One of the main weaknesses of the traditional approach to security is that it assumes that everything inside an organization’s network can be trusted. One implication of this assumption is that it keeps us blind to threats that get inside the network, which are then left to freely roam and attack the network wherever they choose.
To overcome this deficiency, organizations must adopt a new approach to protect the modern network infrastructure and a fluid network perimeter that extends to the cloud and to an increasing number of mobile or dispersed users. This approach is the zero trust security model; applied to remote access, it is usually called zero trust network access (ZTNA).
Here is our list of the best Zero Trust Networking Software:
- Perimeter 81 Zero Trust Platform EDITOR’S CHOICE A choice of three access control platforms that deal with web applications, networks, and cloud services. This access rights system is delivered from the cloud and also bundles VPN connectivity.
- Twingate ZTNA Software (FREE TRIAL) A cloud-based perimeter service that manages all access processes for on-premises and cloud-based resources.
- MobileIron Zero Trust Platform A unified endpoint management service with strong mobile device access controls.
- Illumio Zero Trust Platform A choice of network-focused or endpoint-focused access rights management strategies.
- Appgate ZTNA Strong VPN-style access protection aimed at businesses with distributed teams.
- Cisco Zero Trust Platform Security controls that follow users across devices, plus access rights management for resources and connections.
- NetMotion ZTNA A combination of access control technologies available for on-premises or cloud installation or as a hosted service.
What is Zero Trust Network Access (ZTNA)?
Zero Trust Network Access (ZTNA) is a shift in approach to security whereby access is denied unless it is explicitly granted and the right to have access is continuously verified.
The idea behind zero trust is that devices and users should not be trusted by default, even if they are connected to the corporate network or have been verified before.
The zero trust approach checks the identity and integrity of devices irrespective of location and grants access to applications and services based on confidence in device identity and device health combined with user authentication. ZTNA reduces insider threat risk by always verifying users and validating devices before granting access to sensitive resources. For outside users, services are hidden from the public internet, protecting them from attackers, and access is provided only after approval from a trust broker. According to Gartner, by 2022 80% of new digital business applications will be accessed via ZTNA.
Most ZTNA solutions are implemented as a Software-Defined Perimeter (SDP). An SDP makes services unreachable by hosts that have not authenticated, so an attacker who gains a foothold on the network cannot even see most of what is running on it. The zero trust network framework comprises the following key components:
- Visibility: This gives security teams deeper network visibility and lets them track data and devices through their lifecycle.
- Micro-segmentation: With micro-segmentation, organizations limit internal access to networks and assets to only those that need to reach them. This reduces the total attack surface of the network; in effect, the perimeter moves to each workload.
- Least privileged access: The principle of least privilege grants users access only to the resources and applications they need to do their job.
- Monitoring: Risk and trust are re-assessed continuously, often with machine learning, so that access granted a moment ago can be withdrawn when the user or device posture changes.
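The default-deny, continuously verified decision these components describe, shown as an added example (not code from the original page or from any vendor named in it): a trust broker re-checks group membership, MFA freshness and device health against a per-resource policy on every request, and a resource with no policy is unreachable. The resource names, policy values, and sample users and devices are constructed for illustration.

```python
"""Default-deny access decision for a zero trust broker.

Constructed illustration, not any vendor's code: every request re-checks
user identity, device posture and freshness against the policy for the
requested resource. Nothing is trusted because of network location or
because an earlier request was approved.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    mfa_verified_at: Optional[datetime]     # last completed MFA challenge


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                           # enrolled in the device inventory
    disk_encrypted: bool
    os_patch_age_days: int
    posture_checked_at: Optional[datetime]  # last health report from the agent


@dataclass(frozen=True)
class Policy:
    allowed_groups: FrozenSet[str]
    max_mfa_age: timedelta
    max_patch_age_days: int
    max_posture_age: timedelta


# Constructed policy set. A resource with no entry is never reachable.
POLICIES: Dict[str, Policy] = {
    "git.internal": Policy(frozenset({"engineering"}), timedelta(hours=12), 30, timedelta(minutes=15)),
    "payroll.internal": Policy(frozenset({"finance"}), timedelta(hours=1), 14, timedelta(minutes=5)),
}


def decide(user: User, device: Device, resource: str, now: datetime,
           policies: Dict[str, Policy] = POLICIES) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed check is recorded so the
    denial can be logged and explained; access needs zero failures."""
    policy = policies.get(resource)
    if policy is None:
        return False, [f"no policy for {resource}: default deny"]
    reasons: List[str] = []
    if not (user.groups & policy.allowed_groups):
        reasons.append("user is not in an allowed group")
    if user.mfa_verified_at is None or now - user.mfa_verified_at > policy.max_mfa_age:
        reasons.append("MFA missing or older than policy allows")
    if not device.managed:
        reasons.append("device is not managed")
    if not device.disk_encrypted:
        reasons.append("disk encryption is off")
    if device.os_patch_age_days > policy.max_patch_age_days:
        reasons.append("OS patch level too old")
    if device.posture_checked_at is None or now - device.posture_checked_at > policy.max_posture_age:
        reasons.append("device posture report is stale")
    return (not reasons), reasons


# Constructed sample requests, all evaluated at one fixed instant.
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
ALICE = User("alice", frozenset({"engineering"}), NOW - timedelta(hours=1))
HEALTHY = Device("lap-01", True, True, 5, NOW - timedelta(minutes=2))
STALE = Device("lap-01", True, True, 5, NOW - timedelta(minutes=20))
UNMANAGED = Device("byod-7", False, True, 90, NOW - timedelta(minutes=1))


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    return {
        "alice->git, healthy device": decide(ALICE, HEALTHY, "git.internal", NOW),
        "alice->git, stale posture": decide(ALICE, STALE, "git.internal", NOW),
        "alice->payroll, healthy device": decide(ALICE, HEALTHY, "payroll.internal", NOW),
        "alice->git, unmanaged device": decide(ALICE, UNMANAGED, "git.internal", NOW),
        "alice->wiki (no policy)": decide(ALICE, HEALTHY, "wiki.internal", NOW),
    }


if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}" + (f"  [{'; '.join(why)}]" if why else ""))
```

The same device that is allowed into git.internal is refused a minute later once its posture report ages past the policy limit: the decision is a property of the request, not of the session.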
The best Zero Trust Networking Software
With the right ZTNA solution, organizations can ensure proper user context through authentication and attribute verification before allowing access to network resources at a fraction of the cost, complexity, and security risk of the traditional approach. In this article, we’re going to review the seven best ZTNA solutions in the market. Hopefully, this will guide you in the process of choosing the right solution for your business.
Perimeter 81 is on a mission to transform traditional network security technology with one unified Zero Trust Network as a Service. Perimeter 81’s zero trust solution is offered via the following platforms:
- Zero Trust Application Access Helps to ensure zero trust access to web applications and remote network access protocols such as SSH, RDP, VNC or Telnet, through IPSec tunnels – without an agent.
- Zero Trust Network Access Helps to ensure zero trust access to on-premises and cloud resources with one unified cloud platform.
- Software-Defined Perimeter Helps organizations conceal internal network resources and assets from external entities, whether it is hosted on-premises or in the cloud.
The Perimeter 81 zero trust platform is a scalable, hardware-free solution that gives organizations secure access to their network infrastructure and digital assets, local and cloud, from endpoint to data center to cloud. It offers network visibility, resource access segmentation, and integration with the major cloud providers. The solution is ideal for SMBs, especially those looking for a modern alternative to a traditional corporate VPN.
Some of the key features and capabilities of Perimeter 81 zero trust solution include:
- Integration with identity providers and directory services (SAML-based IdPs, LDAP, Active Directory) and device biometrics such as Touch ID
- Option to deploy private servers on your premises, in a remote location, or in the cloud, allowing you to restrict access to specific resources
- Central cloud management with single-click apps for major platforms
- Two-factor authentication, automatic WiFi protection, and kill switch
- Multi-Regional Deployment with 700 servers in 36 countries
- Site-to-site interconnectivity and policy-based segmentation
- Network auditing & monitoring
- Split Tunneling
The onboarding process is smooth and issue-free. When you sign up with Perimeter 81, you get a full management platform where you can build, manage, and secure your network. To get started, sign up, invite your team, install the client apps, and create user groups. From the Downloads section of the platform you can download the client app for your preferred platform and follow the wizard to complete the installation. You can give network access to as many team members as you need, assign them to specific groups, and add or remove user permissions with a single click.
Perimeter 81 offers flexible payment plans billed yearly or monthly. All plans are commitment-free and come with a 30-day money-back guarantee. The subscription tiers and their costs are summarized below.
Cost (billed annually), each plan with its own minimum number of users:
- $8 per user/month per gateway
- $12 per user/month per gateway
- Custom: + $40/month per gateway
Perimeter 81 Zero Trust Platform is our number one choice for zero trust networking software because it offers a great deal of deployment flexibility. Web applications are protected through Zero Trust Application Access, network and business resources through Zero Trust Network Access, and the Software-Defined Perimeter offering gives a third deployment option. Perimeter 81 also offers a traditional VPN service. It is a subscription service and comes with a 30-day money-back guarantee.
Get Demo: perimeter81.com/demo
Twingate enables organizations to implement a modern zero trust network without changing existing infrastructure and to centrally manage user access to company digital assets, whether on-premises or in the cloud. Twingate’s ZTNA is offered as an SDP service positioned as an alternative to a traditional VPN. It is delivered as a cloud-based service and delegates user authentication to a third-party Identity Provider (IdP).
No special technical knowledge is required from end-users other than to download and install the SDP client application and authenticate with an existing identity provider. The controller handles the rest, negotiating encrypted connections between clients and resources. Once everything is confirmed, users are routed to the appropriate resources.
A key feature of the Twingate ZTNA solution is that authorization for user access is always confirmed with a second or third component depending on the sensitivity of the decision being authorized. No single component can independently make a decision to allow traffic to flow to another component or resource in your remote networks. Other Twingate features and capabilities include:
- No hardware and application changes are necessary to deploy nodes
- Scalable controller with over 580 points of access worldwide
- One-click user/third-party onboarding and offboarding
- Support for role-based and attribute-based access control
- Comprehensive audits of employee activities and actions
- Client agents can be set up by users without IT support
- Supports least-privilege access and split tunneling
The Twingate zero trust architecture relies on four components: Controller, Clients, Connectors, and Relays. These components work in tandem to ensure that only authenticated users gain access to the resources they have been authorized to access. It is offered in four price plans, shown below, and a 14-day free trial is available:
Cost (billed annually):
- Individuals or very small teams: $5 / user / month
- Smaller teams that need to replace a VPN for remote access: $10 / user / month
- Larger teams that need more advanced access controls
- Companies that need comprehensive access controls, detailed auditing, and deployment automation
MobileIron provides a mobile-centric, zero trust platform and unified endpoint management of mobile devices such as smartphones and tablet computers in an enterprise environment, as well as zero trust mobile access to enterprise data across the perimeter-less enterprise. MobileIron’s zero trust approach is focused on applying zero trust and ZTX concepts to enterprise users’ mobile devices. MobileIron is ranked as a Leader in The Forrester Wave Zero Trust eXtended Ecosystem Platform Providers, Q3 2020 report. It earned high scores in the ZTX roadmap and differentiation, workload security, people/workforce security, and APIs.
MobileIron’s mobile-centric zero trust solution is offered via the following platforms:
- Unified Endpoint Management (UEM) Helps organizations to secure corporate or employee-owned mobile devices connecting to the enterprise while managing the entire lifecycle of the device. The zero trust approach ensures that only authorized users, devices, apps, and services can access business resources.
- MobileIron Zero Sign-On Provides conditional access through Single Sign-On (SSO) and Multi-Factor Authentication (MFA). The zero trust approach ensures that only authorized users and devices can access and share corporate data, from any device to any service.
- MobileIron Threat Defense Provides zero trust security using built-in threat detection and remediation across devices, apps, and networks — without the need for Internet connectivity.
These mobile-centric zero trust platforms are available as on-premises or cloud deployment options. A 30-day free trial of any of the above platforms is available. As more businesses implement BYOD policies and the perimeter-less model of work, MobileIron’s mobile-centric zero trust approach to security tackles the security challenges posed by these modern fluid network infrastructures and their growing number of dispersed users.
Illumio delivers zero trust micro-segmentation from endpoints to data centers to the cloud to halt cyber-attacks and the spread of ransomware. You can also use Illumio’s zero trust platform to protect against lateral movements across devices, applications, workloads, servers, and other infrastructure.
Illumio is ranked as a Leader in the Forrester Wave Zero Trust eXtended (ZTX) Ecosystem Platform Providers, Q3 2020 report. Illumio received high scores in most of the evaluation criteria, including ‘Future State of Zero Trust infrastructure’, which assessed vendors on their ability to enable zero trust for remote workforces and distributed environments. Illumio zero trust solution is offered via the following platforms:
- Illumio Core (formerly known as Illumio ASP) delivers visibility and segmentation for workloads and containers in data centers, private clouds, and all public cloud environments.
- Illumio Edge brings zero trust to the endpoint and helps prevent the peer-to-peer spread of ransomware and other malware
With capabilities that span micro-segmentation, network visibility, encryption, and vulnerability management, Illumio’s zero trust platform provides opportunities for organizations to embrace and implement zero trust strategies. Pricing details can be obtained by directly contacting the vendor. However, the vendor provides a means to obtain a total cost of ownership (TCO) estimate for Illumio Core to help you build a business case for the elimination of unnecessary hardware in your data center. There is also a 30-day free trial available.
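Label-based micro-segmentation as described here and in the framework section above, shown as an added example that is not the original page’s or Illumio’s code: a policy written in terms of workload labels (role and environment) is compiled into per-workload inbound allow-lists, observed flows are classified against it, and one host’s allow-list is rendered as iptables commands with a default drop. The inventory, rules, and flow records are constructed for illustration; the peer-to-peer and cross-environment flows are the lateral movement the policy is meant to stop.

```python
"""Label-based micro-segmentation: compile an allow-list policy into
per-workload inbound rules and classify observed flows against it.

Constructed illustration, not any vendor's engine. Workloads carry labels
and the policy is written against labels rather than IP addresses, so it
follows a workload wherever it runs. Anything not explicitly allowed is
blocked, which is what stops lateral movement between peers.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    role: str  # e.g. web, app, db
    env: str   # e.g. prod, dev


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    proto: str
    port: int
    same_env_only: bool = True


# Constructed inventory and policy: web tier may reach app tier on 8080,
# app tier may reach the database on 5432, nothing else is permitted.
WORKLOADS = [
    Workload("web-1", "10.0.1.10", "web", "prod"),
    Workload("web-2", "10.0.1.11", "web", "prod"),
    Workload("app-1", "10.0.2.10", "app", "prod"),
    Workload("db-1", "10.0.3.10", "db", "prod"),
    Workload("app-dev", "10.0.9.10", "app", "dev"),
]
RULES = [Rule("web", "app", "tcp", 8080), Rule("app", "db", "tcp", 5432)]

Flow = Tuple[str, str, str, int]          # (src_ip, dst_ip, proto, dst_port)
AllowMap = Dict[str, Set[Tuple[str, str, int]]]  # dst_ip -> {(src_ip, proto, port)}


def compile_policy(workloads: List[Workload], rules: List[Rule]) -> AllowMap:
    """Resolve label rules into concrete per-destination allow-lists.
    A destination missing from the map, or a tuple missing from its set,
    is denied."""
    allow: AllowMap = {w.ip: set() for w in workloads}
    for rule in rules:
        for dst in workloads:
            if dst.role != rule.dst_role:
                continue
            for src in workloads:
                if src.role != rule.src_role or src is dst:
                    continue
                if rule.same_env_only and src.env != dst.env:
                    continue
                allow[dst.ip].add((src.ip, rule.proto, rule.port))
    return allow


def classify(flow: Flow, allow: AllowMap) -> str:
    src, dst, proto, port = flow
    return "allow" if (src, proto, port) in allow.get(dst, set()) else "block"


def host_firewall(dst: Workload, allow: AllowMap) -> List[str]:
    """Render one workload's inbound allow-list as iptables commands with a
    default drop. Replies to the workload's own outbound connections are
    admitted through conntrack."""
    lines = ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    lines += [f"iptables -A INPUT -p {proto} -s {src} --dport {port} -j ACCEPT"
              for src, proto, port in sorted(allow[dst.ip])]
    lines.append("iptables -P INPUT DROP")
    return lines


# Constructed flow records as a host agent might report them.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.1.10", "10.0.2.10", "tcp", 8080),  # web-1 -> app-1: allowed
    ("10.0.2.10", "10.0.3.10", "tcp", 5432),  # app-1 -> db-1: allowed
    ("10.0.1.10", "10.0.3.10", "tcp", 5432),  # web-1 -> db-1: web tier skipping a hop
    ("10.0.1.10", "10.0.1.11", "tcp", 445),   # web-1 -> web-2: peer-to-peer spread
    ("10.0.9.10", "10.0.3.10", "tcp", 5432),  # app-dev -> prod db: cross-environment
]


def audit(flows: List[Flow] = SAMPLE_FLOWS, workloads: List[Workload] = WORKLOADS,
          rules: List[Rule] = RULES) -> List[Tuple[Flow, str]]:
    allow = compile_policy(workloads, rules)
    return [(f, classify(f, allow)) for f in flows]


if __name__ == "__main__":
    for flow, verdict in audit():
        print(f"{verdict:5} {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}")
    print("\n".join(host_firewall(WORKLOADS[3], compile_policy(WORKLOADS, RULES))))
```

Running the audit in "report only" mode against real flow data before enforcing is the usual first step: every "block" line is either an attack path closed or a legitimate dependency the policy forgot, and both need a human decision.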
The Appgate ZTNA solution is offered as a software-defined perimeter, VPN alternative, and secure third-party and DevOps access based on zero trust principles, built to support hybrid IT and a distributed workforce. It is infrastructure agnostic and can be deployed in all environments: on-premises, multi-cloud (AWS, Azure, GCP), virtualized and containerized environments, and legacy networks and infrastructure. Appgate was named a leader in the Forrester Zero Trust Wave 2020 report. The entire Appgate ZTNA solution is designed to be distributed and highly available, and it can be deployed in physical, cloud, or virtual environments. The Appgate platform integrates with third-party components such as IdPs, LDAP, MFA, and SIEM, among others.
With Appgate ZTNA solution, access can be controlled from any location and to any enterprise resource with centralized policy management for servers, desktops, mobile devices, and cloud infrastructure among others. The Appgate ZTNA platform consists of three main components:
- Controller The controller manages user authentication and applies access policies assigned to users based on user attributes, roles, and context. It then issues entitlement tokens listing the resources the user is permitted to access.
- Client The Appgate client is software that runs on user devices and connects with Appgate appliances to receive site-based entitlement tokens after successful authentication.
- Gateway The gateway evaluates user entitlements and opens connections to resources accordingly.
Some of the key Appgate ZTNA features and capabilities include:
- Concurrent access Users gain access to all entitled resources across heterogeneous environments without VPN switching
- Integration support Includes a bi-directional API interface to support third-party integrations
- Invisibility Single Packet Authorization (SPA) makes your infrastructure invisible
- Dynamic policy resolution User policies remain in-sync with infrastructure
- Off-network users Users connect from outside the protected network rather than being placed on it
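The “invisibility” feature above rests on Single Packet Authorization, a technique that predates Appgate (the open-source fwknop project is its best-known implementation). As an added example, not Appgate’s protocol or code: a client sends one UDP datagram carrying a timestamp, a random nonce and the requested port, authenticated with HMAC-SHA256 over those fields plus the source address; the gateway verifies the tag before parsing anything, rejects stale and replayed packets, and only then opens the firewall for that client and port for a short time. An unauthenticated sender receives no reply at all, so a port scan sees nothing. The shared key, addresses and packet layout are constructed for illustration.

```python
"""Single Packet Authorization (SPA) sketch: service ports stay closed
until a client proves knowledge of a shared key with one authenticated
datagram, after which the firewall opens for that client only, briefly.

Constructed illustration, not Appgate's protocol. Packet layout:
  timestamp(8) || nonce(16) || port(2) || HMAC-SHA256 tag(32)
The tag covers the header plus the source IP the gateway observes, so a
captured packet cannot be replayed from another host.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Set, Tuple

HEADER = struct.Struct("!Q16sH")   # timestamp, nonce, requested port
TAG_LEN = 32
WINDOW_SECONDS = 30                # tolerated clock skew / packet age
OPEN_SECONDS = 60                  # how long the firewall hole stays open

Rule = Tuple[str, int, int]        # (client_ip, port, expires_at)


def _tag(key: bytes, header: bytes, client_ip: str) -> bytes:
    return hmac.new(key, header + client_ip.encode(), hashlib.sha256).digest()


def build_spa_packet(key: bytes, client_ip: str, port: int, now: int,
                     nonce: Optional[bytes] = None) -> bytes:
    """Client side: one datagram asking for `port` to be opened."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    header = HEADER.pack(now, nonce, port)
    return header + _tag(key, header, client_ip)


class SpaGateway:
    """Gateway side: verifies SPA packets and tracks opened rules."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seen_nonces: Dict[bytes, int] = {}   # nonce -> timestamp
        self.open_rules: Set[Rule] = set()

    def authorize(self, packet: bytes, src_ip: str, now: int) -> Optional[Rule]:
        """Return the firewall rule to install, or None. Callers drop the
        packet silently on None; nothing is ever sent back to a sender
        who has not authenticated, which is what keeps the port invisible."""
        if len(packet) != HEADER.size + TAG_LEN:
            return None
        header, tag = packet[:HEADER.size], packet[HEADER.size:]
        # Authenticate before parsing: untrusted bytes never reach unpack().
        if not hmac.compare_digest(tag, _tag(self.key, header, src_ip)):
            return None            # wrong key, tampered fields or spoofed source
        ts, nonce, port = HEADER.unpack(header)
        if abs(now - ts) > WINDOW_SECONDS:
            return None            # stale packet or excessive clock skew
        self._expire(now)
        if nonce in self.seen_nonces:
            return None            # replay inside the window
        self.seen_nonces[nonce] = ts
        rule: Rule = (src_ip, port, now + OPEN_SECONDS)
        self.open_rules.add(rule)
        return rule

    def _expire(self, now: int) -> None:
        # Nonces older than the window would fail the timestamp check anyway,
        # so the replay cache never grows beyond one window's worth of traffic.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= WINDOW_SECONDS}
        self.open_rules = {r for r in self.open_rules if r[2] > now}


if __name__ == "__main__":
    key = b"constructed-shared-secret"            # constructed for the example
    gw = SpaGateway(key)
    pkt = build_spa_packet(key, "203.0.113.5", 22, 1_700_000_000)
    print("first packet :", gw.authorize(pkt, "203.0.113.5", 1_700_000_000))
    print("replayed     :", gw.authorize(pkt, "203.0.113.5", 1_700_000_001))
    print("other source :", gw.authorize(pkt, "198.51.100.9", 1_700_000_000))
```

Real SPA implementations also encrypt the payload so an observer learns nothing about which port was requested, and they install the rule in the host firewall rather than in a Python set; the verification order (length, MAC, freshness, replay, then act) is the part worth keeping.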
Cisco zero trust solution helps organizations secure access across their applications and environment, from any user, device, and location. This allows organizations to:
- Get detailed logs, reports, and alerts to assist in the detection and response efforts
- Gain visibility into users, devices, and components across the environment
- Mitigate, detect, and respond to risks across the environment
- Consistently enforce policy-based controls
Cisco is ranked as a Leader in the Forrester Wave Zero Trust eXtended (ZTX) Ecosystem Platform Providers, Q3 2020 report. The Cisco zero trust approach is broken down into three pillars: workforce, workload, and workplace.
Zero Trust for the workforce: This pillar ensures that only the right users, on devices that meet security requirements, can access applications and systems, regardless of location. It is implemented via the Cisco Duo platform, which shields applications from compromised credentials and devices. Duo’s workforce products, Duo MFA, Duo Access, and Duo Beyond, help organizations meet industry compliance requirements using the zero trust approach. A free version called Duo Free, a 30-day free trial, and several subscription plans with associated costs and features are available.
Zero Trust for workloads: This pillar focuses on securing all connections and preventing unauthorized access within application environments across multi-cloud deployments, irrespective of where they are hosted. It is implemented via the Cisco Tetration platform, which provides micro-segmentation and cloud workload protection. It can be deployed on-premises (physical or virtual) or as a SaaS application.
Zero Trust for the workplace: This pillar focuses on securing access by all users and devices (including IoT) to the enterprise network. It is offered via the Cisco Software Defined Access (SDA) platform.
Cisco SDA is a software-defined access solution that lets organizations bring together users, applications, and devices and apply the right policies to each to secure the network. It aims to make enterprise networks more software-driven and simpler to manage. The solution is targeted at medium to large enterprises looking to solve the following business IT challenges:
- Network segmentation without the need for MPLS network
- Flexible LAN or host mobility without additional VLANs
- Role-based access control without end-to-end TrustSec
- Common policy for wired and wireless without using multiple tools
- Consistency across WAN, cloud infrastructures, branch offices, and campuses without using multiple tools
The core components that make up the SDA solution are Cisco DNA Center (the Cisco DNA software that powers the controller appliance, including the dashboard), Cisco ISE (which enforces zero trust network access), and the wired/wireless network infrastructure (routers, switches, and access points). SDA offers multi-vendor support and an API for integration with network equipment from other vendors. As with most Cisco products, the setup process can be complex and usually requires the services of a Cisco expert.
The NetMotion zero trust solution combines ZTNA, SDP, and enterprise VPN solutions to provide organizations secure access to their digital assets and resources. It can be deployed on-premises, or in the cloud (public, private, and hybrid). The easiest way to take advantage of the NetMotion platform is to implement it as a service.
The NetMotion client installed on user devices acts as the controller, gathering real-time data about the host device, applications, and network connections, and analyzing the context of every user request for resources. That data builds a risk profile for each request, which determines whether the user can access the resource in the immediate context. The NetMotion gateway, which can be installed on-premises or in the cloud, fronts all company resources. If the controller approves a user’s access to a resource, traffic is routed through this gateway to the requested destination. Some of the key features and capabilities of the NetMotion zero trust platform include:
- Combines ZTNA, SDP, and enterprise VPN in a single platform
- A single agent and console to manage remote devices, analyze data, and apply policy
- Dynamic web filtering and enforcement of access policies on a contextual basis
- Flexible deployment options, including cloud, hosted or on-premises
- Security reputation information on websites and applications
- Real-time risk assessments of every access request
NetMotion licenses are available in two subscription options:
- The Complete subscription This option grants customers access to the entire range of functionality – ZTNA, SDP, VPN, experience monitoring, and others.
- The Core subscription: This option grants customers access to a limited range of functionality.
A 30-day free trial is available on request.
Choosing the right ZTNA solution for your business
While ZTNA has many use cases, most organizations adopt it for access to hybrid and multi-cloud services, as an alternative to a VPN, and as a way to eliminate over-privileged access to resources.
Like most network security solutions, not all zero trust solutions are created equal. What fits perfectly from a price, feature, and functionality standpoint for one organization may not fit for another. Factors to weigh include:
- What deployment model best suits your environment: cloud or on-premises?
- Does the deployment model meet your organization’s security and data residency requirements?
- Does the ZTNA solution require an endpoint agent to be installed?
- Does the trust broker integrate with your existing identity provider?
- Is vendor support available in your region, and to what extent?
- How geographically diverse are the vendor’s edge locations worldwide?
- What is the total cost of ownership?
These solutions can be deployed as on-premises or standalone service, cloud service, or as a hybrid service, combining cloud and stand-alone offerings. If you find any of these solutions useful, or indeed other solutions, let us know in the comments.