one set of credentials, no matter now the accounts have been configured. PingOne’s SSO also works across mobile applications, ensuring a seamless login experience no matter from which device a user is connecting.
From the universal management console, designed with simplicity in mind, admins can generate useful insights into the state of authentication across their business and set up granular adaptive authentication policies in line with their zero trust principles. They can also automate and delegate certain administrative tasks, making it easier to keep on top of support tickets.
Alongside it’s MFA and SSO capabilities, PingOne offers a number of technology integrations with other third-party vendors, including device and network security providers, to help you build a complete zero trust architecture.
PingOne Deployment
PingOne is a cloud-based platform delivered as-a-Service and, as such, is relatively easy to deploy. The solution offers Active Directory integration, which takes the complexity out of onboarding users initially but also enables the automatic removal of users from the Ping platform if they leave the company.
Pingne also offers integrations with an extensive range of SaaS, legacy, on-prem and custom applications, so that organizations can easily create a seamless, universal login experience across all of their workplace apps.
PingOne Summary
PingOne is a powerful identity and access management tool that enables admins to easily verify and manage user access to all on-prem, SaaS and cloud applications. Admins can configure granular adaptive access policies to bring the platform in line with their business’ zero trust architecture, as well as streamline the login process for their end users. We recommend PingOne as a strong solution for organizations of any size looking to integrate identity and access management into their zero trust security stack.
Thales is a global technology company, providing security and technology solutions for over 30,000 organizations in 68 countries globally. SafeNet Trusted Access is a cloud-based access management and authentication solution which provides secure multi-factor authentication and single sign-on in one, integrated cloud-based platform. The solution enables organizations to more effectively protect online identities and securely authenticate access with granular, situation-based admin policies to verify external and internal access to systems; helping organizations to achieve one of the central tenets of a zero trust approach.
Thales SafeNet Trusted Access Features
SafeNet Trusted Access is a cloud-based solution that provides identity-as-a-service, combining single sign-on and multi-factor authentication into a seamless authentication solution that allows users to verify identities easily and securely. SafeNet Trusted Access Smart Single Sign-On allows users to securely authenticate access to all cloud applications with just a single set of credentials, verifying identities continuously without reliance on often unsecure methods of verification through the use of passwords.
This also helps to reduce the burden on admin teams, by removing the need for password resets and account unlocking. Admins can configure scenarios-based policies to govern single sign-on access, including requiring additional authentication steps for specific accounts and applications.
SafeNet Trusted Access also supports multi-factor authentication, allowing users to authenticate access using a number of different authentication methods. The platform supports adaptive context-based authentication meaning that users are only prompted for additional verification steps in high-risk scenarios, according to admin policies.
Thales SafeNet Trusted Access Deployment
SafeNet Trusted Access is fully-cloud based, and so can be very quickly deployed and rolled out to users. The service is highly scalable, and admins can apply regional compliance controls to specific groups of users. SafeNet Trusted Access is a strong solution when it comes to integrations, featuring hundreds of 0 out-of-the-box integrations with third party applications, such as privileged access management providers.
Summary
Thales SafeNet Access is a leader in Zero Trust solutions for organizations. Thales provides secure access management, enabling single sign-on and adaptive authentication in one integrated cloud-based platform, with granular access policies. The service is highly regarded by customers who praise the visibility and control on offer, as well as the powerful authentication capabilities, ease of management and user policies. Thales SafeNet Access is a strong Zero Trust solution for enterprises looking for powerful, secure user authentication.
Twingate is a Zero Trust Network Access (ZTNA) solution that delivers cloud-based remote access designed as a more secure alternative to traditional VPN solutions. Their solution allows IT teams to enforce a network perimeter with ease, with centrally managed user access to any internal applications, whether on-premises or in the cloud. Founded in 2019 and headquartered in Redwood City, California, Twingate has raised over $67 million USD in funding to date and is a leading vendor in the ZTNA space.
Twingate Features
Twingate’s ZTNA solution provides multiple benefits over that of a traditional VPN solution by enabling organizations to leverage a Zero Trust approach to remote access. The platform improves admin control and security by enabling admins to allow access to applications on a per-user basis, ensuring users can only access the apps they need to in order to effectively complete their work (principle of least privilege) and helping to limit the scope of data breaches in the case of an account compromise attack.
Admins can assign roles to users governing access to applications based on a wide range of data sources. These include user location, time of day, contextual information such as an employee risk score based on past behaviors, and integrations with third-party identity management tools, including SSO or MFA solutions.
Twingate provides an easy-to-manage admin console, which enables centralized control and visibility over the whole network environment. From the console, admins can access detailed logs and reporting, as well as integrate the platform with other reporting tools or SIEM solutions.
Finally, the platform reduces latency associated with traditional VPN solutions, and performs well, reducing corporate bandwidth usage and improving the user experience for end-users over connecting to legacy VPNs.
Twingate Deployment
Twingate is a fully cloud-based solution that enables you to control remote access to both cloud and on-premises applications. The solution can be installed on MacOS, Windows, Linux, iOS, Android, and Chrome devices. Configuration is straightforward with clear documentation for first-time configuration on the Twingate website.
Summary
Twingate’s cloud-based Zero Trust Network Access solution is easy to manage and easy to deploy for admins, and enables safe and secure remote connection with minimal latency for end-users. Users praise the service for its ease of deployment in particular, as well as the centralized management capabilities and integrations with both cloud-based and on-premises applications. We recommend this solution for organizations looking for a robust Zero Trust Network Access solution to enable remote and hybrid users to securely access corporate applications.
Keeper is a leading security provider for business, known for its popular enterprise password management and account takeover protection solutions. Keeper’s Secrets Manager is a zero-trust, zero-knowledge solution designed to help developers manage and protect their cloud infrastructure. Keeper Secret Managers secures and protects all infrastructure secrets, including API keys, database passwords, access keys, certificates, and other confidential data. This data can otherwise be stored hard coded into source code, CI/CD systems or config files, rather than being hidden. Keeper allows these secrets to be fully secured, with role-based access controls and automated rotation of access keys.
Keeper Secrets Manager Features
Keeper Secrets Manager allows DevOps teams, IT Security teams and software teams to securely manage all infrastructure secrets. The platform uses a zero-knowledge encryption model to secure access to enterprise secrets, and is 100% cloud-based, with no hosted software or virtual machines for admins to manage. The platform supports developer-friendly SDKs to support all programming languages and environments.
Users can easily access encrypted secrets in a private, user-friendly and easy-to-manage web portal, with a browser extension and mobile and desktop app. The platform support passwordless authentication with SAML 2.0 and supports the use of a master password. Users can easily and securely share credentials within their team, and the platform integrates securely with Slack and Microsoft Teams.
Admins can easily manage the solution, with an admin console to enforce policies, manage users, and provisioning. The platform provides advanced reporting and alerts for auditing and ensuring legal compliance.
Keeper Secrets Manager Deployment
Secrets Manager is fully cloud-based and does not require any hosted software, VPC peering requiring or new infrastructure. It does not have access to corporate environments or any company hardware. It is delivered as a web portal, with a desktop and mobile app, and a browser extension for Chrome.
Keeper Secrets Manager Summary
Keeper Secrets Manager address a core zero-trust use case: ensuring that privileged credentials and company secrets are kept secure, easy to manage, and only accessible by developers who need to access them. The platform is highly secure, and easy to manage, vastly improving the security of cloud infrastructure. We particularly recommend this solution to organizations using Keeper’s enterprise password management platform, which allows you to consolidate all secure credentials in a unified platform with full admin control and auditing.
TypingDNA is an innovative behavioral biometric authentication provider that specializes in identifying users based on the unique ways that they type. ActiveLock is its continuous authentication solution that’s designed to silently monitor users’ typing behaviors and patterns in the background while they go about their workdays, continuously verifying that the users behind the screens are the right users. If an anomalous typing pattern or behavior is detected, the solution can automatically lock the device or trigger a silent alert, helping to prevent unauthorized device access and device sharing, protect sensitive data, and facilitate a zero-trust environment.
TypingDNA ActiveLock Features
ActiveLock is designed with user experience in mind. Built on TypingDNA’s proprietary behavioral biometric technology and powerful AI and machine learning algorithms, the solution works silently in the background to analyze typing micropatterns and behaviors—including keystroke rhythm, speed, and more—and determine at all times whether the right user is behind the screen.
When the solution detects a genuine user, no action is taken, and they’re allowed to keep going about their day. But if it detects anomalous behavior—and, therefore, a potential intruder—it can automatically either lock the device or trigger a silent alert for security teams to follow up on afterwards.
What’s also great about ActiveLock is that it’s a completely non-invasive solution and user privacy is built into the product from the ground up. While the solution continuously monitors users’ typing habits and behaviors, it does not analyze what users type, only how they type. User data also never leaves their device, as nothing is stored in the cloud.
TypingDNA ActiveLock Deployment
ActiveLock is easy to roll out to users and simple to set up—user enrolment is done in the background, as the solution gathers initial typing samples while a user goes about their day.
What’s great about the solution is that it requires no investment in additional hardware, and can be used across all keyboards and devices. It also works seamlessly across both Windows and macOS computers, and can either be deployed as a standalone solution or integrated with existing third-party endpoint protection solutions.
TypingDNA ActiveLock Summary
ActiveLock is a powerful continuous authentication tool that’s hailed by users as an easy-to-use, accurate, reliable, and friction-free solution. The product is ideal for remote workforces, where employers are looking to prevent device sharing and unauthorized access, and to ensure that their company data is protected from accidental leakage or malicious use. We recommend ActiveLock for business of all sizes—especially in critical industries such as finance, healthcare, government, and more—that are looking for an advanced zero trust solution that can not only authenticate the right users, but also block out the wrong ones.
JumpCloud is a comprehensive Open Directory Platform™ that helps organizations to centrally manage identity, access, and devices to facilitate a Zero Trust environment. The JumpCloud Open Directory Platform enables admins and security teams to securely provision and manage identities; easily configure policies to only allow user access to the devices, applications, and networks necessary for their jobs; and deliver comprehensive monitoring and logging capabilities to deliver organization wide visibility to all of their users and IT resources. JumpCloud can be purchased as part of a package or individually as part of an à la carte, build-your-own package.
JumpCloud Open Directory Platform™ Features
The JumpCloud Open Directory Platform™ is a single platform that enables administrators to deliver Zero Trust capabilities wherever they are on their Zero Trust journey. JumpCloud enables organizations to build a strong Zero Trust foundation across all aspects of an employee lifecycle. This includes the provisioning of new identities, deprovisioning them once an employee changes roles or leaves the organization, configuring conditional access policies based on business need, granting privileged access to accounts for certain groups, single sign-on application access, just-in-time access provisioning, and more.
To ensure that access is granted using the principle of least privileges, admins can set granular policies to determine which users have which levels of access, and under which conditions. For example, admins can implement group-based access controls to ensure that users only have access to the resources that they need for their roles. Admins can also implement rules to specify that users need to log in using multi-factor authentication (MFA) or that users can only log in on trusted devices or networks.
Finally, the JumpCloud Open Directory Platform provides comprehensive visibility to their users, devices, and IT resources and comes with powerful monitoring and event logging features built in, to enable admins a granular view across their entire IT environments. This includes the ability to view authentication requests, which users access which services and when, the actions that they take, changes to identities, and more. This not only helps admins to identify suspicious behaviors and potential vulnerabilities, but also helps organizations to adhere with auditing and compliance regulations.
JumpCloud Open Directory Platform™ Summary
JumpCloud is used by over 180,000 organizations worldwide and is consistently ranked as a top solution by customers. The JumpCloud Open Directory Platform is a cloud-based solution that is quick to deploy, easy to scale and integrates seamlessly with existing applications, other identities, and is compatible with users’ MacOS, Windows, and Linux devices.We recommend JumpCloud for enterprises of all sizes who are looking for a powerful and scalable identity, access, and device management solution that helps administrators efficiently and easily implement and support zero trust access wherever they are on their Zero Trust journey.
Duo Beyond is a Zero Trust security solution that provides granular user verification, authentication, single sign-on and multi-factor authentication, designed with Zero Trust principles in mind. Duo Beyond allows you to securely authenticate access to any user, with any device to ensure data stays protected and secure. Duo Beyond combines multi-factor user authentication, with device verification and secure single sign-on to secure all of your organizations’ trusted assets. Duo Beyond includes all features offered by Duo’s Access and MFA product, with Single Sign-On, policies and controls, device insights, and directory sync. Duo was acquired by Cisco in 2018 and is now one of the core pillars of their Zero Trust security suite, fully integrated into the Cisco Zero Trust solutions portfolio.
Duo Beyond Features
Duo Beyond offers two major features: Trusted Endpoints and Duo Network Gateway. With trusted endpoints, you can define and manage devices connecting to your company accounts, and grant secure access with device certificate verification policies. Trusted, managed devices can be classed as safe with a Duo certificate, and are then allowed to gain access to sensitive accounts. Unmanaged endpoints without the certificate in place can be blocked from accessing applications according to admin policies. These can be configured at a group or user level.
The Duo Network Gateway allows users to securely access internal web applications using any device or browser, from any network in the world, without having to use remote access software or VPNs. Duo uses MFA to authenticate user access, and provides granular access control per application, SSH servers and user groups, so you can fine tune the security processes for each application.
Deleted: Alongside Trusted Endpoints and the Network Gateway, Duo provides Trust Monitor, Single Sign-On, Directory Sync and more. Cisco recently announced Duo’s passwordless authentication capabilities would be added to its Zero Trust platform.
Duo Beyond Deployment
Deploying Duo requires that the Duo certificate is present on your organization’s trusted devices. This can be achieved through the Duo mobile app, integrations with Active Directory Domain Services, AirWatch, Cisco MSP, Cisco Meraki, and a range of other applications.
Duo Beyond Summary
Duo Beyond is a powerful tool for authenticating and managing user access – a central component of any strong Zero Trust Security solution. Duo Beyond is fully integrated into Cisco’s existing Zero Trust security portfolio, and the solution provides granular access controls for admins. Customers also report that the user interface is intuitive and easy to use, with powerful analytics and reporting available. Duo Beyond is a strong authentication solution for SMBs and enterprise customers to achieve Zero Trust security.
Microsoft, developer of the world’s market leading email platforms Exchange and Office 365, offers a Zero Trust security stack through Azure, its cloud-based identity and access management solution. Microsoft Azure Active Directory enables you to manage all of your Office 365 users, synchronizing user accounts and passwords across corporate applications and enabling multi-factor authentication and single sign-on for users. This means that you can gain greater control and visibility over your users and their level of access, while ensuring that users can easily access all of the accounts and services they need to, through Microsoft and beyond. Azure also features a scalable VPN gateway as an alternative to using a third-party VPN, as well as a range of other applications to help execute Zero-Trust.
Microsoft Azure Features
Using Azure, you can verify and secure each user with strong authentication standards across your Microsoft applications. Microsoft provides an easy-to-use authenticator smartphone app for free, which allows users to easily scan their fingerprint or generate an OTP. Microsoft also provides a range of reports around user access, improving visibility over who is accessing applications.
Using Azure, admins have greater control over in-app permissions for different user groups and can control user permissions and restrict access to sensitive data as needed. Microsoft also uses real-time monitoring to detect potentially malicious user behaviours to prevent data breaches. Microsoft’s status as a market leading provider means Azure is widely supported by third-party applications, enabling the use of single sign-on for users.
Microsoft Azure Pricing
Azure AD is included with all paid subscriptions to Microsoft 365. The Azure Active Directory service can be managed from the Microsoft 365 admin console. From here you can create and manage user groups. Pricing options for Microsoft 365 varies depending on organization size, and level of functionality required.
Summary
Microsoft have made a strong commitment to Zero-Trust principles throughout their solutions. Many of the core features needed to execute an organization-wide Zero Trust policy are available across Microsoft 365, giving admins the tools they need to continuously and autonomously verify user identities and segment access to sensitive data. There are also a strong range of reports available to suit the needs of small and mid-sized organizations – although larger organizations and those with more stringent compliance needs may wish to augment Microsoft’s protection with a third-party solution. Forrester praises Microsoft as being one of the ‘dominant’ providers of Zero-Trust throughout the coronavirus pandemic, protecting hundreds of thousands of remote workers globally.
OKTA is a market leading identity and access management provider who offer a number of different products and solutions aimed at helping organizations to manage access to systems and achieve Zero-Trust security. OKTA serve two distinct audiences: organizations who are looking for solutions to authenticate access for their employees with OKTA Workforce Identity, and developers who need to implement secure login access for their applications, with OKTA Customer Identity. OKTA provides Zero Trust security for applications, servers and APIs, and provides secure access for both cloud-based and on-premise applications. OKTA is also known for its OKTA Integration Network, which provides over 7,000 integrations to enable identity management across applications.
OKTA Identity Cloud Features
OKTA provides a number of different products and feature sets to help organizations achieve Zero Trust. OKTA Workforce Identity allows organizations to support remote workers and secure access with single sign-on, a universal user directory, server access controls, adaptive multi-factor authentication, granular provisioning controls and API controls. OKTA Customer Identity allows developers to implement MFA, secure authentication, user management and more, which can all be managed via one scalable platform. OKTA also provides a variety of platform services to support Zero Trust, including a range of integrations, reporting and data insights, customizable identity workflows and device management.
OKTA Identity Cloud Deployment/Integrations
OKTA can be deployed across cloud-based or on-premises applications. Deployment steps vary for different solutions and applications; OKTA offers comprehensive guides within their knowledge base. OKTA helps to manage easier deployment with their integration wizard, as part of the OKTA Integration Network. OKTA provides 7,000 pre-built integrations with cloud and on-premise systems, allowing you to easily provision SSO and MFA across third-party accounts and applications. This allows users to centralize user management and automate access to workflows and policies.
Summary
OKTA is a leading identity management vendor that helps organizations to implement a reliable and scalable Zero Trust policy, and developers to implement Zero Trust security controls into their applications. Forrester recognises OKTA as one of the leading Zero Trust vendors for its ‘powerful, broadly adopted platform.’ For end-users, OKTA’s SSO and MFA functionality is easy to use, providing easy authentication for applications. For admins and developers, OKTA provides a huge range of integrations, policies, controls and advanced functionality to support growth and security. OKTA is an enterprise-focussed solution, and best suited to mid-sized and large organizations. OKTA can help to achieve core Zero-Trust goals, prevent data breaches, centralize access controls, and automate onboarding and off-boarding of users.
