Market Guide for Zero Trust Network Access (ZTNA)

Market guide for Zero Trust Network Access is a report by Gartner, a firm that conducts and shares research on a broad range of technologies to provide businesses with actionable insights, guidance and tools that enable faster, smarter decisions and stronger performance on an organization’s mission-critical priorities.

Last published in February 2022, Gartner’s Market Guide for Zero Trust Network Access defines and analyzes the market for Zero Trust Network Access (ZTNA) products and services. It also identifies benefits, use cases and risks, lists representative vendors and makes recommendations for incorporating ZTNA in an organization’s security stack.

While the full report is licensed for distribution, the contents of the report are briefly summarized here. Key findings include:

• Interest in the ZTNA market is driven by increased focus on Zero Trust strategies and the need to provide secure, flexible connectivity for hybrid workforces.
• The primary motivation for considering ZTNA is an interest in reducing risk by replacing Virtual Private Network (VPN) technology.
• Organizations are deploying both agent-based ZTNA in SASE architecture and agentless ZTNA to support third-party devices and BYOD initiatives.
• The lines between segmentation technologies are blurring as ZTNA providers offer combined solutions for identity-based segmentation and ZTNA.

While ZTNA products were initially viewed as VPN replacements, the ZTNA market today is based on the desire to establish a standardized architecture for Zero Trust networking. Gartner views ZTNA technology as an important step in maturing Zero Trust programs. Along with Secure Web Gateways (SWGs) and Cloud Access Security Brokers (CASBs), ZTNA products are part of the key technology components of the Security Service Edge (SSE) market.

ZTNA products reduce the attack surface by using a trust broker to provide identity and context-aware access to resources. Using the principles of Zero Trust, ZTNA solutions grant access based on the identity of users and devices and on attributes and contexts such as geolocation, devices security posture and time and date. When users and devices have been successfully authenticated and authorized, ZTNA solutions grants access only to the resources required at the time. ZTNA also improves connectivity and removes the need to expose applications to the internet.

The ZTNA market is maturing and growing quickly, with a 60 percent year-over-year growth rate. The market is increasingly focused on deploying ZTNA in SSE agent-based architecture, though there is increased demand for agentless deployments for use cases involving unmanaged devices and/or third-party access. Gartner predicts that in the near term to midterm, stand-alone ZTNA vendors will have difficulty competing with vendors offering fully integrated SSE and SASE solutions that include SWG, DLP and CASB offerings.

Gartner’s Market Guide for Zero Trust Network Access outlines the benefits and uses of ZTNA products as well as the risks.

ZTNA offers immediate benefits, significantly improving security with contextual, risk-based and least privilege access to applications. ZTNA also improves the user experience, agility, adaptability and ease of management. Cloud-based ZTNA offerings offer additional benefits in scalability and ease of deployment. To minimize latency and satisfy regional logging and inspection requirements, larger ZTNA vendors have built hundreds of points of presence (PoPs) worldwide.

ZTNA use cases include:

• Providing access to applications and services for partners, suppliers, contractors and other collaborators without requiring a VPN or DMZ.
• Authentication based on user behavior, enabling stricter but adaptive access control.
• Enabling encryption all the way from the endpoint to the ZTNA gateway.
• Providing application-specific access for remote employees and IT contractors as an alternative to VPN-based access.
• Controlling administrative access to applications as a more affordable alternative to full privilege access management tools. 
• Extending access to acquired organizations during M&A activities without having to combine networks.
• Reducing insider threats by isolating high-value enterprise applications and implementing separation of duties for administrative access.
• Authenticating users on personal devices.
• Creating secure enclaves of Internet of Things (IoT) devices.
• Protecting internal systems from hostile networks by removing inbound access.

Though ZTNA significantly reduces overall risks, IT teams must be aware of risks that remain. These include (but are not limited to):

• Single point of failure. When a ZTNA’s trust broker is down, fully isolated applications passing through a ZTNA service will stop working. This risk can be mitigated by choosing ZTNA services with physical and geographic redundancy and robust SLAs.
• Latency. The location of a ZTNA’s trust broker may create latency that impacts the user experience. Organizations can decrease latency by choosing vendors that offer multiple PoPs. 
• Compromised user credentials. Attackers may use compromised user credentials on a local device to observe and exfiltrate information from the device. This threat can be mitigated by choosing ZTNA architectures that combine device authentication with user authentication.

Gartner’s Market Guide for Zero Trust Network Access offers several recommendations for organizations considering Zero Trust Network Access products.

• Before selecting and deploying ZTNA technology, organizations should create a high-level Zero Trust strategy and ensure that identity and access management technologies and processes are mature and well understood. Additionally, organizations should not assume that deploying ZTNA products is the only step in implementing a broader Zero Trust strategy.
• If replacing VPNs is the primary goal of moving to ZTNA, IT teams should assess the current VPN landscape to evaluate the capabilities of a ZTNA vendor and determine whether the benefits of implementing ZTNA are sufficient. Looking for targeted sets of users that can switch to ZTNA from VPNs can help provide immediate value while improving security posture.
• To avoid the complexity of multiple agents on managed devices, organizations should consider choosing a technology provider that can deliver ZTNA services as part of a wider SASE architecture.
• Organizations should prioritize the selection of ZTNA vendors based on ability to realize specific use cases for end-user access as well as the organization’s endpoint and application architecture.

Recognized by Gartner, Forrester and NSS Labs as a leader in cybersecurity, Forcepoint offers a powerful ZTNA solution as part of a Forcepoint ONE, a comprehensive, data-first SASE security platform. Forcepoint ZTNA provides Zero Trust remote access to private apps from anywhere, enabling advanced control over data in use across managed or unmanaged devices. 

Forcepoint ZTNA provides organizations and IT teams with:

• Zero Trust for private network access. Forcepoint seamlessly extends Zero Trust to private applications in internal data centers and private clouds and limits user access to only the apps and data they need.
• Frictionless access from any device. Forcepoint ZTNA supports BYOD and secure access for employees and contractor by offering agentless deployment for managed and unmanaged devices.
• Remote access to on-premises resources. The Forcepoint ONE SmartEdge agent enables identity-based access control and high-speed performance to TCP-based applications.
• Best-of-breed DLP for private apps. With Forcepoint ZTNA, IT teams can continuously secure data in private web apps with industry-leading data security featuring 190+ pre-defined policies and malware scanning.
• Superior scalability and performance. Forcepoint ONE is built on the AWS hyperscaler platform, enabling organizations to easily add new users and locations and to count on 99.99% service uptime with no planned downtime.