Professional Documents
Culture Documents
The Forrester New Wave™ - Zero Trust Network Access, Q3 2021
The Forrester New Wave™ - Zero Trust Network Access, Q3 2021
Topics
REPORT Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
DH David Holmes
Summary
In Forrester's evaluation of the emerging market for Zero Trust network access, we identified the 15 most
significant providers in the category — Akamai Technologies, Appgate, Cisco, Citrix, Cloudflare, Google,
Juniper Networks, Netskope, Palo Alto Networks, Perimeter 81, Proofpoint, Tencent Security, VMware,
Wandera, and Zscaler — and evaluated them. This report details our findings about how well each vendor
scored against 10 criteria and where they stand in relation to each other. Security professionals can use
this report to select the right partner for their Zero Trust network access.
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna-l… 1/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
survey and a 2-hour briefing with each evaluated vendor. We group the 10 criteria into current
The Forrester New Wave™: Zero Trust Network Access, Q3 2021
offering and strategy (see Figure 1). We also review market presence.
Tencent Security, VMware, Wandera, and Zscaler (see Figure 2 and see Figure 3). Each of these
vendors has:
A proprietary Zero Trust network access product or service. We included vendors that
demonstrate Zero Trust principles for on-premises application access by a remote workforce.
We included vendors whose products and services actively replace VPN infrastructure.
Annual ZTNA revenues of at least $5 million. We included vendors with at least $5 million
annual ZTNA revenues in the 12 months ending on the cutoff date.
At least 150 ZTNA customers and a global presence. We included vendors that have an install
base of at least 150 active ZTNA customer organizations in production, with at least 10% of
revenue outside the organization’s home region (NA, LATAM, APAC, or EMEA).
At least 100 full-time employees. We included vendors with at least 100 full-time employees to
better compare customer support, go-to-market, and ability to support strategic initiatives.
An unaided mindshare within the industry. The vendors we evaluated are frequently
mentioned in Forrester client inquiries, vendor selection RFPs, shortlists, consulting projects,
and case studies. These vendors are also mentioned by other vendors during Forrester
briefings as viable and formidable competitors.
Figure 1
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna-l… 2/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Topics
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
Figure 2
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna-l… 3/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Topics
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
Figure 3
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna-l… 4/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Topics
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
Vendor QuickCards
Forrester evaluated 15 vendors and ranked them against 10 criteria. Here’s our take on each.
Offers a strong combination of deployment options, IDP integration, and nonweb apps. Prisma
Access can be self-hosted, consumed as a SaaS, or used in hybrid combinations. The vendor’s
support for authenticating and authorizing third parties is superior to other ZTNA solutions.
The solution can protect TCP- and UDP-based applications in addition to standard web apps.
Still needs to improve endpoint offering, including mobile. Customers say the mobile
experience Prisma Access still needs improvement, and they report some technical
challenges with the endpoint software for desktops and laptops.
Is a good fit for organizations seeking a hybrid of SaaS and on-premises software. Prisma
Access excels at securing the nonweb applications that are so common in complex on-prem
environments.
Figure 4
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna-l… 5/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Topics
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
Offers exceptional integration with services like ITSM and CMDB. Appgate is one of the few
vendors in this space specializing in ZTNA without taking on the entire Zero Trust edge
(ZTE/SASE) security model directly. Appgate delivers its security and business value through
distributed policy-enforcement points that integrate with solutions like ServiceNow.
Lags the leading competition on inline security inspection. ZTNA solutions are usually inline in
order to provide authentication and contextual authorization. Appgate’s inline security
inspection could be improved by adding more behavioral analytics and machine learning.
Is the best fit for companies that need high security and a self-hosted option. Appgate offers
its ZTNA as a SaaS, but also as a self-hosted option for enterprises and agencies that need it.
Its cryptographic single packet authorization (SPA) can make for a supertight network defense
posture.
Figure 5
Appgate QuickCard
Has superior inline security inspection and device posture security. VMware offers a broad set
The Forrester New Wave™: Zero Trust Network Access, Q3 2021
of inline security techniques like watermarking, risk scoring, and behavioral analysis. VMware’s
ZTNA
Topicssolution integrates well with its own endpoint protection as well as major third-party
suites.
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
Must provide better support for access to legacy applications. Client organizations with
numerous legacy, nonweb applications are waiting for VMware to improve its remote desktop
capabilities.
Is the best fit for companies already invested in VMware’s portfolio. Organizations heavily
invested in VMware’s other offerings like Workspace One and Carbon Black will get the most
value from the vendor’s ZTNA solution.
Figure 6
VMware QuickCard
Can take enormous deployments into its global network. Zscaler has the greatest ZTNA
mindshare among Forrester clients. The vendor is enrolling organizations with tens of
thousands, and in some cases, hundreds of thousands of users.
Needs to support server-initiated applications like VoIP. While Zscaler has support for most
common and TCP and UDP applications, it must add support for server-initiated applications
like VoIP/SIP. Call centers take note.
Works well for companies already using Zscaler for outbound security. A common complaint
with other vendors is the requirement for multiple endpoint agents. Zscaler customers don’t
have this issue since the vendor built the ZTNA solution into its secure web gateway client.
Figure 7
Zscaler QuickCard
About Forrester Reprints https://go.forrester.com/research/reprints/
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna-l… 7/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Topics
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
Focuses on the cloud-delivered and managed SaaS experience. Perimeter 81’s ZTNA
management is intuitive and modern. Its ability to handle nonweb applications like VoIP is a
major differentiator in this field.
Needs to integrate with enterprise device security. Perimeter 81 still needs to add integration
with Microsoft endpoint security and apply more inline security and analytics.
Is the best fit for smaller enterprises that need ZTNA as a service, quickly. Perimeter 81’s self-
service portal allows smaller organizations to sign up quickly and onboard dozens of
applications in less than a month.
Figure 8
Perimeter 81 QuickCard
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna-l… 8/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Offers strong RDP/VDI and inline security capabilities. Citrix benefits from its heritage as
The Forrester New Wave™: Zero Trust Network Access, Q3 2021
remote access and virtual desktop provider for its Zero Trust network access. The vendor
delivers
Topics a mature network gateway for on-prem applications and networking services like
printing and drive mapping.
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
Needs to complete integration with major EDR solutions. Citrix has Crowdstrike and Microsoft
integration on its roadmap, while most other ZTNA solutions integrate with one or both of
these.
Is the best fit for companies already invested in an on-prem Citrix infrastructure. Much of the
value that Citrix brings for ZTNA is embedded in its existing infrastructure. Citrix ties ZTNA into
the services the vendor has always provided for access and application delivery.
Figure 9
Citrix QuickCard
Offers strong device posture security today and a great vision for tomorrow. Netskope excels
at device posture security, and customers cite a fast, easy rollout taking weeks where others
take months. Netskope has a solid vision for ZTNA and associated services.
Needs to add features to support third-party access. Netskope’s agentless support was still in
beta during this research. Netskope also needs to add multiple concurrent identity providers
(it currently supports only one). These two features are important to support contractors and
other third parties who have their own identity providers and where an agent can’t be
installed.
Should be on the shortlist for organizations moving to the Zero Trust edge. Organizations
looking to consolidate, consume, and cloud-deliver three technologies (ZTNA, CSG, SWG) with
a single vendor should seek out Netskope. In our research, customers cite that these other
capabilities are important to them.
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna-l… 9/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
appreciate the speed at which the vendor provided fixes and report solid operation since.
The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Figure 10
Topics
Netskope QuickCard
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
Needs to improve product experience. Like many vendors, the Akamai endpoint agent for
ZTNA is needlessly separate from Akamai’s other endpoint agents. The onboarding process
and management console need improvement as well.
Is a good fit for large enterprises that need managed services around ZTNA. As a vendor,
Akamai serves many large enterprises and has a mature product in EAA. Customers praised
the vendor’s professional services for assistance in onboarding and management.
Figure 11
Akamai QuickCard
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna… 10/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Topics
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
Offers a broad range of deployment options. Tencent’s ZTNA solution can be delivered as
SaaS, self-hosted on-prem, self-hosted in multiple public clouds, or any of these in a hybrid
combination. The vendor offers agentless and agented options.
Needs to improve the onboarding process for applications. Customer references cited
difficulties onboarding challenges with many applications and specifically legacy applications.
Is a great fit for companies with a heavy APAC presence. Organizations that want to consume
ZTNA as a service across APAC can take advantage of Tencent’s numerous PoPs there.
Figure 12
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna… 11/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Offers the strongest agentless capability and the biggest network in the space. Google’s
The Forrester New Wave™: Zero Trust Network Access, Q3 2021
BeyondCorp Enterprise leverages the world’s most popular browser, Chrome, as its agent,
which
Topicsis already decrypting the end-user traffic. It’s also one of the only solutions offering
continuous verification. BeyondCorp Enterprise’s inline security inspection is among the most
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
extensive in this evaluation.
Needs to improve mobile experience, IDP integration. The mobile experience for ZTNA is poor
among nearly all ZTNA vendors, and Google’s needs improvement as well. Google also needs
to add support of multiple concurrent identity providers.
Is a good fit where GCP is a strategic partner. Customers already invested in the Google
ecosystem, using Google Workspace and its identity store, will feel right at home with
BeyondCorp Enterprise.
Figure 13
Google QuickCard
Offers strong integration with identity providers. Cloudflare excels at a critical capability — the
vendor’s ability to concurrently integrate with multiple identity providers to support a
contractor and partner business ecosystem with a Zero Trust approach to access.
Still needs device security. Cloudflare Access needs better integration with endpoint security
controls. Besides the usual web browsing signals it can see, it needs tighter integration with
the leading endpoint security suites that enterprises rely on.
Is a good fit for technically savvy, forwarding-looking IT shops. Companies that are already
familiar with Cloudflare’s way of doing things will find Cloudflare Access a natural addition to
their portfolio, but new customers will face a learning curve.
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna… 12/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Figure 14
The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Cloudflare QuickCard
Topics
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
Offers strong identity provider integration as well as client and network support. Proofpoint
picked a gem when it acquired Meta for its ZTNA solution. Customers can expect good
concurrent multi-IDP integration to support third-party access, and innovative networking.
Should invest more in inline inspection. The vendor’s analytics and inline security can be
improved. Proofpoint offers its own private network for routing customer packets, but it is the
smallest of these in this evaluation.
Will be attractive for business access to enterprise web applications. Proofpoint’s mature
security support organization and superior IDP integration make it a good fit for large
enterprises with global, third-party business arrangements.
Figure 15
Proofpoint QuickCard
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna… 13/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Offers self-hosted Zero Trust network access. Juniper’s brand-new entrant in the burgeoning
The Forrester New Wave™: Zero Trust Network Access, Q3 2021
ZTNA market is actually a combination of existing security products (like the SRX firewall) and
its acquisition of 128T.
Topics
only delivers as self-hosted hardware or software. Juniper says a SaaS service is planned.
Is a fit for companies that are both on-premises and Juniper devotees. Given the self-hosted
nature of this solution and its use of SRX/vSRX as a controller, this ZTNA will find the most
favor with Juniper’s existing customers.
Figure 16
Excels with its mobile offerings. Wandera brings its heritage in mobile security and access to
ZTNA. Even though tablets and smartphones effectively force all ZTNA vendors to look like
VPNs, Wandera delivers the strongest mobile offering.
Needs to improve its desktop offering. Wandera’s Mac and Windows offering are a weakness.
The vendor also needs to integrate with major endpoint protection suites.
Is the best fit for companies where mobile ZTNA is the primary driver. Organizations with fleets
of tablets will find that Wandera provides a mature solution with the fewest headaches that
works across the different mobile operating systems.
Figure 17
Wandera QuickCard
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna… 14/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
Topics
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
Offers strong integration with Cisco multifactor authentication. Cisco’s ZTNA solution, is, in
fact, a side-effect of its Cisco Duo gateway. This means that Cisco Duo customers can utilize
the SaaS capabilities of Duo and host their access on-prem for a hybrid deployment.
Needs to leave AnyConnect behind, because ZTNA customers have. Cisco needs to offer
remote desktop functionality via Zero Trust and expand its integration for concurrent
contractor and partner identity providers. Our research for this report revealed that Cisco
AnyConnect was the most common VPN solution customers abandoned when adopting a true
ZTNA solution.
Is an appropriate choice for enterprises that have already bought into Duo. Duo is already a
significant solution in the authentication space; enterprises that have already invested in it can
stay within the Cisco ecosystem with Duo Secure Access.
Figure 18
Cisco QuickCard
Supplemental Material
The Forrester New Wave Methodology
About Forrester Reprints https://go.forrester.com/research/reprints/
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna… 15/16
5/27/22, 12:32 PM The Forrester New Wave™: Zero Trust Network Access, Q3 2021
We conducted primary research to develop a list of vendors that met our criteria for the evaluation
The Forrester New Wave™: Zero Trust Network Access, Q3 2021
and definition of this emerging market. We evaluated vendors against 10 criteria, seven of which we
basedTopics
on product functionality and three of which we based on strategy. We also reviewed market
presence. We invited the top emerging vendors in this space to participate in an RFP-style
Unchain Users From VPNs … ZTNA Evaluation Overview Vendor QuickCards Supplemental Material
demonstration and interviewed customer references. We then ranked the vendors along each of
the criteria. We used a summation of the strategy scores to determine placement on the x-axis, a
summation of the current offering scores to determine placement on the y-axis, and the market
presence score to determine marker size. We designated the top-scoring vendors as Leaders.
Integrity Policy
We conduct all our research, including Forrester New Wave evaluations, in accordance with the
Integrity Policy posted on our website.
© 2022, Forrester Research, Inc. and/or its subsidiaries. All rights reserved.
https://reprints2.forrester.com/#/assets/2/174/RES176124/report?utm_source=marketo&utm_medium=email&utm_campaign=Global-DA-EN-21-08-20-7014u000001h9xoAAA-P3-Prisma_Access-sse-start-with-ztna… 16/16