Chad Kime, Author at IT Business Edge
https://www.itbusinessedge.com/author/chad-kime/
Feed last updated Thu, 08 Sep 2022 13:17:05 +0000

Data Lake Governance & Security Issues
https://www.itbusinessedge.com/security/data-lake-governance-security-issues/
Thu, 18 Aug 2022 19:30:07 +0000

Analysis of data fed into data lakes promises to provide enormous insights for data scientists, business managers, and artificial intelligence (AI) algorithms. However, governance and security managers must also ensure that the data lake conforms to the same data protection and monitoring requirements as any other part of the enterprise.

To enable data protection, data security teams must ensure only the right people can access the right data and only for the right purpose. To help the data security team with implementation, the data governance team must define what “right” is for each context. For an application with the size, complexity and importance of a data lake, getting data protection right is a critically important challenge.


From Policies to Processes

Before an enterprise can worry about data lake technology specifics, the governance and security teams need to review the current policies for the company. The various policies regarding overarching principles such as access, network security, and data storage will provide basic principles that executives will expect to be applied to every technology within the organization, including data lakes.

Some changes to existing policies may need to be proposed to accommodate the data lake technology, but the policy guardrails are there for a reason — to protect the organization against lawsuits, breaking laws, and risk. With the overarching requirements in hand, the teams can turn to the practical considerations regarding the implementation of those requirements.

Data Lake Visibility

The first requirement to tackle for security or governance is visibility. In order to develop any control or prove control is properly configured, the organization must clearly identify:

  • What is the data in the data lake?
  • Who is accessing the data lake?
  • What data is being accessed by whom?
  • What is being done with the data once accessed?

Different data lakes provide these answers using different technologies, but the technology can generally be classified as data classification and activity monitoring/logging.

Data classification

Data classification determines the value and inherent risk of the data to an organization. The classification determines what access might be permitted, what security controls should be applied, and what levels of alerts may need to be implemented.

The desired categories will be based upon criteria established by data governance, such as:

  • Data Source: Internal data, partner data, public data, and others
  • Regulated Data: Privacy data, credit card information, health information, etc.
  • Department Data: Financial data, HR records, marketing data, etc.
  • Data Feed Source: Security camera videos, pump flow data, etc.

The visibility into these classifications depends entirely upon the ability to inspect and analyze the data. Some data lake tools offer built-in features or additional tools that can be licensed to enhance the classification capabilities such as:

  • Amazon Web Services (AWS): AWS offers Amazon Macie as a separately enabled tool to scan for sensitive data in a repository.
  • Azure: Customers use built-in features of the Azure SQL Database, Azure Managed Instance, and Azure Synapse Analytics to assign categories, and they can license Microsoft Purview to scan for sensitive data in the dataset such as European passport numbers, U.S. social security numbers, and more.
  • Databricks: Customers can use built-in features to search and modify data (compute fees may apply).
  • Snowflake: Customers use inherent features that include some data classification capabilities to locate sensitive data (compute fees may apply).

For sensitive data or internal designations not supported by features and add-on programs, the governance and security teams may need to work with the data scientists to develop searches. Once the data has been classified, the teams will then need to determine what should happen with that data.

For example, Databricks recommends deleting personal information from the European Union (EU) that falls under the General Data Protection Regulation (GDPR). This policy would avoid future expensive compliance issues with the EU’s “right to be forgotten” that would require a search and deletion of consumer data upon each request.

Other common examples for data treatment include:

  • Data accessible for registered partners (customers, vendors, etc.)
  • Data only accessible by internal teams (employees, consultants, etc.)
  • Data restricted to certain groups (finance, research, HR, etc.)
  • Regulated data available as read-only
  • Important archival data, with no write-access permitted

The sheer size of data in a data lake can complicate categorization. Initially, data may need to be categorized by input, and teams need to make best guesses about the content until the content can be analyzed by other tools.

In all cases, once data governance has determined how the data should be handled, a policy should be drafted that the security team can reference. The security team will develop controls that enforce the written policy and develop tests and reports that verify that those controls are properly implemented.
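As an added illustration of the classification step described above (example code written for this article's topic, not code from any vendor's scanner), the Python below labels each record from two sources: the ingestion feed it arrived on, which is the "categorize by input" first pass used before content can be inspected, and patterns found in its content (a U.S. SSN shape, e-mail addresses and Luhn-validated payment card numbers). The feed names, label scheme, detection patterns and sample records are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Illustrative detectors (assumptions, not any vendor's rules): a U.S. SSN shape
# with the impossible ranges excluded, an e-mail address, and a digit run that
# may be a payment card number. Card candidates are confirmed with Luhn.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Constructed mapping from ingestion feed to governance labels: the "categorize
# by input" first pass used before the content itself can be inspected.
FEED_LABELS = {
    "hr_payroll": {"source:internal", "department:hr"},
    "partner_orders": {"source:partner"},
    "web_crawler": {"source:public"},
    "plant_sensors": {"source:internal", "feed:telemetry"},
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card candidates found in text, separators stripped."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Classification:
    labels: set = field(default_factory=set)
    findings: dict = field(default_factory=dict)  # detector name -> hit count

    @property
    def regulated(self) -> bool:
        return any(label.startswith("regulated:") for label in self.labels)


def classify_record(feed: str, record: dict) -> Classification:
    """Label one record from its feed (input) and from its content (inspection)."""
    result = Classification(labels=set(FEED_LABELS.get(feed, {"source:unknown"})))
    text = " ".join(str(v) for v in record.values())
    ssn_hits = SSN_RE.findall(text)
    email_hits = EMAIL_RE.findall(text)
    card_hits = find_card_numbers(text)
    if ssn_hits or email_hits:
        result.labels.add("regulated:pii")
    if card_hits:
        result.labels.add("regulated:pci")
    for name, hits in (("ssn", ssn_hits), ("email", email_hits), ("card", card_hits)):
        if hits:
            result.findings[name] = len(hits)
    return result


def classify_feed(feed: str, records: list) -> dict:
    """Summarise a batch: how many records carry each label."""
    counts = {}
    for record in records:
        for label in classify_record(feed, record).labels:
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample records, not real data.
SAMPLE_HR = [
    {"name": "A. Example", "ssn": "123-45-6789", "email": "a.example@example.com"},
    {"name": "B. Example", "badge": "E-2231"},
]

if __name__ == "__main__":
    print(classify_feed("hr_payroll", SAMPLE_HR))
```

The per-label counts from `classify_feed` are what a governance team would hand to the security team as the basis for a written handling policy; the Luhn check matters because a raw digit-run pattern alone would flag order numbers and sensor readings as card data and bury the real findings.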


Activity monitoring and logging

The logs and reports provided by the data lake tools provide the visibility needed to test and report on data access within a data lake. This monitoring or logging of activity within the data lake provides the key components to verify effective data controls and ensure no inappropriate access is occurring.

As with data inspection, the tools will have various built-in features, but additional licenses or third-party tools may need to be purchased to monitor the necessary spectrum of access. For example:

  • AWS: AWS CloudTrail provides a separately enabled tool to track user activity and events, and AWS CloudWatch collects logs, metrics, and events from AWS resources and applications for analysis.
  • Azure: Diagnostic logs can be enabled to monitor API (application programming interface) requests and API activity within the data lake. Logs can be stored within the account, sent to log analytics, or streamed to an event hub. And other activities can be tracked through other tools such as Azure Active Directory (access logs).
  • Google: Google Cloud DLP detects different international PII (personally identifiable information) schemes.
  • Databricks: Customers can enable logs and direct the logs to storage buckets.
  • Snowflake: Customers can execute queries to audit specific user activity.

Data governance and security managers must keep in mind that data lakes are huge and that the access reports associated with the data lakes will be correspondingly immense. Storing the records for all API requests and all activity within the cloud may be burdensome and expensive.

Detecting unauthorized usage will require granular controls, so that inappropriate access attempts generate meaningful alerts, actionable information, and a limited volume of information. The definitions of meaningful, actionable, and limited will vary based upon the capabilities of the team or the software used to analyze the logs and must be honestly assessed by the security and data governance teams.

Data Lake Controls

Useful data lakes will become huge repositories for data accessed by many users and applications. Good security will begin with strong, granular controls for authorization, data transfers, and data storage.

Where possible, automated security processes should be enabled to permit rapid response and consistent controls applied to the entire data lake.

Authorization

Authorization in data lakes works similarly to any other IT infrastructure. IT or security managers assign users to groups, groups can be assigned to projects or companies, and each of these users, groups, projects, or companies can be assigned to resources.

In fact, many of these tools will link to existing user control databases such as Active Directory, so existing security profiles may be extended to the data lake. Data governance and data security teams will need to create an association between various categorized resources within the data lake and specific groups, such as:

  • Raw research data associated with the research user group
  • Basic financial data and budgeting resources associated with the company’s internal users
  • Marketing research, product test data, and initial customer feedback data associated with the specific new product project group

Most tools will also offer additional security controls such as security assertion markup language (SAML) or multi-factor authentication (MFA). The more valuable the data, the more important it will be for security teams to require the use of these features to access the data lake data.

In addition to the classic authorization processes, the data managers of a data lake also need to determine the appropriate authorization to grant to API connections from data lakehouse software, data analysis software, and the various other third-party applications connected to the data lake.

Each data lake will have its own way to manage the APIs and authentication processes. Data governance and data security managers need to clearly outline the high-level rules and allow the data security teams to implement them.

As a best practice, many data lake vendors recommend setting up the data to deny access by default to force data governance managers to specifically grant access. Additionally, the implemented rules should be verified through testing and monitoring through the records.

Data transfers

A giant repository of valuable data only becomes useful when it can be tapped for information and insight. To do so, the data or query responses must be pulled from the data lake and sent to the data lakehouse, third-party tool, or other resource.

These data transfers must be secure and controlled by the security team. The most basic security measure requires all traffic to be encrypted by default, but some tools will allow for additional network controls such as:

  • Limit connection access to specific IP addresses, IP ranges, or subnets
  • Private endpoints
  • Specific networks
  • API gateways
  • Specified network routing and virtual network integration
  • Designated tools (Lakehouse application, etc.)
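To make the authorization and data-transfer controls above concrete, the following is an added Python example (not code from any data lake product) of a default-deny policy check: users belong to groups, groups hold explicit grants on classified resources, regulated and archival data are read-only, regulated data requires MFA, and the request's source address must fall within an allowed network before any grant is even consulted. Every decision is appended to an audit list so that repeated denials can be summarised into a compact alert, as the monitoring section recommends. All users, groups, resource names, labels and address ranges are constructed.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed directory: group memberships (in practice these come from an
# identity store such as Active Directory, as the article notes).
GROUP_MEMBERS = {
    "research": {"alice"},
    "finance": {"bob"},
    "partners": {"carol"},
}

# Constructed resources carrying the labels produced by the classification step.
RESOURCES = {
    "raw/research/*": {"source:internal"},
    "finance/budget/*": {"source:internal", "department:finance"},
    "hr/payroll/*": {"source:internal", "department:hr", "regulated:pii"},
    "archive/2019/*": {"source:internal", "archival"},
    "partner/catalog/*": {"source:partner"},
}

# Explicit grants only; any (group, resource) pair not listed is denied.
GRANTS = {
    ("research", "raw/research/*"): {"read", "write"},
    ("finance", "finance/budget/*"): {"read", "write"},
    ("finance", "hr/payroll/*"): {"read", "write"},  # write is still refused: regulated
    ("finance", "archive/2019/*"): {"read"},
    ("partners", "partner/catalog/*"): {"read"},
}

# Data-transfer control: only these source networks may pull data at all
# (constructed ranges standing in for corporate subnets or a private endpoint).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def groups_of(user: str) -> set:
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def authorize(user: str, resource: str, action: str, source_ip: str, mfa: bool = False) -> Decision:
    """Evaluate one request; every path that is not an explicit grant denies."""
    labels = RESOURCES.get(resource)
    if labels is None:
        return Decision(False, "unknown resource")
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in ALLOWED_NETWORKS):
        return Decision(False, "source network not permitted")
    regulated = any(label.startswith("regulated:") for label in labels)
    if regulated and not mfa:
        return Decision(False, "MFA required for regulated data")
    permitted = set()
    for group in groups_of(user):
        permitted |= GRANTS.get((group, resource), set())
    if action not in permitted:
        return Decision(False, "no matching grant")  # default deny
    if action == "write" and (regulated or "archival" in labels):
        return Decision(False, "read-only class: write refused")
    return Decision(True, "granted")


def access(audit_log: list, user: str, resource: str, action: str, source_ip: str, mfa: bool = False) -> Decision:
    """Authorize and record the outcome so the control can be verified from the records."""
    decision = authorize(user, resource, action, source_ip, mfa)
    audit_log.append({"user": user, "resource": resource, "action": action,
                      "ip": source_ip, "allowed": decision.allowed, "reason": decision.reason})
    return decision


def denial_alerts(audit_log: list, threshold: int = 3) -> dict:
    """Compact, actionable signal: users whose denial count reaches the threshold."""
    counts = Counter(entry["user"] for entry in audit_log if not entry["allowed"])
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    log = []
    access(log, "alice", "raw/research/*", "write", "10.4.1.9")
    access(log, "bob", "hr/payroll/*", "read", "10.4.1.9")             # denied: no MFA
    access(log, "bob", "hr/payroll/*", "read", "10.4.1.9", mfa=True)   # granted
    access(log, "bob", "hr/payroll/*", "write", "10.4.1.9", mfa=True)  # denied: regulated is read-only
    access(log, "carol", "finance/budget/*", "read", "192.168.50.7")   # denied: no grant
    access(log, "carol", "partner/catalog/*", "read", "203.0.113.5")   # denied: outside allowed networks
    for entry in log:
        print(entry)
    print(denial_alerts(log))
```

The ordering of the checks is deliberate: the network test comes first so that a request from an unapproved address never reaches the grant lookup, and the read-only rule is applied after the grant lookup so that an over-broad grant on regulated data cannot silently permit writes.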

Data storage

IT security teams often use the best practices for cloud storage as a starting point for storing data in data lakes. This makes perfect sense since the data lake will likely also be stored within the basic cloud storage on cloud platforms.

When setting up data lakes, vendors recommend setting the data lakes to be private and anonymous to prevent casual discovery. The data will also typically be encrypted at rest by default.

Some cloud vendors will offer additional options such as classified storage or immutable storage that provides additional security for stored data. When and how to use these and other cloud strategies will depend upon the needs of the organization.


Developing Secure and Accessible Data Storage

Data lakes provide enormous value by providing a single repository for all enterprise data. Of course, this also paints an enormous target on the data lake for attackers that might want access to that data!

Basic data governance and security principles should be implemented first as written policies that can be approved and verified by the non-technical teams in the organization (legal, executives, etc.). Then, it will be up to data governance to define the rules and data security teams to implement the controls to enforce those rules.

Next, each security control will need to be continuously tested and verified to confirm that the control is working. This is a cyclical, and sometimes even a continuous, process that needs to be updated and optimized regularly.

While it’s certainly important to want the data to be safe, businesses also need to make sure the data remains accessible, so they don’t lose the utility of the data lake. By following these high-level processes, security and data lake experts can help ensure the details align with the principles.


The post Data Lake Governance & Security Issues appeared first on IT Business Edge.

Data Lake Strategy Options: From Self-Service to Full-Service
https://www.itbusinessedge.com/business-intelligence/data-lake-strategy/
Mon, 08 Aug 2022 14:21:00 +0000

Data continues to grow in importance for customer insights, projecting trends, and training artificial intelligence (AI) or machine learning (ML) algorithms. In a quest to fully encompass all data sources, data researchers maximize the scale and scope of data available by dumping all corporate data into one location.

On the other hand, having all that critical data in one place can be an attractive target for hackers, who continuously probe defenses looking for weaknesses, and the penalties for data breaches can be enormous. IT security teams need a system that allows for security to differentiate between different categories of data to isolate and secure it against misuse.

Data lakes provide the current solution to maximizing data availability and protection. For large enterprises, their data managers and data security teams can choose from many different data lake vendors to suit their needs.

However, while anyone can create a data lake, not everyone will have the resources to achieve scale, extract value, and protect their resources on their own. Fortunately, vendors offer robust tools that permit smaller teams to obtain the benefits of a data lake without requiring the same resources to manage them.


What are Data Lakes?

Data lakes create a single repository for an organization’s raw data. Data feeds bring in data from databases, SaaS platforms, web crawlers, and even edge devices such as security cameras or industrial heat pumps.

Similar to a giant hard drive, data lakes also can incorporate folder structures and apply security to specific folders to limit access, read/write privileges, and deletion privileges to users and applications. However, unlike a hard drive, data lakes should be able to grow in size forever and never require a deletion of data because of space restrictions.

Data lakes support all data types, scale automatically, and support a wide range of analytics, from built-in features to external tools supported by APIs. Analytic tools can perform metadata or content searches or categorize data without changing the underlying data itself.

Self-service Data Lake Tools

Technically, if a company can fit all of its data onto a single hard drive, that is the equivalent of a data lake. However, most organizations have astronomically more data than that, and large enterprises need huge repositories.

Some organizations create their own data lakes in their own data centers. This endeavor requires much more investment in:

  • Capital expense: buildings, hardware, software, access control systems
  • Operational expense: electrical power, cooling systems, high-capacity internet/network connections, maintenance and repair costs
  • Labor expense: IT and IT security employees to maintain the hardware, physical security

Vendors in this category provide tools needed for a team to create their own data lake. Organizations choosing these options will need to supply more time, expenses, and expertise to build, integrate, and secure their data lakes.

Apache: Hadoop & Spark

The Apache open-source projects provide the basis for many cloud computing tools. To create a data lake, an organization could combine Hadoop and Spark to create the base infrastructure and then consider related projects or third-party tools in the ecosystem to build out capabilities.

Apache Hadoop provides scalable distributed processing of large data sets with unstructured or structured data content. Hadoop provides the storage solution and basic search and analysis tools for data.

Apache Spark provides a scalable open-source engine that batches data, streams data, performs SQL analytics, trains machine learning algorithms, and performs exploratory data analysis (EDA) on huge data sets. Apache Spark provides deep analysis tools for more sophisticated examinations of the data than available in the basic Hadoop deployment.

Hewlett Packard Enterprise (HPE) GreenLake

The HPE GreenLake service provides pre-integrated hardware and software that can be deployed in internal data centers or in colocation facilities. HPE handles the heavy lifting for the deployment and charges clients based upon their usage.

HPE will monitor usage and scale the deployment of the Hadoop data lake based upon need and provide support for design and deployment of other applications. This service turbo-charges a typical internal deployment of Hadoop by outsourcing some of the labor and expertise to HPE.

Cloud Data Lake Tools

Cloud data lake tools provide the infrastructure and the basic tools needed to provide a turn-key data lake. Customers use built-in tools to attach data feeds, storage, security, and APIs to access and explore the data.

After selecting options, some software packages will already be integrated into the data lake upon launch. When a customer selects a cloud option, it will immediately be ready to intake data and will not need to wait for shipping, hardware installation, software installation, etc.

However, in an attempt to maximize the customizability of the data lake, these tools tend to push more responsibility to the customer. Connecting data feeds, attaching external data analytics, or applying security will be a more manual process than with full-service solutions.

Some data lake vendors provide data lakehouse tools to attach to the data lake and provide an interface for data analysis and transfer. There may also be other add-on tools available that provide the features available in full-service solutions.

Customers can choose either the bare-bones data lake and then do more heavy lifting or pay extra for features that create the more full-service version. These vendors also tend not to encourage multi-cloud development and focus on driving more business towards their own cloud platforms.

Amazon Web Services (AWS) Data Lake

AWS provides enormous options for cloud infrastructure. Their data lake offering provides an automatically-configured collection of core AWS services to store and process raw data.

Incorporated tools permit users or apps to analyze, govern, search, share, tag, and transform subsets of data internally or with external users. Federated templates integrate with Microsoft Active Directory to incorporate existing data segregation rules already deployed internally within a company.

Google Cloud

Google offers data lake solutions that can house an entire data lake or simply help process a data lake workload from an external source (typically internal data centers). Google Cloud claims that moving from an on-premises Hadoop deployment to a Google Cloud-hosted deployment can lower costs by 54%.

Google offers its own BigQuery analytics that captures data in real-time using a streaming ingestion feature. Google supports Apache Spark and Hadoop migration, integrated data science and analytics, and cost management tools.

Microsoft Azure

Microsoft’s Azure Data Lake solution deploys Apache Spark and Apache Hadoop as fully-managed cloud offerings as well as other analytic clusters such as Hive, Storm, and Kafka. Azure Data Lake includes Microsoft solutions for enterprise-grade security, auditing, and support.

Azure Data Lake integrates easily with other Microsoft products or existing IT infrastructure and is fully scalable. Customers can define and launch a data lake very quickly and use their familiarity with other Microsoft products to intuitively navigate through options.


Full-service Data Lake Tools

Full-service data lake vendors add layers of security and user-friendly GUIs, and constrain some features in favor of ease of use. These vendors may provide additional analysis features built into their offerings to provide additional value.

Some companies cannot or strategically choose not to store all of their data with a single cloud provider. Other data managers may simply want a flexible platform or might be trying to stitch together data resources from acquired subsidiaries that used different cloud vendors.

Most of the vendors in this category do not offer data hosting; they act as vendor-agnostic data managers and promote multi-cloud data lakes. However, some of these vendors offer their own cloud solutions and a fully integrated full-service offering that can access multiple clouds or transition the data to their fully-controlled platform.

Cloudera Cloud Platform

Cloudera’s Data Platform provides unifying software to ingest and manage a data lake potentially spread across public and private cloud resources. Cloudera optimizes workloads based on analytics and machine learning and provides integrated interfaces to secure and govern platform data and metadata.

Cohesity

Cohesity’s Helios platform offers a unified platform that provides data lake and analysis capabilities. The platform may be licensed as a SaaS solution, as software for self-hosted data lakes, or for partner-managed data lakes.

Databricks

Databricks provides data lakehouse and data lake solutions built on open source technology with integrated security and data governance. Customers can explore data, build models collaboratively, and access preconfigured ML environments. Databricks works across multiple cloud vendors and manages the data repositories through a consolidated interface.

Domo

Domo provides a platform that enables a full range of data lake solutions from storage to application development. Domo augments existing data lakes or customers can host data on the Domo cloud.

IBM

IBM’s cloud-based data lakes can be deployed on any cloud and build governance, integration, and virtualization into the core principles of the solution. IBM data lakes can access IBM’s pioneering Watson AI for analysis as well as many other IBM tools for queries, scalability, and more.

Oracle

Oracle’s Big Data Service deploys a private version of Cloudera’s cloud platform and integrates with Oracle’s own Data Lakehouse solution and the Oracle cloud platform. Oracle builds on its mastery of database technology to provide strong tools for data queries, data management, security, governance, and AI development.

Snowflake

Snowflake provides a full-service data lake solution that can integrate storage and computing solutions from AWS, Microsoft, or Google. Data managers do not need to know how to set up, maintain, or support servers and networks and therefore can use Snowflake without previously establishing any cloud databases.


Choosing a Data Lake Strategy and Architecture

Data analytics continues to rise in importance as companies find more uses for wider varieties of data. Data lakes provide an option to store, manage, and analyze all data sources for an organization even as they try to figure out what is important and useful.

This article provides an overview of different strategies to deploy data lakes and different technologies available. The list of vendors is not comprehensive and new competitors are constantly entering the market.

Don’t start by selecting a vendor. Start instead with an understanding of the company resources available to support a data lake.

If the available resources are small, the company will likely need to pursue a full-service option over an in-house data center. However, many other important characteristics play a role in determining the optimal vendor, such as:

  • Business use case
  • AI compatibility
  • Searchability
  • Compatibility with data lakehouse or other data searching tools
  • Security
  • Data governance

Once established, data lakes can be moved, but this could be a very expensive proposition since most data lakes will be enormous. Organizations should take their time and try test runs on a smaller scale before they commit fully to a single vendor or platform.


The post Data Lake Strategy Options: From Self-Service to Full-Service appeared first on IT Business Edge.

Top 8 Zero Trust Network Access Products for Small Businesses
https://www.itbusinessedge.com/security/smb-zero-trust-solutions/
Wed, 29 Jun 2022 01:46:02 +0000

Many employees and contractors work offsite in home networks, coffee shops, hotels, and other untrusted networks. Meanwhile, many cloud applications and data repositories have also migrated outside of the centralized control of an organization’s IT environment.

IT managers seek to protect these users, devices and resources by moving the IT perimeter and rerouting all data through corporate control to prevent unauthorized access. One method to accomplish this goal is to use zero trust.

There are many zero trust solutions addressing the five key categories of Zero Trust Architecture (ZTA):

  • Identity
  • Devices
  • Networks
  • Data
  • Applications and Workloads

However, for most organizations, limitations of budget and IT team bandwidth will force selective adoption of ZTA and a focus on solutions that can be implemented quickly, inexpensively, and comprehensively. Zero Trust Network Access (ZTNA) will likely be one of the easiest ways for an organization to begin adopting ZTA, so we will focus on the top low-cost turnkey ZTNA products.

This list is aimed more at small and mid-sized businesses (SMBs) seeking low-cost, easy to implement solutions, so larger enterprises might want to see our list of Top Zero Trust Security Solutions & Software.


What is Zero Trust?

The basic concepts behind ZTA were developed by Forrester Research and require an organization to treat all resources as if they are fully exposed to the internet. No users may be trusted by default, all users should be restricted to the minimum access needed, and fully comprehensive monitoring should be in place.

The firewalls and hardened security layers that used to exist only at the access point to a network now must be shifted and implemented for each endpoint, server, container, and even application. Each access request and session must start with the assumption that the user and device may be compromised and requires fresh verification.

U.S. Government agencies have received requirements to achieve zero trust security goals and many corporate executives also seek to improve their security and compliance using zero trust architecture.

Zero Trust does not require new tools or technologies to implement. Operating systems, firewalls, and other existing tools can be configured on a device-by-device or application-by-application basis to implement zero trust.

However, new ZTA-branded tools often simplify implementation for IT managers. Instead of a variety of different tools with overlapping or even conflicting rules, ZTA tools provide a single place to define policies and then push those policies out to linked technologies.

IT managers define what applications, databases, servers, and networks will be available to the end user from a central management console. However, keep in mind that to implement ZTA, companies must be ready to granularly differentiate between users and devices.

Any organization that does not use the features of ZTA to provide minimum needed access simply has recreated a non-ZTA trusted network with more expensive technology.

Note: We’ve included a glossary of key zero trust terms at the bottom of this article if any need clarification. 

Top Low-Cost Zero Trust Product Criteria

We reviewed many different vendors for this article and zero trust is too broad to compare or cover them all in a single article. To make this list of the top low-cost zero trust options we focused on a limited set of criteria that could provide value to the broadest range of organizations.

Vendors that made this list provide a solution that could be started very quickly, with minimal IT labor, and with no internal installation required. We focused on turn-key SaaS solutions that an IT manager could implement in a matter of hours and deploy to the entire organization.

These Zero Trust Network Access (ZTNA) products must replace or complement Virtual Private Network (VPN) access and publicly list their pricing for comparison. While many companies may offer free trials or tiers, we only list vendors that have a cost below $15 / user per month for their basic paid tier of service.

These solutions also must provide fully encrypted connections and support multi-factor authentication. These solutions should also support access to legacy IT infrastructure.

Types of Zero Trust Network Access Providers

ZTNA can be accomplished in many different ways, but a turnkey solution tends to be offered either as a browser-based solution or a global edge network solution.

Browser Based Solutions

These companies accomplish the practical equivalent of ZTNA through a secure browser. End users download the browser to their local endpoint and must use it to access corporate resources. The vendor also provides a cloud-based app that allows the IT manager to add and manage users and corporate resources in a single software package.

Global Edge Network Solutions

Vendors in the Global Edge Network category replace existing wired or software-defined network infrastructure with a cloud-based equivalent software-defined network on a subscription basis. The internet provides the wires and the vendor provides encrypted connections between the users and the protected resources.

While the details of deployment may vary, generally an agent or connector will be installed to cloud-based or on-premises resources such as servers, containers, and applications. These connectors create a secure tunnel to a Global Edge Network that can sometimes replace the need for firewall rules or DMZ architectures.

Administrators then use a SaaS management interface to select resources to make available to end users using access policies. Users then connect to the encrypted network through a standard browser or through an app.

Some vendors focus on Secure Web Gateways and others focus on cloud-based VPN Servers, but when delivering ZTNA their offerings tend to combine features of gateways, VPNs, and even CASB. Be sure to review the specific offerings of a vendor to ensure they meet the needed requirements.
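The access model described in this section (identity asserted by an IdP, device registration and trust, location, and a per-resource policy with every decision logged for audit) as an added Python illustration; this is example code written for this article, not any listed vendor's product, and the users, devices, resources and trust buckets are constructed sample data.

```python
"""ZTNA-style per-resource access decisions (constructed illustration).
Identity (roles, MFA) comes from the IdP, device posture from the agent, and each
request is checked against a deny-by-default policy and audit-logged, unlike a VPN
that grants network-wide reach once the tunnel is up.  All data here is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Device posture buckets, least to most trusted (as an EDR/UEM feed might score them).
TRUST_ORDER = {"untrusted": 0, "low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Identity:
    user: str
    roles: FrozenSet[str]   # group claims from the IdP (SAML/OIDC assertion)
    mfa: bool               # session established with a second factor

@dataclass(frozen=True)
class Device:
    registered: bool        # enrolled through the vendor agent/app
    trust: str              # key into TRUST_ORDER
    country: str            # for location-based policy

@dataclass(frozen=True)
class Policy:
    resource: str
    allowed_roles: FrozenSet[str]
    min_trust: str = "low"
    require_mfa: bool = True
    allowed_countries: Optional[FrozenSet[str]] = None  # None = any location

@dataclass
class AccessEngine:
    policies: Dict[str, Policy] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def decide(self, ident: Identity, device: Device, resource: str) -> Tuple[bool, str]:
        """Evaluate one request; every outcome is logged, allowed or not."""
        allowed, reason = self._evaluate(ident, device, resource)
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "user": ident.user, "resource": resource,
                               "allowed": allowed, "reason": reason})
        return allowed, reason

    def _evaluate(self, ident: Identity, device: Device, resource: str) -> Tuple[bool, str]:
        policy = self.policies.get(resource)
        if policy is None:
            return False, "no policy for resource"      # deny by default
        if not (ident.roles & policy.allowed_roles):
            return False, "role not permitted"
        if policy.require_mfa and not ident.mfa:
            return False, "mfa required"
        if not device.registered:
            return False, "device not registered"
        if TRUST_ORDER[device.trust] < TRUST_ORDER[policy.min_trust]:
            return False, "device trust too low"
        if policy.allowed_countries is not None and device.country not in policy.allowed_countries:
            return False, "location not permitted"
        return True, "allowed"

def run_demo() -> Tuple[AccessEngine, Dict[str, Tuple[bool, str]]]:
    """Constructed scenario: a finance user and a general staff user on several devices."""
    payroll = Policy("payroll-app", frozenset({"finance"}), min_trust="high",
                     allowed_countries=frozenset({"US"}))
    wiki = Policy("wiki", frozenset({"staff", "finance"}), require_mfa=False)
    engine = AccessEngine(policies={p.resource: p for p in (payroll, wiki)})
    alice = Identity("alice", frozenset({"finance", "staff"}), mfa=True)
    bob = Identity("bob", frozenset({"staff"}), mfa=True)
    managed = Device(registered=True, trust="high", country="US")
    byod = Device(registered=False, trust="untrusted", country="US")
    abroad = Device(registered=True, trust="high", country="DE")
    results = {
        "alice/managed/payroll-app": engine.decide(alice, managed, "payroll-app"),
        "alice/byod/payroll-app": engine.decide(alice, byod, "payroll-app"),
        "alice/abroad/payroll-app": engine.decide(alice, abroad, "payroll-app"),
        "bob/managed/payroll-app": engine.decide(bob, managed, "payroll-app"),
        "bob/managed/wiki": engine.decide(bob, managed, "wiki"),
        "bob/managed/legacy-fileshare": engine.decide(bob, managed, "legacy-fileshare"),
    }
    return engine, results

if __name__ == "__main__":
    for request, (ok, why) in run_demo()[1].items():
        print(f"{request:30} {'ALLOW' if ok else 'DENY':5} {why}")
```

The unlisted file share is denied even for a fully trusted user, which is the deny-by-default behaviour that distinguishes per-resource ZTNA policies from a VPN's network-wide access.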

The Top Zero Trust Network Access Providers

Our criteria narrowed the list down to the following companies:

  • Appaegis
  • Banyan Security
  • Cloudflare
  • GoodAccess
  • NordLayer
  • OpenVPN
  • Perimeter 81
  • Zentry Sentry

Appaegis

Appaegis Access Fabric deploys as a browser and provides a lightweight alternative to virtual desktop infrastructure (VDI). The tool provides fully logged role-based access controls (RBAC) to provide granular security controls and tight reporting for audits.

IT managers use a cloud management portal to control agentless app access, data access permissions, and team- and role-based policies. Location-based access control, API support, and user activity logging are available in the paid tiers.

Appaegis provides four tiers of pricing that are quoted monthly, but paid annually:

  • Free:
    • up to 5 users, 1 network, 1 server/application, 1 GB data / month
    • App MFA supported
    • PII Data Detection
  • Basic (all features of the Free tier plus): 
    • $9.95 / user / month
    • up to 50 users, 50 servers/applications, 10 GB data / month
    • SMS MFA supported
    • User activity logging
    • Application security and monitoring for OneDrive, SharePoint, Office 365, Google Workspace
  • Team (all features of the Basic tier plus):
    • No public price published
    • up to 100 users, 100 servers/applications, 20 GB data / month 
    • Isolated Password Vault
    • SAML support
    • API Support
  • Professional (all features of the Team tier plus): 
    • No public price published
    • up to 5000 users, 1000 servers/applications, 50 GB data / month
    • IdP MFA supported
    • Custom Domain Name

Team and Professional tiers do not list pricing, but 14-day free trials are available for each tier.

Banyan Security

Banyan Security is a global edge network solution that provides multi-cloud, application, and service access through a real-time least-privileged solution that leverages an organization’s existing identity and security tools. The tool requires deployment of a Banyan Connector to corporate resources, set up through the Banyan Cloud Command Center, and access to the Banyan Global Edge Network.

Banyan’s Cloud Command Center policies use human-readable syntax based on user identity and device trust that integrate with corporate identity and security tools. Users then connect through a standard browser or through the optional Banyan app that also permits device registration and a catalog of available resources.

Banyan Security provides three tiers of pricing that are quoted monthly, but paid annually:

  • Free: 
    • up to 20 users
    • Auditing & reporting of access and use
    • Community support (only)
  • Business (all of free tier features plus): 
    • $5 / user / month
    • Integration with enterprise SSO
    • Mobile app
    • Customization of trust scores
    • SAML and OIDC Federation for SaaS applications
    • SaaS application policies
    • Defined service level agreement (SLA) and dedicated support
  • Enterprise (all of Business tier features plus): 
    • No public price published
    • Self-hosted access
    • Cloud resource discovery
    • Integration with advanced security tools such as EDR, UEM, UEBA.
    • Zero-touch install
    • Tunnel options for private domains or split tunnels
    • IdP passwordless authentication 
    • Cloak SaaS Identities and restricted app access to authorized devices

Cloudflare

The internet giant Cloudflare makes its name providing distributed hosting services for corporate websites. However, they also offer Zero Trust Services, a global edge solution that provides ZTNA, Secure Web Gateways, Private Routing to IP/Hosts, Network FaaS, HTTP/S Inspection, DNS Resolution and filters, and CASB services.

Cloudflare provides an agnostic platform that integrates with a variety of existing identity, endpoint security, and cloud applications. Cloudflare’s ZTNA can be accessed from a high-speed global edge network from over 200 cities spread out across the world.

Cloudflare provides three tiers of pricing:

  • Free: 
    • up to 50 users
    • Up to 3 network locations
    • Up to 24 hours of activity logging
    • Secure Web Gateway w/ recursive DNS filters
    • Security categories and threat intelligence feeds
    • 100+ categories for content acceptable use 
    • AV inspection
    • CASB services
    • FaaS
    • Community support (only)
  • Standard (all of free tier features plus): 
    • $7 / user / month
    • Browser Isolation available for $10 per user per month
    • No user limit
    • Up to 20 network locations
    • Up to 30 days of activity logging
    • Email and chat support with a defined SLA
  • Enterprise (all of Standard tier features plus): 
    • No public price published, customized pricing billed annually
    • Browser Isolation available 
    • Up to 250 network locations
    • Up to 6 months of DNS activity logging
    • Priority phone, email and chat support with defined SLA
    • Logpush to SIEM/cloud storage
    • Cert-based auth for IoT
    • Editable IP network locations

GoodAccess

GoodAccess markets their ZTNA edge solution as cloud-based VPN-as-a-service for teams with access gateways in more than 35 cities and in 23 countries around the world. IT managers can easily create management profiles for different classifications of users and easily assign both users and resources to the classification to enable least-privileged access.

GoodAccess provides four tiers of pricing. Customers that select annual billing receive a 20% discount off the monthly price:

  • Free: 
    • up to 100 users
    • Mobile and desktop client apps
    • Basic threat blocking through automated detection and denial of malicious domains
    • Knowledge base support (only)
  • Essential (all of free tier features plus): 
    • $5 / user / month
    • Minimum 10 users
    • Dedicated gateway with static IP and an option for a backup gateway
    • Dedicated private network
    • Split tunneling
    • 2-factor authentication
    • Gateway-level access logs for compliance and security review
    • Email and chat support 
  • Advanced (all of Essential tier features plus): 
    • $9 / user / month
    • Minimum 10 users
    • 1 cloud and branch connector to an office LAN
    • Identity-based network level access control
    • Custom domain blocking
    • SSO
    • Custom domain names
  • Premium (all of Advanced tier features plus): 
    • $12 / user / month
    • Minimum 20 users
    • 5 cloud and branch connectors
    • Backup gateway included
    • Phone support and dedicated customer success manager

NordLayer

NordLayer builds on its successful NordVPN solution to offer a SASE and ZTNA turn-key solution. Available in more than 30 countries, the edge solution focuses on quick and easy installation to provide AES 256-bit encryption, threat-blocking, and MFA support for all offered levels. The solution is basically a VPN but with the additional security of fine-grained zero trust access controls set by admins.

NordLayer offers three tiers of pricing and a free trial period. Customers that select annual billing save 18-22% compared with the price billed monthly:

  • Basic: 
    • $9 / user / month
    • Mobile and desktop client apps
    • Unlimited users and license transferability
    • No traffic limitations
    • Centralized settings and billing
    • 2-factor authentication and SSO support for Google, Azure AD, Okta and OneLogin.
    • Autoconnect
    • Jailbroken/Rooted device detection
    • 24 / 7 live support
  • Advanced (all of Basic tier features plus): 
    • $11 / user / month
    • Dedicated server with static IP up to 1Gbps speed $50 / month / server
    • IP allowlisting and Custom DNS
    • Biometric MFA support
    • Priority support and dedicated account management
  • Custom (all of Advanced tier features plus): 
    • Customized solutions with customized pricing
    • Premium support for custom technical implementations

OpenVPN

OpenVPN offers an option for a self-hosted VPN server, but this article focuses on the OpenVPN Cloud edge solution that does not require any server infrastructure. OpenVPN client software can be installed on Windows, macOS, and Linux.

OpenVPN supports SAML 2.0 and LDAP authentication and email- or application-based MFA. Pricing is volume based and depends upon the number of simultaneous VPN connections per month. It is a single tier of service that can be billed monthly, or customers can save 20% by paying annually:

  • Up to 3 concurrent connections are free
  • 10 connections are $7.50 / connection / month
  • 100 connections are $3.00 / connection / month
  • 2,000 connections are $1.56 / connection / month
  • Customized pricing is available for more than 2,000 connections per month.

Perimeter 81

Perimeter 81 offers turn-key ZTNA connections from over 40 global locations. Their simple administration interface offers quick and easy network development with granular user controls to define user groups, available applications, work days, devices suitable for connection, and more.

Perimeter 81 offers four tiers of service billed monthly, or customers can save 20% with annual billing:

  • Essentials: 
    • $10 / user / month
    • Minimum 5 users
    • $50 / month / gateway with 500 Mbps performance
    • 2 applications
    • 14 days of activity and audit reports
    • Split tunneling
    • Private DNS
  • Premium (all of Essentials tier features plus): 
    • $15 / user / month
    • Minimum 10 users
    • $50 / month / gateway with 1000 Mbps performance
    • 10 applications
    • FaaS with up to 10 policies
    • 30 days of activity and audit reports
    • Always-on VPN
    • DNS Filtering
    • SSO support
  • Premium Plus (all of Premium tier features plus): 
    • $20 / user / month
    • Minimum 20 users
    • $50 / month / gateway with 1000 Mbps performance
    • 100 applications
    • FaaS with up to 100 policies
    • API Support
  • Enterprise (all of Premium Plus tier features plus): 
    • Customized pricing for a customized solution
    • Minimum 50 users
    • $50 / month / gateway with 1000 Mbps performance
    • Unlimited applications
    • Unlimited FaaS policies
    • 60 days of activity and audit reports

Zentry Sentry

Zentry avoids VPN troubleshooting by providing ZTNA over TLS through HTML5 browsers without any clients to download, configure or manage. The Zentry control panel permits granular control over applications and resources without VPN infrastructure or installing clients on local resources.

Zentry provides three tiers of pricing that can be paid monthly, or customers can enjoy a discount by paying annually:

  • Free: 
    • up to 5 users, 1 site, 3 applications
    • 2 weeks of activity and audit reports
    • Two-factor authentication
    • LDAP/AD
    • Email support
  • Basic (all features of the free tier plus): 
    • $10 / user / month
    • up to 300 users, 5 sites, unlimited applications
    • 1 month of activity and audit reports
    • SAML/OIDC
    • SSO support
    • Email and phone support 
    • Customer success manager
  • Team: 
    • No public price published
    • Unlimited users, sites, applications and activity and audit reports
    • Anomaly detection
    • 24/7 email and phone support

Other Zero Trust Vendors

Many other products attempt to fill the Zero Trust Network Access niche with methods to securely connect all workers with all resources. However, there were two types of vendors that we did not consider for this article.

First, some vendors don’t list their prices on their websites, so their cost could not be compared with other vendors. Some of these vendors will offer free trials, and many will also have technology partners that can help explain features and drawbacks to an interested customer.

The other type of vendor was ZTNA providers that required significant installations and could not be considered turn-key. If the vendor needed cloud computers, dedicated servers, or virtual machines established, we considered the threshold too high to be considered for this article.

This does not mean that our recommended vendors are the best solution for a specific organization’s needs. IT managers looking for even more options can consider these additional solutions:

  • Akamai Enterprise Application Access provides a cloud-based secure web gateway that delivers real-time intelligence and detection engines to provide multi-layered security.
  • Avast Business’ Secure Private Access provides a ZTNA alternative to VPN connections with their cloud-based solution.
  • Axis Security’s Atmos product line delivers secure remote access, CASB, DLP, and other features. Different levels of subscriptions include different Atmos licenses to deliver different capabilities.
  • Appgate offers a Software Defined Perimeter (SDP) product that provides single packet-level authorization security, microsegmentation, and continuous verification of access. Government pricing is quoted by AWS at roughly $12 per day for 25 users or roughly $15 per user per month. However, non-government customers need to go through partners and MSP resellers.
  • BlackBerry’s CylanceGateway automatically enforces corporate policies across an AI-driven Zero Trust Network that also incorporates endpoint security and granular policy management.
  • Cato Networks secure remote access is delivered via their SASE solution. Their solution is unusual because the billing is based upon traffic speed and throughput instead of mainly per-user fees.
  • Check Point’s Harmony security solution offers endpoint security, clientless connectivity, VPN remote access, email security, mobile security, and secure internet browsing as a bundle.
  • Cyolo provides a Zero Trust platform that supports a wide range of endpoints and cloud applications. It attempts to replace many different legacy tools such as CASB, MFA, ADC, NAC, VPN, and PAM with a unified security and networking tool.
  • Google Cloud BeyondCorp provides ZTNA protection for organizations that can establish, secure and manage HTTPS load balancers or virtual machines on Google Cloud. While the costs are competitive with turn-key SaaS solutions, not all organizations have the ability to manage cloud resources.
  • Iboss provides a Zero Trust platform that replaces VPN with a solution that delivers SASE, Browser Isolation, CASB, and DLP.
  • InstaSafe provides hosted controllers and installable gateways to create fully encrypted channels for authentication and access to cloud resources, applications, and local resources. While reasonably priced at $8 / user / month, this solution also requires IT teams to install a local gateway ($35 / month / gateway), which exceeded the technical work required to make our list of solutions.
  • Ivanti markets their Neurons as a cloud-based Zero Trust Access solution. Ivanti modules also support asset discovery, operational intelligence, and patch management.
  • Jamf’s Wandera product provides private access and threat defense, and enforces data policies.
  • NetMotion offers a remote access solution that provides both software defined perimeter (SDP) and VPN connections to cloud-based and local resources. Their solution requires customers to install the software on self-managed local or cloud-hosted servers.
  • Netskope offers SSE and SASE zero trust solutions through system integrators and service providers. Pricing for individual components (CASB, etc.) can be located on the web or through the AWS marketplace, but a single price for the zero trust package is not publicly available.
  • Proofpoint offers cloud-based security products that deliver Secure Service Edge solutions such as secure access and secure remote access for contractors. 
  • RevBits Zero Trust Network provides a thin-client application that fully encrypts user access to corporate resources.
  • Broadcom’s Symantec Secure Access Cloud provides a SaaS zero trust access solution to replace VPN technology with agentless, cloud-delivered infrastructure.
  • Tempered’s Airwall solution replaces VPNs with an encrypted software defined perimeter (SDP) network. This permits microsegmentation and eliminates VPN congestion issues.
  • TerraZone’s ZoneZero creates software defined perimeters that can enhance VPN services to make them zero trust networks.
  • Twingate delivers a multi-step authentication process that requires at least two different components to permit communication between users and resources. Twingate’s solution requires deployment of a Docker container or native Linux service on remote networks, which is a bit more work than a turnkey solution.
  • TrueFort focuses on zero trust microsegmentation, workload hardening, and file integrity monitoring.
  • Trustgrid is a ZTNA platform for application development. Up to 10 users and 25 nodes cost $1,995 / month ($19.95 / user per month). It is a more expensive option, but it allows Docker containers to run and update at the edge without centralized management or architecture.
  • Versa Networks launched their cloud-based Secure Access VPN-as-a-service in 2020 with a price of $7.50 per user per month. However, current SASE Services do not list prices on the website and require contacting the company or a partner for a quote.
  • VMware Horizon offers a digital workspace that can provide ZTNA features. However, this product is designed to integrate with other VMware solutions and does not appear to work as a turn-key solution.
  • Zscaler delivers a cloud-based ZTNA solution by routing all traffic through its cloud filters for authorization, inspection, and control. While some pricing can be found in the AWS marketplace, IT managers generally need to contact Zscaler for pricing.

Zero Trust Buying Considerations

As with all IT needs, zero trust can be implemented in many different ways. ZTNA will likely be one of the easiest methods to start adopting zero trust and organizations with constrained resources will seek vendors that provide easy adoption with minimal IT labor for support and implementation.

We analyzed many different ZTNA companies and only eight companies could be verified to provide a low-cost solution that could be implemented quickly. These solutions likely will satisfy the needs of any company with an emergency need or limited resources; however, organizations should investigate their options thoroughly before making a decision.

Glossary of Common Zero Trust Acronyms

When dealing with new technologies, vendors take short cuts and pummel potential customers with an endless barrage of acronyms. For those who want to understand these offerings, it helps to review these acronyms for clarity.

AD = Active Directory = The Microsoft-developed user management database for Windows domains.

ADC = Active Directory Controller = A server hosting and managing AD

API = Application Programming Interface = A software interface using common connectors between different software applications.

App = Application abbreviated

AWS = Amazon Web Services = the cloud services and infrastructure developed and hosted by Amazon

AV = Anti-Virus = Endpoint anti-malware software

CASB = Cloud Access Security Broker = On-prem or cloud-based security software that monitors activity and enforces security policies between users and cloud applications.

CDR = Content Disarm & Reconstruction = A security solution that inspects packets and attempts to detect and remove exploits, executable code, and malformed packets.

DaaS = Desktop-as-a-Service = A remote access service in which desktops will be hosted in the cloud and become available when a remote user logs in and launches a session.

DLP = Data Loss Prevention = Software that inspects data use to prevent data theft or loss based upon policies and user identities.

DNS = Domain Name Service (or Server) = The IT service that matches domain name requests with IP addresses. EX: when a user types google.com into a browser, a DNS server will look up the name and route the browser request to the associated IP address, perhaps 172.217.204.102. Some sites have multiple IP addresses, and local DNS entries may vary.

EDR = Endpoint Detection & Response = Advanced endpoint protection that can proactively take a variety of actions in response to the detection of malware or attacker behavior.

FaaS = Firewall-as-a-Service = Firewalls set up and managed as a service.

HTML5 = Hyper Text Markup Language 5 = The modern HTML version powering the internet.

HTTP = Hypertext Transfer Protocol = Application layer protocol to transmit HTML documents between websites and end users.

HTTPS = HTTP Secure = An encrypted version of HTTP.

HTTP/S = HTTP/HTTPS abbreviated

IaaS = Infrastructure-as-a-Service = A managed service that replaces part or all of the IT infrastructure needed by an organization (networks, switches, routers, etc.).

IdP = Identity Provider = An authentication tool that provides a single set of login credentials that verify user identities across multiple platforms, networks, or applications.

IP = Internet Protocol = Often used in the context of an IP address which is the series of numbers that identify any device attached to a network.

IT = Information Technology = The technology associated with data, computers, networks, IT security, etc.

LDAP = Lightweight Directory Access Protocol = A generic term for a user management database that manages identities and access.

MFA = Multi-Factor Authentication = Multiple means by which to verify a user’s identity for authentication purposes.

NAC = Network Access Controller = A solution that inspects users and devices to verify that they have permission to access the network based upon defined policies.

OIDC = OpenID Connect = An open-source authentication protocol and part of the OAuth 2.0 framework.

PAM = Privileged Access Management = Various access control and monitoring tools and technologies used to secure access to critical information and resources.

PII = Personally Identifiable Information = Personal information for customers, employees, etc. While the definition is broad, most organizations primarily are concerned with regulated PII such as social security numbers, credit card numbers, and healthcare information.

RBI = Remote Browser Isolation = A secure browsing approach that runs the web browser inside an isolated container, separate from the user's device, so that web content never executes directly on the endpoint.

SaaS = Software-as-a-Service = Software licensed on a month-by-month basis typically installed and centrally managed by the software company in the cloud.

SAML = Security Assertion Markup Language = A standard used by security domains to exchange authentication and authorization identities. SAML 2.0 is the current version.

SASE = Secure Access Service Edge = A security framework developed by Gartner that converts networks and their security into cloud-delivered platforms.

SDP = Software Defined Perimeter = A network perimeter defined by software instead of wires and networking equipment.

SIEM = Security Information and Event Management = Security tool used to gather alerts and logs for investigation and analysis.

SLA = Service Level Agreement = Determines the level of service between a vendor and a customer; agreements often center on availability and reliability.

SMS = Short Message Service = A text messaging protocol

SSE = Secure Services Edge = A Gartner defined product category for cloud-based security to create safe access to websites, SaaS, and other applications.

SSO = Single Sign On = An authentication scheme that creates a trusted identity that can be passed on to other applications or websites without additional authentication.

SWG = Secure Web Gateway = A networking tool that enforces corporate acceptable use policies and protects users from web-based threats.

TLS = Transport Layer Security = A cryptographic protocol to provide secure communication over a computer network. It is incorporated into various other protocols (email, HTTPS, etc.) and replaced Secure Sockets Layer (SSL).

UEBA = User and Entity Behavior Analytics = Technology that analyzes user behavior for signs of anomalies or malicious actions.

UEM = Unified Endpoint Management = Technologies that secure and manage devices and operating systems from a single command console.

VDI = Virtual Desktop Infrastructure = Similar to DaaS, this technology provides desktops for remote access staff.

VPN = Virtual Private Network = A remote access protocol that creates an encrypted connection between an endpoint and a network.

ZTA = Zero Trust Architecture = IT infrastructure that embraces zero-trust principles.

ZTNA = Zero Trust Network Access = IT Networks (specifically) that embrace zero-trust principles.

Read next: Deploying SASE: What You Should Know to Secure Your Network

The post Top 8 Zero Trust Network Access Products for Small Businesses appeared first on IT Business Edge.
