Many employees and contractors work offsite in home networks, coffee shops, hotels, and other untrusted networks.At the same time, many cloud applications and data repositories have also moved outside the centralized control of an organization's IT environment.
IT managers try to protect these users, devices and resources from unauthorized access by moving the IT boundary and rerouting all data through corporate control. One way to achieve this is to use zero trust.
There are a number of Zero Trust solutions that address five key categories of Zero Trust Architecture (ZTA):
For most organizations, however, budget and IT team bandwidth constraints will force a selective adoption of ZTA and a focus on solutions that can be implemented quickly, inexpensively, and comprehensively with minimal expense.Zero Trust Network Access (ZTNA) is probably one of the easiest ways for organizations to get started with ZTA, so we'll focus on the top low-cost turnkey ZTNA products.
This list is more aimed at small to midsize businesses (SMBs) looking for a low-cost, easy-to-implement solution, so larger enterprises may want to check out our list of top zero trust security solutions and software.
The basic concept behind ZTA, developed by Forrester Research, requires organizations to treat all resources as fully exposed to the Internet.No user can be trusted by default, all users should be restricted to the minimum required access rights, and should be fully monitored.
Firewalls and hardened security layers that used to exist only at network access points must now be transferred and enforced for every endpoint, server, container, and even application.Every access request and session must begin with the assumption that the user and device may be compromised and require re-authentication.
U.S. government agencies have received requests to achieve zero trust security goals, and many business executives have also sought to use zero trust architectures to improve their security and compliance.
Zero trust does not require new tools or technologies to implement.Operating systems, firewalls, and other tools can be implemented on a device-by-device or application-by-application basis to achieve zero trust.
However, new ZTA-branded tools often simplify the process IT managers implement.Instead of providing a variety of disparate tools with overlapping or even conflicting rules, ZTA tools provide a single place to enforce policies, which are then pushed to related technologies.
From a central management console, IT managers define which applications, databases, servers, and networks are available to end users.However, keep in mind that to implement ZTA, companies must be prepared to fine-tune users and devices.
Any organization that doesn't use ZTA's capabilities to provide the minimum access required is simply recreating a non-ZTA trusted network with more expensive techniques.
Note: If clarification is needed, we have provided a glossary of key Zero Trust terms at the bottom of this article.
We reviewed many different vendors for this article, and Zero Trust is too broad to compare or cover all of them in one article.To list the top low-cost Zero Trust options, we focused on a limited set of criteria that can provide value to the broadest range of organizations.
The vendors on this list offer solutions that start very quickly, require minimal IT labor, and require no in-house installation.We specialize in turnkey SaaS solutions that IT managers can implement and deploy to the entire organization in a matter of hours.
These Zero Trust Network Access (ZTNA) products must replace or complement Virtual Private Network (VPN) access and have their pricing listed publicly for comparison.While many companies may offer free trials or tiers, we've only listed providers that cost less than $15/user per month for the basic paid service tier.
These solutions must also provide fully encrypted connections and support multi-factor authentication.These solutions should also support access to legacy IT infrastructure.
ZTNA can be implemented in many different ways, but turnkey solutions are often offered as browser-based solutions or global edge network solutions.
These companies implement the actual equivalent of ZTNA through a secure browser.End users download a browser to their local endpoint and must use it to access corporate resources.The vendor also offers a cloud-based application that allows IT managers to add and manage users and corporate resources in a single package.
Vendors in the global edge networking category replace existing wired or software-defined networking infrastructure with cloud-based equivalent software-defined networking on a subscription basis.The Internet provides the wire, and the provider provides the encrypted connection between the user and the protected resource.
While the details of deployment may vary, agents or connectors are typically installed to cloud-based or on-premises resources, such as servers, containers, and applications.These connectors create secure tunnels to the global edge network, sometimes replacing the need for firewall rules or DMZ architecture.
Administrators then use the SaaS management interface to select resources to make available to end users using access policies.The user then connects to the encrypted network through a standard browser or application.
Some vendors focus on secure web gateways, while others focus on cloud-based VPN servers, but when offering ZTNA, their offerings often combine the functionality of gateways, VPNs, and even CASBs.Be sure to review the vendor's specific products to ensure they meet the required requirements.
Appaegis Access Fabric is deployed as a browser and provides a lightweight alternative to Virtual Desktop Infrastructure (VDI).The tool provides fully documented role-based access control (RBAC) for fine-grained security controls and rigorous audit reporting.
IT managers use the cloud management portal to control agentless application access, data access permissions, and team- and role-based policies.The paid tier provides location-based access control, API support, and logging of user activity.
NetTAP Security is a global edge networking solution that provides multi-cloud, application and service access through a real-time least privilege solution that leverages an organization's existing identity and security tools.The tool requires the deployment of the Banyan connector to enterprise resources, setup through the Cloud Command Center, and access to the Global Edge Network.
Internet giant Cloudflare got its name from its distributed hosting service for corporate websites.However, they also offer Zero Trust Services, a global edge solution that provides ZTNA, secure web gateway, private routing to IP/host, network FaaS, HTTP/S inspection, DNS resolution and filters, and CASB services.
Cloudflare provides an agnostic platform that integrates with a variety of existing identity, endpoint security, and cloud applications.Cloudflare's ZTNA is accessible from a high-speed global edge network in more than 200 cities around the world.
GoodAccess markets its ZTNA edge solution as a cloud-based VPN-as-a-service to teams with access gateways in more than 35 cities and 23 countries around the world.IT managers can easily create administrative profiles for different categories of users and easily assign users and resources to that category for least privilege access.
GoodAccess offers four tiers of pricing.Customers who choose annual billing receive a 20% discount on monthly billing prices:
NordLayer provides SASE and ZTNA turnkey solutions based on its successful NordVPN solution.Available in over 30 countries, this edge solution focuses on quick and easy installation, with AES 256-bit encryption, threat blocking and MFA support for all levels offered.The solution is basically a VPN, but with the added security of fine-grained zero-trust access controls set by the administrator.
NordLayer offers three tiers of pricing and a free trial period.Customers who opt for annual billing can save 18-22% from monthly billed prices:
OpenVPN offers an option for self-hosted VPN servers, but this article focuses on OpenVPN cloud edge solutions that do not require any server infrastructure.OpenVPN client software can be installed on Windows, MacOS and Linux.
Open VPN supports SAML 2.0 and LDAP authentication and email- or application-based MFA.Pricing is volume based and depends on the number of simultaneous VPN connections per month.It's a single-tier service and can be billed monthly, or customers can save 20% by paying annually:
Perimeter 81 offers turnkey ZTNA connectivity from over 40 locations worldwide.Its simple management interface provides quick and easy web development with granular user controls to define user groups, available applications, work days, connected devices and more.
Perimeter 81 offers four tiers of service billed monthly, or customers can save 20% by billing annually:
Zentry provides ZTNA over TLS via an HTML5 browser to avoid VPN troubleshooting without any client download, configuration or management.The Zentry control panel allows granular control over applications and resources without requiring VPN infrastructure or installing clients on local resources.
Zentry offers three tiers of pricing that can be paid monthly, or customers can take advantage of discounts by paying annually:
Many other products try to fill the zero trust network access arena by securely connecting all employees to all resources.However, this article does not consider both types of suppliers.
First, some suppliers do not list their prices on their website, so their costs cannot be compared with other suppliers.Some of these vendors will offer free trials, and many will also have technology partners who can help explain features and downsides to interested customers.
Another type of supplier is the ZTNA supplier, which requires a large number of installations and cannot be considered turnkey.If a vendor needs to build cloud computers, dedicated servers, or virtual machines, we think the threshold is too high to be considered in this article.
This does not mean that the vendor we recommend is the best solution for a particular organization's needs.IT managers looking for more options can consider the following additional solutions:
As with all IT needs, zero trust can be achieved in many different ways.ZTNA is probably one of the easiest ways to get started with Zero Trust, and organizations with limited resources will seek out vendors that can easily adopt support and implementation with minimal IT labor.
We analyzed many different ZTNA companies and only 8 could be validated to provide low-cost solutions that could be implemented quickly.These solutions may meet the needs of any company with urgent needs or limited resources; however, organizations should thoroughly investigate their options before making a decision.
When dealing with new technologies, vendors take shortcuts and smack potential customers with an endless stream of acronyms.For those who want to know about these products, it will be helpful to look at these acronyms for clarity.
API = Application Programming Interface = a software interface that uses a common connector between different software applications.
CASB = Cloud Access Security Broker = On-premises or cloud-based security software that monitors activity and enforces security policies between users and cloud applications.
CDR = Content Disarm & Reconstruction = Security solutions that inspect packets and attempt to detect and remove vulnerabilities, executable code, and malformed packets.
DaaS = Desktop as a Service = A remote access service where desktops are hosted in the cloud and available when a remote user logs in and starts a session.
