Zero trust security is a concept that's been around for several years, but it may finally be starting to gain traction as a technology product. The problem is that zero trust can mean different things to different people - and not all vendors take the same approach. But buyers are beginning to express interest, and a number of security vendors have assembled some interesting approaches to zero trust security.
What is zero trust security?
Even analysts don't entirely agree on what zero trust security is.
Gartner calls it zero trust network access (ZTNA) and sees ZTNA as something of a fine-grained approach to network access control (NAC), identity and access management (IAM) and privileged access management (PAM) - and at least an adjunct to, if not a replacement for, VPNs and DMZ architectures. Users are granted access only to the data and applications they need rather than to the entire network, which reduces the risk of lateral movement. Device security and behavior monitoring controls can further restrict access.
As Gartner analyst Steve Riley puts it, "Identity is the new perimeter." He sees services taking a substantial early lead over standalone solutions and says that while it's too soon for a zero trust Magic Quadrant, the analyst firm will have more to share on customer experiences in 2021.
Forrester - which coined the term zero trust 10 years ago - takes a broader approach. The Forrester Wave report covers "Zero Trust eXtended Ecosystem Platforms," or ZTX for short. The firm urges microsegmentation at the identity, network or device level, along with policy enforcement and advanced identity management.
We'll take a look at both approaches and some others in this top zero trust vendors piece. While it's too soon to declare winners, a number of vendors have pieced together strong approaches. We looked at nearly 40 vendors in developing this list, so we'll focus on eight of the more interesting solutions, from the simple to the complex, and list some other promising ones after that.
Top zero trust solutions
Key takeaway: With a strong offering spanning access management and segmentation, Cisco customers in particular have reason to look closely at the networking giant's zero trust solutions.
Cisco's acquisition of access management leader Duo has solidified its zero trust approach. Combined with the networking giant's Tetration microsegmentation technology and SD-Access policy and network access solution, Cisco is becoming an early leader in the zero trust security market. That's especially good news for Cisco customers, who will have an easier time with implementation with all the pieces integrated. Duo users have been particularly happy, so if Cisco can maintain that product satisfaction it could have a winner on its hands.
Key takeaway: Illumio goes beyond zero trust to fill a number of security needs, and automation and management features might even give it SMB appeal.
Illumio's workload and endpoint security platforms fit nicely into the zero trust space, and with its microsegmentation and whitelisting abilities, the company says it can even prevent the spread of ransomware. Users are happy with everything from product capabilities to pricing. With capabilities that span vulnerability management, microsegmentation, network visibility and encryption, Illumio has put together a strong security offering in general. Good automation and management features give Illumio's Adaptive Security Platform broad appeal.
Key takeaway: Palo Alto combines strong security with recent acquisitions to emerge as a zero trust player.
Palo Alto Networks is one vendor that's not afraid of independent security tests, and the results across gateways, firewalls, intrusion prevention systems and endpoints have been impressive. With the recent acquisitions of Twistlock, RedLock, PureSec and CloudGenix, Palo Alto's security offerings now extend into the cloud, containers and SD-WAN. Integrating all that may take some work, but Palo Alto is becoming a vendor to be reckoned with in zero trust security. CloudGenix users in particular seem wildly happy.
Key takeaway: Akamai has leveraged its CDN technology and internal security work to emerge as a zero trust leader.
Akamai has leveraged its dominant position in edge data and content delivery into an impressive security platform, with zero trust at the center of that approach. Identity and application access, single sign-on with multi-factor authentication, and threat and DDoS protection are some of the ways Akamai cloaks and protects applications while accelerating performance. Much like Google's BeyondCorp, Akamai's Identity Aware Proxy architecture began as an internal security effort.
Key takeaway: Looking for an easy way to implement zero trust? Okta should be on your list.
Seeing Okta on this list should come as no surprise, as the company has long been a leader in access management, authentication and single sign-on. It also shouldn't come as a surprise that Okta is strongest in identity and access management. With a simple and easy-to-manage approach, Okta offers users a way to implement zero trust without a lot of complexity.
Key takeaway: This is SO not your father's mainframe vendor.
For a vendor that started out in mainframes, Unisys Stealth is one of the coolest zero trust approaches on the market, leveraging the company's work in high-security government agencies to create a platform that includes what Forrester called "one of the few real applications of actual machine learning that we've seen in production in any security analytics or automation system." The Stealth software suite offers visibility, microsegmentation, identity, cloud and mobile support, and services. If you have high security requirements, you need to take a look at Unisys.
Key takeaway: The vendor known for one-stop shopping takes the same approach to zero trust.
Symantec, now part of Broadcom, has assembled a comprehensive portfolio of zero trust offerings:
- Secure Access Cloud
- Cloud Workload Protection
- Web Application Firewall
- Control Compliance Suite
- Symantec Protection Engine
Symantec positions Secure Access Cloud as a replacement for VPNs. It uses a software-defined perimeter approach to cloak data center resources, isolating them from end users and the internet and removing the network as an attack surface. And Symantec ties it all together and automates it through its Integrated Cyber Defense Platform, making the vendor a good choice for those who want one-stop shopping.
Key takeaway: Positive user experience and an innovative approach to zero trust make AppGate one to watch.
AppGate SDP - part of Cyxtera's cybersecurity business that was spun out last year into a separate company - is another software-defined perimeter product aimed at replacing legacy VPN systems. There's not a lot of user feedback on AppGate SDP, but what there is is uniformly positive. Users say the product is innovative, offers very granular access control and supports multi-cloud environments. Support is responsive, but a couple of users say the management interface can be difficult to use. It is best for those who are looking to isolate specific environments and aren't afraid of a leading-edge product. The product's ability to dynamically adapt to risk is a plus too.
With so many security vendors going after the zero trust market, mergers and acquisitions are likely. Indeed, just in the last week, Check Point Software acquired Israeli zero trust startup Odo Security, and Fortinet acquired OPAQ Networks in July.
Other vendors taking noteworthy approaches to zero trust include:
- Google (BeyondCorp, Cloud IAP, Context-Aware Access)
- Microsoft (Azure AD and Web Application Proxy)
- Check Point
- Pulse Secure
- Perimeter 81
- Cato Networks