The Forrester New Wave™ - Zero Trust Network Access, Q3 2021

5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Topics
REPORT Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
The Forrester New Wave™: Zero Trust Network

Access, Q3 2021
The 15 Providers That Matter Most And How They Stack Up
August 24, 2021
DH David Holmes
with Joseph Blankenship, Caroline Provost, Peggy Dostie
Summary
In Forrester's evaluation of the emerging market for Zero Trust network access, we identified the 15 most
significant providers in the category — Akamai Technologies, Appgate, Cisco, Citrix, Cloudflare, Google,
Juniper Networks, Netskope, Palo Alto Networks, Perimeter 81, Proofpoint, Tencent Security, VMware,
Wandera, and Zscaler — and evaluated them. This report details our findings about how well each vendor
scored against 10 criteria and where they stand in relation to each other. Security professionals can use
this report to select the right partner for their Zero Trust network access.
Unchain Users From VPNs With Zero Trust Network Access

Forrester’s crusade to kill the VPN found a champion in Zero Trust network access (ZTNA) during
the COVID-19 pandemic. VPN performance issues, more than any other factor, drove enterprises to
adopt ZTNA for secure remote access to keep their remote employees working. With ZTNA, users
can access on-premises applications using Zero Trust principles while allowing their two-way video
conference traffic to go directly out to the internet, thereby improving security posture and
employee experience. Ultimately, ZTNA reduces the need for employee VPNs and makes way for
infrastructure and security teams to adopt cloud-delivered networking and security capabilities, a
model Forrester calls the Zero Trust edge (ZTE), also known as secure access service edge (SASE).
ZTNA solutions have an on-prem component (an application gateway, connector, or encrypted
tunnel) and a separate authentication gateway that can be hosted either on-premises or delivered
in the cloud as a service. This evaluation includes representatives of each delivery model, but
ZTNA as a cloud-delivered service is the most common, reflecting the preferences of most
enterprise security buyers today.
ZTNA Evaluation Overview

The Forrester New Wave™ differs from our traditional Forrester Wave™. In the Forrester New Wave
evaluation, we assess only emerging technologies, and we base our analysis on a 10-criterion
About Forrester Reprints https://go.forrester.com/research/reprints/
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna-l… 1/16
survey and a 2-hour briefing with each evaluated vendor. We group the 10 criteria into current
offering and strategy (see Figure 1). We also review market presence.
Topics 15 vendors in this assessment: Akamai Technologies, Appgate, Cisco, Citrix,

We included
Cloudflare, Google, Juniper
Unchain Networks,
Users From VPNs … Netskope, Palo
ZTNA Alto Networks,
Evaluation Overview Perimeter 81, Vendor
Proofpoint,
QuickCards Supplemental Material
Tencent Security, VMware, Wandera, and Zscaler (see Figure 2 and see Figure 3). Each of these
vendors has:
A proprietary Zero Trust network access product or service. We included vendors that
demonstrate Zero Trust principles for on-premises application access by a remote workforce.
We included vendors whose products and services actively replace VPN infrastructure.
Annual ZTNA revenues of at least $5 million. We included vendors with at least $5 million
annual ZTNA revenues in the 12 months ending on the cutoff date.
At least 150 ZTNA customers and a global presence. We included vendors that have an install
base of at least 150 active ZTNA customer organizations in production, with at least 10% of
revenue outside the organization’s home region (NA, LATAM, APAC, or EMEA).
At least 100 full-time employees. We included vendors with at least 100 full-time employees to
better compare customer support, go-to-market, and ability to support strategic initiatives.
An unaided mindshare within the industry. The vendors we evaluated are frequently
mentioned in Forrester client inquiries, vendor selection RFPs, shortlists, consulting projects,
and case studies. These vendors are also mentioned by other vendors during Forrester
briefings as viable and formidable competitors.
Figure 1
Assessment Criteria: Zero Trust Network Access, Q3 2021
Topics
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
Figure 2
Forrester New Wave™: Zero Trust Network Access, Q3 2021
Topics
Figure 3
Forrester New Wave™: Zero Trust Network Access Scorecard, Q3 2021
Topics
Vendor QuickCards
Forrester evaluated 15 vendors and ranked them against 10 criteria. Here’s our take on each.
Palo Alto Networks: Forrester's Take

Our evaluation found that Palo Alto Networks (see Figure 4):
Offers a strong combination of deployment options, IDP integration, and nonweb apps. Prisma
Access can be self-hosted, consumed as a SaaS, or used in hybrid combinations. The vendor’s
support for authenticating and authorizing third parties is superior to other ZTNA solutions.
The solution can protect TCP- and UDP-based applications in addition to standard web apps.
Still needs to improve endpoint offering, including mobile. Customers say the mobile
experience Prisma Access still needs improvement, and they report some technical
challenges with the endpoint software for desktops and laptops.
Is a good fit for organizations seeking a hybrid of SaaS and on-premises software. Prisma
Access excels at securing the nonweb applications that are so common in complex on-prem
environments.
Palo Alto Networks Customer Reference Summary

Palo Alto Networks’ reference customers endorse the vendor’s high-level value prop: viability,
strategy, and engineering. They express minor dissatisfaction with endpoint headaches, including
the mobile experience and challenges with endpoint agent updates, a common complaint for the
vendor.
Figure 4
Palo Alto Networks QuickCard
Topics
Appgate: Forrester's Take

Our evaluation found that Appgate (see Figure 5):
Offers exceptional integration with services like ITSM and CMDB. Appgate is one of the few
vendors in this space specializing in ZTNA without taking on the entire Zero Trust edge
(ZTE/SASE) security model directly. Appgate delivers its security and business value through
distributed policy-enforcement points that integrate with solutions like ServiceNow.
Lags the leading competition on inline security inspection. ZTNA solutions are usually inline in
order to provide authentication and contextual authorization. Appgate’s inline security
inspection could be improved by adding more behavioral analytics and machine learning.
Is the best fit for companies that need high security and a self-hosted option. Appgate offers
its ZTNA as a SaaS, but also as a self-hosted option for enterprises and agencies that need it.
Its cryptographic single packet authorization (SPA) can make for a supertight network defense
posture.
Appgate Customer Reference Summary

Appgate’s enthusiastic reference customers say that while implementing Appgate they did
experience initial technical challenges around the endpoint agent operation, the vendor was good
at addressing the issues and that the service has come a long way in a short time.
Figure 5
Appgate QuickCard
VMware: Forrester's Take

Our evaluation found that VMware (see Figure 6):
Has superior inline security inspection and device posture security. VMware offers a broad set
of inline security techniques like watermarking, risk scoring, and behavioral analysis. VMware’s
ZTNA
Topicssolution integrates well with its own endpoint protection as well as major third-party
suites.
Must provide better support for access to legacy applications. Client organizations with
numerous legacy, nonweb applications are waiting for VMware to improve its remote desktop
capabilities.
Is the best fit for companies already invested in VMware’s portfolio. Organizations heavily
invested in VMware’s other offerings like Workspace One and Carbon Black will get the most
value from the vendor’s ZTNA solution.
VMware Customer Reference Summary

VMware’s customer references said they are excited about the vendor’s vision and strategy. They
were largely satisfied with the service, citing only that the onboarding process could be improved.
Figure 6
VMware QuickCard
Zscaler: Forrester's Take

Our evaluation found that Zscaler (see Figure 7):
Can take enormous deployments into its global network. Zscaler has the greatest ZTNA
mindshare among Forrester clients. The vendor is enrolling organizations with tens of
thousands, and in some cases, hundreds of thousands of users.
Needs to support server-initiated applications like VoIP. While Zscaler has support for most
common and TCP and UDP applications, it must add support for server-initiated applications
like VoIP/SIP. Call centers take note.
Works well for companies already using Zscaler for outbound security. A common complaint
with other vendors is the requirement for multiple endpoint agents. Zscaler customers don’t
have this issue since the vendor built the ZTNA solution into its secure web gateway client.
Zscaler Customer Reference Summary

While Zscaler customer references are enthusiastic about the vendor’s scalability and use of a
single client for ZTNA and SWG, they cite cost and traffic routing issues as areas for improvement.
Their sharpest criticism is around the vendor’s inability to handle VoIP/SIP call traffic.
Figure 7
Zscaler QuickCard
Topics
Perimeter 81: Forrester's Take

Our evaluation found that Perimeter 81 (see Figure 8):
Focuses on the cloud-delivered and managed SaaS experience. Perimeter 81’s ZTNA
management is intuitive and modern. Its ability to handle nonweb applications like VoIP is a
major differentiator in this field.
Needs to integrate with enterprise device security. Perimeter 81 still needs to add integration
with Microsoft endpoint security and apply more inline security and analytics.
Is the best fit for smaller enterprises that need ZTNA as a service, quickly. Perimeter 81’s self-
service portal allows smaller organizations to sign up quickly and onboard dozens of
applications in less than a month.
Perimeter 81 Customer Reference Summary

Perimeter 81 reference customers are among the most enthusiastic of those included in this
evaluation. They extol the vendor relationship, support, and dedication to improving the product
quickly. On the downside, they expressed frustration with an inability to download full logs.
Figure 8
Perimeter 81 QuickCard
Citrix: Forrester's Take

Our evaluation found that Citrix (see Figure 9):
Offers strong RDP/VDI and inline security capabilities. Citrix benefits from its heritage as
remote access and virtual desktop provider for its Zero Trust network access. The vendor
delivers
Topics a mature network gateway for on-prem applications and networking services like
printing and drive mapping.
Needs to complete integration with major EDR solutions. Citrix has Crowdstrike and Microsoft
integration on its roadmap, while most other ZTNA solutions integrate with one or both of
these.
Is the best fit for companies already invested in an on-prem Citrix infrastructure. Much of the
value that Citrix brings for ZTNA is embedded in its existing infrastructure. Citrix ties ZTNA into
the services the vendor has always provided for access and application delivery.
Citrix Customer Reference Summary

Citrix reference customers like the vendor’s atypical approach to ZTNA. One said, of the vendor’s
solution, that it supported their “clients across geographies and [their] very customized network
architecture.” They also praise the solution’s performance and user experience but cited a need for
more-granular IAM policy control.
Figure 9
Citrix QuickCard
Netskope: Forrester's Take

Our evaluation found that Netskope (see Figure 10):
Offers strong device posture security today and a great vision for tomorrow. Netskope excels
at device posture security, and customers cite a fast, easy rollout taking weeks where others
take months. Netskope has a solid vision for ZTNA and associated services.
Needs to add features to support third-party access. Netskope’s agentless support was still in
beta during this research. Netskope also needs to add multiple concurrent identity providers
(it currently supports only one). These two features are important to support contractors and
other third parties who have their own identity providers and where an agent can’t be
installed.
Should be on the shortlist for organizations moving to the Zero Trust edge. Organizations
looking to consolidate, consume, and cloud-deliver three technologies (ZTNA, CSG, SWG) with
a single vendor should seek out Netskope. In our research, customers cite that these other
capabilities are important to them.
Netskope Customer Reference Summary

Even with its current limitations, Netskope’s customers express enthusiasm for the service,
About Forrester Reprints
recognizing that the https://go.forrester.com/research/reprints/
product grew quickly and overlooking a few early rollout challenges. They
appreciate the speed at which the vendor provided fixes and report solid operation since.
Figure 10
Topics
Netskope QuickCard
Akamai: Forrester's Take

Our evaluation found that Akamai (see Figure 11):
Offers strong ecosystem integration and programmability. Akamai’s vision of “programmable

edge” enables hundreds of on-prem applications to be programmatically onboarded quickly.
Akamai’s Enterprise Application Access has rich integrations with identity providers, a critical
need for large enterprises with complex business partner requirements.
Needs to improve product experience. Like many vendors, the Akamai endpoint agent for
ZTNA is needlessly separate from Akamai’s other endpoint agents. The onboarding process
and management console need improvement as well.
Is a good fit for large enterprises that need managed services around ZTNA. As a vendor,
Akamai serves many large enterprises and has a mature product in EAA. Customers praised
the vendor’s professional services for assistance in onboarding and management.
Akamai Customer Reference Summary

Reference customers praised the device posture security and identity provider integration, citing
both as reasons they choose Akamai’s EAA. They also praised the managed services and support
that they get from Akamai as an enterprise vendor. They were dissatisfied with the ongoing client
agent management and question the vendor’s support for mobile devices.
Figure 11
Akamai QuickCard
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna… 10/16
Topics
Tencent Security: Forrester's Take

Our evaluation found that Tencent Security (see Figure 12):
Offers a broad range of deployment options. Tencent’s ZTNA solution can be delivered as
SaaS, self-hosted on-prem, self-hosted in multiple public clouds, or any of these in a hybrid
combination. The vendor offers agentless and agented options.
Needs to improve the onboarding process for applications. Customer references cited
difficulties onboarding challenges with many applications and specifically legacy applications.
Is a great fit for companies with a heavy APAC presence. Organizations that want to consume
ZTNA as a service across APAC can take advantage of Tencent’s numerous PoPs there.
Tencent Security Customer Reference Summary

Tencent Security’s reference customers have enrolled hundreds of thousands of end users into its
system. Two customers interviewed for this research enrolled over 50,000 users each. They
endorse Tencent’s ZTNA solution with just a bit of reservation, citing deployment challenges as an
issue.
Figure 12
Tencent Security QuickCard
Google: Forrester's Take

Our evaluation found that Google (see Figure 13):
Offers the strongest agentless capability and the biggest network in the space. Google’s
BeyondCorp Enterprise leverages the world’s most popular browser, Chrome, as its agent,
which
Topicsis already decrypting the end-user traffic. It’s also one of the only solutions offering
continuous verification. BeyondCorp Enterprise’s inline security inspection is among the most
extensive in this evaluation.
Needs to improve mobile experience, IDP integration. The mobile experience for ZTNA is poor
among nearly all ZTNA vendors, and Google’s needs improvement as well. Google also needs
to add support of multiple concurrent identity providers.
Is a good fit where GCP is a strategic partner. Customers already invested in the Google
ecosystem, using Google Workspace and its identity store, will feel right at home with
BeyondCorp Enterprise.
Google Customer Reference Summary

Existing GCP customers using GCP for ZTNA are quite happy with BeyondCorp Enterprise, citing
primarily the mobile experience as needing improvement. These customers are satisfied with
Google’s vision and roadmap and understand that even with a long beta, BeyondCorp Enterprise is
still a new product (it only officially debuted in 2021) with growing pains.
Figure 13
Google QuickCard
Cloudflare: Forrester's Take

Our evaluation found that Cloudflare (see Figure 14):
Offers strong integration with identity providers. Cloudflare excels at a critical capability — the
vendor’s ability to concurrently integrate with multiple identity providers to support a
contractor and partner business ecosystem with a Zero Trust approach to access.
Still needs device security. Cloudflare Access needs better integration with endpoint security
controls. Besides the usual web browsing signals it can see, it needs tighter integration with
the leading endpoint security suites that enterprises rely on.
Is a good fit for technically savvy, forwarding-looking IT shops. Companies that are already
familiar with Cloudflare’s way of doing things will find Cloudflare Access a natural addition to
their portfolio, but new customers will face a learning curve.
Cloudflare Customer Reference Summary

Cloudflare’s customer references say Cloudflare Access features run the gamut from “pretty good”
to “eh, not terrible.” They like the reliability, performance, and API capability of the service but cite
anemic RBAC and feature disparity across Cloudflare’s global network as areas ripe for
improvement.
Figure 14
Cloudflare QuickCard
Topics
Proofpoint: Forrester's Take

Our evaluation found that Proofpoint (see Figure 15):
Offers strong identity provider integration as well as client and network support. Proofpoint
picked a gem when it acquired Meta for its ZTNA solution. Customers can expect good
concurrent multi-IDP integration to support third-party access, and innovative networking.
Should invest more in inline inspection. The vendor’s analytics and inline security can be
improved. Proofpoint offers its own private network for routing customer packets, but it is the
smallest of these in this evaluation.
Will be attractive for business access to enterprise web applications. Proofpoint’s mature
security support organization and superior IDP integration make it a good fit for large
enterprises with global, third-party business arrangements.
Proofpoint Customer Reference Summary

Proofpoint did not participate in this evaluation and chose not to provide references.
Figure 15
Proofpoint QuickCard
Juniper Networks: Forrester's Take

Our evaluation found that Juniper Networks (see Figure 16):
Offers self-hosted Zero Trust network access. Juniper’s brand-new entrant in the burgeoning
ZTNA market is actually a combination of existing security products (like the SRX firewall) and
its acquisition of 128T.
Topics
Needs a SaaS offering.

Unchain Most
Users From organizations
VPNs … wantEvaluation
ZTNA to consume ZTNA as a service,
Overview but Juniper
Vendor QuickCards Supplemental Material
only delivers as self-hosted hardware or software. Juniper says a SaaS service is planned.
Is a fit for companies that are both on-premises and Juniper devotees. Given the self-hosted
nature of this solution and its use of SRX/vSRX as a controller, this ZTNA will find the most
favor with Juniper’s existing customers.
Juniper Networks Customer Reference Summary

Forrester was unable to reach customer references for Juniper Networks for this evaluation.
Figure 16
Juniper Networks QuickCard
Wandera: Forrester's Take

Our evaluation found that Wandera (see Figure 17):
Excels with its mobile offerings. Wandera brings its heritage in mobile security and access to
ZTNA. Even though tablets and smartphones effectively force all ZTNA vendors to look like
VPNs, Wandera delivers the strongest mobile offering.
Needs to improve its desktop offering. Wandera’s Mac and Windows offering are a weakness.
The vendor also needs to integrate with major endpoint protection suites.
Is the best fit for companies where mobile ZTNA is the primary driver. Organizations with fleets
of tablets will find that Wandera provides a mature solution with the fewest headaches that
works across the different mobile operating systems.
Wandera Customer Reference Summary

Wandera’s reference customers endorse the quality of the vendor’s mobile offerings, and cited the
upcoming acquisition by Jamf as a strategic positive for both vendors. They called out onboarding
issues they related to the immaturity of the Windows product.
Figure 17
Wandera QuickCard
Topics
Cisco: Forrester's Take

Our evaluation found that Cisco (see Figure 18):
Offers strong integration with Cisco multifactor authentication. Cisco’s ZTNA solution, is, in
fact, a side-effect of its Cisco Duo gateway. This means that Cisco Duo customers can utilize
the SaaS capabilities of Duo and host their access on-prem for a hybrid deployment.
Needs to leave AnyConnect behind, because ZTNA customers have. Cisco needs to offer
remote desktop functionality via Zero Trust and expand its integration for concurrent
contractor and partner identity providers. Our research for this report revealed that Cisco
AnyConnect was the most common VPN solution customers abandoned when adopting a true
ZTNA solution.
Is an appropriate choice for enterprises that have already bought into Duo. Duo is already a
significant solution in the authentication space; enterprises that have already invested in it can
stay within the Cisco ecosystem with Duo Secure Access.
Cisco Customer Reference Summary

Cisco did not participate in this evaluation and chose not to provide references.
Figure 18
Cisco QuickCard
Supplemental Material
The Forrester New Wave Methodology
We conducted primary research to develop a list of vendors that met our criteria for the evaluation
and definition of this emerging market. We evaluated vendors against 10 criteria, seven of which we
basedTopics
on product functionality and three of which we based on strategy. We also reviewed market
presence. We invited the top emerging vendors in this space to participate in an RFP-style
demonstration and interviewed customer references. We then ranked the vendors along each of
the criteria. We used a summation of the strategy scores to determine placement on the x-axis, a
summation of the current offering scores to determine placement on the y-axis, and the market
presence score to determine marker size. We designated the top-scoring vendors as Leaders.
Integrity Policy
We conduct all our research, including Forrester New Wave evaluations, in accordance with the
Integrity Policy posted on our website.
© 2022, Forrester Research, Inc. and/or its subsidiaries. All rights reserved.

The Forrester New Wave™ - Zero Trust Network Access, Q3 2021

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

The Forrester New Wave™ - Zero Trust Network Access, Q3 2021

Uploaded by

Copyright:

Available Formats

5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021

The Forrester New Wave™: Zero Trust Network Access, Q3 2021

The Forrester New Wave™: Zero Trust Network

with Joseph Blankenship, Caroline Provost, Peggy Dostie

Unchain Users From VPNs With Zero Trust Network Access

ZTNA Evaluation Overview

Topics 15 vendors in this assessment: Akamai Technologies, Appgate, Cisco, Citrix,

Assessment Criteria: Zero Trust Network Access, Q3 2021

About Forrester Reprints https://go.forrester.com/research/reprints/

The Forrester New Wave™: Zero Trust Network Access, Q3 2021

Forrester New Wave™: Zero Trust Network Access, Q3 2021

About Forrester Reprints https://go.forrester.com/research/reprints/

The Forrester New Wave™: Zero Trust Network Access, Q3 2021

Forrester New Wave™: Zero Trust Network Access Scorecard, Q3 2021

About Forrester Reprints https://go.forrester.com/research/reprints/

The Forrester New Wave™: Zero Trust Network Access, Q3 2021

Palo Alto Networks: Forrester's Take

Palo Alto Networks Customer Reference Summary

Palo Alto Networks QuickCard

About Forrester Reprints https://go.forrester.com/research/reprints/

The Forrester New Wave™: Zero Trust Network Access, Q3 2021

Appgate: Forrester's Take

Appgate Customer Reference Summary

VMware: Forrester's Take

VMware Customer Reference Summary

Zscaler: Forrester's Take

Zscaler Customer Reference Summary

The Forrester New Wave™: Zero Trust Network Access, Q3 2021

Perimeter 81: Forrester's Take

Perimeter 81 Customer Reference Summary

Citrix: Forrester's Take

About Forrester Reprints https://go.forrester.com/research/reprints/

Citrix Customer Reference Summary

Netskope: Forrester's Take

Netskope Customer Reference Summary

Akamai: Forrester's Take

Offers strong ecosystem integration and programmability. Akamai’s vision of “programmable

Akamai Customer Reference Summary

About Forrester Reprints https://go.forrester.com/research/reprints/

The Forrester New Wave™: Zero Trust Network Access, Q3 2021

Tencent Security: Forrester's Take

Tencent Security Customer Reference Summary

Tencent Security QuickCard

Google: Forrester's Take

About Forrester Reprints https://go.forrester.com/research/reprints/

Google Customer Reference Summary

Cloudflare: Forrester's Take

Cloudflare Customer Reference Summary

Proofpoint: Forrester's Take

Proofpoint Customer Reference Summary

Juniper Networks: Forrester's Take

About Forrester Reprints https://go.forrester.com/research/reprints/

Needs a SaaS offering.

Juniper Networks Customer Reference Summary

Juniper Networks QuickCard

Wandera: Forrester's Take

Wandera Customer Reference Summary

About Forrester Reprints https://go.forrester.com/research/reprints/

The Forrester New Wave™: Zero Trust Network Access, Q3 2021

Cisco: Forrester's Take

Cisco Customer Reference Summary

About Forrester Reprints https://go.forrester.com/research/reprints/

You might also like