Locking it down: Top 10 zero trust vendors deployed by UK IT teams


The zero trust approach to cybersecurity leapt up the agenda when the pandemic hit. Here's an overview of some of the key industry players.

Zero trust is an architecture- and governance-led approach to security rather than a product or plug-in solution. It requires strategic planning and involves numerous technologies, including network access control (NAC), identity and access management (IAM) and privileged access management (PAM). Machine learning is another component that's growing in importance, as the zero trust approach needs to be adaptive if a seamless UX is to be delivered. Solutions must also be able to span multiple environments, including public and private clouds, data centres and edge devices, which is vital when securing working from home.

In a recent Computing Delta survey of UK IT leaders, Cisco came top in terms of vendors respondents had deployed or planned to deploy for zero trust networking. Given that Cisco is perhaps the best-known supplier of networking infrastructure and software, this is not a surprising result. Cisco also claims to offer a comprehensive package of interlocking solutions, although some depend on its hardware.

Other organisations such as Okta focus on one or two pieces of the puzzle, relying on integrations and APIs to connect with the others.


What follows is a quick look at the top 11 choices of our respondents (11 because Ivanti Pulse and CyberArk polled equally).


Base: 205 UK IT professionals who said they have or will be implementing zero trust networking solutions.

Cisco

Silicon Valley veteran Cisco manufactures networking hardware and software, with its products in the zero trust category encompassing both. Cisco divides its solutions according to the item being secured: workloads, workforce or workplace.

Cisco Secure Workload (formerly Tetration) secures connections between applications and services and APIs, and includes micro-segmentation capabilities to limit the effect of any breach by blocking lateral movement.

The workforce category is covered by Duo Security, which includes multi-factor authentication (MFA), application access policy enforcement, device trustworthiness enforcement and email protections. There is a free version for up to 10 users, after which it costs $3 per user per month.

Meanwhile, workplace protections are afforded by SD-Access (Software-Defined Access), which "automates user and device policy for any application across the wireless and wired network via a single network fabric", although there are hardware compatibility requirements.

SD-Access is part of Cisco's DNA network virtualisation and management software. Cisco DNA software is available in three subscription tiers: Cisco DNA Essentials, Cisco DNA Advantage, and Cisco DNA Premier. SD-Access requires Advantage plus a separate ISE licence or a Premier subscription.

Palo Alto Networks

Palo Alto Networks began life as a vendor of advanced network firewalls and security solutions, later expanding to endpoint protection, threat intelligence, analytics and SASE (secure access service edge).

The company's zero trust networking software revolves around Prisma Access, a cloud-based SASE solution that links and controls access to endpoints, including sites, cloud resources and IoT devices, by connecting them directly to the security edge rather than to the corporate network. It allows admins to apply policies across the range of devices from a single console.

Features include App-ID, which offers in-depth visibility of all applications on the network; User-ID, which performs a similar task for users; threat prevention and threat intelligence; filtering; and predictive analytics and automation.

Prisma Access integrates with the company's Panorama network security control centre and with many third-party services via APIs.

The company does not make its pricing public.

Fortinet

Fortinet is another Silicon Valley company that started by manufacturing firewalls and has since branched out into security software, services and training, and software-defined infrastructure, combining its products into a 'Security Fabric'.

Fortinet Zero Trust Access covers IoT and endpoint devices, continuously verifying who and what is using them and providing visibility to IT teams. Its hardware and software offerings plug into the Security Fabric and are categorised as client, network, SASE and authentication.

FortiClient is an agent-based endpoint protection and secure remote access solution that ensures that all components of Security Fabric (gateways, switches, etc.) have a unified view of all endpoints, so they can be monitored and web, application and other policies applied.

FortiSASE is a cloud-based secure virtual networking solution that offers secure private access to applications hosted on-premises or as SaaS. It also integrates with IAM services such as Okta and Azure AD.

FortiToken is a small, physical one-time password generator for securely authenticating remote users, while FortiAuthenticator is a user identity management and single sign-on appliance.

The company does not make its pricing public.

Citrix

Desktop and application virtualisation vendor Citrix provides a "range of solutions to help organisations at every stage of the zero trust journey", which combine, the company says, to create a holistic zero trust architecture.

They include Citrix DaaS (desktop-as-a-service), which includes access policies that adapt to user behaviours and risk scores. Prices range from US$10 to US$23 per user per month.

Citrix Secure Private Access is a cloud-based service that protects access to apps and data from managed, unmanaged and mobile devices to secure hybrid working. It has features for adaptive authentication, such as device posture checks, user location, user role and risk score.

Citrix Analytics for Security tracks user activity to create real-time alerts and individual risk scores, which are then used by Secure Private Access and other systems in the automatic granting or restriction of access to certain applications or data on the principles of least privilege.

And Citrix Web App and API Protection is a SaaS solution providing layered protection against known and zero-day application attacks.


Okta

Rather than offering an end-to-end solution, SaaS IAM firm Okta looks after the identity, authentication and authorisation elements of the zero trust equation.

In 2020, Okta joined Proofpoint, CrowdStrike and Netskope to create the Spectra Alliance with the aim of easing the transition to zero trust as organisations rushed to support WFH.

Like Citrix, Okta presents zero trust as a journey, and posits a maturity model that goes from Active Directory on-premises and different passwords for each application to risk-based access profiles, adaptive authentication and authorisation and passwordless access.

Universal Directory is a directory service for all of an organisation's users, groups and devices, with integrations with many popular HR and productivity tools.

Okta's Identity Cloud has integrations to more than 7,000 services and applications, and allows organisations to manage access according to an individual's role, their location, what device they are using, and so on. It handles SSO and MFA, and covers the entire employee lifecycle from joining to changing roles to leaving.

Meanwhile, Okta ThreatInsight maintains a constantly evolving list of suspicious IP addresses, logins from which can be blocked or restricted.

Adaptive functionality, which is a key feature of zero trust architectures, comes at an increased price. For example, standard SSO is US$2 per user per month, while adaptive SSO costs US$5; standard MFA comes in at US$3 while adaptive MFA will set you back US$6.

Cloudflare

Cloudflare is best known for its content delivery network (CDN) and DDoS prevention services, but since 2020 it has also offered zero trust access and authentication tools as part of its Zero Trust Platform.

Cloudflare Access enforces zero trust rules for users accessing any application, in any on-premises private network, public cloud or SaaS environment.

Organisations can also route internet traffic through Cloudflare Gateway, a secure web gateway (SWG) that filters out malware and other attack vectors with traffic inspection to help build rules.

The company offers a Browser Isolation service in which a sandboxed browser runs in the cloud away from networks and endpoints, meaning that any browser-based attacks cannot infect the user. This starts at US$10 per user per month but is only available on top of a paid plan.

A cloud access security broker (CASB) service is available for control over SaaS apps to reduce data leaks and regulatory violations.

And the company's SASE offering, Cloudflare One, is a zero trust network-as-a-service platform with identity-based security controls.

The core features are free for up to 50 users. Prices for the core features (Access, the SWG, CASB and filtering) start at US$7 per user per month and include 100% uptime SLAs and support.

Zscaler

Zscaler was one of the early implementers of the zero trust idea with its secure web gateways (SWGs). In fact, CEO Jay Chaudhry recently berated the industry for rebadging existing products as 'zero trust' to jump on the bandwagon.

"Either you're zero trust or you're network security. You don't do both," he told VentureBeat, adding that 'true' zero trust involves connecting users directly to applications without going over the network.

The Zero Trust Exchange is the platform from which the company offers its services, allowing direct secure connections based on risk profiles. These services include:

Zscaler Internet Access (ZIA) is a SWG that includes data leak prevention, intrusion prevention, CASB and browser isolation all as a cloud service, allowing organisations to apply the same rules across multiple premises.

Zscaler Private Access is a SWG pitched as a secure cloud-based VPN replacement that connects users directly to private applications, with user-to-app, user-to-device and workload-to-workload segmentation to prevent lateral spread of threats.

Zscaler B2B is a service that extends the above functionality to business partners and customers, using business policies to connect authenticated customers to an authorised app, without exposing the app to the internet or allowing the customer on the network.

Prices are on application only.


Check Point

Israeli-US firm Check Point began as a manufacturer of hardware firewalls and diversified into all aspects of cyber security, including zero trust, where it offers a single consolidated architecture that includes Zero Trust Network Access as a service (ZTNA-aaS) and security gateways for micro-segmentation of networks.

The company describes its platform, Check Point Infinity, as "consolidating a wide range of security functions and solutions that enable you to implement all of the seven principles of the Extended Zero Trust Security model", those being protection of networks, workloads, people, devices and data, and providing visibility and automation.

Among the individual solutions on offer are Security Gateways that enable organisations to create granular network segmentation across clouds and LAN with visibility into users, applications and devices.

CloudGuard IaaS and CloudGuard Dome 9 are designed to secure workloads, and integrate with most public and cloud environments.

And Check Point Identity Awareness and Check Point CloudGuard SaaS offer IAM, SSO, MFA, context-aware authentication and anomaly detection.

The company does not provide pricing details.

Proofpoint

Email security and data loss prevention specialist Proofpoint offers a range of products and services. It is also a member of the Spectra Alliance along with Okta, CrowdStrike and Netskope, a multi-vendor effort to ease the transition to zero trust as organisations rushed to support WFH.

Proofpoint ZTNA is described as a "next-generation cloud-based VPN as a service". It allows for micro-segmentation of networks to limit the effects of any breach, and supports cloud and on-premises platforms. There is a version for public sector organisations called Proofpoint Meta.

Proofpoint Browser Isolation provides web isolation based on the company's intelligence.

Proofpoint Cloud App Security Broker (Proofpoint CASB) offers "people-centric visibility and control" over cloud apps.

Meanwhile Nexus People Risk Explorer (NPRE) builds risk-profiles of individuals across the Proofpoint platform and third-party products.

The company does not publish pricing.

Ivanti/Pulse Secure

US cybersecurity vendor Ivanti acquired VPN provider Pulse Secure and mobile security firm MobileIron in 2020 as it moved to broaden its scope to include zero trust. Both companies had previously suffered high-profile security breaches.

Pulse Zero Trust Access (PZTA) / Ivanti Neurons for Zero Trust Access provides continuous user and device authentication and always-on protected access to corporate applications, "eliminating bandwidth and data charges through gateways while constantly verifying the user, their device, and applications based on granular constraints".

The company does not publish pricing.

CyberArk

CyberArk started with digital vault technology to secure sensitive data, later acquiring privilege management firm Viewfinity and identity company Idaptive, among others. It positions its products as conforming with the NIST SP 800-207 zero trust architecture specifications.

The company's zero trust offerings include CyberArk Privileged Access Manager, a SaaS or self-hosted solution that allows admins to manage credentials, discover and onboard privileged credentials and secrets used by human and non-human identities, and set policies for password complexity, frequency of password rotations, access rights, and more.

Vendor Privileged Access Manager secures third-party access to internal resources with session isolation, monitoring and audit capabilities without the need for VPNs.

Workforce Identity includes SSO, Adaptive MFA, lifecycle management, directory services and endpoint authentication.

Customer Identity provides risk-based customer authentication and access, and the company provides DevOps-specific solutions for managing secrets and keys.

There are no prices on the company's site.

Other vendors covered by this study, but which fell outside this Top 10, were Broadcom/Symantec, AppGate, Akamai, Forescout, Infoblox, Forcepoint, Cato Networks, Perimeter 81, Absolute NetMotion, Netskope, Wandera, Guardicore, BlackBerry, NetFoundry, BlackRidge, Illumio and Unisys Stealth.