Best Zero Trust Security Solutions

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

A presidential executive order mandating a zero trust strategy for federal agencies has raised the profile of the cybersecurity technology and prompted many non-government IT security managers to consider how they might adopt the three zero trust principles: “All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.”

These principles can also be restated as:

  1. Continuous verification: Check each and every request from every user for every resource.
  2. Limit breach impact: Grant minimal permissions so a breach will have limited access.
  3. Collect evidence: Collect logs, behavioral data, and context to track, monitor, and validate compliance for every access to every monitored resource.

Of course, this is another easy-to-say but hard-to-do concept in IT security – especially for companies with extensive legacy IT infrastructure. Where should an IT security team start if they want to adopt zero trust?

Despite the relatively recent development of zero trust as a concept, many companies offer zero trust products or position their existing products as a mechanism to deliver zero trust. To discuss options intelligently, we need to consider the basics of the concept and categorize potential solutions.

Compare the Top Zero-Trust Solutions

1 NordLayer

Visit website

NordLayer embodies Zero Trust principles, streamlining hybrid and multi-cloud security. Prioritizing user, device, and connection authentication, it follows a ‘trust-none, verify all’ approach. NordLayer integrates IAM and network segmentation, establishing checkpoints for robust security. Its intuitive design enhances admin visibility, automation, and compliance with contemporary industry standards and organizational goals.

Learn more about NordLayer

2 Twingate

Visit website

Twingate helps fast-growing companies easily implement a secure Zero Trust Network Access solution without compromising on usability or performance. Twingate’s secure access platform replaces legacy VPNs with a modern Identity-First Networking solution that combines enterprise-grade security with a consumer-grade user experience. It can be set up in less than 15 minutes and works with all major cloud providers and identity providers. We believe that “Work from Anywhere” should just work.

Learn more about Twingate

3 ManageEngine AD360

Visit website

ManageEngine AD360 is an integrated identity and access management solution that assists organizations to manage and secure user identities, facilitate identity governance, and ensure compliance. It provides in-depth access management for Microsoft Active Directory, M 365, G Suite, and other target systems, and gives an edge over native tools. Its key capabilities include authentication, auditing, user behavior analytics (UBA), multi-factor authentication (MFA), and single sign-on (SSO).

Learn more about ManageEngine AD360

4 Heimdal Security

Visit website

A PAM solution that gives system administrators complete visibility into each endpoint’s access privileges. With this convenient setup, admins are able to view user requests, check request history, block elevations, and approve or decline escalation requests on the go from either the dashboard or mobile app. Enable Zero-trust execution or revoke local admin rights with a simple click. This effectively stops malicious insider threats from taking over your network and boosts your security.

Learn more about Heimdal Security

What Are the Categories and Functions of Zero Trust?

At its core, Zero Trust consists of:

  • Policy Engine to determine the rules for access
  • Policy Administrator to enforce the rules for access
  • Policy Enforcement Point – An access control point between untrusted requesters and trusted resources.

In application, users, systems, and apps contact the policy enforcement point with their credentials and a request for a resource. Next, the policy enforcement point sends the request and credentials to the policy administrator that will confirm or deny access to that specific request based on the rules of the policy administrator.

For example, consider the following requests from a non-employee contractor working on web design from a workstation in the marketing department:

  1. To access the image archive for company logos on a shared server:
    1. Policy Administrator checks the user ID and machines and verifies they have rights on the network
    2. Policy Administrator checks the resource and verifies that the image archive folder is a valid request and grants access to the contractor.
  2. To access the Human Resources employee records on a shared server:
    1. Policy Administrator checks the user ID and machines and verifies they have rights on the network
    2. Policy Administrator checks the resource and recognizes that the HR folder is not a valid request and refuses access to the contractor.

Note that in a more conservatively configured zero trust framework, the contractor will likely not even be able to see the HR folder to even initiate the request because of microsegmentation.

In both cases, the request and access granted will be logged and security teams may be flagged about the attempt to access unauthorized resources. Similar processes can apply for systems and applications on both the requestor and the resource ends.

In an extended model, this three-part zero-trust process is extended and expanded to eight more narrow categories:

  • Identity Security: Uniquely describe and validate a user or entity (device, application, etc.) and that they have permissions to access the environment. Policies can be role-based or attribute-based access controls.
  • Endpoint Security: Validates devices attempting to connect to resources with regards to right to access and the compliance of the device with company requirements (antivirus, updates, etc.).
  • Network Security: Identifies devices attempting to connect to the network. Segregates and isolates resources granularly for minimal access to any given user. End-to-end encryption protects data in transit and granular network segmentation limits the damage from any security breach.
  • Data Security: Identifies, organizes, segregates, and securely stores data and enforces least-privilege access.
  • Application Security: On-premises and cloud-based security to isolate and secure individual applications or workloads from unauthorized access or disruption.
  • Infrastructure Security:Today’s applications and workloads run in containers hosted on logical and bare-metal infrastructure that must also be secured from unauthorized access.
  • Visibility and Analytics: Heighten awareness by gathering information, alerts, and logs from systems. Monitor, research, and analyze potential threats, user access records, user behavior, resources accessed, network traffic, and more. Analyze information to improve threat detection, adjust access, and more.
  • Automation: Avoids human error, increases efficiency, drives performance and improves scalability through automation of repetitive manual processes and policy application.

Currently most tools embed features for automation as well as visibility and analytics into the zero trust solutions, so we will generally omit those two categories. However, a potential customer will need to judge if the embedded capabilities will be sufficient or how they fit into other security and operations processes.

To evaluate zero trust vendors, we need to categorize them by their specialties. Most vendors develop zero trust specialties related to existing solutions with add-on features or by positioning existing features as zero trust.

Where a vendor provides more than one type of zero trust capability, we will often place the vendor in their historical category. While we risk being inaccurate, we assume that their legacy technology will be the most developed and advanced capabilities of a vendor’s portfolio of features.

In addition to their categories, we also note the business model for delivering zero trust. Some companies will prefer in-house solutions and others will prefer outsourcing so these categories can help to pick more suitable candidates:

  • SaaS, or Software as a Service solutions, usually will be based on per-user fees over a time period (month, year, etc.) and the software will also include the cloud infrastructure. Typically, there will not be much software or hardware to install to use these tools.
  • Licensed Technology solutions license the software for in-house installations. While these may also be subscription-based, these technologies usually delegate installations and integrations to the customer.
  • Appliance solutions require a customer to install hardware (physical or virtual) into their infrastructure. These solutions may also require annual software maintenance fees and customers will be responsible for all installations and integrations.
  • Service solutions provide the personnel to manage installations, integrations, and ongoing management of the zero trust tool. Some software or hardware licenses may also be included, but a service contract may include those costs in the pricing.

We’ve broken down the zero trust security market into 80 products spanning six categories to differentiate between the products’ focus areas:

Comprehensive Zero Trust Solutions

Vendors in this category offer tools that encompass multiple categories to deliver a broad zero trust solution; however, the solution may be modular and require multiple licenses. These solutions also tend to be delivered by the largest, most expensive, and best known brands.

Broadcom / Carbon Black / Symantec / VMware (Licensed Technology)

Broadcom’s proposed acquisition of VMware could face a lengthy antitrust review both in the U.S. and Europe, but if it happens it will combine the endpoint security of both Carbon Black and Symantec under one roof. When combined with other acquisitions and VMware’s container technology, the unified tools offer potential solutions within the zero trust categories for identity, endpoint, network, application, and data.

Check Point (Licensed Technology)

Check Point offers an array of solutions that fulfill zero trust security requirements for nearly the full spectrum of categories: identity, endpoint, network, data, and application.

Cisco Zero Trust / Duo (SaaS, Licensed Technology, Appliance)

Cisco combines its expertise in network security with Duo’s SaaS identity solutions (multi-factor authentication, single-sign-on) to provide a range of policy-based and automated zero trust solutions for identity, endpoints, networks, and applications. These technologies may be obtained as SaaS or deployed on-premises as appliances or licensed technologies.

Forcepoint (SaaS)

Forcepoint delivers a Security Service Edge SaaS solution that combines features of Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), and Zero Trust Network Access. These solutions provide unified-policy, zero trust security solutions with integrated automation that cover the identity, endpoint, network, and data categories.

Fortinet (SaaS, Licensed Technology, Appliance, Services)

Fortinet provides a wide array of software, appliances, and services that deliver zero trust capabilities in the categories of identity, endpoint, network, and applications.

Google (Licensed Technology)

Google Cloud helps organizations to provide zero trust identity, network, and application protection for organizations that can establish, secure and manage HTTPS load balancers or virtual machines on Google Cloud. Google also hosts machines with Titan microchips that provide infrastructure security.

IBM (Licensed Technology, Service)

IBM offers a mix of internal products, services, and integrated third party tools to provide automated zero trust solutions for identity, endpoint, data, and network categories. IBM uses their Watson AI solution to enhance their automation and analytics.

Ivanti (SaaS, Licensed Technology)

Ivanti’s various Neurons modules provide zero trust capabilities for the identity, endpoint, network, and application categories. Ivanti’s Neurons will soon be updated to feature the capabilities of newly acquired MobileIron and Pulse Secure technologies.

Microsoft (Licensed Technology, SaaS)

Microsoft powers business through its Microsoft Windows, Office and Azure solutions, but they also offer compatible solutions to deliver zero trust solutions for identity, endpoints, network, infrastructure, applications, and data.

Palo Alto Networks (Technology License, Appliance)

Palo Alto builds on its legacy of advanced firewall technology to deploy a comprehensive zero trust solution for the categories of identity, endpoint, network, application, and infrastructure. Through a mix of products, customers can deploy next-generation firewalls (NGFW), extended detection and response (XDR), identity access management (IAM), and more.

SkyHigh Security (Technology License)

Skyhigh Security (formerly McAfee Cloud) provides solutions for Cloud Access Security Broker (CASB), Data Loss Protection (DLP), Remote Browser Isolation (RBI), Secure Web Gateway (SWG), and Security Service Edge (SSE). These features deliver cloud-based tools to deliver zero trust identity, endpoint, network, data, and application security.

Also read: McAfee Cloud Launches as Skyhigh Security

Tanium (Licensed Technology)

Tanium’s zero trust capabilities stem from its focus on asset discovery, endpoint validation, identity and access management (IAM), sensitive data monitoring, and network access control. Tanium’s solutions provide zero trust security capabilities for the identity, endpoint, network, and data categories.

Zero Trust Identity Solutions

Many zero trust implementations use identity solutions to provide continuous verification for access. Most vendors in this category typically specialize in identity verification for human users, but some tools will also have options for other categories such as applications or system services.

CyberArk Software Ltd. (SaaS, Licensed Technology)

CyberArk’s Identification-as-a-Service (IDaaS) and self-hosted identity and access management (IAM) solution provide zero trust identity security for an organization’s employees, customers, and even applications. The platform provides a host of options for single sign-on, multi-factor authentication, app gateways, password management, app secret management, privileged access management, and auditing.

Delinea (SaaS)

Known as Thycotic before it merged with Centrify, Delinia provides a zero trust SaaS enterprise password management application. Their solutions enable identity, application, and data security.

HID Global (Hardware)

HID’s Crescendo solution focuses on access control and identity management using peripheral equipment such as smart cards and USB keys as a factor that provides verification of identity. Public Key Infrastructure (PKI) security for IoT is also available.

JumpCloud (SaaS)

JumpCloud’s SaaS zero trust solution provides cloud-based monitoring and configuration for identity and endpoint security. The solution flexibly combines and integrates lightweight directory access protocol (LDAP), single-sign-on (SSO), remote authentication dial-in user service (RADIUS), certificates, and patch management to verify users and endpoint status.

Keeper Secrets (SaaS)

Keeper Secrets provides web-browser plugins, container-based installations, and SaaS features to provide password management and secure gateway functions. This tool can deliver zero trust identity and network security.

Manage Engine (Licensed Technology)

Managed Engine’s zero trust solution focuses on identity security and device control – which is a subcategory of endpoint security.

Netwrix (Licensed Technology)

Netwrix focuses on identity management and data governance software that can deliver zero trust security for the identity and data categories.

Okta (SaaS)

Okta’s SaaS solution focuses primarily on identity solutions such as single sign-on, API access management, multi-factor authentication, and identity governance for employees and business-to-business (B2B) users. However, Okta’s platform also has access gateway features that can provide some network security features as well.

Ping Identity (SaaS, Licensed Technology)

Ping’s zero trust solution can be obtained as a SaaS identity management solution (single-sign-on, multi-factor authentication, etc.) or licensed to provide identity and application security for customers and APIs. Ping also provides real-time monitoring and analytics for user risk management and API intelligence.

StrongDM (SaaS)

StrongDM delivers a network proxy that combines zero trust features for identity and network security. The network proxy is created as a combination of gateways and local clients.

Thales (Licensed Technology)

As a specialist in access management, Thales’ SafeNet Trusted Access delivers zero trust identity security options such as multi-factor authentication (MFA) and single-sign on (SSO) authentication. (Browser Extension) provides an unusual multi-factor authentication process suitable to provide identity security for zero trust implementations. TwoSense uses AI to create a model of the typical typing pattern of a user as a biometric factor to verify identity for access to company resources.

See the Best Identity and Access Management (IAM) Solutions

Zero Trust Endpoint Solutions

Even if a user, application or service has a verified identity, a zero trust process should also verify the device requesting access. Zero trust device security verifies the device is uncompromised, in good standing (updated, in compliance, has antivirus software installed, etc.), and authorized to access any of the protected resources.

BlackBerry (Licensed Technology)

BlackBerry builds off of the Cylance endpoint security product to provide endpoint detection and response (EDR), mobile threat detection (MTD), data loss prevention (DLP), and user and entity behavior analysis (UEBA). When combined with their secure web gateway, BlackBerry provides zero trust endpoint and network security.

BlackRidge Technology (Licensed Technology)

BlackRidge focuses on a niche within the zero trust endpoint security category: Industrial IoT solutions. BlackRidge provides virtual gateways for installation in cloud or local data centers as well as software that can be installed on endpoints.

Cloudflare (SaaS)

The internet giant Cloudflare makes its name providing distributed hosting services for corporate websites. However, they also offer a zero trust solution for the security categories of identity, network, and application. Cloudflare’s platform combines ZTNA, Secure Web Gateways, Private Routing to IP/Hosts, Network FaaS, HTTP/S Inspection, DNS Resolution and filters, and CASB services.

CrowdStrike (SaaS)

CrowdStrike focuses on threat detection, investigation and response to provide endpoint and data security within the zero trust framework.

Heimdal Security (Licensed Technology)

Heimdal Security delivers zero trust endpoint security that prevents the execution of malware and ransomware, prevents data leakage, and a threat intelligence platform.

Jamf / Wandera (SaaS)

Jamf’s Wandera product provides zero trust capabilities fulfilling the endpoint, network, and data categories.

Morphisec Ltd. (Licensed Software)

Morphisec’s Zero Trust Endpoint Security installs a zero-trust execution environment in the memory of managed endpoints.

RevBits (Licensed Technology)

RevBits licenses a variety of components that deliver thin-client, privileged access management, endpoint detection and response, and zero trust network access. These components deliver zero trust security technology to provide the identity, endpoint, and network categories.

Sophos (SaaS, Licensed Technology)

Sophos builds on its endpoint protection solutions to deliver zero trust capabilities in the endpoint, network, and application categories.

Trend Micro (Licensed Technology)

Trend Micro offers a suite of products that offer zero trust solutions for endpoints, networks, and applications. Trend Micro uses AI to enhance its unifying security product, Trend Micro One, which installs in the cloud and coordinates security through the other licensed solutions.

TypingDNA (SaaS)

TypingDNA uses typing patterns to provide biometric authorization that can be used to provide identity security for zero trust on specific endpoints. TypingDNA’s solution can be used to continuously protect endpoints as well as access to websites.

See our comprehensive guide to EDR tools and software

Zero Trust Network

Zero trust networks securely connect resources to specific identity and device combinations often verified by other zero trust vendors (identity or endpoint). In line with least privileged access, networks should be microsegmented so users and their devices only have access to the resources they absolutely need.

Akamai Intelligent Edge (SaaS, Service)

Akamai’s zero trust SaaS solution provides solutions for the networking, identity, and application categories. Akamai offers a fully managed security service in addition to the ZTNA SaaS and network segmentation through its recently acquired Guardicore technology.

Appaegis (SaaS)

Appaegis Access Fabric delivers zero trust network access and visibility through a browser isolation and fully-logged role-based access controls (RBAC). IT managers use a cloud management portal to control agentless app access, data access permission, and team and role-based policies.

Appgate (SaaS)

Appgate offers a Software Defined Perimeter (SDP) product that provides single packet-level authorization security, microsegmentation, and continuous verification of access. Appgate also considers user context, and device security posture to deliver the zero trust security categories of identity, endpoint, and network.

Avast Business (SaaS)

Avast Business’ Secure Private Access provides a zero trust network access alternative to VPN connections with their cloud-based solution. This solution compliments their existing and more well known antivirus solution.

Axis Security (SaaS)

Axis Security’s Atmos secure service edge (SSE) solution uses secure gateways, CASB, and DLP to deliver zero trust solutions for identity and network security.

Banyan Security (Licensed Software)

Banyan Security uses browsers and desktop applications to provide users with multi-cloud, application and service access through a least-privileged zero trust network access solution. The tool requires deployment of a Banyan Connector to corporate resources, set up through the Bayan Cloud Command Center, and accessed from the Banyan Global Edge Network.

Barracuda (Licensed Technology, Appliance)

Barracuda licenses virtual and physical appliance CloudGen firewalls to deliver zero trust network access.

Cato Networks (Licensed Technology)

Cato Networks’ SASE solution provides zero trust network access. Their solution is unusual because the billing is based upon traffic speed and throughput instead of annual, device, or per-user fees.

Citrix (Licensed Technology)

Citrix’s zero trust capabilities build off of their virtual desktop technology, which incorporates secure browser and software-defined wide area networking (SD-WAN) capabilities. In combination, Citrix can deliver zero trust network access security.

Cyolo Ltd. (SaaS, Licensed Technology)

Cyolo provides a zero trust platform that delivers zero trust network access with additional zero trust security elements for the identity and endpoint categories.

DxOdyssey (Licensed Technology)

DxOdyssey creates software defined perimeters by installing software on endpoints that connect to DxConnect gateways to implement zero trust network access – especially for internet of things (IoT) devices.

Elistity (Licensed Technology)

Elisity deploys cloud-native controls to manage existing networking equipment from Cisco, Meraki, Arista and other switch technologies. Their management platform enables granular control for identity-based microsegmentation at scale, with enhanced visibility, and without choke-points to hinder performance.

Forescout (Licensed Technology)

Forescout’s different software solutions implement zero trust by focusing on visibility of connected devices and micro segmentation of the network.

GoodAccess (SaaS)

GoodAccess delivers zero trust network access through internet gateways in 35 cities and 23 countries around the world. IT managers can easily create management profiles for different classifications of users and easily assign both users and resources to the classification to enable least-privileged access.

Iboss (SaaS)

Iboss provides a zero trust platform that replaces VPNs with a solution that delivers secure access service edge (SASE), browser isolation, cloud access security broker (CASB), and data loss protection (DLP) features. These and other features deliver zero trust security for the identity, endpoint, and network categories.

Illumio (SaaS, Licensed Technology)

Illumio’s granular micro segmentation provides zero trust network access easily managed using their intuitive interface. The role based access controls, unknown device detection, device quarantine, and user based segmentation tightly protect data, networks, and applications.

Also read: Illumio Unveils CloudSecure for Zero Trust Segmentation in the Cloud 

InstaSafe (SaaS, Licensed Technology)

InstaSafe provides hosted controllers and installable gateways to create fully encrypted channels for authentication and access to cloud and local resources. This enables zero trust security for the identity, endpoint, and network categories.

Juniper Networks (Licensed Technology, Appliance)

Juniper Networks’ appliances (physical and virtual) and software solutions deliver gateways, firewalls, and network security options to customers. Using an assortment of these tools can enable the zero trust security categories of network, applications, and visibility.

Lookout, Inc. (SaaS, Licensed Technology)

Lookout provides a host of zero trust security solutions centered around its Zero Trust Network Access. Other technologies provide cloud access security broker (CASB), mobile endpoint security, secure access service edge (SASE), and threat intelligence features to deliver endpoint, identity, and network security for zero trust architectures.

Menlo Security (SaaS)

Menlo Security’s secure web gateway, browser and email isolation, cloud access service broker (CASB), and data loss protection (DLP) solutions enable zero trust security in the identity, endpoint, and network categories.

NetFoundry (SaaS, Licensed Technology)

NetFoundry supports multiple tiers of embeddable open-source code to integrate into applications as well as cloud-hosted ZTNA routers. NetFoundry enables the very niche sub-category to provide zero trust networking access within applications themselves.

NetMotion (Licensed Technology)

NetMotion offers a zero trust network access solution that provides both software defined perimeters (SDPs) and VPN connections to cloud-based and local resources. Their solution requires customers to install the software on self-managed local or cloud-hosted servers.

Netskope (Licensed Technology)

Netskope offers zero trust network access and cloud access security broker (CASB) services that would fit in the identity and network categories for zero trust security. Their software may be installed in the cloud, on prem, or as a hybrid solution.

NordLayer (SaaS)

NordLayer builds on its successful NordVPN solution to offer a turn-key SASE and zero trust security categories for identity and networks. NordLayer offers secure gateways located in many different cities around the globe and options for dedicated servers with fixed IP addresses.

Also read: NordLayer Review: A VPN for the Zero Trust Era

OpenVPN (SaaS, Licensed Technology)

OpenVPN delivers zero trust network security through a self-hosted VPN server and a SaaS OpenVPN Cloud edge solution. OpenVPN client software can be installed on Windows, MacOS, and Linux.

Perimeter 81 (SaaS)

Perimeter 81 offers turn-key zero trust network access connections from over 40 global locations. Their simple administration interface offers quick and easy network development with granular user controls to define user groups, available applications, work days, devices suitable for connection, and more.

SecureLink (SaaS)

SecureLink provides a highly specialized third-party identity verification and access authorization to deliver zero trust network access for customers and vendors.

Tempered (SaaS, Licensed Technology)

Tempered’s Airwall solution uses an encrypted software-defined perimeter (SDP) network to provide network micro segmentation. The cloud or self-hosted technology delivers zero trust network security access.

TerraZone (SaaS)

TerraZone’s ZoneZero creates software defined perimeters that can enhance VPN services to deliver zero trust security capabilities for the identity and network categories.

Trustgrid (SaaS, Licensed Technology)

Trustgrid’s platform for application development provides zero trust network access through SaaS or docker-hosted Layer 3 Bridge technology for secure TLS tunnels. Clients use this technology to create secure development platforms or to support legacy systems.

Twingate (SaaS)

Twingate delivers a multi-step authentication process that requires deployment of endpoint applications and a docker container or native Linux service on remote networks. Twingate’s controller manages a TLS tunnel between these installed applications to provide zero trust network access.

Unisys (Licensed Technology)

Unisys’ Stealth software deploys on-premises to deliver granular zero trust network control that extends to cloud-based applications, customers, suppliers, and even to remote work employees on mobile devices. Stealth monitors devices and users and can automatically isolate any violators.

Versa Networks (Licensed Technology, Appliance)

Versa Networks offers a selection of products such as remote browser isolation (RBI), secure web gateways (SWGs), cloud access security brokers (CASBs), and zero trust network access. These appliance and software solutions deliver zero trust security solutions for the identity, endpoint, and network categories.

Zentry Sentry (Licensed Technology)

Zentry avoids VPN troubleshooting by providing zero trust network security over TLS through HTML5 browsers without any clients to download, configure or manage.

Zero Networks (Licensed Technology)

Zero Networks’ zero trust network security solutions installs as a virtual server and all traffic routed through that server can be delivered to micro segmented network components specific to that user and application combination.

Zscaler (SaaS)

Zscaler delivers a cloud-based zero trust network access solution by routing all traffic through its cloud filters for authorization, inspection, and control.

Zero Trust Data and Application Solutions

Even for authorized users, on authorized devices, and connecting through authorized networks the resource itself needs to differentiate between levels of access. For example, a shared server will use data security to segregate folders or categories of data.

Similarly, an application itself will require zero trust security that defines the levels of access available to the application. Vendors in this category focus on application security and securing the resources themselves.

ColorTokens (SaaS)

ColorTokens’ Xtended ZeroTrust SaaS platform integrates features to provide the endpoint, network, and application categories.

Proofpoint (Licensed Technology, Service)

Proofpoint offers cloud and data-center based security products that deliver zero trust data security solutions focused on email, cloud applications, and data center data. The various components can be integrated to also deliver specialized zero trust category solutions for identity, network, and application security.

TrueFort (SaaS)

TrueFort’s cloud-based platform focuses on zero trust microsegmentation of applications and workloads as well as file integrity monitoring. In combination, these features conform to the zero trust data, network, and application categories.


Rubrik provides cloud-based data protection and backups that focus on delivering zero trust data protection.

Tigera (SaaS, Service)

Tigera builds on the open-source Project Calico to provide zero trust application security based upon micro segmentation and container security.

Varonis (Licensed Technology)

Varonis’ focus on data auditing, classification, and threat detection can provide zero trust data security for local and cloud resources.

Virsec (Licensed Technology)

Virsec’s technology can be installed on-prem or in the cloud to provide real-time zero trust security for applications.

For more on Virsec, see Application Security is Key to Stopping Ransomware, Vendor Says

Zero Trust Visibility, Automation, Logging and Record Keeping

Most tools integrate some form of visibility, automation, logging or record keeping into their various functions. However, this can often require an organization to consolidate the various results for centralized control and analysis.

The following tools specialize in one or more of these categories to provide a more unified zero trust capability to integrate with other zero trust solutions.

ExtraHop (SaaS)

ExtraHop’s Reveal(x) 360 platform delivers cloud-based network detection and response (NDR) and situational intelligence. This platform and related tools provide zero trust visibility capabilities.

Firemon (Licensed Technology)

Firemon’s cloud-based products coordinate policy management, automation and enforcement by integrating with existing and future devices in the enterprise infrastructure. Firemon’s network discovery tools deliver the zero trust category of visibility and the policy tools can help unify other zero trust capable tools.

What Are Zero Trust Buying Considerations?

There are hundreds of existing and newly released zero trust tools, but many vendors make it difficult to understand their full capabilities, business models, or pricing, often making it difficult for buyers to assess a product’s.

A lot of time and effort went into making this list an accurate reference, but we know it will be incomplete, incorrect, or out-of-date the moment it becomes published. Change is simply too frequent in the marketplace.

Potential buyers should select a range of candidate vendors to evaluate and expect their offerings to change every few months. When reading user and product reviews, vendors must keep in mind that the perfect tool for one organization may be useless to another unless they share the same use case, infrastructure, and internal capabilities.

Also, while some vendors will claim to deliver specific features, not all features will be of the same quality. It is impossible to test all of these tools, so any organization interested in zero trust will need to create a list of must-have, should-have, and nice-to-have features and evaluate candidate technologies thoroughly.

The creators of the zero trust framework consider it to be a process towards ever-improving security and risk management maturity. Whether or not an organization decides to fully implement zero trust, the concept provides a useful framework to evaluate security in a modern IT environment.

Organizations can begin by selecting vendors they already trust and improve security by enhancing existing technology in a manner consistent and compatible with existing processes. Other organizations may elect to completely replace their existing technology stack and start fresh using new vendors.

There is no right way to implement zero trust or IT security. There is only a wrong way: to never mature, never seek to improve, and never check for vulnerabilities.

Read next: Zero Trust: Hype vs. Reality

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.

Chad Kime Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis