Many employees and contractors work offsite in home networks, coffee shops, hotels, and other untrusted networks. Meanwhile, many cloud applications and data repositories have also migrated outside of the centralized control of an organization’s IT environment.
IT managers seek to protect these users, devices and resources by moving the perimeter to wherever the user and the resource actually are, so that every access request passes through a policy enforcement point the organization controls. Zero trust is one method of accomplishing this.
There are many zero trust solutions addressing the five key categories of Zero Trust Architecture (ZTA):
However, for most organizations, limited budgets and IT team bandwidth will force selective adoption of ZTA and a focus on solutions that can be implemented quickly, inexpensively, and across the whole organization. Zero Trust Network Access (ZTNA) will likely be one of the easiest ways for an organization to begin adopting ZTA, so we will focus on the top low-cost, turnkey ZTNA products.
This list is aimed more at small and mid-sized businesses (SMBs) seeking low-cost, easy to implement solutions, so larger enterprises might want to see our list of Top Zero Trust Security Solutions & Software.
The basic concepts behind ZTA were developed by Forrester Research (analyst John Kindervag coined the term in 2010) and require an organization to treat all resources as if they were fully exposed to the internet. No user or device is trusted by default, every user is restricted to the minimum access needed, and comprehensive monitoring of every access decision must be in place.
The firewalls and hardened security layers that used to exist only at the entry point to a network must now be shifted to each endpoint, server, container, and even application. Each access request and session must start from the assumption that the user and device may be compromised, so each one requires fresh verification of identity, device posture, and authorization rather than relying on an earlier login.
U.S. Government agencies have been directed to meet zero trust security goals (Executive Order 14028 on improving the nation's cybersecurity), and many corporate executives also seek to improve their security and compliance posture using zero trust architecture.
Zero trust does not require new tools or technologies to implement. Existing operating system controls, host and network firewalls, identity providers, and other tools can be configured device by device or application by application to enforce zero trust rules.
However, new ZTA-branded tools often simplify the job for IT managers. Instead of a variety of different tools with overlapping or even conflicting rules, ZTA tools provide a single place to define policies and then push those policies out to the linked enforcement points.
IT managers define which applications, databases, servers, and networks will be available to each end user from a central management console. Keep in mind, however, that to implement ZTA, companies must be ready to differentiate granularly between users and devices: a policy can only be as fine-grained as the groups, roles and device attributes it has to work with.
Any organization that does not use the features of ZTA to grant only the minimum needed access has simply recreated a flat, non-ZTA trusted network with more expensive technology.
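To make those three rules concrete, here is an added illustration in Python (not code from any vendor covered in this article) of a minimal policy decision point: access is denied unless a rule explicitly allows it, each rule requires both a group membership and a minimum device posture, and every request is re-evaluated and logged rather than trusting an earlier session. It also includes a check for the "recreated a trusted network" pitfall described above. All resource names, group names, device attributes and thresholds are constructed for the example.

```python
"""Minimal zero-trust policy decision point (PDP).

Added example, not code from any vendor on this page. All resource names,
group names, posture attributes and thresholds are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Device trust is ranked so a rule can require a minimum level.
TRUST_ORDER = {"untrusted": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in UEM / runs the vendor agent
    disk_encrypted: bool
    os_patched: bool

    def trust(self) -> str:
        """Posture-derived trust level; anything unmanaged is 'untrusted'."""
        if self.managed and self.disk_encrypted and self.os_patched:
            return "high"
        return "medium" if self.managed else "untrusted"


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    device: Device
    mfa_age_minutes: int   # minutes since the last successful MFA prompt
    resource: str


@dataclass(frozen=True)
class Rule:
    resource: str
    allowed_groups: FrozenSet[str]  # membership in any one of these is enough
    min_device_trust: str           # a key of TRUST_ORDER
    max_mfa_age_minutes: int        # forces re-verification of stale sessions


class PolicyDecisionPoint:
    def __init__(self, rules: List[Rule]) -> None:
        # A resource with no rule is unreachable: that is the default deny.
        self.rules: Dict[str, Rule] = {r.resource: r for r in rules}
        self.audit_log: List[dict] = []

    def evaluate(self, req: Request) -> Tuple[bool, str]:
        """Decide one request; every decision, allowed or denied, is logged."""
        allowed, reason = self._decide(req)
        self.audit_log.append({"user": req.user, "resource": req.resource,
                               "device_trust": req.device.trust(),
                               "allowed": allowed, "reason": reason})
        return allowed, reason

    def _decide(self, req: Request) -> Tuple[bool, str]:
        rule = self.rules.get(req.resource)
        if rule is None:
            return False, "no rule for resource (default deny)"
        if not (req.groups & rule.allowed_groups):
            return False, "user not in an allowed group"
        if TRUST_ORDER[req.device.trust()] < TRUST_ORDER[rule.min_device_trust]:
            return False, f"device trust {req.device.trust()} below {rule.min_device_trust}"
        if req.mfa_age_minutes > rule.max_mfa_age_minutes:
            return False, "MFA older than policy allows; re-authenticate"
        return True, "allowed"


def overly_broad_rules(rules: List[Rule], all_groups: FrozenSet[str]) -> List[str]:
    """Flag rules that admit every group from any device with no real MFA bound.

    Such a rule recreates a flat trusted network behind a ZTNA front end.
    """
    return [r.resource for r in rules
            if all_groups <= r.allowed_groups
            and r.min_device_trust == "untrusted"
            and r.max_mfa_age_minutes >= 24 * 60]


# Constructed sample policy: the last rule is deliberately too permissive.
ALL_GROUPS = frozenset({"staff", "finance", "contractors"})
RULES = [
    Rule("payroll-db", frozenset({"finance"}), "high", 60),
    Rule("wiki", frozenset({"staff", "contractors"}), "medium", 8 * 60),
    Rule("legacy-fileshare", ALL_GROUPS, "untrusted", 30 * 24 * 60),
]


def demo() -> List[Tuple[str, str, bool]]:
    """Run constructed requests through the PDP and return (user, resource, allowed)."""
    pdp = PolicyDecisionPoint(RULES)
    laptop = Device(managed=True, disk_encrypted=True, os_patched=True)
    unpatched = Device(managed=True, disk_encrypted=True, os_patched=False)
    byod = Device(managed=False, disk_encrypted=False, os_patched=True)
    finance = frozenset({"staff", "finance"})
    staff = frozenset({"staff"})
    cases = [
        Request("alice", finance, laptop, 5, "payroll-db"),     # allowed
        Request("alice", finance, unpatched, 5, "payroll-db"),  # posture too low
        Request("alice", finance, laptop, 240, "payroll-db"),   # MFA stale
        Request("bob", staff, laptop, 5, "payroll-db"),         # wrong group
        Request("bob", staff, byod, 5, "wiki"),                 # unmanaged device
        Request("bob", staff, laptop, 5, "crm"),                # no rule: default deny
    ]
    return [(r.user, r.resource, pdp.evaluate(r)[0]) for r in cases]


if __name__ == "__main__":
    for user, resource, ok in demo():
        print(f"{user:6} -> {resource:18} {'ALLOW' if ok else 'DENY'}")
    print("overly broad rules:", overly_broad_rules(RULES, ALL_GROUPS))
```

Only the first request is allowed; the other five fail for different reasons, and each reason lands in the audit log, which is the "comprehensive monitoring" requirement in practice. The `overly_broad_rules` check flags the `legacy-fileshare` rule because it grants every group access from any device with a 30-day MFA window, which is the same trust model as the old network perimeter.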
Note: We’ve included a glossary of key zero trust terms at the bottom of this article if any need clarification.
We reviewed many different vendors for this article and zero trust is too broad to compare or cover them all in a single article. To make this list of the top low-cost zero trust options we focused on a limited set of criteria that could provide value to the broadest range of organizations.
Vendors that made this list provide a solution that could be started very quickly, with minimal IT labor, and with no internal installation required. We focused on turn-key SaaS solutions that an IT manager could implement in a matter of hours and deploy to the entire organization.
These Zero Trust Network Access (ZTNA) products must replace or complement Virtual Private Network (VPN) access and publicly list their pricing for comparison. While many companies may offer free trials or tiers, we only list vendors that have a cost below $15 / user per month for their basic paid tier of service.
These solutions also must provide fully encrypted connections and support multi-factor authentication. These solutions should also support access to legacy IT infrastructure.
ZTNA can be accomplished in many different ways, but a turnkey solution tends to be offered either as a browser-based solution or a global edge network solution.
These companies accomplish the practical equivalent of ZTNA through a secure browser. End users download the browser to their local endpoint and must use it to access corporate resources. The vendor also provides a cloud-based app that allows the IT manager to add and manage users and corporate resources in a single software package.
Vendors in the Global Edge Network category replace the VPN concentrators and network infrastructure an organization would otherwise run with a cloud-based, software-defined equivalent sold on a subscription basis. The internet provides the wires and the vendor provides encrypted connections between the users and the protected resources.
While the details of deployment vary, generally an agent or connector is installed next to cloud-based or on-premises resources such as servers, containers, and applications. The connector dials out to the vendor's Global Edge Network and maintains that encrypted tunnel, so the protected resource needs no inbound port open to the internet; this is why the approach can replace inbound firewall rules or a DMZ. The host running the connector becomes the new ingress point, however, so it still needs host-level hardening and its access policies should be reviewed as carefully as the firewall rules they replace.
Administrators then use a SaaS management interface to select resources to make available to end users using access policies. Users then connect to the encrypted network through a standard browser or through an app.
Some vendors focus on Secure Web Gateways and others focus on cloud-based VPN Servers, but when delivering ZTNA their offerings tend to combine features of gateways, VPNs, and even CASB. Be sure to review the specific offerings of a vendor to ensure they meet the needed requirements.
Our criteria narrowed the list down to the following companies:
Appaegis Access Fabric deploys as a browser and provides a lightweight alternative to virtual desktop infrastructure (VDI). The tool provides fully logged role-based access control (RBAC) to deliver granular security controls and tight reporting for audits.
IT managers use a cloud management portal to control agentless app access, data access permission, and team and role-based policies. Location based access control, API support, and user activity logging are available in the paid tiers.
Appaegis provides four tiers of pricing that are quoted monthly but paid annually:
Team and Professional tiers do not list pricing, but 14-day free trials are available for each tier.
Banyan Security is a global edge network solution that provides multi-cloud, application, and service access through real-time least-privileged policies that leverage an organization's existing identity and security tools. The tool requires deployment of a Banyan Connector next to corporate resources, configured through the Banyan Cloud Command Center, and access to the Banyan Global Edge Network.
Banyan’s Cloud Command Center policies use human-readable syntax based on user identity and device trust that integrate with corporate identity and security tools. Users then connect through a standard browser or through the optional Banyan app that also permits device registration and a catalog of available resources.
Banyan Security provides three tiers of pricing that are quoted monthly but paid annually:
The internet giant Cloudflare made its name providing content delivery, DNS and DDoS protection services for corporate websites. However, it also offers Zero Trust Services, a global edge solution that provides ZTNA, Secure Web Gateways, private routing to IP hosts, network firewall-as-a-service, HTTP/S inspection, DNS resolution and filtering, and CASB services.
Cloudflare provides an agnostic platform that integrates with a variety of existing identity, endpoint security, and cloud applications. Cloudflare’s ZTNA can be accessed from a high-speed global edge network from over 200 cities spread out across the world.
Cloudflare provides three tiers of pricing:
GoodAccess markets their ZTNA edge solution as cloud-based VPN-as-a-service for teams with access gateways in more than 35 cities and in 23 countries around the world. IT managers can easily create management profiles for different classifications of users and easily assign both users and resources to the classification to enable least-privileged access.
GoodAccess provides four tiers of pricing. Customers who select annual billing receive a 20% discount off the monthly price:
NordLayer builds on its successful NordVPN solution to offer a SASE and ZTNA turn-key solution. Available in more than 30 countries, the edge solution focuses on quick and easy installation to provide AES 256-bit encryption, threat-blocking, and MFA support for all offered levels. The solution is basically a VPN but with the additional security of fine-grained zero trust access controls set by admins.
NordLayer offers three tiers of pricing and a free trial period. Customers who select annual billing save 18-22% compared with the monthly price:
OpenVPN offers a self-hosted VPN server option, but this article focuses on the OpenVPN Cloud edge solution, which does not require any server infrastructure. OpenVPN client software can be installed on Windows, macOS, and Linux.
OpenVPN supports SAML 2.0 and LDAP authentication and email- or application-based MFA. Pricing is volume based and depends on the number of simultaneous VPN connections. There is a single tier of service that can be billed monthly, or customers can save 20% by paying annually:
Perimeter 81 offers turn-key ZTNA connections from over 40 global locations. Their simple administration interface offers quick and easy network development with granular user controls to define user groups, available applications, work days, devices suitable for connection, and more.
Perimeter 81 offers four tiers of service billed monthly or customers can save 20% with annual billing:
Zentry avoids VPN troubleshooting by providing ZTNA over TLS through HTML5 browsers without any clients to download, configure or manage. The Zentry control panel permits granular control over applications and resources without VPN infrastructure or installing clients on local resources.
Zentry provides three tiers of pricing that can be paid monthly, or customers can enjoy a discount by paying annually:
Many other products attempt to fill the Zero Trust Network Access niche with methods to securely connect all workers with all resources. However, there were two types of vendors that we did not consider for this article.
First, some vendors don’t list their prices on their websites so their cost could not be compared with other vendors. Some of these vendors will offer free trials and many will also have technology partners that can help explain features and drawbacks to an interested customer.
The other type of vendor was ZTNA providers that required significant installations and could not be considered turn-key. If the vendor needed cloud computers, dedicated servers, or virtual machines established we considered the threshold too high to be considered for this article.
This does not mean that our recommended vendors are the best solution for a specific organization’s needs. IT managers looking for even more options can consider these additional solutions:
As with all IT needs, zero trust can be implemented in many different ways. ZTNA will likely be one of the easiest methods to start adopting zero trust and organizations with constrained resources will seek vendors that provide easy adoption with minimal IT labor for support and implementation.
We analyzed many different ZTNA companies and only eight companies could be verified to provide a low-cost solution that could be implemented quickly. These solutions likely will satisfy the needs of any company with an emergency need or limited resources; however, organizations should investigate their options thoroughly before making a decision.
When dealing with new technologies, vendors take short cuts and pummel potential customers with an endless barrage of acronyms. For those who want to understand these offerings, it helps to review these acronyms for clarity.
AD = Active Directory = The Microsoft-developed user management database for Windows domains.
ADC = Active Directory Domain Controller = A server hosting and managing an AD domain (more commonly abbreviated DC)
API = Application Programming Interface = A defined interface through which one piece of software calls, or exchanges data with, another.
App = Application abbreviated
AWS = Amazon Web Services = the cloud services and infrastructure developed and hosted by Amazon
AV = Anti-Virus = Endpoint anti-malware software
CASB = Cloud Access Security Broker = On-prem or cloud-based security software that monitors activity and enforces security policies between users and cloud applications.
CDR = Content Disarm & Reconstruction = A security solution that strips active content (macros, scripts, embedded objects) from files and rebuilds them so that only safe content is delivered to the user.
DaaS = Desktop-as-a-Service = A remote access service in which desktops will be hosted in the cloud and become available when a remote user logs in and launches a session.
DLP = Data Loss Prevention = Software that inspects data use to prevent data theft or loss based upon policies and user identities.
DNS = Domain Name System (or Server) = The service that resolves domain names to IP addresses. EX: when a user types google.com into a browser, a DNS resolver looks up the name and returns an IP address, perhaps 172.217.204.102, that the browser then connects to. Some sites have multiple IP addresses and the answer may vary by resolver and location.
EDR = Endpoint Detection & Response = Advanced endpoint protection that can proactively take a variety of actions in response to the detection of malware or attacker behavior.
FaaS = Firewall-as-a-Service = Firewalls set up and managed as a service.
HTML5 = Hyper Text Markup Language 5 = The modern HTML version powering the internet.
HTTP = Hypertext Transfer Protocol = The application-layer protocol browsers and servers use to request and transmit web pages and other resources.
HTTPS = HTTP Secure = An encrypted version of HTTP.
HTTP/S = HTTP/HTTPS abbreviated
IaaS = Infrastructure-as-a-Service = A managed service that replaces part or all of the IT infrastructure needed by an organization (networks, switches, routers, servers, etc.).
IdP = Identity Provider = An authentication tool that provides a single set of login credentials that verify user identities across multiple platforms, networks, or applications.
IP = Internet Protocol = Often used in the context of an IP address, the numeric address that identifies a device's network interface on a network.
IT = Information Technology = The technology associated with data, computers, networks, IT security, etc.
LDAP = Lightweight Directory Access Protocol = The standard protocol for querying and updating directory services such as AD; often used loosely to mean the directory itself that manages identities and access.
MFA = Multi-Factor Authentication = Multiple means by which to verify a user’s identity for authentication purposes.
NAC = Network Access Control = A solution that inspects users and devices to verify that they have permission to join the network, based upon defined policies.
OIDC = OpenID Connect = An open identity layer built on top of the OAuth 2.0 framework that lets an application verify a user's identity through an IdP.
PAM = Privileged Access Management = Various access control and monitoring tools and technologies used to secure access to critical information and resources.
PII = Personally Identifiable Information = Personal information for customers, employees, etc. While the definition is broad, most organizations primarily are concerned with regulated PII such as social security numbers, credit card numbers, and healthcare information.
RBI = Remote Browser Isolation = A technique that runs the web browser in an isolated container, usually in the cloud, and streams only a rendered view to the user's device so that untrusted web content never executes on the endpoint.
SaaS = Software-as-a-Service = Software licensed on a subscription basis, hosted and centrally managed by the vendor in the cloud.
SAML = Security Assertion Markup Language = A standard for exchanging authentication and authorization assertions between an identity provider and a service provider. SAML 2.0 is the current version.
SASE = Secure Access Service Edge = A Gartner-defined framework that combines wide-area networking (SD-WAN) with cloud-delivered security services into a single platform.
SDP = Software Defined Perimeter = A network perimeter defined by software instead of wires and networking equipment.
SIEM = Security Information and Event Management = Security tool used to gather alerts and logs for investigation and analysis.
SLA = Service Level Agreement = Determines the level of service between a vendor and a customer; agreements often center on availability and reliability.
SMS = Short Message Service = A text messaging protocol
SSE = Security Service Edge = A Gartner-defined product category for cloud-delivered security (SWG, CASB and ZTNA) that creates safe access to websites, SaaS, and other applications.
SSO = Single Sign On = An authentication scheme that creates a trusted identity that can be passed on to other applications or websites without additional authentication.
SWG = Secure Web Gateway = A networking tool that enforces corporate acceptable use policies and protects users from web-based threats.
TLS = Transport Layer Security = A cryptographic protocol to provide secure communication over a computer network. It is incorporated into various other protocols (email, HTTPS, etc.) and replaced Secure Sockets Layer (SSL).
UEBA = User and Entity Behavior Analytics = Technology that analyzes user behavior for signs of anomalies or malicious actions.
UEM = Unified Endpoint Management = Technologies that secure and manage devices and operating systems from a single command console.
VDI = Virtual Desktop Infrastructure = Similar to DaaS, this technology provides desktops for remote access staff.
VPN = Virtual Private Network = A remote access technology that creates an encrypted tunnel between an endpoint and a network, typically placing the endpoint on that network.
ZTA = Zero Trust Architecture = An IT architecture built on zero-trust principles (NIST SP 800-207 is the reference definition).
ZTNA = Zero Trust Network Access = A product category that brokers access to specific applications or services for each user and device based on identity and context, rather than placing the user on the network as a VPN does.
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.
