Zero Trust Solutions and Vendors
“Zero trust” is often a long, tough journey. But it doesn’t need to be, and the answer is actually simple once we separate reality from the marketing fluff of many zero trust vendors. Everyone claims to have a zero trust solution, including the top security vendors like Cisco, Palo Alto Networks, Zscaler, CrowdStrike, and Okta. This article is an overview of zero trust and an example from NetFoundry, a major new player in secure networking and the leading open source zero trust platform provider.
Zero Trust Overview
Let’s start with the problem. There are two main reasons why “zero trust” is difficult:
- Most “zero trust” solutions are not zero trust. Ironically, they trust the Internet! Trusting the Internet causes complexity and other problems.
- Most “zero trust” solutions are too broad and disruptive. They impact entire user groups or sites, backhaul everything, cause performance problems, and disrupt the WAN and firewalls. They are too broad to be effective for specific use cases such as private data center-hosted apps, third-party access, multi-cloud, IoT, APIs, and remote management.
NetFoundry’s Ziti platform helps businesses simplify the journey by taking the opposite approach of the industry’s “zero trust solutions”:
- NetFoundry does not trust the Internet. No open inbound ports. No firewall hole punching. No reliance on IP addresses or public DNS. You can choose to use federated IdPs and MFA, but you are not forced to – you use them when you decide they are appropriate. You don’t even need to trust NetFoundry itself – it is built on open source OpenZiti – so you don’t need to trust the label on the tin, or hope the black box does what it says it does.
- NetFoundry enables you to choose your path and makes it so your paths are not disruptive. Move at any level, even individual apps, such that business priorities determine the journey. Every app is routed independently – no performance-impacting backhaul tunnels. Add use cases without disrupting existing networks or firewalls. And, because NetFoundry covers use cases like APIs, remote management, IoT, private DC apps, and 3rd party access, you don’t need to cobble together an assortment of different solutions.
Let’s take a more detailed look at how NetFoundry differs from the top zero trust vendors:
NetFoundry principle #1:
Don’t trust the Internet = simpler secure networking
Unlike typical “zero trust” approaches, NetFoundry’s service enables you to not trust the Internet at all (read the “great zero trust lie” appendix to see how solutions marketed as “zero trust” actually trust the Internet). What does it mean to not trust the Internet?
- No open inbound firewall ports in front of your servers. Not 443. Not 80. No ACLs or hole-punching schemes. No pseudo-random ports. Nothing.
- Your servers are no longer exposed to the Internet, but your users consume your service from the Internet or whatever network they are on.
- With NetFoundry, each app session is authorized before it is allowed to connect on the overlay network – the ‘firewall’ moves to the origin of the app session.
- Authorization is based on strong identities (cryptographically verified certificates) and attribute-based access, rather than on IP addresses.
This distrust of the Internet is enabled by the private Ziti overlay network fabrics (self-hosted in the OpenZiti open source option, or hosted by NetFoundry or NetFoundry partners in the NetFoundry option). Authorized endpoints open outbound sessions to the private overlay network fabric; the fabric merges the sessions.
NetFoundry principle #2:
The app is the new edge = simpler secure networking
NetFoundry endpoints treat the app as the new edge. What in the world does that mean?
- Direct routing. Each app is routed independently and directly, from its source. For example, a user may be using some apps or APIs in which the servers are in a nearby private data center or edge site. Rather than first backhauling those apps or APIs to somewhere else, the NetFoundry endpoints will route those sessions directly. Meanwhile, other apps and APIs are also routed directly to other sites, according to your policies (such as latency minimization, geofencing, and interface costs).
- Your policies are in control. Not all apps need to be routed over NetFoundry. If your policy states that Netflix or YouTube should go directly to your Internet gateway, proxy, or CASB, then the NetFoundry endpoint will follow that policy.
- Your business priorities determine your path. You have full control of your zero trust path. For example, start with one app, a certain user group, specific sites, a time-sensitive use case…or some combination. It is up to you, and the rest of your users or apps will be unaffected.
- No network disruption. NetFoundry forms app-specific, microsegmented zero trust overlays. This means you run it over any WAN or Internet, without disruption. NetFoundry has endpoints in each major cloud marketplace. Spin them up in minutes using your existing DevOps and cloud orchestration tools.
- No firewall disruption. Since NetFoundry doesn’t require any open inbound ports, your firewalls are also not disrupted.
- Every use case. NetFoundry endpoints go anywhere – even inside your apps or APIs, as code (agentless). You can also use host-based agents and virtualized/containerized gateways. NetFoundry endpoints serve every use case including APIs, IoT, multi-cloud, remote management, and 3rd party access. This means you avoid piling up different solutions for different use cases.
- Combine cybersecurity and network. NetFoundry covers both sides, like an SD-WAN that is natively secure or a cybersecurity solution with an embedded overlay network.
Comparing the Top Zero Trust Vendors
The primary differences between Cisco, Palo Alto Networks, Zscaler, CrowdStrike, Okta, and NetFoundry lie in their core focuses and approaches:
- Cisco: Focuses on comprehensive security solutions for network, endpoint, and cloud security, emphasizing advanced threat protection and scalability.
- Palo Alto Networks: Known for its next-generation firewall technology and cloud security solutions, with a strong emphasis on real-time threat detection and a user-friendly interface.
- Zscaler: Specializes in cloud-native Zero Trust Network Access (ZTNA) solutions, providing secure web gateways and replacing traditional VPNs with a least-privileged access model.
- CrowdStrike: Renowned for its endpoint security expertise, leveraging a cloud-native architecture and behavioral analytics for real-time threat detection.
- Okta: Focuses on identity-centric security, offering Single Sign-On (SSO) and adaptive authentication to streamline user access management.
- NetFoundry: Distinctly emphasizes Zero Trust Networking through its platform, which avoids trusting the Internet by eliminating open inbound ports, using cryptographically verified identities, and providing flexible, app-specific microsegmentation without disrupting existing networks or firewalls. It is also the only vendor that enables companies to embed zero trust networking in their applications, eliminating the need to rely on perimeter security.
In summary, while Cisco, Palo Alto Networks, Zscaler, CrowdStrike, and Okta provide comprehensive and specialized security solutions across different aspects of network and cloud security, NetFoundry uniquely focuses on Zero Trust Networking with a strong emphasis on flexibility, software-defined overlays, embedding, and the management of secure connectivity.
Appendix: the great “zero trust” lie
Most “zero trust” implementations require everyone to authorize, even if they appear to be on a certain LAN or WAN. This is sensible—very sensible. IdPs, MFA, biometrics, certificates, and hardware roots of trust help.
But the problem is not just the robustness of the authorization step. The problem is when the authorization takes place. In most “zero trust” products, the auth still takes place after the network connection (layer 3) is established – the ports in front of the server are still open.
This also serves as an excellent litmus test to cut through vendor hype: if your team can’t use a deny-all inbound policy on your firewalls, without any ACL exceptions, then the vendor’s “zero trust” solution actually trusts the Internet.
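A way to run that litmus test on a server, as an added example that is not part of the original article or NetFoundry’s own tooling: it parses `ss -Hltn` style output and reports every TCP listener that is reachable from beyond the host itself, which is exactly what a deny-all inbound posture should leave empty. The sample output below is constructed, not captured from a real host.

```python
"""Audit a host for the 'no open inbound ports' posture the article describes.

Feed it the output of `ss -Hltn` (listening TCP sockets, header suppressed).
Any listener bound to a non-loopback address is reachable from outside the
host and therefore depends on the firewall, not on authorize-before-connect.
"""
import ipaddress

# Constructed sample in `ss -Hltn` layout: State Recv-Q Send-Q Local Peer
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 4096 [::]:3000 [::]:*
"""


def parse_local_addr(token):
    """Split an ss local-address token such as '[::1]:5432' into (host, port)."""
    host, _, port = token.rpartition(":")
    return host.strip("[]"), int(port)


def is_externally_reachable(host):
    """True unless the socket is bound to a loopback address only."""
    if host in ("*", ""):          # ss prints '*' for 'any address'
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:              # hostname or unexpected token: assume exposed
        return True


def exposed_listeners(ss_output):
    """Return (host, port) for each listener that accepts inbound connections
    from beyond the host. An empty list means the litmus test passes."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = parse_local_addr(fields[3])
        if is_externally_reachable(host):
            exposed.append((host, port))
    return exposed


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"inbound listener exposed: {host}:{port}")
```

On a host that only dials out to an overlay fabric, the list should be empty; each entry it prints is a port the firewall must defend.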
So, ironically, despite the “zero trust” moniker, the web or app server is still initially allowing (trusting) the layer 3 Internet connection, and then trying to weed out the unauthorized users. Of course, silly marketing terms aside, we do need to trust something. But in “zero trust”, we are implicitly trusting the layer 3 connection from the Internet! The result is these “zero trust” approaches are akin to letting 200,000 fans into a stadium for a World Cup soccer match, and then trying to figure out who has tickets. Except it is billions of fans (users, attackers, bots). And it is a stadium (your network) with virtually unlimited seats. And the “fans” move at the speed of light, literally.
Even under that authorize-after-connect model, the attacker will most likely be denied once it fails to authorize – the initial connection will be torn down. Unfortunately, bugs, business logic gaps, misconfigurations, and vulnerabilities enable attackers to essentially bypass this public auth gate. This means anyone or anything on the Internet can be an attacker, since everyone is allowed to connect before they are made to authorize. And that’s why the improvements that most “zero trust” solutions make on authorization are helpful but not sufficient – the authorization takes place after the initial network connection is made, which in some cases is too late. Hence, global cyber attack damage is now over $1 trillion per year. That is also why “zero trust” solutions are often incredibly complex and difficult to implement – you still need other solutions to fill the holes, giving you a new problem of figuring out how to patch everything together.