reprints2.forrester.com
169.47.124.23  Public Scan

Submitted URL: https://ww3.appgate.com/e/863411/assets-2-1846-RES176124-report/5b4qvx/1137704245?h=tNDZBkoZL3HtO21_PeQm7Dd2Dfpa3EGittIo...
Effective URL: https://reprints2.forrester.com/
Submission: On December 04 via api from SE — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

The Forrester New Wave™: Zero Trust Network Access, Q3 2021
August 24, 2021
The 15 Providers That Matter Most And How They Stack Up
David Holmes
with Joseph Blankenship, Caroline Provost, Peggy Dostie
Summary
In Forrester's evaluation of the emerging market for Zero Trust network access,
we identified the 15 most significant providers in the category — Akamai
Technologies, Appgate, Cisco, Citrix, Cloudflare, Google, Juniper Networks,
Netskope, Palo Alto Networks, Perimeter 81, Proofpoint, Tencent Security,
VMware, Wandera, and Zscaler — and evaluated them. This report details our
findings about how well each vendor scored against 10 criteria and where they
stand in relation to each other. Security professionals can use this report to
select the right partner for their Zero Trust network access.


UNCHAIN USERS FROM VPNS WITH ZERO TRUST NETWORK ACCESS

Forrester’s crusade to kill the VPN found a champion in Zero Trust network
access (ZTNA) during the COVID-19 pandemic. VPN performance issues, more than
any other factor, drove enterprises to adopt ZTNA for secure remote access to
keep their remote employees working. With ZTNA, users can access on-premises
applications using Zero Trust principles while allowing their two-way video
conference traffic to go directly out to the internet, thereby improving
security posture and employee experience. Ultimately, ZTNA reduces the need for
employee VPNs and makes way for infrastructure and security teams to adopt
cloud-delivered networking and security capabilities, a model Forrester calls
the Zero Trust edge (ZTE), also known as secure access service edge (SASE). ZTNA
solutions have an on-prem component (an application gateway, connector, or
encrypted tunnel) and a separate authentication gateway that can be hosted
either on-premises or delivered in the cloud as a service. This evaluation
includes representatives of each delivery model, but ZTNA as a cloud-delivered
service is the most common, reflecting the preferences of most enterprise
security buyers today.


ZTNA EVALUATION OVERVIEW

The Forrester New Wave™ differs from our traditional Forrester Wave™. In the
Forrester New Wave evaluation, we assess only emerging technologies, and we base
our analysis on a 10-criterion survey and a 2-hour briefing with each evaluated
vendor. We group the 10 criteria into current offering and strategy (see Figure
1). We also review market presence.
We included 15 vendors in this assessment: Akamai Technologies, Appgate, Cisco,
Citrix, Cloudflare, Google, Juniper Networks, Netskope, Palo Alto Networks,
Perimeter 81, Proofpoint, Tencent Security, VMware, Wandera, and Zscaler (see
Figure 2 and see Figure 3). Each of these vendors has:
   

 * A proprietary Zero Trust network access product or service. We included
   vendors that demonstrate Zero Trust principles for on-premises application
   access by a remote workforce. We included vendors whose products and services
   actively replace VPN infrastructure.

 * Annual ZTNA revenues of at least $5 million. We included vendors with at
   least $5 million annual ZTNA revenues in the 12 months ending on the cutoff
   date.

 * At least 150 ZTNA customers and a global presence. We included vendors that
   have an install base of at least 150 active ZTNA customer organizations in
   production, with at least 10% of revenue outside the organization’s home
   region (NA, LATAM, APAC, or EMEA).

   

 * At least 100 full-time employees. We included vendors with at least 100
   full-time employees to better compare customer support, go-to-market, and
   ability to support strategic initiatives.

 * An unaided mindshare within the industry. The vendors we evaluated are
   frequently mentioned in Forrester client inquiries, vendor selection RFPs,
   shortlists, consulting projects, and case studies. These vendors are also
   mentioned by other vendors during Forrester briefings as viable and
   formidable competitors.


Figure 1: Assessment Criteria: Zero Trust Network Access, Q3 2021

Figure 2: Forrester New Wave™: Zero Trust Network Access, Q3 2021

Figure 3: Forrester New Wave™: Zero Trust Network Access Scorecard, Q3 2021



VENDOR QUICKCARDS

Forrester evaluated 15 vendors and ranked them against 10 criteria. Here’s our
take on each.
Palo Alto Networks: Forrester's Take
Our evaluation found that Palo Alto Networks (see Figure 4):
   

 * Offers a strong combination of deployment options, IDP integration, and
   nonweb apps. Prisma Access can be self-hosted, consumed as a SaaS, or used in
   hybrid combinations. The vendor’s support for authenticating and authorizing
   third parties is superior to other ZTNA solutions. The solution can protect
   TCP- and UDP-based applications in addition to standard web apps.

 * Still needs to improve endpoint offering, including mobile. Customers say the
   mobile experience of Prisma Access still needs improvement, and they report some
   technical challenges with the endpoint software for desktops and laptops.

 * Is a good fit for organizations seeking a hybrid of SaaS and on-premises
   software. Prisma Access excels at securing the nonweb applications that are
   so common in complex on-prem environments.

Palo Alto Networks Customer Reference Summary
Palo Alto Networks’ reference customers endorse the vendor’s high-level value
prop: viability, strategy, and engineering. They express minor dissatisfaction
with endpoint headaches, including the mobile experience and challenges with
endpoint agent updates, a common complaint for the vendor.
Figure 4: Palo Alto Networks QuickCard

Appgate: Forrester's Take
Our evaluation found that Appgate (see Figure 5):
   

 * Offers exceptional integration with services like ITSM and CMDB. Appgate is
   one of the few vendors in this space specializing in ZTNA without taking on
   the entire Zero Trust edge (ZTE/SASE) security model directly. Appgate
   delivers its security and business value through distributed
   policy-enforcement points that integrate with solutions like ServiceNow.

 * Lags the leading competition on inline security inspection. ZTNA solutions
   are usually inline in order to provide authentication and contextual
   authorization. Appgate’s inline security inspection could be improved by
   adding more behavioral analytics and machine learning.

 * Is the best fit for companies that need high security and a self-hosted
   option. Appgate offers its ZTNA as a SaaS, but also as a self-hosted option
   for enterprises and agencies that need it. Its cryptographic single packet
   authorization (SPA) can make for a supertight network defense posture.

Appgate Customer Reference Summary
Appgate’s enthusiastic reference customers say that while implementing Appgate
they did experience initial technical challenges around the endpoint agent
operation, the vendor was good at addressing the issues and that the service has
come a long way in a short time.
Figure 5: Appgate QuickCard

VMware: Forrester's Take
Our evaluation found that VMware (see Figure 6):
   

 * Has superior inline security inspection and device posture security. VMware
   offers a broad set of inline security techniques like watermarking, risk
   scoring, and behavioral analysis. VMware’s ZTNA solution integrates well with
   its own endpoint protection as well as major third-party suites.

 * Must provide better support for access to legacy applications. Client
   organizations with numerous legacy, nonweb applications are waiting for
   VMware to improve its remote desktop capabilities.

 * Is the best fit for companies already invested in VMware’s portfolio.
   Organizations heavily invested in VMware’s other offerings like Workspace One
   and Carbon Black will get the most value from the vendor’s ZTNA solution.

VMware Customer Reference Summary
VMware’s customer references said they are excited about the vendor’s vision and
strategy. They were largely satisfied with the service, citing only that the
onboarding process could be improved.
Figure 6: VMware QuickCard

Zscaler: Forrester's Take
Our evaluation found that Zscaler (see Figure 7):
   

 * Can take enormous deployments into its global network. Zscaler has the
   greatest ZTNA mindshare among Forrester clients. The vendor is enrolling
   organizations with tens of thousands, and in some cases, hundreds of
   thousands of users.

   

 * Needs to support server-initiated applications like VoIP. While Zscaler has
   support for most common TCP and UDP applications, it must add support for
   server-initiated applications like VoIP/SIP. Call centers take note.

 * Works well for companies already using Zscaler for outbound security. A
   common complaint with other vendors is the requirement for multiple endpoint
   agents. Zscaler customers don’t have this issue since the vendor built the
   ZTNA solution into its secure web gateway client.

Zscaler Customer Reference Summary
While Zscaler customer references are enthusiastic about the vendor’s
scalability and use of a single client for ZTNA and SWG, they cite cost and
traffic routing issues as areas for improvement. Their sharpest criticism is
around the vendor’s inability to handle VoIP/SIP call traffic.
Figure 7: Zscaler QuickCard

Perimeter 81: Forrester's Take
Our evaluation found that Perimeter 81 (see Figure 8):
   

 * Focuses on the cloud-delivered and managed SaaS experience. Perimeter 81’s
   ZTNA management is intuitive and modern. Its ability to handle nonweb
   applications like VoIP is a major differentiator in this field.

   

 * Needs to integrate with enterprise device security. Perimeter 81 still needs
   to add integration with Microsoft endpoint security and apply more inline
   security and analytics.

 * Is the best fit for smaller enterprises that need ZTNA as a service, quickly.
   Perimeter 81’s self-service portal allows smaller organizations to sign up
   quickly and onboard dozens of applications in less than a month.

Perimeter 81 Customer Reference Summary
Perimeter 81 reference customers are among the most enthusiastic of those
included in this evaluation. They extol the vendor relationship, support, and
dedication to improving the product quickly. On the downside, they expressed
frustration with an inability to download full logs.
Figure 8: Perimeter 81 QuickCard

Citrix: Forrester's Take
Our evaluation found that Citrix (see Figure 9):
   

 * Offers strong RDP/VDI and inline security capabilities. Citrix benefits from
   its heritage as a remote access and virtual desktop provider for its Zero Trust
   network access. The vendor delivers a mature network gateway for on-prem
   applications and networking services like printing and drive mapping.

   

 * Needs to complete integration with major EDR solutions. Citrix has
   CrowdStrike and Microsoft integration on its roadmap, while most other ZTNA
   solutions integrate with one or both of these.

 * Is the best fit for companies already invested in an on-prem Citrix
   infrastructure. Much of the value that Citrix brings for ZTNA is embedded in
   its existing infrastructure. Citrix ties ZTNA into the services the vendor
   has always provided for access and application delivery.

Citrix Customer Reference Summary
Citrix reference customers like the vendor’s atypical approach to ZTNA. One
said, of the vendor’s solution, that it supported their “clients across
geographies and [their] very customized network architecture.” They also praise
the solution’s performance and user experience but cited a need for
more-granular IAM policy control.
Figure 9: Citrix QuickCard

Netskope: Forrester's Take
Our evaluation found that Netskope (see Figure 10):
   

 * Offers strong device posture security today and a great vision for tomorrow.
   Netskope excels at device posture security, and customers cite a fast, easy
   rollout taking weeks where others take months. Netskope has a solid vision
   for ZTNA and associated services.

 * Needs to add features to support third-party access. Netskope’s agentless
   support was still in beta during this research. Netskope also needs to add
   multiple concurrent identity providers (it currently supports only one).
   These two features are important to support contractors and other third
   parties who have their own identity providers and where an agent can’t be
   installed.

 * Should be on the shortlist for organizations moving to the Zero Trust edge.
   Organizations looking to consolidate, consume, and cloud-deliver three
   technologies (ZTNA, CSG, SWG) with a single vendor should seek out Netskope.
   In our research, customers cite that these other capabilities are important
   to them.

Netskope Customer Reference Summary
Even with its current limitations, Netskope’s customers express enthusiasm for
the service, recognizing that the product grew quickly and overlooking a few
early rollout challenges. They appreciate the speed at which the vendor provided
fixes and report solid operation since.
Figure 10: Netskope QuickCard

Akamai: Forrester's Take
Our evaluation found that Akamai (see Figure 11):
   

 * Offers strong ecosystem integration and programmability. Akamai’s vision of
   “programmable edge” enables hundreds of on-prem applications to be
   programmatically onboarded quickly. Akamai’s Enterprise Application Access
   has rich integrations with identity providers, a critical need for large
   enterprises with complex business partner requirements.

 * Needs to improve product experience. Like many vendors, the Akamai endpoint
   agent for ZTNA is needlessly separate from Akamai’s other endpoint agents.
   The onboarding process and management console need improvement as well.

   

 * Is a good fit for large enterprises that need managed services around ZTNA.
   As a vendor, Akamai serves many large enterprises and has a mature product in
   EAA. Customers praised the vendor’s professional services for assistance in
   onboarding and management.

Akamai Customer Reference Summary
Reference customers praised the device posture security and identity provider
integration, citing both as reasons they choose Akamai’s EAA. They also praised
the managed services and support that they get from Akamai as an enterprise
vendor. They were dissatisfied with the ongoing client agent management and
question the vendor’s support for mobile devices.
Figure 11: Akamai QuickCard

Tencent Security: Forrester's Take
Our evaluation found that Tencent Security (see Figure 12):
   

 * Offers a broad range of deployment options. Tencent’s ZTNA solution can be
   delivered as SaaS, self-hosted on-prem, self-hosted in multiple public
   clouds, or any of these in a hybrid combination. The vendor offers agentless
   and agented options.

 * Needs to improve the onboarding process for applications. Customer references
   cited onboarding challenges with many applications and
   specifically legacy applications.

   

 * Is a great fit for companies with a heavy APAC presence. Organizations that
   want to consume ZTNA as a service across APAC can take advantage of Tencent’s
   numerous PoPs there.

Tencent Security Customer Reference Summary
Tencent Security’s reference customers have enrolled hundreds of thousands of
end users into its system. Two customers interviewed for this research enrolled
over 50,000 users each. They endorse Tencent’s ZTNA solution with just a bit of
reservation, citing deployment challenges as an issue.
Figure 12: Tencent Security QuickCard

Google: Forrester's Take
Our evaluation found that Google (see Figure 13):
   

 * Offers the strongest agentless capability and the biggest network in the
   space. Google’s BeyondCorp Enterprise leverages the world’s most popular
   browser, Chrome, as its agent, which is already decrypting the end-user
   traffic. It’s also one of the only solutions offering continuous
   verification. BeyondCorp Enterprise’s inline security inspection is among the
   most extensive in this evaluation.

 * Needs to improve mobile experience, IDP integration. The mobile experience
   for ZTNA is poor among nearly all ZTNA vendors, and Google’s needs
   improvement as well. Google also needs to add support of multiple concurrent
   identity providers.

 * Is a good fit where GCP is a strategic partner. Customers already invested in
   the Google ecosystem, using Google Workspace and its identity store, will
   feel right at home with BeyondCorp Enterprise.

Google Customer Reference Summary
Existing GCP customers using GCP for ZTNA are quite happy with BeyondCorp
Enterprise, citing primarily the mobile experience as needing improvement. These
customers are satisfied with Google’s vision and roadmap and understand that
even with a long beta, BeyondCorp Enterprise is still a new product (it only
officially debuted in 2021) with growing pains.
Figure 13: Google QuickCard

Cloudflare: Forrester's Take
Our evaluation found that Cloudflare (see Figure 14):
   

 * Offers strong integration with identity providers. Cloudflare excels at a
   critical capability — the vendor’s ability to concurrently integrate with
   multiple identity providers to support a contractor and partner business
   ecosystem with a Zero Trust approach to access.

 * Still needs device security. Cloudflare Access needs better integration with
   endpoint security controls. Besides the usual web browsing signals it can
   see, it needs tighter integration with the leading endpoint security suites
   that enterprises rely on.

 * Is a good fit for technically savvy, forward-looking IT shops. Companies
   that are already familiar with Cloudflare’s way of doing things will find
   Cloudflare Access a natural addition to their portfolio, but new customers
   will face a learning curve.

Cloudflare Customer Reference Summary
Cloudflare’s customer references say Cloudflare Access features run the gamut
from “pretty good” to “eh, not terrible.” They like the reliability,
performance, and API capability of the service but cite anemic RBAC and feature
disparity across Cloudflare’s global network as areas ripe for improvement.
Figure 14: Cloudflare QuickCard

Proofpoint: Forrester's Take
Our evaluation found that Proofpoint (see Figure 15):
   

 * Offers strong identity provider integration as well as client and network
   support. Proofpoint picked a gem when it acquired Meta for its ZTNA solution.
   Customers can expect good concurrent multi-IDP integration to support
   third-party access, and innovative networking.

 * Should invest more in inline inspection. The vendor’s analytics and inline
   security can be improved. Proofpoint offers its own private network for
   routing customer packets, but it is the smallest of these in this evaluation.

 * Will be attractive for business access to enterprise web applications.
   Proofpoint’s mature security support organization and superior IDP
   integration make it a good fit for large enterprises with global, third-party
   business arrangements.

Proofpoint Customer Reference Summary
Proofpoint did not participate in this evaluation and chose not to provide
references.
Figure 15: Proofpoint QuickCard

Juniper Networks: Forrester's Take
Our evaluation found that Juniper Networks (see Figure 16):
   

 * Offers self-hosted Zero Trust network access. Juniper’s brand-new entrant in
   the burgeoning ZTNA market is actually a combination of existing security
   products (like the SRX firewall) and its acquisition of 128T.

 * Needs a SaaS offering. Most organizations want to consume ZTNA as a service,
   but Juniper only delivers as self-hosted hardware or software. Juniper says a
   SaaS service is planned.

 * Is a fit for companies that are both on-premises and Juniper devotees. Given
   the self-hosted nature of this solution and its use of SRX/vSRX as a
   controller, this ZTNA will find the most favor with Juniper’s existing
   customers.

Juniper Networks Customer Reference Summary
Forrester was unable to reach customer references for Juniper Networks for this
evaluation.
Figure 16: Juniper Networks QuickCard

Wandera: Forrester's Take
Our evaluation found that Wandera (see Figure 17):
   

 * Excels with its mobile offerings. Wandera brings its heritage in mobile
   security and access to ZTNA. Even though tablets and smartphones effectively
   force all ZTNA vendors to look like VPNs, Wandera delivers the strongest
   mobile offering.

 * Needs to improve its desktop offering. Wandera’s Mac and Windows offerings are
   a weakness. The vendor also needs to integrate with major endpoint protection
   suites.

 * Is the best fit for companies where mobile ZTNA is the primary driver.
   Organizations with fleets of tablets will find that Wandera provides a mature
   solution with the fewest headaches that works across the different mobile
   operating systems.

Wandera Customer Reference Summary
Wandera’s reference customers endorse the quality of the vendor’s mobile
offerings, and cited the upcoming acquisition by Jamf as a strategic positive
for both vendors. They called out onboarding issues they related to the
immaturity of the Windows product.
Figure 17: Wandera QuickCard

Cisco: Forrester's Take
Our evaluation found that Cisco (see Figure 18):
   

 * Offers strong integration with Cisco multifactor authentication. Cisco’s ZTNA
   solution is, in fact, a side effect of its Cisco Duo gateway. This means
   that Cisco Duo customers can utilize the SaaS capabilities of Duo and host
   their access on-prem for a hybrid deployment.

 * Needs to leave AnyConnect behind, because ZTNA customers have. Cisco needs to
   offer remote desktop functionality via Zero Trust and expand its integration
   for concurrent contractor and partner identity providers. Our research for
   this report revealed that Cisco AnyConnect was the most common VPN solution
   customers abandoned when adopting a true ZTNA solution.

 * Is an appropriate choice for enterprises that have already bought into Duo.
   Duo is already a significant solution in the authentication space;
   enterprises that have already invested in it can stay within the Cisco
   ecosystem with Duo Secure Access.

Cisco Customer Reference Summary
Cisco did not participate in this evaluation and chose not to provide
references.
Figure 18: Cisco QuickCard



SUPPLEMENTAL MATERIAL

The Forrester New Wave Methodology
We conducted primary research to develop a list of vendors that met our criteria
for the evaluation and definition of this emerging market. We evaluated vendors
against 10 criteria, seven of which we based on product functionality and three
of which we based on strategy. We also reviewed market presence. We invited the
top emerging vendors in this space to participate in an RFP-style demonstration
and interviewed customer references. We then ranked the vendors along each of
the criteria. We used a summation of the strategy scores to determine placement
on the x-axis, a summation of the current offering scores to determine placement
on the y-axis, and the market presence score to determine marker size. We
designated the top-scoring vendors as Leaders.
Integrity Policy
We conduct all our research, including Forrester New Wave evaluations, in
accordance with the Integrity Policy posted on our website.

About Forrester Reprints
https://go.forrester.com/research/reprints/
© 2021, Forrester Research, Inc. and/or its subsidiaries. All rights reserved.
