Many employees and contractors work offsite in home networks, coffee shops, hotels, and other untrusted networks. Meanwhile, many cloud applications and data repositories have also migrated outside of the centralized control of an organization’s IT environment.
IT managers seek to protect these users, devices and resources by moving the IT perimeter and rerouting all data through corporate control to prevent unauthorized access. One method to accomplish this goal is to use zero trust.
There are many zero trust solutions addressing the five key categories of Zero Trust Architecture (ZTA):
- Identity
- Devices
- Networks
- Data
- Applications and Workloads
However, for most organizations, limited budgets and IT team bandwidth will force selective adoption of ZTA and a focus on solutions that can be implemented quickly, comprehensively, and with minimal expense. Zero Trust Network Access (ZTNA) will likely be one of the easiest ways for an organization to begin adopting ZTA, so we will focus on the top low-cost turnkey ZTNA products.
This list is aimed more at small and mid-sized businesses (SMBs) seeking low-cost, easy-to-implement solutions, so larger enterprises might want to see our list of Top Zero Trust Security Solutions & Software.
Jump ahead to the top low-cost zero trust solutions:
- Appaegis
- Banyan Security
- Cloudflare
- GoodAccess
- NordLayer
- OpenVPN
- Perimeter 81
- Zentry Sentry
- Other zero trust solutions
What is Zero Trust?
The basic concepts behind ZTA were developed by Forrester Research and require an organization to treat all resources as if they are fully exposed to the internet. No users may be trusted by default, all users should be restricted to the minimum access needed, and fully comprehensive monitoring should be in place.
The firewalls and hardened security layers that used to exist only at the access point to a network now must be shifted and implemented for each endpoint, server, container, and even application. Each access request and session must start with the assumption that the user and device may be compromised and requires fresh verification.
U.S. Government agencies have received requirements to achieve zero trust security goals and many corporate executives also seek to improve their security and compliance using zero trust architecture.
Zero Trust does not require new tools or technologies to implement. Operating systems, firewalls, and other existing tools can be configured on a device-by-device or application-by-application basis to implement zero trust.
However, new ZTA-branded tools often simplify the process for IT managers to implement. Instead of a variety of different tools with overlapping or even conflicting rules, ZTA tools provide a single place to implement policies and then push those policies out to linked technologies.
IT managers define what applications, databases, servers, and networks will be available to the end user from a central management console. However, keep in mind that to implement ZTA, companies must be ready to granularly differentiate between users and devices.
Any organization that does not use the features of ZTA to provide minimum needed access simply has recreated a non-ZTA trusted network with more expensive technology.
Note: We’ve included a glossary of key zero trust terms at the bottom of this article if any need clarification.
Top Low-Cost Zero Trust Product Criteria
We reviewed many different vendors for this article and zero trust is too broad to compare or cover them all in a single article. To make this list of the top low-cost zero trust options we focused on a limited set of criteria that could provide value to the broadest range of organizations.
Vendors that made this list provide a solution that could be started very quickly, with minimal IT labor, and with no internal installation required. We focused on turn-key SaaS solutions that an IT manager could implement in a matter of hours and deploy to the entire organization.
These Zero Trust Network Access (ZTNA) products must replace or complement Virtual Private Network (VPN) access and publicly list their pricing for comparison. While many companies may offer free trials or tiers, we only list vendors that have a cost below $15 / user per month for their basic paid tier of service.
These solutions also must provide fully encrypted connections and support multi-factor authentication. These solutions should also support access to legacy IT infrastructure.
Types of Zero Trust Network Access Providers
ZTNA can be accomplished in many different ways, but a turnkey solution tends to be offered either as a browser-based solution or a global edge network solution.
Browser Based Solutions
These companies accomplish the practical equivalent of ZTNA through a secure browser. End users download the browser to their local endpoint and must use it to access corporate resources. The vendor also provides a cloud-based app that allows the IT manager to add and manage users and corporate resources in a single software package.
Global Edge Network Solutions
Vendors in the Global Edge Network category replace existing wired or software-defined network infrastructure with a cloud-based equivalent software-defined network on a subscription basis. The internet provides the wires and the vendor provides encrypted connections between the users and the protected resources.
While the details of deployment may vary, generally an agent or connector will be installed to cloud-based or on-premises resources such as servers, containers, and applications. These connectors create a secure tunnel to a Global Edge Network that can sometimes replace the need for firewall rules or DMZ architectures.
Administrators then use a SaaS management interface to select resources to make available to end users using access policies. Users then connect to the encrypted network through a standard browser or through an app.
Some vendors focus on Secure Web Gateways and others focus on cloud-based VPN Servers, but when delivering ZTNA their offerings tend to combine features of gateways, VPNs, and even CASB. Be sure to review the specific offerings of a vendor to ensure they meet the needed requirements.
The Top Zero Trust Network Access Providers
Our criteria narrowed the list down to the following companies:
- Appaegis
- Banyan Security
- Cloudflare
- GoodAccess
- NordLayer
- OpenVPN
- Perimeter 81
- Zentry Sentry
Appaegis
Appaegis Access Fabric deploys as a browser and provides a lightweight alternative to virtual desktop infrastructure (VDI). The tool provides fully logged role-based access controls (RBAC) to deliver granular security controls and tight reporting for audits.
IT managers use a cloud management portal to control agentless app access, data access permissions, and team- and role-based policies. Location-based access control, API support, and user activity logging are available in the paid tiers.
Appaegis provides four tiers of pricing that are quoted monthly, but paid annually:
- Free:
- up to 5 users, 1 network, 1 server/application, 1 GB data / month
- App MFA supported
- PII Data Detection
- Basic (all features of the Free tier plus):
- $9.95 / user / month
- up to 50 users, 50 servers/applications, 10 GB data / month
- SMS MFA supported
- User activity logging
- Application security and monitoring for OneDrive, SharePoint, Office 365, Google Workspace
- Team (all features of the Basic tier plus):
- No public price published
- up to 100 users, 100 servers/applications, 20 GB data / month
- Isolated Password Vault
- SAML support
- API Support
- Professional (all features of the Team tier plus):
- No public price published
- up to 5000 users, 1000 servers/applications, 50 GB data / month
- IdP MFA supported
- Custom Domain Name
Team and Professional tiers do not list pricing, but 14-day free trials are available for each tier.
Banyan Security
Banyan Security is a global edge network solution that provides multi-cloud, application, and service access through a real-time least-privilege solution that leverages an organization’s existing identity and security tools. The tool requires deployment of a Banyan Connector to corporate resources, set up through the Banyan Cloud Command Center, and access to the Banyan Global Edge Network.
Banyan’s Cloud Command Center policies use human-readable syntax based on user identity and device trust that integrate with corporate identity and security tools. Users then connect through a standard browser or through the optional Banyan app that also permits device registration and a catalog of available resources.
Banyan Security provides three tiers of pricing that are quoted monthly, but paid annually:
- Free:
- up to 20 users
- Auditing & reporting of access and use
- Community support (only)
- Business (all Free tier features plus):
- $5 / user / month
- Integration with enterprise SSO
- Mobile app
- Customization of trust scores
- SAML and OIDC Federation for SaaS applications
- SaaS application policies
- Defined service level agreement (SLA) and dedicated support
- Enterprise (all Business tier features plus):
- No public price published
- Self-hosted access
- Cloud resource discovery
- Integration with advanced security tools such as EDR, UEM, UEBA.
- Zero-touch install
- Tunnel options for private domains or split tunnels
- IdP passwordless authentication
- Cloak SaaS Identities and restricted app access to authorized devices
Cloudflare
The internet giant Cloudflare makes its name providing distributed hosting services for corporate websites. However, they also offer Zero Trust Services, a global edge solution that provides ZTNA, Secure Web Gateways, Private Routing to IP/Hosts, Network FaaS, HTTP/S Inspection, DNS Resolution and filters, and CASB services.
Cloudflare provides an agnostic platform that integrates with a variety of existing identity, endpoint security, and cloud applications. Cloudflare’s ZTNA can be accessed from a high-speed global edge network from over 200 cities spread out across the world.
Cloudflare provides three tiers of pricing:
- Free:
- up to 50 users
- Up to 3 network locations
- Up to 24 hours of activity logging
- Secure Web Gateway w/ recursive DNS filters
- Security categories and threat intelligence feeds
- 100+ categories for content acceptable use
- AV inspection
- CASB services
- FaaS
- Community support (only)
- Standard (all Free tier features plus):
- $7 / user / month
- Browser Isolation available for $10 per user per month
- No user limit
- Up to 20 network locations
- Up to 30 days of activity logging
- Email and chat support with a defined SLA
- Enterprise (all Standard tier features plus):
- No public price published, customized pricing billed annually
- Browser Isolation available
- Up to 250 network locations
- Up to 6 months of DNS activity logging
- Priority phone, email and chat support with defined SLA
- Logpush to SIEM/cloud storage
- Cert-based auth for IoT
- Editable IP network locations
GoodAccess
GoodAccess markets their ZTNA edge solution as cloud-based VPN-as-a-service for teams with access gateways in more than 35 cities and in 23 countries around the world. IT managers can easily create management profiles for different classifications of users and easily assign both users and resources to the classification to enable least-privileged access.
GoodAccess provides four tiers of pricing. Customers that select annual billing receive a 20% discount from the monthly-billed price:
- Free:
- up to 100 users
- Mobile and desktop client apps
- Basic threat blocking through automated detection and denial of malicious domains
- Knowledge base support (only)
- Essential (all Free tier features plus):
- $5 / user / month
- Minimum 10 users
- Dedicated gateway with static IP and an option for a backup gateway
- Dedicated private network
- Split tunneling
- 2-factor authentication
- Gateway-level access logs for compliance and security review
- Email and chat support
- Advanced (all Essential tier features plus):
- $9 / user / month
- Minimum 10 users
- 1 cloud and branch connector to an office LAN
- Identity-based network level access control
- Custom domain blocking
- SSO
- Custom domain names
- Premium (all Advanced tier features plus):
- $12 / user / month
- Minimum 20 users
- 5 cloud and branch connectors
- Backup gateway included
- Phone support and dedicated customer success manager
NordLayer
NordLayer builds on its successful NordVPN solution to offer a SASE and ZTNA turn-key solution. Available in more than 30 countries, the edge solution focuses on quick and easy installation to provide AES 256-bit encryption, threat-blocking, and MFA support for all offered levels. The solution is basically a VPN but with the additional security of fine-grained zero trust access controls set by admins.
NordLayer offers three tiers of pricing and a free trial period. Customers that select annual billing save 18-22% compared with the monthly-billed price:
- Basic:
- $9 / user / month
- Mobile and desktop client apps
- Unlimited users and license transferability
- No traffic limitations
- Centralized settings and billing
- 2-factor authentication and SSO support for Google, Azure AD, Okta and OneLogin.
- Autoconnect
- Jailbroken/Rooted device detection
- 24 / 7 live support
- Advanced (all of Basic tier features plus):
- $11 / user / month
- Dedicated server with static IP up to 1Gbps speed $50 / month / server
- IP allowlisting and Custom DNS
- Biometric MFA support
- Priority support and dedicated account management
- Custom (all of Advanced tier features plus):
- Customized solutions with customized pricing
- Premium support for custom technical implementations
OpenVPN
OpenVPN offers an option for a self-hosted VPN server, but this article focuses on the OpenVPN Cloud edge solution that does not require any server infrastructure. OpenVPN client software can be installed on Windows, macOS, and Linux.
OpenVPN supports SAML 2.0 and LDAP authentication and email- or application-based MFA. Pricing is volume-based and depends upon the number of simultaneous VPN connections per month. It is a single tier of service that can be billed monthly, or customers can save 20% by paying annually:
- Up to 3 concurrent connections are free
- 10 connections are $7.50 / connection / month
- 100 connections are $3.00 / connection / month
- 2,000 connections are $1.56 / connection / month
- Customized pricing is available for more than 2,000 connections per month.
Perimeter 81
Perimeter 81 offers turn-key ZTNA connections from over 40 global locations. Their simple administration interface offers quick and easy network development with granular user controls to define user groups, available applications, work days, devices suitable for connection, and more.
Perimeter 81 offers four tiers of service billed monthly or customers can save 20% with annual billing:
- Essentials:
- $10 / user / month
- Minimum 5 users
- $50 / month / gateway with 500 Mbps performance
- 2 applications
- 14 days of activity and audit reports
- Split tunneling
- Private DNS
- Premium (all of Essentials tier features plus):
- $15 / user / month
- Minimum 10 users
- $50 / month / gateway with 1000 Mbps performance
- 10 applications
- FaaS with up to 10 policies
- 30 days of activity and audit reports
- Always-on VPN
- DNS Filtering
- SSO support
- Premium Plus (all of Premium tier features plus):
- $20 / user / month
- Minimum 20 users
- $50 / month / gateway with 1000 Mbps performance
- 100 applications
- FaaS with up to 100 policies
- API Support
- Enterprise (all of Premium Plus tier features plus):
- Customized pricing for a customized solution
- Minimum 50 users
- $50 / month / gateway with 1000 Mbps performance
- Unlimited applications
- Unlimited FaaS policies
- 60 days of activity and audit reports
Zentry Sentry
Zentry avoids VPN troubleshooting by providing ZTNA over TLS through HTML5 browsers without any clients to download, configure or manage. The Zentry control panel permits granular control over applications and resources without VPN infrastructure or installing clients on local resources.
Zentry provides three tiers of pricing that can be paid monthly, or customers can enjoy a discount by paying annually:
- Free:
- up to 5 users, 1 site, 3 applications
- 2 weeks of activity and audit reports
- Two-factor authentication
- LDAP/AD
- Email support
- Basic (all features of the free tier plus):
- $10 / user / month
- up to 300 users, 5 sites, unlimited applications
- 1 month of activity and audit reports
- SAML/OIDC
- SSO support
- Email and phone support
- Customer success manager
- Team:
- No public price published
- Unlimited users, sites, applications and activity and audit reports
- Anomaly detection
- 24/7 email and phone support
Other Zero Trust Vendors
Many other products attempt to fill the Zero Trust Network Access niche with methods to securely connect all workers with all resources. However, there were two types of vendors that we did not consider for this article.
First, some vendors don’t list their prices on their websites so their cost could not be compared with other vendors. Some of these vendors will offer free trials and many will also have technology partners that can help explain features and drawbacks to an interested customer.
The other type of vendor was ZTNA providers that required significant installations and could not be considered turn-key. If the vendor needed cloud computers, dedicated servers, or virtual machines established we considered the threshold too high to be considered for this article.
This does not mean that our recommended vendors are the best solution for a specific organization’s needs. IT managers looking for even more options can consider these additional solutions:
- Akamai Enterprise Application Access provides a cloud-based secure web gateway that delivers real-time intelligence and detection engines to provide multi-layered security.
- Avast Business’ Secure Private Access provides a ZTNA alternative to VPN connections with their cloud-based solution.
- Axis Security’s Atmos product line delivers secure remote access, CASB, DLP, and other features. Different levels of subscriptions include different Atmos licenses to deliver different capabilities.
- Appgate offers a Software Defined Perimeter (SDP) product that provides single packet-level authorization security, microsegmentation, and continuous verification of access. Government pricing is quoted by AWS at roughly $12 per day for 25 users or roughly $15 per user per month. However, non-government customers need to go through partners and MSP resellers.
- BlackBerry’s CylanceGateway automatically enforces corporate policies across an AI-driven Zero Trust Network that also incorporates endpoint security and granular policy management.
- Cato Networks secure remote access is delivered via their SASE solution. Their solution is unusual because the billing is based upon traffic speed and throughput instead of mainly per-user fees.
- Check Point’s Harmony security solution offers endpoint security, clientless connectivity, VPN remote access, email security, mobile security, and secure internet browsing as a bundle.
- Cyolo provides a Zero Trust platform that supports a wide range of endpoints and cloud applications. It attempts to replace many different legacy tools such as CASB, MFA, ADC, NAC, VPN, and PAM with a unified security and networking tool.
- Google Cloud BeyondCorp provides ZTNA protection for organizations that can establish, secure and manage HTTPS load balancers or virtual machines on Google Cloud. While the costs are competitive with turn-key SaaS solutions, not all organizations have the ability to manage cloud resources.
- Iboss provides a Zero Trust platform that replaces VPN with a solution that delivers SASE, Browser Isolation, CASB, and DLP.
- InstaSafe provides hosted controllers and installable gateways to create fully encrypted channels for authentication and access to cloud resources, applications, and local resources. While reasonably priced at $8 / user / month, this solution also requires IT teams to install a local gateway ($35 / month / gateway), which exceeded the technical work required to make our list of solutions.
- Ivanti markets their Neurons as a cloud-based Zero Trust Access solution. Ivanti modules also support asset discovery, operational intelligence, and patch management.
- Jamf’s Wandera product provides private access, threat defense, and data policy enforcement.
- NetMotion offers a remote access solution that provides both software defined perimeter (SDP) and VPN connections to cloud-based and local resources. Their solution requires customers to install the software on self-managed local or cloud-hosted servers.
- Netskope offers SSE and SASE zero trust solutions through system integrators and service providers. Pricing for individual components (CASB, etc.) can be located on the web or through the AWS marketplace, but a single price for the zero trust package is not publicly available.
- Proofpoint offers cloud-based security products that deliver Secure Service Edge solutions such as secure access and secure remote access for contractors.
- RevBits Zero Trust Network provides a thin-client application that fully encrypts user access to corporate resources.
- Broadcom’s Symantec Secure Access Cloud provides a SaaS zero trust access solution to replace VPN technology with agentless, cloud-delivered infrastructure.
- Tempered’s Airwall solution replaces VPNs with an encrypted software defined perimeter (SDP) network. This permits microsegmentation and eliminates VPN congestion issues.
- TerraZone’s ZoneZero creates software defined perimeters that can enhance VPN services to make them zero trust networks.
- Twingate delivers a multi-step authentication process that requires at least two different components to permit communication between users and resources. Twingate’s solution requires deployment of a Docker container or native Linux service on remote networks, which is a bit more work than a turnkey solution.
- TrueFort focuses on zero trust microsegmentation, workload hardening, and file integrity monitoring.
- Trustgrid is a ZTNA platform for application development. Up to 10 users and 25 nodes cost $1,995 / month ($19.95 / user per month). It is a more expensive option, but it allows Docker containers to run and update at the edge without centralized management or architecture.
- Versa Networks launched their cloud-based Secure Access VPN-as-a-service in 2020 with a price of $7.50 per user per month. However, current SASE Services do not list prices on the website and require contacting the company or a partner for a quote.
- VMware Horizon offers a digital workspace that can provide ZTNA features. However, this product is designed to integrate with other VMware solutions and does not appear to work as a turn-key solution.
- Zscaler delivers a cloud-based ZTNA solution by routing all traffic through its cloud filters for authorization, inspection, and control. While some pricing can be found in the AWS marketplace, IT managers generally need to contact Zscaler for pricing.
Zero Trust Buying Considerations
As with all IT needs, zero trust can be implemented in many different ways. ZTNA will likely be one of the easiest methods to start adopting zero trust and organizations with constrained resources will seek vendors that provide easy adoption with minimal IT labor for support and implementation.
We analyzed many different ZTNA companies and only eight companies could be verified to provide a low-cost solution that could be implemented quickly. These solutions likely will satisfy the needs of any company with an emergency need or limited resources; however, organizations should investigate their options thoroughly before making a decision.
Glossary of Common Zero Trust Acronyms
When dealing with new technologies, vendors take short cuts and pummel potential customers with an endless barrage of acronyms. For those who want to understand these offerings, it helps to review these acronyms for clarity.
AD = Active Directory = The Microsoft-developed user management database for Windows domains.
ADC = Active Directory Controller = A server hosting and managing AD
API = Application Programming Interface = A software interface using common connectors between different software applications.
App = Application abbreviated
AWS = Amazon Web Services = the cloud services and infrastructure developed and hosted by Amazon
AV = Anti-Virus = Endpoint anti-malware software
CASB = Cloud Access Security Broker = On-prem or cloud-based security software that monitors activity and enforces security policies between users and cloud applications.
CDR = Content Disarm & Reconstruction = A security solution that inspects packets and attempts to detect and remove exploits, executable code, and malformed packets.
DaaS = Desktop-as-a-Service = A remote access service in which desktops will be hosted in the cloud and become available when a remote user logs in and launches a session.
DLP = Data Loss Prevention = Software that inspects data use to prevent data theft or loss based upon policies and user identities.
DNS = Domain Name Service (or Server) = The IT service that matches domain name requests with IP addresses. For example, when a user types google.com into a browser, a DNS server will look up the name and route the browser request to the associated IP address, perhaps 172.217.204.102. Some sites have multiple IP addresses and local DNS entries may vary.
EDR = Endpoint Detection & Response = Advanced endpoint protection that can proactively take a variety of actions in response to the detection of malware or attacker behavior.
FaaS = Firewall-as-a-Service = Firewalls set up and managed as a service.
HTML5 = Hyper Text Markup Language 5 = The modern HTML version powering the internet.
HTTP = Hypertext Transfer Protocol = Application layer protocol to transmit HTML documents between websites and end users.
HTTPS = HTTP Secure = An encrypted version of HTTP.
HTTP/S = HTTP/HTTPS abbreviated
IaaS = Infrastructure-as-a-Service = A managed service that replaces part or all of the IT infrastructure needed by an organization (networks, switches, routers, etc.).
IdP = Identity Provider = An authentication tool that provides a single set of login credentials that verify user identities across multiple platforms, networks, or applications.
IP = Internet Protocol = Often used in the context of an IP address which is the series of numbers that identify any device attached to a network.
IT = Information Technology = The technology associated with data, computers, networks, IT security, etc.
LDAP = Lightweight Directory Access Protocol = A generic term for a user management database that manages identities and access.
MFA = Multi-Factor Authentication = Multiple means by which to verify a user’s identity for authentication purposes.
NAC = Network Access Controller = A solution that inspects users and devices to verify that they have permission to access the network based upon defined policies.
OIDC = OpenID Connect = An open-source authentication protocol and part of the OAuth 2.0 framework.
PAM = Privileged Access Management = Various access control and monitoring tools and technologies used to secure access to critical information and resources.
PII = Personally Identifiable Information = Personal information for customers, employees, etc. While the definition is broad, most organizations primarily are concerned with regulated PII such as social security numbers, credit card numbers, and healthcare information.
RBI = Remote Browser Isolation = A secure browsing approach that runs the web browser inside an isolated container, separating web content from the rest of the device hosting the browser.
SaaS = Software-as-a-Service = Software licensed on a month-by-month basis typically installed and centrally managed by the software company in the cloud.
SAML = Security Assertion Markup Language = A standard used by security domains to exchange authentication and authorization identities. SAML 2.0 is the current version.
SASE = Secure Access Service Edge = A security framework developed by Gartner that converts networks and their security into cloud-delivered platforms.
SDP = Software Defined Perimeter = A network perimeter defined by software instead of wires and networking equipment.
SIEM = Security Information and Event Management = Security tool used to gather alerts and logs for investigation and analysis.
SLA = Service Level Agreement = Determines the level of service between a vendor and a customer; agreements often center on availability and reliability.
SMS = Short Message Service = A text messaging protocol
SSE = Secure Services Edge = A Gartner defined product category for cloud-based security to create safe access to websites, SaaS, and other applications.
SSO = Single Sign On = An authentication scheme that creates a trusted identity that can be passed on to other applications or websites without additional authentication.
SWG = Secure Web Gateway = A networking tool that enforces corporate acceptable use policies and protects users from web-based threats.
TLS = Transport Layer Security = A cryptographic protocol to provide secure communication over a computer network. It is incorporated into various other protocols (email, HTTPS, etc.) and replaced Secure Sockets Layer (SSL).
UEBA = User and Entity Behavior Analytics = Technology that analyzes user behavior for signs of anomalies or malicious actions.
UEM = Unified Endpoint Management = Technologies that secure and manage devices and operating systems from a single command console.
VDI = Virtual Desktop Infrastructure = Similar to DaaS, this technology provides desktops for remote access staff.
VPN = Virtual Private Network = A remote access protocol that creates an encrypted connection between an endpoint and a network.
ZTA = Zero Trust Architecture = IT infrastructure that embraces zero-trust principles.
ZTNA = Zero Trust Network Access = IT Networks (specifically) that embrace zero-trust principles.