Zero trust network access (ZTNA) solutions enable remote users to securely access network resources such as files, servers, and applications. They create identity- and context-based boundaries around network assets or asset groups, hiding the network IP address so that those assets are hidden from public view, and restricting access to them on a zero trust basis.
Before granting a user access, the ZTNA provider authenticates their identity, their device’s identity and health, and the context of their login attempt. Once authenticated, users are given access only to the resource they need in line with the principle of least privilege; to access something else, they must be re-authenticated. This continuous verification helps segment the network, preventing attacks from spreading laterally throughout the network.
To achieve this, ZTNA solutions offer application micro-segmentation, granular role-based access policy configuration, and in-depth reporting into user access and application use. They should also verify that the endpoint security on a user’s device is working properly, and that the operating system is patched. Finally, the best ZTNA solutions offer in-built two-factor or multi-factor authentication (2FA/MFA) or integrations with leading MFA providers, for further security against identity-based attacks and account takeover.
In this article, we’ll explore the top zero trust network access (ZTNA) solutions. We’ll look at features such as app micro-segmentation, user and device authentication, access policy configuration, reporting and analytics, and added security controls. We’ll give you some background information on the provider and the key features of each solution, as well as the type of customer that they are most suitable for.
Twingate is a provider of remote access solutions that focuses on enabling distributed workforces to securely access corporate resources, without compromising their productivity. Twingate’s cloud-based ZTNA solution allows IT and security teams to implement a software-defined perimeter and centrally manage user and device access to corporate applications without using external hardware or changing their existing infrastructure.
Once users have installed the Twingate app and signed in, Twingate ZTNA connects them to applications on the corporate network via the app’s FQDN or IP address with no interaction from the user, helping to minimize friction in the access process. The platform supports split tunneling to ensure quick, strong connections, and the ViPR technology automatically makes authorization and routing decisions, reducing alerts for IT teams. From the management console, admins can configure user access policies at an app level, helping to stop the lateral spread of attacks. These policies are based on the context of each access attempt, taking into account attributes such as device posture, location, and time. Admins can also gain insights into network access activity, provision and deprovision users, and configure integrations with identity providers such as Okta and OneLogin to enable single sign-on for all users.
Twingate ZTNA is a cloud-based, software-only solution, which gives it the flexibility to integrate easily, as well as the scalability to support both small teams and larger businesses. Customers praise the platform for its intuitive interface, connection reliability, and ease of deployment. To make deployment and ongoing management even simpler, Twingate offers a broad range of support options, including priority support for businesses on their Enterprise subscription. We recommend Twingate ZTNA as a strong solution for small- to mid-size businesses looking to provide secure access to their remote users, that’s user-friendly for end users and admins alike.
Akamai Technologies is a cybersecurity company that specializes in cloud-based web and internet security, and content delivery network services. Enterprise Application Access is Akamai’s ZTNA solution. Cloud-delivered, with no virtual or physical hardware to manage and maintain, the solution runs on the distributed infrastructure of Akamai’s Intelligent Edge Platform, which enables it to allow remote users to access the company network securely, without impacting connection speed or performance.
With Enterprise Application Access, admins can configure per-application access policies based on role and privilege, helping minimize the spread of account takeover and malware attacks throughout the network. Admins can manage all policies via a single intuitive portal, making it easier to secure access across AWS, Azure, and Google Cloud apps, as well as web and SaaS applications. Enterprise Application Access analyzes signals in real-time—such as user identity, device posture, and endpoint compromise—to detect anomalous activity, helping to block high-risk access attempts while giving admins heightened visibility into user access. Finally, the platform offers in-built multi-factor authentication and single sign-on, as well as integrations with a range of leading identity providers.
Akamai’s Enterprise Application Access is highly scalable, and integrations with LDAP and Active Directory make it relatively straightforward to deploy and provision. It also offers SIEM log integration via Unified Log Streamer (ULS), and API and SDK support to enable admins to easily integrate the solution with the rest of their security architecture for ease-of-use and seamless reporting. Its ease of use makes Enterprise Application Access a strong ZTNA option for SMBs, but because of its scalability and ease of integration with other third-party security solutions, we also recommend Akamai’s solution as a good fit for larger organizations.
Appgate provides secure, flexible access solutions for remote workforces, and for businesses that need to provide their consumers with a secure way to access digital services. Appgate SDP is their ZTNA solution for the workforce, designed to secure organizations against web-based attacks and identity threats, while saving IT resources through automation and a user-friendly interface that doesn’t require deep technical knowledge to navigate.
Appgate SDP uses single packet authorization to hide network resources from public view. All connections between users and network resources are encrypted, protecting all network activity against unauthorized viewing. From the intuitive admin console, IT teams can centrally configure access policies for servers, desktops, mobile devices and cloud infrastructure. SDP then applies policies to grant or deny user access based on user roles and attributes. SDP also analyzes login attempts for contextual risk—such as device security posture—and modifies access automatically based on risk level, helping to mitigate unauthorized access as a result of identity-based attacks. Finally, the platform offers integrations with third-party identity providers for added security and a frictionless user login experience, and LDAP and SIEM tools to simplify operations and increase visibility across the security stack.
One of Appgate SDP’s main differentiators in the ZTNA space is its flexibility: the solution is offered as-a-Service, and as a self-hosted option. It also supports multi-cloud and containerized environments, making SDP suitable for deployment in any environment. Users praise Appgate SDP for its intuitive interface, and ease of deployment and management, both of which reduce the strain on IT teams in terms of a learning curve when adopting the solution. We recommend Appgate SDP as a strong ZTNA solution for larger enterprises looking for dynamic, automated remote access control that’s easy to set up and manage.
Cisco is a market-leading provider of solutions that enable and secure remote and hybrid work. They provide a wide range of security solutions to cover the most prevalent attack surfaces modern organizations are facing, including endpoint, identity, and web threats. Software-Defined Access (SD-Access) is Cisco’s ZTNA solution, designed to enable IT and security teams to configure and enforce access policies across their remote or hybrid workforce.
From the central dashboard, admins can configure role-based access policies for all users and devices—including IoT devices—connected to their network. SD-Access offers particularly strong device verification to mitigate the spread of malware; it establishes a segmented connection with each endpoint, granting it as little access as possible in line with the principle of least privilege, and continuously verifies the security posture of each device to identify any anomalous or risky behaviors. If devices are considered high risk, IT admins are alerted so they can contain the threat and investigate it in more detail. Finally, Cisco SD-Access offers analytics and reporting into endpoint activity, giving admins greater visibility into access across the network and automatically quarantining compromised devices to reduce malware threats.
SD-Access offers cloud, on-prem and hybrid deployment options, making it suitable for any environment. However, some users, particularly those unfamiliar with Cisco’s products, report that initial deployment is complex and requires support from Cisco’s technical team. We recommend Cisco’s Software-Defined Access for mid-size organizations and larger enterprises looking for ZTNA with robust device authentication capabilities as well as user authentication, and particularly those already utilizing other security tools in Cisco’s suite. SMBs interested in the Cisco suite may wish to consider Duo Remote Access, which is aimed at smaller businesses but still offers seamless integrations with Cisco’s other products.
Citrix is a cybersecurity company that focuses on remote access and virtual desktops, enabling hybrid and remote workers to be as productive as if they were in the office. Secure Private Access is Citrix’s cloud-delivered ZTNA solution, which provides secure, adaptive remote access to all corporate applications—including web, SaaS, and client-server apps both on-prem and in the cloud—from any managed or unmanaged device.
Citrix Secure Private Access automatically applies adaptive access policies based on device posture, location, and risk score to all access attempts, only granting access to secure devices and verified users. This helps reduce the spread of malware through the network while ensuring a frictionless login experience for users. The solution also offers added security features, including the disabling of screen capture and copying, keystroke scrambling, and browser isolation, which mitigates the risk of web threats by ensuring all browsing activity occurs in an environment isolated from the network; when a user tries to access harmful content, it’s run and sandboxed within the isolated environment, ensuring it never interacts with the user’s device or company network.
Citrix Secure Private Access deploys in the cloud, making it highly flexible and scalable. It offers support for multiple application types and is compatible with both managed and unmanaged devices. Because of this flexibility, we recommend Secure Private Access as a strong zero trust network access solution for larger enterprises with a combination of corporate-issued and BYOD devices in their device fleet, that are looking for a ZTNA solution with lots of added built-in security functionality.
Cloudflare is a cybersecurity provider that aims to secure anything connected to the internet. Designed to augment or replace traditional VPN solutions, Cloudflare Access is Cloudflare’s ZTNA solution that enables remote users to access all apps in their company’s on-prem, public cloud, or SaaS environment.
With Cloudflare Access, admins can configure granular role-based access controls across all segmented SaaS and self-hosted apps, ensuring that only authorized users can access those applications, and only the ones they need, when they need them. To verify user access, Cloudflare offers strong integrations with multiple identity providers. The diverse range of integrations on offer makes it easy to integrate with existing identity and access management infrastructures. Cloudflare Access also verifies devices before granting access, analyzing health posture indicators such as serial numbers and mTLS certificates to ensure that only secure, known devices are granted access. The platform also offers integrations with endpoint protection providers such as CrowdStrike and SentinelOne for added endpoint security. Finally, Cloudflare Access offers granular log functionality, with logging for all requests made in applications so admins can keep a tight eye on user activity throughout their sessions—not just when they log in and out.
Cloudflare Access is delivered via Cloudflare’s globally distributed edge network, giving it scalability and enabling fast connections, no matter where in the world a user is based. Users praise Cloudflare for its strong integrations with identity providers, intuitive interface, and reliability when it comes to threat prevention. Some, however, note that deployment is time-consuming and comes with a learning curve. We recommend Cloudflare Access as a strong ZTNA solution for organizations of any size with a tech-savvy IT team that has the experience and knowledge to handle a complex implementation.
Google Cloud is the cloud security division of Google, which helps organizations secure their data and ensure compliance with federal and industry data protection regulations. BeyondCorp is Google’s cloud-centric zero trust network access solution that offers an agentless and proxy-less approach to ZTNA by integrating with Google’s Chrome browser. BeyondCorp offers user- and device-based authentication for access to cloud and on-prem applications without the need for a traditional VPN.
The Access Context Manager lets admins configure and deploy zero trust access policies for all users and devices. Policies are contextual and highly granular; they can be configured per-user and per-device, and admins can define access permissions according to the strength of certain credentials. Admins can also enforce in-built multi-factor authentication (via push notifications, one-time passcodes, and 2SV keys) and single sign-on for users to ensure a frictionless login experience, as well as a secure one. The Endpoint Verification feature offers visibility into the devices from which users are seeking access, enabling admins to fine-tune access policies and keep an eye on the activity of high-risk users. Finally, BeyondCorp offers a range of extra security features: it encrypts all access to corporate services to prevent unauthorized viewing; it gathers threat intelligence data to help identify and remediate data breaches and malware instances; and it blocks access to malicious websites.
Delivered on a subscription basis through Google’s global network, BeyondCorp is highly scalable and easy to deploy. Being a Google Cloud product, BeyondCorp offers seamless integrations with Chrome and other products in the Google security suite, making it easy to navigate for existing Google users. We recommend Google BeyondCorp as a strong ZTNA solution for businesses of any size looking for powerful ZTNA with a familiar, intuitive interface.
Palo Alto Networks is a globally recognized and trusted provider of enterprise cybersecurity solutions that employ machine learning, in-depth analytics, and automation. Prisma Access, formerly GlobalProtect, is Palo Alto’s ZTNA solution, an evolution of their traditional VPN that combines continuous authentication and least privilege access to provide remote users with secure access to corporate applications, including web apps, TCP-based apps, and UDP-based apps.
Prisma Access enables IT admins to implement least privilege user and device access to all apps on the corporate network by offering granular access controls at an app and sub-app level. The platform continuously monitors user and device activity throughout each session to identify anomalies such as changes in device posture and user and app behavior, granting admins greater visibility into the security of each connection. This also enables admins to troubleshoot issues with app performance quickly and effectively. Note that, in order to get the most out of the centralized management features, customers must invest in Palo Alto’s Panorama management portal, which they must deploy and host themselves. As well as the authentication and reporting features it offers, Prisma Access provides a range of advanced security features, including URL filtering to block web-based attacks, and machine learning-powered firewalls to protect against malware.
Prisma Access is available as-a-Service or through a self-hosted deployment and can also be deployed as a hybrid combination of the two. Users praise Prisma Access for the simplicity with which they can manage user access, and the high levels of security the platform provides. We recommend Palo Alto Prisma Access for larger organizations looking for reliable ZTNA that will support a diverse environment, both in terms of combining on-prem and SaaS elements, and managed and unmanaged devices, including IoT devices.
Perimeter 81 is a market-leading network security provider that offers cloud-based solutions to support the hybrid workforce. Their eponymous platform combines ZTNA with a Security Service Edge (SSE) platform, a Firewall-as-a-Service (FWaaS), and a Secure Web Gateway (SWG), providing holistic, comprehensive security against endpoint, web, and identity-based threats. Because the platform is cloud-based, it doesn’t require the maintenance of any external hardware, making it easy to deploy and scale to secure on-prem and remote access to corporate resources.
Perimeter 81 supports the IPsec, OpenVPN and WireGuard protocols to encrypt all network traffic, no matter the cloud environment users are connecting to. This offers protection against unauthorized access and eavesdropping should users be connecting remotely via an unsecured Wi-Fi network. From the central management portal, admins can configure user and device access permissions to secure web and cloud apps. Admins can also access activity reports and audits to monitor logins, app connections, and gateway deployments, giving them greater visibility into who is accessing which parts of the network and why. Finally, Perimeter 81 offers in-built two-factor authentication for further security against identity-related breaches such as account takeover, and DNS filtering to prevent employees from accessing known malicious or high-risk websites.
Perimeter 81 is compatible with Windows, Mac, iOS, Android, Linux, and Chromebook operating systems, giving all users a universal access experience, no matter what device they’re using. This makes it a strong option for companies with a lot of BYOD devices in their device fleet. Users praise the solution’s helpful, efficient support and intuitive interface, which make it a particularly popular product amongst SMBs.
Zscaler is a market-leading provider of scalable, cloud-based web security solutions. Zscaler Private Access (ZPA) is their ZTNA solution designed to provide secure, frictionless remote access to all private applications, services and OT/IoT devices running in a public cloud or in a data center. Part of Zscaler’s security service edge (SSE) platform, ZPA’s cloud-based architecture makes it highly scalable and quick to deploy, without the need for external hardware.
Zscaler Private Access hides the IP addresses of all applications on the corporate network, preventing unauthorized parties from discovering them. The platform creates a direct connection between each user and the resource they’re trying to access, reducing the risk of lateral attacks. User access is granted based on admin-configured authentication and access policies. The platform uses machine learning to analyze indicators of anomalous access activity—such as app telemetry, user context, and location—and validate access policies. As well as defining access policies, admins can identify app performance issues via digital experience monitoring and identify and shut down rogue apps and unauthorized access. Finally, the platform offers added security through in-built content inspection, which controls sensitive data across user/app connections, and cloud browser isolation, which mitigates the risk of web-based threats such as malicious links and downloads.
ZPA is compatible with both managed and unmanaged devices, making it a particularly strong ZTNA solution for organizations with corporate-issued and BYOD devices in their device fleet, or organizations that use third parties or contractors who prefer to use their own personal devices. Because of its scalability and wealth of additional security features, we recommend Zscaler Private Access as a strong ZTNA solution for larger enterprises looking to provision secure remote access, with additional protection against web and browser threats such as DDoS attacks and malicious webpages.
FAQs
What Is Zero Trust Network Access (ZTNA)?
Zero trust network access solutions enable remote users to securely access resources on their corporate network. They do this by creating an identity- and context-based boundary around individual network assets—such as files, servers, or applications—or groups of assets. If a user wants to access an asset, the ZTNA solution must first verify their identity and the context of their access attempt in line with pre-defined policies. If the user passes these checks, they’re granted permission to access only the requested asset or asset group. If they want to access another asset, the ZTNA solution must re-verify them.
The micro-segmentation employed by ZTNA solutions also gives admins continuous, real-time visibility into which users are accessing which assets and when. This enables them to quickly identify any anomalous activity, as well as identify applications that are rarely used or redundant, to help save subscription costs.
ZTNA Vs. VPN: What’s The Difference?
Traditionally, organizations have relied on virtual private networks (VPNs) to establish a secure connection between their remote users and the corporate network. Enterprise VPNs create a private network across a public internet connection, essentially creating an encrypted tunnel between the user and the network. They anonymize the user by hiding their IP address and prevent any third parties from spying on users by encrypting data. They also usually require the user to authenticate themselves via multi-factor authentication (MFA) before establishing the connection.
However, once authenticated, the user has free access to the entire corporate network. This means that, if an attacker gains access to a remote user’s credentials and logs into their VPN, or even just intercepts a user’s VPN connection, they too can access the entire company network.
ZTNA solutions differ from this by only giving users access to the resources they need, when they need them—and nothing more. This enables ZTNA solutions to prevent attacks from spreading laterally through the network should an attacker manage to gain initial access. This greatly limits the amount of damage an attacker can do if they compromise a user’s account.
TL;DR: if a VPN builds a wall around the castle of your network to keep out the bad guys, a ZTNA solution places a guard on every door within the castle.
What Features Should You Look For In A ZTNA Solution?
There are five key features that you should look for when shopping for a ZTNA solution:
- Application micro-segmentation: users should only be able to access one asset at a time.
- Role-based access: admins should be able to define access permissions for each user based on their role within the company.
- Real-time reporting on user access activities and application usage: admins should be able to easily monitor user access and identify anomalous activity. In addition to this, admins should be able to identify rarely used applications, with the help of visual reporting dashboards.
- In-built, or ability to integrate, MFA or 2FA security: all users should be made to verify their identity in two or more ways before being granted access to any network assets.
- Device and operating system health checks: the ZTNA solution should only establish a remote connection with devices that are adequately patched and running an endpoint security solution.
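To make the per-asset decision described in the FAQ and the feature list above concrete, here is an added example (not code from any vendor on this page) of a minimal ZTNA policy broker: it applies the identity, MFA, device-health and context checks to one requested asset at a time, scopes each grant to that single asset so that reaching another asset forces re-verification, records every decision for reporting, and contrasts the blast radius of a stolen session under the VPN model with the ZTNA model. The resource inventory, device serials and allowed-country list are constructed sample data.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set

# Constructed inventory: protected assets and the roles allowed to reach each one.
# The broker never hands out asset addresses; it issues a grant scoped to one asset.
RESOURCES: Dict[str, Set[str]] = {
    "hr-portal": {"hr", "admin"},
    "git-server": {"engineering", "admin"},
    "finance-db": {"finance"},
}
KNOWN_DEVICES = {"SN-0001", "SN-0002"}  # constructed list of enrolled device serials
ALLOWED_COUNTRIES = {"US", "GB"}         # constructed location-context policy
AUDIT_LOG: List[str] = []                # one line per decision, allow or deny


@dataclass(frozen=True)
class Device:
    serial: str
    os_patched: bool
    edr_running: bool


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device: Device
    mfa_verified: bool
    country: str
    resource: str


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str  # valid for exactly this asset (application micro-segmentation)


def evaluate(req: Request) -> Optional[Grant]:
    """Check identity/role, MFA, device health and context for ONE requested asset.
    Every failing check is collected so the audit trail explains the verdict."""
    reasons = []
    allowed_roles = RESOURCES.get(req.resource)
    if allowed_roles is None:
        reasons.append("unknown resource")
    elif req.role not in allowed_roles:
        reasons.append("role not permitted")
    if not req.mfa_verified:
        reasons.append("mfa not completed")
    if req.device.serial not in KNOWN_DEVICES:
        reasons.append("unenrolled device")
    if not (req.device.os_patched and req.device.edr_running):
        reasons.append("device posture failed")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("location outside policy")
    verdict = "ALLOW" if not reasons else "DENY: " + "; ".join(reasons)
    AUDIT_LOG.append(f"{req.user} -> {req.resource}: {verdict}")
    return Grant(req.user, req.resource) if not reasons else None


def use_grant(grant: Grant, resource: str) -> bool:
    """A grant opens only the asset it was issued for; any other asset
    requires a fresh evaluate() call (the re-verification step)."""
    return grant.resource == resource


def exposed_after_account_takeover(req: Request, ztna: bool) -> Set[str]:
    """Assets an attacker holding this user's authenticated session could reach.
    VPN model: one successful login exposes the whole network.
    ZTNA model: each asset is evaluated separately, so only role-permitted
    assets from a healthy, enrolled device in an allowed location are reachable."""
    if not ztna:
        return set(RESOURCES)
    return {r for r in RESOURCES if evaluate(replace(req, resource=r)) is not None}
```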