Zero Trust Security, also referred to as Zero Trust Networks or Zero Trust Architecture, is a security concept with one basic principle: don’t automatically trust anything to access your data, whether it’s connecting from outside your organization or from within. Implementing Zero Trust involves a range of different technologies, policies and processes that help you to better respond to the sophisticated approaches cybercriminals are using to gain access to sensitive data.
The US National Institute of Standards and Technology (NIST) defines Zero Trust security as an “evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” Zero Trust Security is not something that organizations can implement by purchasing one solution, but rather something that is incrementally implemented with a combination of solutions and processes that are underpinned by Zero Trust principles.
As such, the Zero Trust security solutions included in this list comprise a range of different technologies and processes that authenticate user access, segment and manage access to data, and continuously monitor your network for malicious network activity; three of the most important features in any Zero Trust security model.
We’ve researched the top Zero Trust security solutions, considering key features including authentication methods, policies, and monitoring and reports. We’ve also considered pricing, target markets, and the deployment process, to help you find the right Zero Trust Security solutions for your organization.
Twingate is a Zero Trust Network Access (ZTNA) solution that provides a cloud-based remote access alternative to traditional VPN solutions. Their solution allows IT teams to easily enforce a network perimeter and centrally manage user access to any internal applications, whether on-premises or in the cloud. Founded in 2019 and headquartered in Redwood City, California, Twingate has raised over $67 million USD in funding to date and is a leading vendor in the ZTNA space.
Twingate Features
Twingate’s ZTNA solution provides several benefits over traditional VPN solutions by enabling organizations to use a Zero Trust approach to remote access. The platform improves admin control and security by allowing admins to grant access to applications on a per-user basis, ensuring that users can only access the apps they need to effectively complete their work (principle of least privilege) and helping limit the scope of data breaches in the event of an account compromise attack.
Admins can assign roles to users governing access to applications based on several data sources. These include user location, time of day, contextual information such as an employee risk score based on past behaviors, and integrations with third-party identity management tools, including SSO or MFA solutions.
Twingate provides an easy-to-manage admin console that enables centralized control and visibility over the entire network environment. From the console, admins can access detailed logs and reporting, as well as integrate the platform with other reporting tools or SIEM solutions.
Finally, the platform reduces the latency associated with traditional VPN solutions and performs well, reducing corporate bandwidth usage and improving the experience for end-users compared with connecting through a legacy VPN.
Twingate Deployment
Twingate is a fully cloud-based solution that enables you to control remote access to both cloud and on-premises applications. The solution can be installed on MacOS, Windows, Linux, iOS, Android, and Chrome devices. Configuration is straightforward with clear documentation for first-time configuration on the Twingate website.
Summary
Twingate’s cloud-based Zero Trust Network Access solution is easy to manage and deploy for admins and enables secure remote connection with minimal latency for end-users. Users praise the service for its ease of deployment, centralized management capabilities, and integrations with both cloud-based and on-premises applications. We recommend this solution for organizations seeking a robust Zero Trust Network Access solution to enable remote and hybrid users to securely access corporate applications.
Founded in 2012 and headquartered in Lithuania, Nord Security is a market-leading provider of cybersecurity and privacy solutions. NordLayer is their Zero Trust Network Access solution—an alternative to a legacy VPN—which enables users to easily connect to their corporate network, then secures each connection with user authentication, network segmentation, and traffic encryption. Delivered as-a-Service, NordLayer enables IT admins to centrally and remotely manage and secure user access to any areas of their cloud or multi-cloud environments.
NordLayer Features
NordLayer allows admins to segment user access to their network. In line with the principles of zero trust and least privilege, this means users can only access the specific applications and data they need to do their jobs, based on admin-configured permissions. This approach means that, if an attacker were to breach the network, they would only be able to access a small section of it, rather than the entire network as they would with a legacy VPN.
The platform authenticates users via integrations with third-party MFA and SSO providers, including Azure AD, Google Workspace, Okta, and OneLogin. Once authenticated, users can start a remote connection in just one click. They can also enable auto-connection for a constant, immediate network connection via NordLayer’s proprietary NordLynx protocol.
NordLayer secures all connections with AES 256-bit encryption and also offers a Kill Switch feature, which automatically cuts off all of a device’s traffic if its connection to the server drops, helping mitigate Man-in-the-Middle attacks.
From the central management console, admins can manage user accounts and gateways; configure permissions and security policies for users, devices, and apps; and access support from their account manager.
NordLayer offers comprehensive network security features as part of their Zero Trust security solution. This includes a comprehensive cloud firewall that combines stateful network traffic inspection with packet inspection, intrusion prevention, and threat intelligence. Another key feature is the device posture security module, which monitors all devices connected to your network, enabling admins to configure policies and alerts to prevent non-compliant device access.
NordLayer Deployment
NordLayer is delivered as-a-Service. It’s highly scalable and integrates easily alongside other third-party security tools. The platform is quick to deploy, offering protection within a few hours of purchase, and Nord Security also offers a dedicated account manager and highly effective customer support options for assistance throughout deployment and beyond.
Summary
NordLayer is a powerful, yet still highly intuitive and easy-to-manage ZTNA solution. The platform is quick to deploy, and Nord Security offers extensive support via live chat, email, and a dedicated account manager for each of their customers. Existing users praise NordLayer for its ease of use for both admins and end users, and the speed of its connections. Overall, we recommend NordLayer as a strong solution for any sized organization looking to secure user access to their network in line with zero trust principles.
JumpCloud is a comprehensive Open Directory Platform™ that helps organizations to centrally manage identity, access, and devices to facilitate a Zero Trust environment. The JumpCloud Open Directory Platform enables admins and security teams to securely provision and manage identities; easily configure policies to only allow user access to the devices, applications, and networks necessary for their jobs; and deliver comprehensive monitoring and logging capabilities that give organization-wide visibility into all of their users and IT resources. JumpCloud can be purchased as a bundled package or individually as part of an à la carte, build-your-own package.
JumpCloud Open Directory Platform™ Features
The JumpCloud Open Directory Platform™ is a single platform that enables administrators to deliver Zero Trust capabilities wherever they are on their Zero Trust journey. JumpCloud enables organizations to build a strong Zero Trust foundation across all aspects of an employee lifecycle. This includes the provisioning of new identities, deprovisioning them once an employee changes roles or leaves the organization, configuring conditional access policies based on business need, granting privileged access to accounts for certain groups, single sign-on application access, just-in-time access provisioning, and more.
To ensure that access is granted using the principle of least privileges, admins can set granular policies to determine which users have which levels of access, and under which conditions. For example, admins can implement group-based access controls to ensure that users only have access to the resources that they need for their roles. Admins can also implement rules to specify that users need to log in using multi-factor authentication (MFA) or that users can only log in on trusted devices or networks.
Finally, the JumpCloud Open Directory Platform provides comprehensive visibility into users, devices, and IT resources and comes with powerful monitoring and event logging features built in, giving admins a granular view across their entire IT environments. This includes the ability to view authentication requests, which users access which services and when, the actions that they take, changes to identities, and more. This not only helps admins to identify suspicious behaviors and potential vulnerabilities, but also helps organizations to adhere to auditing and compliance regulations.
JumpCloud Open Directory Platform™ Summary
JumpCloud is used by over 180,000 organizations worldwide and is consistently ranked as a top solution by customers. The JumpCloud Open Directory Platform is a cloud-based solution that is quick to deploy, easy to scale and integrates seamlessly with existing applications, other identities, and is compatible with users’ macOS, Windows, and Linux devices. We recommend JumpCloud for enterprises of all sizes who are looking for a powerful and scalable identity, access, and device management solution that helps administrators efficiently and easily implement and support zero trust access wherever they are on their Zero Trust journey.
Prove is a market leading identity proofing and verification vendor that helps organizations enable zero trust user access to applications and services. Prove’s phone-centric identity platform utilizes phone numbers as secure methods of user authentication. The platform allows users to log in, authenticate their identity, and get access to account services all with just a cell phone and number. Prove is currently used by more than 1,000 organizations globally—including banks, financial services, insurance, healthcare, and e-commerce—to mitigate fraud, boost revenue, reduce operating costs, and improve customer experiences across all channels.
Prove Features
Prove Identity Manager is a registry of tokenized customer identities that manages customer phone numbers, enabling greater customer data accuracy, contact rates, and payment fulfilment, and helping ensure compliance with TCPA. Prove Identity Manager™ allows for the discovery of the best and most up-to-date contact for your customers, resulting in improved servicing and contactability and an optimal experience.
Prove Identity helps thwart the major vectors of digital fraud, such as SIM swaps, by verifying a consumer’s identity through validation of consumer-provided information. The platform assigns a real-time, risk-scoring “Trust Score” and confirms that users are in fact in possession of the phone they rightfully own. These validations assist with Know Your Customer (“KYC”) and Customer Identification Program (“CIP”) compliance programs. In doing this, Prove is able to provide a holistic identity score which can significantly improve account security without increasing complexity for security teams.
Prove Auth is a mobile-first authentication solution that allows clients to have a comprehensive suite of authenticators for passwordless login and/or as a seamless second factor method of authentication. The solution facilitates a range of authentication factors, from OTPs to sophisticated mobile authentication and biometric authenticators. With this authenticator suite, clients can tailor authentication across low to high-risk transactions to protect from fraud and account takeovers, all the while prioritizing the customer experience.
Prove Summary
Prove is a leading authentication solution in the banking, commerce, payments, gaming, insurance, and healthcare industries. It allows organizations to authenticate and verify user identities, thereby preventing account breach and identity fraud. The platform enables secure, seamless authentication for users, and powerful controls and protection for service providers. Utilizing mobile networks and the phone number is a highly secure method of authentication, and Prove’s recent acquisition of mobile behavioral biometrics provider UnifyID promises to further enhance the security of the platform with added biometric controls. We recommend Prove for organizations looking for a seamless authentication experience for users that provides enhanced security and admin oversight.
GoodAccess offers a cloud-based Zero Trust Network Access solution, designed to provide secure access to business resources regardless of location. This platform provides a set of security features including identity-based access rules, traffic encryption, multi-factor authentication (MFA), single sign-on (SSO), and network segmentation.
GoodAccess Zero Trust Network Access Features
Through a user-friendly web interface, businesses can set up their virtual infrastructure, achieving high-speed connectivity across multiple locations. Aimed at small and medium businesses, this 100% cloud-based solution aims to streamline network security operations, allowing quick setup without requiring specialized skills. The platform’s features encompass a range of security measures. Cloud and branch connectors help integrate various data points into the GoodAccess infrastructure, allowing users to select between IPsec, IKEv2, or OpenVPN protocols based on their needs. Single sign-on is facilitated through integrations with platforms like Microsoft Azure, Google Workspace, and other SAML compatible services.
The Threat Blocker feature aims to protect users from accessing malicious websites, while DNS filtering offers control over site and application access. The platform also emphasizes compliance, with user activity logging and multi-factor authentication for both admins and users. Lastly, centralized access control is managed using virtual access cards, which assign permissions based on specific criteria, ensuring each user can access only the resources they are permitted to.
GoodAccess Zero Trust Network Access Summary
GoodAccess provides a cloud-based Zero Trust Network Access solution, aimed at giving businesses secure access to their resources from any location. Designed for small and medium businesses, the platform offers features such as identity-based access rules, traffic encryption, multi-factor authentication, and single sign-on, all manageable through a user-friendly interface.
Duo Beyond is a Zero Trust security solution that provides granular user verification, authentication, single sign-on and multi-factor authentication, designed with Zero Trust principles in mind. Duo Beyond allows you to securely authenticate access to any user, with any device to ensure data stays protected and secure. Duo Beyond combines multi-factor user authentication, with device verification and secure single sign-on to secure all of your organizations’ trusted assets. Duo Beyond includes all features offered by Duo’s Access and MFA product, with Single Sign-On, policies and controls, device insights, and directory sync. Duo was acquired by Cisco in 2018 and is now one of the core pillars of their Zero Trust security suite, fully integrated into the Cisco Zero Trust solutions portfolio.
Duo Beyond Features
Duo Beyond offers two major features: Trusted Endpoints and Duo Network Gateway. With trusted endpoints, you can define and manage devices connecting to your company accounts, and grant secure access with device certificate verification policies. Trusted, managed devices can be classed as safe with a Duo certificate, and are then allowed to gain access to sensitive accounts. Unmanaged endpoints without the certificate in place can be blocked from accessing applications according to admin policies. These can be configured at a group or user level.
The Duo Network Gateway allows users to securely access internal web applications using any device or browser, from any network in the world, without having to use remote access software or VPNs. Duo uses MFA to authenticate user access, and provides granular access control per application, SSH servers and user groups, so you can fine tune the security processes for each application.
Alongside Trusted Endpoints and the Network Gateway, Duo provides Trust Monitor, Single Sign-On, Directory Sync and more. Cisco recently announced Duo’s passwordless authentication capabilities would be added to its Zero Trust platform.
Duo Beyond Deployment
Deploying Duo requires that the Duo certificate is present on your organization’s trusted devices. This can be achieved through the Duo mobile app, integrations with Active Directory Domain Services, AirWatch, Cisco MSP, Cisco Meraki, and a range of other applications.
Duo Beyond Summary
Duo Beyond is a powerful tool for authenticating and managing user access – a central component of any strong Zero Trust Security solution. Duo Beyond is fully integrated into Cisco’s existing Zero Trust security portfolio, and the solution provides granular access controls for admins. Customers also report that the user interface is intuitive and easy to use, with powerful analytics and reporting available. Duo Beyond is a strong authentication solution for SMBs and enterprise customers to achieve Zero Trust security.
Google BeyondCorp is Google’s own implementation of Zero Trust security, enabling access controls to be moved from your network perimeter to individual users. BeyondCorp allows users to securely connect to enterprise applications virtually from anywhere at any time, without the use of a VPN. BeyondCorp is the result of a decade of security processes being built within Google and was initially designed as an internal initiative to allow Google employees to access internal applications. Since then, BeyondCorp has been developed as an enterprise Zero Trust solution, delivered via Google’s global network, that allows secure access to applications and cloud resources.
Google BeyondCorp Enterprise Features
BeyondCorp provides a range of features to secure access to corporate applications, with integrated data and threat protection. Admins are able to configure risk-based access policies based on user identity, device health and other contextual factors to ensure that only authorized users can gain access to corporate applications, virtual machines and Google APIs. Google also provides data loss protection, with anti-malware and phishing protection built into the Chrome browser and automated alerts for IT admins. BeyondCorp provides a range of integrations from leading cybersecurity vendors for greater control and visibility into your network. Google’s solutions are highly scalable, and BeyondCorp also provides integrated protection against DDoS attacks.
Google BeyondCorp Enterprise Deployment
BeyondCorp Enterprise is delivered entirely via the cloud and requires no agents to deploy. BeyondCorp uses Google’s global network infrastructure to support low-latency connections and elastic scaling. BeyondCorp allows users to connect to any SaaS apps, web apps and cloud resources from anywhere in the world. BeyondCorp is delivered as a subscription service with per-user-per-month pricing.
Summary
BeyondCorp provides continuous, multi-layered security for users, access, data and applications that helps to prevent malware and reduces the risk of data breach. Google provides granular access management policies and controls for IT admins, while ensuring end users are able to quickly and easily gain access to the applications they need. Google provides strong data and threat protection features, with integrated protection against DDoS attacks. Google is fully committed to Zero Trust principles and has partnered with a variety of market leading cybersecurity vendors to help customers implement a Zero Trust approach. Forrester credits Google as being one of the pioneers of Zero Trust solutions, with their range of solutions (BeyondCorp included) being suitable for SMBs and enterprises alike looking to implement a Zero Trust security model.
Microsoft, developer of the world’s market leading email platforms Exchange and Office 365, offers a Zero Trust security stack through Azure, its cloud-based identity and access management solution. Microsoft Azure Active Directory enables you to manage all of your Office 365 users, synchronizing user accounts and passwords across corporate applications and enabling multi-factor authentication and single sign-on for users. This means that you can gain greater control and visibility over your users and their level of access, while ensuring that users can easily access all of the accounts and services they need to, through Microsoft and beyond. Azure also features a scalable VPN gateway as an alternative to using a third-party VPN, as well as a range of other applications to help execute Zero-Trust.
Microsoft Azure Features
Using Azure, you can verify and secure each user with strong authentication standards across your Microsoft applications. Microsoft provides an easy-to-use authenticator smartphone app for free, which allows users to easily scan their fingerprint or generate an OTP. Microsoft also provides a range of reports around user access, improving visibility over who is accessing applications.
Using Azure, admins have greater control over in-app permissions for different user groups and can control user permissions and restrict access to sensitive data as needed. Microsoft also uses real-time monitoring to detect potentially malicious user behaviours to prevent data breaches. Microsoft’s status as a market leading provider means Azure is widely supported by third-party applications, enabling the use of single sign-on for users.
Microsoft Azure Pricing
Azure AD is included with all paid subscriptions to Microsoft 365. The Azure Active Directory service can be managed from the Microsoft 365 admin console. From here you can create and manage user groups. Pricing options for Microsoft 365 vary depending on organization size and the level of functionality required.
Summary
Microsoft have made a strong commitment to Zero-Trust principles throughout their solutions. Many of the core features needed to execute an organization-wide Zero Trust policy are available across Microsoft 365, giving admins the tools they need to continuously and autonomously verify user identities and segment access to sensitive data. There is also a strong range of reports available to suit the needs of small and mid-sized organizations – although larger organizations and those with more stringent compliance needs may wish to augment Microsoft’s protection with a third-party solution. Forrester praises Microsoft as being one of the ‘dominant’ providers of Zero-Trust throughout the coronavirus pandemic, protecting hundreds of thousands of remote workers globally.
OKTA is a market leading identity and access management provider who offer a number of different products and solutions aimed at helping organizations to manage access to systems and achieve Zero-Trust security. OKTA serve two distinct audiences: organizations who are looking for solutions to authenticate access for their employees with OKTA Workforce Identity, and developers who need to implement secure login access for their applications, with OKTA Customer Identity. OKTA provides Zero Trust security for applications, servers and APIs, and provides secure access for both cloud-based and on-premise applications. OKTA is also known for its OKTA Integration Network, which provides over 7,000 integrations to enable identity management across applications.
OKTA Identity Cloud Features
OKTA provides a number of different products and feature sets to help organizations achieve Zero Trust. OKTA Workforce Identity allows organizations to support remote workers and secure access with single sign-on, a universal user directory, server access controls, adaptive multi-factor authentication, granular provisioning controls and API controls. OKTA Customer Identity allows developers to implement MFA, secure authentication, user management and more, which can all be managed via one scalable platform. OKTA also provides a variety of platform services to support Zero Trust, including a range of integrations, reporting and data insights, customizable identity workflows and device management.
OKTA Identity Cloud Deployment/Integrations
OKTA can be deployed across cloud-based or on-premises applications. Deployment steps vary for different solutions and applications; OKTA offers comprehensive guides within their knowledge base. OKTA helps to manage easier deployment with their integration wizard, as part of the OKTA Integration Network. OKTA provides 7,000 pre-built integrations with cloud and on-premise systems, allowing you to easily provision SSO and MFA across third-party accounts and applications. This allows users to centralize user management and automate access to workflows and policies.
Summary
OKTA is a leading identity management vendor that helps organizations to implement a reliable and scalable Zero Trust policy, and developers to implement Zero Trust security controls into their applications. Forrester recognises OKTA as one of the leading Zero Trust vendors for its ‘powerful, broadly adopted platform.’ For end-users, OKTA’s SSO and MFA functionality is easy to use, providing easy authentication for applications. For admins and developers, OKTA provides a huge range of integrations, policies, controls and advanced functionality to support growth and security. OKTA is an enterprise-focussed solution, and best suited to mid-sized and large organizations. OKTA can help to achieve core Zero-Trust goals, prevent data breaches, centralize access controls, and automate onboarding and off-boarding of users.
Ping Identity is an identity and access management provider that offers solutions that ensure maximum security of account and application access across your organization. Utilized by 60% of Fortune 100 companies, PingOne for Workforce is a cloud identity solution that provides robust, adaptive user authentication with in-built single sign-on and a unified admin portal to create a seamless, secure login process for both employees and admins.
PingOne Features
PingOne offers adaptive authentication for users and devices across a wide range of SaaS, on-prem and cloud applications. The platform provides the ability to detect high-risk behaviors, such as unauthorized logins or malicious attacks. If such behaviors are detected, PingOne can require a user to reauthenticate or deny their login attempt, per predefined policies. If no anomalous behavior is detected, the user is granted access without further challenge. This gives admins greater assurance that users are legitimate, without adding unnecessary friction to all users’ login experiences.
The PingOne platform also provides in-built SSO across all applications, service providers and identity providers, meaning that users can sign in across each of these accounts with just one set of credentials, no matter how the accounts have been configured. PingOne’s SSO also works across mobile applications, ensuring a seamless login experience no matter from which device a user is connecting.
From the universal management console, designed with simplicity in mind, admins can generate useful insights into the state of authentication across their business and set up granular adaptive authentication policies in line with their zero trust principles. They can also automate and delegate certain administrative tasks, making it easier to keep on top of support tickets.
Alongside its MFA and SSO capabilities, PingOne offers a number of technology integrations with other third-party vendors, including device and network security providers, to help you build a complete zero trust architecture.
PingOne Deployment
PingOne is a cloud-based platform delivered as-a-Service and, as such, is relatively easy to deploy. The solution offers Active Directory integration, which not only takes the complexity out of onboarding users initially but also enables the automatic removal of users from the Ping platform if they leave the company.
PingOne also offers integrations with an extensive range of SaaS, legacy, on-prem and custom applications, so that organizations can easily create a seamless, universal login experience across all of their workplace apps.
PingOne Summary
PingOne is a powerful identity and access management tool that enables admins to easily verify and manage user access to all on-prem, SaaS and cloud applications. Admins can configure granular adaptive access policies to bring the platform in line with their business’ zero trust architecture, as well as streamline the login process for their end users. We recommend PingOne as a strong solution for organizations of any size looking to integrate identity and access management into their zero trust security stack.
FAQs
What Is Zero Trust Security?
In short, Zero Trust is a security model which recommends not trusting any users, devices, or systems within your network, until they have been authenticated to be genuine. In practice, this means continuous authentication of internal users and devices to reduce potential security risks, alongside enforcing the principle of least privilege. This ensures that users and systems only have access to the specific applications they need for the prescribed function of their job role.
It’s important to note that Zero Trust is not a strictly set category of solutions, although many vendors have evolved their product suites to fit the Zero Trust model, and now advertise their solutions as ‘Zero Trust’ services. Zero Trust can only be achieved by using a combination of technologies, including continuous authentication, network segmentation, network access control, and access management. As such the above list covers solutions that span these categories and can help organizations on their Zero Trust journey.
Why Is Zero Trust Important?
Zero Trust is becoming increasingly adopted by both vendors and organizations as cyber-crime has continued to become more advanced and targeted. Organizations are adopting more complex network environments with the rise of cloud applications. As users have shifted from the office to hybrid ways of working, the threat landscape has become much more dynamic.
All these factors, in addition to others, have led the traditional perimeter-based security approach – which assumes everything outside the network is a security risk, while everything inside is secure – to become outdated when faced with the complexity of the modern cyber-threat landscape.
This has led many analysts, governments, and regulatory bodies to recommend that organizations look to a Zero Trust approach to improve resilience. After the Colonial Pipeline cyber-attack of May 2021, US President Joe Biden signed an executive order mandating that all federal agencies implement a “Zero Trust” architecture and urged private organizations to do the same.
What Is Zero Trust Software?
Zero Trust Software is a broad term to describe solutions that enable organizations to implement Zero Trust principles into their network security strategies. This can include multiple different features and tools, such as network microsegmentation, user privilege management, Zero Trust Network Access (ZTNA), and identity controls such as multi-factor authentication (MFA) and Single Sign-On (SSO), which ensure users are continuously verified and monitored.
How To Get Started With Zero Trust Security
Expert Insights asked Tim Knudsen, Director Of Product Management For Zero Trust at Google Cloud, for his advice for organizations looking to get started with Zero Trust:
“It’s no secret that Zero Trust can be a journey and there is no magic switch to “turn it on” overnight. That being said, we recommend customers build a thoughtful plan before getting started with their Zero Trust approach.
“Similarly, implementing Zero Trust is not just about a product roadmap: it’s also about identifying use cases and prioritizing your deployment. For instance, we recommend customers first take stock of what is currently being accessed so they can identify what needs to be secured most urgently.
“This way, you can choose and prioritize sets of user groups and applications. Once you have this list, you can deploy sequentially – there is no need to try and boil the ocean at once. A phased approach like this – specific sets of users and applications across your core use cases – can also help you break down the change management aspect that is crucial to any large-scale IT project.”