How to choose the best ZTNA vendor for your organization

In a sea of options, finding the best ZTNA vendor for your organization can pose a major challenge. Weed through the marketing hype with advice from the experts.

Just before Christmas 2015, an alleged stalker talked his way inside a gated community in Hidden Hills, Calif. Once inside the neighborhood, the man proceeded to the home of Kris Jenner, matriarch of the infamous Kardashian-Jenner clan. Strolling past security guards, the intruder found Jenner alone in her home office, where he announced, "Lucy, I'm home."

About a year later, another alleged stalker breached the community's gates. This time, however, Jenner's new security detail -- she fired the previous guards -- questioned and detained the man before he could enter her private property.

What is zero-trust network access?

These back-to-back incidents illustrate the fundamental differences between legacy, perimeter-based network access and new zero-trust network access (ZTNA). ZTNA is garnering enormous interest in the enterprise as multi-cloud use and remote work continue to decentralize IT infrastructure and dissolve the traditional network perimeter. Gartner predicted that, by 2025, ZTNA will have eclipsed most VPN use in 70% of new remote access deployments.

The traditional security paradigm -- much like the one that allowed an intruder to enter Jenner's home -- takes an all-or-nothing approach, assuming anyone inside a network is trustworthy. This implicit trust has resulted in a slew of high-profile and costly corporate data breaches in recent years, with attackers free to move laterally and commandeer sensitive data once they've made it past the perimeter -- often via VPNs.

In contrast, ZTNA -- like Jenner's new guards in the second intruder incident -- treats everyone everywhere as a threat, continuously making all users prove they have permission to be wherever they are trying to go. Even after authentication and authorization, users and devices get tailored, incremental access to only the applications, services and systems they need and only for as long as they need them.

Expert advice for choosing a ZTNA vendor

The ongoing zero-trust boom has seen a plethora of ZTNA vendors wade into the market, leaving today's network security pros "swimming in a sea of products," said John Burke, CTO at research and consulting firm Nemertes. With so many options, it's important to understand how various ZTNA features and technical flavors work and differ before investing.

Features to look for when choosing a ZTNA vendor

Burke cautioned that many vendors today label products and services as zero trust that don't qualify. To identify a true ZTNA product, experts recommend looking for the following core features:

  • Identity-centric. A ZTNA tool should grant users conditional access to as few network resources as possible -- the ones they need to do their jobs -- based on preestablished identities, roles and permissions.
  • Default "deny" response. ZTNA platforms consider users guilty until proven innocent, granting them access only after they have satisfied authentication and authorization requirements. Denial by default is a core tenet of zero trust.
  • Context-aware. In addition to identity, ZTNA products also consider context-based criteria -- such as date, time, geographic location, network connection and device posture -- before granting access. For example, atypical and unsanctioned user behavior, such as attempting to log in to an application overnight or from another country, could result in denial.

Buyer, beware: 'Zero trust' red flags

According to Burke, if a tool can't establish in advance, at a granular level, who is allowed to connect to a given resource, it's not ZTNA. For example, he added, user behavior analytics (UBA) -- which entails letting an entity into the network, watching how it behaves and stopping it if it behaves badly -- doesn't qualify. "That's a fine adjunct to zero trust, but it's an independent concept," Burke said.

John Watts, analyst at Gartner, said claims about a ZTNA product's "agility" should also raise red flags. Restricting access to network resources improves security, but it logically reduces agility, which he identified as a competing priority.

Watts added that vendors sometimes claim to sell zero-trust collaboration tools and zero-trust VPNs, but he called both contradictions in terms. "The vendor hype leads to a lot of confusion," he said. "They are using zero trust as overloaded marketing shorthand for 'more secure.'"

How ZTNA products work

In ZTNA, authentication depends on user identities that organizations preestablish using integrated identity and access management (IAM), single sign-on (SSO) and multifactor authentication (MFA) tools.

ZTNA trust brokers, or centralized controllers, enforce enterprise access policies by negotiating connections between users and applications, while shielding private network resources from the public internet.

The trust broker acts as a kind of dynamic ZTNA policy brain, cross-referencing user identities, user roles and contextual variables -- such as dates, times, geolocations, data sensitivity levels and device postures -- against enterprise policies, granting or denying client connection requests accordingly.

The trust brokers allow authenticated users limited access to individual or grouped applications on a one-to-one basis, preventing unsanctioned lateral movement into other areas of the private network.

"In a sense, ZTNA creates individualized 'virtual perimeters' that encompass only the user, the device and the application," Gartner analysts Neil MacDonald, Steve Riley and Lawrence Orans wrote in a 2022 ZTNA market guide.
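To make the broker's decision logic concrete, here is an added illustrative policy engine (not any vendor's code, and not from the article) that applies the three core features above: it cross-references an assumed identity and role from the IAM/SSO layer with context signals (hour, country, device posture) against a per-application policy, denies by default, and grants access to the single requested application only. All users, roles, applications and policy values are constructed sample data.

```python
"""Minimal ZTNA trust-broker policy engine, written for illustration only.

Assumed inputs: role and MFA result come from an IAM/SSO provider, device
posture from an endpoint agent or MDM, and country from geolocation.
Every check must pass; anything not explicitly permitted is denied.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    role: str               # from the identity provider (assumed)
    app: str                # the one application being requested
    hour: int               # local hour 0-23 when the request arrives
    country: str            # ISO country code from geolocation
    device_compliant: bool  # device posture as reported by the agent/MDM
    mfa_passed: bool


@dataclass(frozen=True)
class AppPolicy:
    roles: frozenset[str]       # roles allowed to reach this app
    countries: frozenset[str]   # allowed source countries
    hours: range                # allowed local hours
    require_compliant: bool = True


# Constructed sample policy: one entry per application (one-to-one grants).
POLICY: dict[str, AppPolicy] = {
    "payroll": AppPolicy(frozenset({"finance"}), frozenset({"US"}), range(7, 20)),
    "wiki": AppPolicy(frozenset({"finance", "eng"}), frozenset({"US", "DE"}),
                      range(0, 24), require_compliant=False),
}


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Default deny: an unknown app or any failed
    check results in denial; a grant covers only req.app, never the network."""
    policy = POLICY.get(req.app)
    if policy is None:
        return False, "no policy for app (default deny)"
    if not req.mfa_passed:
        return False, "authentication incomplete"
    if req.role not in policy.roles:
        return False, "role not permitted"
    if req.country not in policy.countries:
        return False, "unsanctioned location"
    if req.hour not in policy.hours:
        return False, "outside permitted hours"
    if policy.require_compliant and not req.device_compliant:
        return False, "device posture failed"
    return True, f"grant limited to {req.app}"


if __name__ == "__main__":
    # Constructed requests: a daytime finance user, then the same user overnight.
    ok = Request("alice", "finance", "payroll", 10, "US", True, True)
    late = Request("alice", "finance", "payroll", 2, "US", True, True)
    for r in (ok, late):
        print(r.user, r.app, decide(r))
```

Note that a grant for `wiki` says nothing about `payroll`: each application is evaluated on its own, which is the per-application scoping the broker uses to block lateral movement.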

Endpoint-initiated vs. service-initiated ZTNA

Organizations can choose between two basic ZTNA architectures: endpoint-initiated and service-initiated.

Endpoint-initiated ZTNA. Endpoint-initiated ZTNA, also known as agent-based ZTNA, requires enterprises to deploy a software agent on each network endpoint to gather information and share it with the broker as part of the authentication and authorization process.

Based on the context it receives from an agent, the broker determines which resources it trusts a user to access and then signals a secondary gateway, an appliance located near the hidden enterprise network, to initiate an encrypted outbound tunnel from application to user. According to Watts, this "inside-out" model closely reflects the original software-defined perimeter (SDP) specification of the Cloud Security Alliance.

Gartner reported a growing percentage of ZTNA implementations today are agent-based and part of broader Secure Access Service Edge (SASE) or security service edge (SSE) deployments.

Service-initiated ZTNA. Service-initiated ZTNA, or clientless ZTNA, does not require endpoint agents or clients. Instead, an enterprise installs a connector appliance in its private network, which initiates an outbound connection to the ZTNA provider's cloud.

If a user and device pass muster based on identity credentials and context requirements, the ZTNA controller facilitates a connection with the requested application via a proxy appliance in the provider network. The user typically accesses services through a web browser.

This flavor of ZTNA aligns with Google's BeyondCorp design, which it has used internally since 2011. A version called BeyondCorp Enterprise is now available commercially.

Service-initiated ZTNA is growing in popularity for third-party and BYOD use, according to Gartner.

Endpoint-initiated ZTNA vs. service-initiated ZTNA. An agent on an enterprise-managed endpoint can provide the ZTNA trust broker with rich contextual insight into user behavior and device posture, theoretically resulting in more nuanced, sophisticated access control.

But, because it requires software installation, endpoint-initiated access can't support devices that the enterprise doesn't control, limiting third-party and BYOD use. On the other hand, service-initiated ZTNA doesn't require agents on the end-user side, but typically supports only application protocols based on HTTP or HTTPS.

Gartner recommended choosing a vendor that supports a hybrid approach. Offerings that let customers mix and match service-initiated and endpoint-initiated ZTNA for different use cases include the following:

  • Akamai Enterprise Application Access;
  • Appgate SDP;
  • Cato ZTNA, delivered as part of Cato SASE Cloud and Cato SSE 360;
  • Citrix Secure Private Access;
  • Cloudflare Access;
  • Forcepoint ZTNA;
  • Netskope Private Access;
  • Palo Alto Networks' ZTNA 2.0, delivered as part of Prisma Access;
  • Perimeter 81 Zero Trust Application Access;
  • Proofpoint ZTNA;
  • Tencent iOA;
  • VMware Secure Access, delivered as part of VMware SASE; and
  • Zscaler Private Access.

When vetting either endpoint-initiated or service-initiated architectures, Gartner's MacDonald said in a recent webinar, enterprises should also ask ZTNA vendors if the broker or controller stays in the encrypted data path to perform continuous, inline inspection and authentication functions for the duration of the exchange. If the broker removes itself after setting up the application access, the network will have less visibility and a higher level of implicit trust -- but potentially also a lower risk of traffic bottlenecks.

ZTNA as a service vs. self-hosted ZTNA

Organizations must also decide whether they want to subscribe to ZTNA as a service or host the software themselves, either on premises or in a public IaaS cloud.

ZTNA as a service. According to Forrester, ZTNA SaaS offerings currently dominate customer interest and adoption. Generally, cloud-hosted ZTNA is faster and easier to deploy, less onerous to manage and more readily scalable than self-managed offerings.

ZTNA-as-a-service products include the following:

  • Akamai Enterprise Application Access;
  • Appgate SDP;
  • Banyan Security Zero Trust Remote Access;
  • Broadcom's Symantec Secure Access Cloud;
  • Cato ZTNA, delivered as part of Cato SASE Cloud and Cato SSE 360;
  • Cisco Secure Access by Duo;
  • Citrix Secure Private Access;
  • Cloudflare Access;
  • Forcepoint ZTNA;
  • Fortinet's FortiClient, delivered as part of FortiSASE and FortiGate Next-Generation Firewall (NGFW);
  • Google's BeyondCorp Enterprise;
  • Lookout ZTNA, delivered as part of Lookout SASE;
  • Netskope Private Access;
  • Palo Alto Networks' ZTNA 2.0, delivered as part of Prisma Access;
  • Perimeter 81 Zero Trust Application Access;
  • Proofpoint ZTNA;
  • Tencent iOA;
  • Verizon SDP;
  • Versa Networks' Versa Secure Access, delivered as part of Versa SASE;
  • VMware Secure Access, delivered as part of VMware SASE; and
  • Zscaler Private Access.

Self-hosted ZTNA. Self-hosted ZTNA requires deploying controller appliances either on premises or in a public cloud. Although they tend to have more cumbersome deployment and management requirements, customer-deployed and -controlled trust brokers may offer greater control, according to Gartner's MacDonald. Organizations with strict security requirements may prefer self-hosted ZTNA.

ZTNA products with self-hosted options include the following:

  • Appgate SDP;
  • Banyan Security Zero Trust Remote Access;
  • Fortinet's FortiClient, delivered as part of FortiSASE and FortiGate NGFW;
  • Palo Alto Networks' ZTNA 2.0, delivered as part of Prisma Access;
  • Tencent iOA; and
  • Zscaler Private Access.

Questions to ask ZTNA vendors

Gartner's Watts reminded network security pros to bring a healthy sense of skepticism to conversations with ZTNA vendors, objectively vetting products to ensure they meet specific use cases and needs.

"Work with standards bodies, get independent advice and come up with your own ideas before you start engaging with the vendors because they will want you to do zero trust their way," he advised.

Watts also cautioned that, despite what some vendors might claim, ZTNA tools can't meet every security use case -- unstructured data protection and customer access for public-facing applications, for example.

"These are not silver bullets," he said of ZTNA offerings, adding that enterprises should think about what other, complementary technologies they might also need.

During the vetting process, consider asking ZTNA vendors the following questions:

  • How does this product control, in advance, who is allowed to connect to a given network resource?
  • How granular can customers make their access policies?
  • What role do contextual risk factors, such as device security posture, play in the authentication process?
  • What IAM, SSO and MFA tools does the ZTNA product support?
  • What endpoint security software does it support?
  • How does this offering prevent unauthorized lateral movement within the network?
  • What is the UX like? How easily can administrators update access policies?
  • Is this a SaaS offering? Is there a self-hosted option?
  • What is the ZTNA delivery model: service-initiated or endpoint-initiated? Is there a mix-and-match, hybrid option to serve different use cases, e.g., service-initiated for third-party users and endpoint-initiated for internal users?
  • Is this a standalone tool, or is it part of a broader SASE or SSE platform?
  • Does the offering include complementary security features, such as UBA?
  • Does the trust broker stay in the encrypted data path to perform continuous, inline inspection and authentication functions for the duration of the exchange?
  • Does the ZTNA platform support both remote and in-office users?
  • Does it support access to on-premises, legacy resources?
  • Does it support access to non-browser-based resources, such as those using Remote Desktop Protocol (RDP), SSH, virtual desktop infrastructure, Session Initiation Protocol and VoIP?
  • Does it support workloads and users in IaaS?
  • Does it support managed IoT and operational technology devices?
  • What is your in-house security operations strategy?
  • What are the uptime and performance service-level agreements for the ZTNA trust brokers?

Identify your organization's network access use cases, needs and priorities, and cross-reference them with vendors' responses.

ZTNA vendors

Today's organizations can choose from a wide array of ZTNA vendors. These include the following, listed in alphabetical order:

  • Akamai -- Enterprise Application Access
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Endpoint-initiated (client-based) and service-initiated (clientless) options
  • Appgate -- Appgate SDP
    • Deployment: Cloud-hosted (ZTNA as a service) and self-hosted (on premises or in the cloud) options
    • Delivery: Endpoint-initiated (client-based) and service-initiated (clientless) options
  • Banyan Security -- Banyan Security Zero Trust Remote Access
    • Deployment: Cloud-hosted (ZTNA as a service) and self-hosted (on premises or in the cloud) options
    • Delivery: Endpoint-initiated (client-based) and service-initiated (clientless) options
  • Broadcom -- Symantec Secure Access Cloud
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Service-initiated (clientless)
  • Cato Networks -- Cato ZTNA, delivered as part of Cato SASE Cloud and Cato SSE 360
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Endpoint-initiated (client-based) and service-initiated (clientless) options
  • Cisco -- Cisco Secure Access by Duo, delivered as part of a Duo Beyond subscription
    • Deployment: Cloud-hosted (ZTNA as a service) and hybrid (combined cloud-hosted and on premises) options
    • Delivery: Service-initiated (clientless)
  • Citrix -- Citrix Secure Private Access
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Endpoint-initiated (client-based) and service-initiated (clientless) options
  • Cloudflare -- Cloudflare Access
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Endpoint-initiated (client-based) for nonweb applications, RDP connections and private routing; service-initiated (clientless) for web app and SSH connections
  • Forcepoint -- Forcepoint ZTNA, delivered as part of Forcepoint One, an SSE platform
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Endpoint-initiated (client-based) and service-initiated (clientless) options
  • Fortinet -- FortiClient, delivered as part of FortiSASE and FortiGate NGFW
    • Deployment: Cloud-hosted (ZTNA as a service) and self-hosted (on premises or in the cloud) options
    • Delivery: Endpoint-initiated (client-based)
  • Google -- BeyondCorp Enterprise
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Service-initiated (clientless)
  • Lookout -- Lookout ZTNA, delivered as part of Lookout SASE
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Service-initiated (clientless)
  • Netskope -- Netskope Private Access
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Endpoint-initiated (client-based) and service-initiated (clientless) options
  • Palo Alto Networks -- ZTNA 2.0, delivered as part of Prisma Access, an SSE platform
    • Deployment: Cloud-hosted (ZTNA as a service) and self-hosted (on premises or in the cloud) options
    • Delivery: Endpoint-initiated (client-based) and service-initiated (clientless) options
  • Perimeter 81 -- Perimeter 81 Zero Trust Application Access
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Endpoint-initiated (client-based) and service-initiated (clientless) options
  • Proofpoint -- Proofpoint ZTNA
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Endpoint-initiated (client-based) and service-initiated (clientless) options
  • Tencent Security -- Tencent iOA
    • Deployment: Cloud-hosted (ZTNA as a service) and self-hosted (on premises or in the cloud) options
    • Delivery: Endpoint-initiated (client-based) and service-initiated (clientless) options
  • Verizon -- Verizon SDP
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Endpoint-initiated (client-based)
  • Versa Networks -- Versa Secure Access, delivered as part of Versa SASE
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Endpoint-initiated (client-based)
  • VMware -- VMware Secure Access, delivered as part of VMware SASE
    • Deployment: Cloud-hosted (ZTNA as a service)
    • Delivery: Endpoint-initiated (client-based) and service-initiated (clientless) options
  • Zscaler -- Zscaler Private Access
    • Deployment: Cloud-hosted (ZTNA as a service) for remote users and self-hosted (on premises) for local users
    • Delivery: Endpoint-initiated (client) and service-initiated (clientless) options
