Summative Assessment Research Project

Security Tools such as MBSA, Wireshark, Windows Backup, etc. 

• Prepare a rough outline of project proposal you would like to submit. Discuss the topic and draft project proposal with the instructor.
• Conduct further research on the topic. Make a detailed proposal. In the project proposal you should:

      a.      Introduce the topic scenario 

      b.      Describe the methodology to be adopted fro performing the test.

      c.       State the timeline for the project completion.

      d.      Include references and authorization letters 

22/03/2020

Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 1/8

Project Report Submission

Due No Due Date Points 60 Submitting a file upload
Available Mar 16 at 3am – Mar 23 at 2:59am 7 days

Submit Assignment

Summative Assessment Research Project: 60 pts.

Directions on Project:

Guidelines on Graduate Project

Following are the guidelines for your graduate project.

Selecting a Topic

Choose a project topic from one of your completed labs from the previous weeks. You may go back
through the lab content to familiarize yourself with the information required to complete your project.
Prepare a rough outline of project proposal you would like to submit. Discuss the topic and draft
project proposal with the instructor.
Conduct further research on the topic. Make a detailed proposal. In the project proposal you should:

a. Introduce the topic scenario

b. Describe the methodology to be adopted fro performing the test.

c. State the timeline for the project completion.

d. Include references and authorization letters

Working on the Project

You have to complete your project within the stipulated deadlines. Plan your project accordingly
While meeting the executives of a company in relation to your project, make sure you have
appropriate approvals and request letters from the concerned university department or company.
Make sure your instructor approves questionnaires designed for any survey in relation to the project.
You must use any data collected in course of the research, only for the approved project. You must
not share collected information with other students.
Make notes of key points during the course of research. It would save lot of time in preparation of
project report.

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 2/8

Make sure all relevant journals, magazines, papers and books are available in the university library.
Analysis is the most critical part of the project and forms basis for all findings. Make sure you make
use of appropriate statistical tools in analysis.

Writing a Project Report

Review the style guidelines for project report
The project report should not exceed 7,000 words
Abstract should be between 150-250 words
Select A4 size; page orientation should be portrait. Specify “1” margin on all sides.
Number all pages consecutively. Start every chapter on a new page.
Provide double spacing
You should use Times New Roman Font- “12” for text and “10” for footnotes. Use a larger font size
for section headings.
A project report must contain:

Content Section

a. Title Page

Preliminariesb. Table of Contents

c. Abstract

d. Introduction and background

Body of the report

e. Problem statement

f. Objectives of the project

g. Literature review

h. Methodology adopted

i. Results – project findings

j. Recommendations

k. Conclusion

l. Bibliography References

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 3/8

Research Paper (60)

m. Appendix

n. List of figures and tables

o. Index words (if required)

Be clear and precise. Express your ideas in a logical way.
Abstract should reflect the essence of the project
The introduction should provide the overview of the topic and highlight its significance
Clearly indicate the objectives of your project.
Describe all the methods used such as interviews, questionnaires in the methodology section.
Ensure that literature review is in your own words. Analyze other person’s contribution to the topic.
Identify the gaps in the literature. Emphasize on the likely contribution of your project to the existing
literature on the topic.
Describe your findings from analysis in the results section. As this is the most critical part of the
project, ensure that there are no errors in analysis. Make proper inferences from analysis and
findings.
The conclusion section should summarize your objectives, findings and learning’s from the project.
Provide useful supplementary information in the Appendix.
Avoid plagiarism. The project report should reflect your understanding of the topic. The majority of
the paper should be in your own words and reflect your own ideas.
Give credit for all referenced work. Provide appropriate citation and references for all quotations.
Ensure that papers referenced are relevant and not outdated.
Your paper should be reader friendly. Use footnotes to explain difficult terms.
Don’t use text from Wikipedia in footnotes
All tables and figures must be suitably numbered and titled. Give appropriate credit.
On completion, go through the entire project. Ensure there are no proofing errors and you have
adhered to all guidelines related to the project.

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 4/8

Criteria Ratings Pts

6.0 pts

18.0 pts

18.0 pts

Introduction 6.0 pts
Exceeds
Standards
Strong introduction
of topics key
question(s), terms,
Clearly delineates
subtopics to be
reviewed. Specific
thesis statement

3.0 pts
Meets
Standards
Conveys topic
and key
question(s).
Clearly
delineates
subtopics to be
reviewed.
General thesis
statement

2.0 pts
Needs Some
Improvement
to Meet
Standards
Coveys topic,
but not key
question(s).
Describes
subtopics to be
reviewed.
General thesis
statement.

1.0 pts
Needs
Substantial
Improvement to
Meet Standards
Does not
adequately
convey topic.
Does not describe
subtopics to be
reviewed. Lacks
adequate theses
statement.Focus and

Sequencing
18.0 pts
Exceeds
Standards
All material clearly
related to subtopic,
main topic. Strong
organization and
integration of
material within
subtopics. Strong
transitions linking
subtopics, and
main topic.

9.0 pts
Meets
Standards
All material
clearly related to
subtopic, main
topic and
logically
organized within
subtopics. Clear,
varied transitions
linking subtopics,
and main topic.

5.0 pts
Needs Some
Improvement to
Meet Standards
Most material
clearly related to
subtopic, main
topic. Material
may not be
organized within
subtopics.
Attempts to
provide variety
of transitions.

1.0 pts
Needs
Substantial
Improvement
to Meet
Standards
Little evidence
material is
logically
organized into
topic, subtopics
or related to
topic. Many
transitions are
unclear or
unsubstantiated.

Support, Citations,
and References

18.0 pts
Exceeds
Standards
Strong peer-
reviewed research
based support for
thesis, references
and citations are
thoroughly and
clearly indicated
after every quote or
an authors
statement or idea.

9.0 pts
Meets Standards
Good research
based support for
thesis, references
and citations are
adequately and
clearly indicated
after most quotes
or an authors
statement or idea.

5.0 pts
Needs Some
Improvement to
Meet Standards
Some research
based support for
thesis,
references and
citations are
inconsistently
indicated after a
few quotes or an
authors
statement or
idea.

1.0 pts
Needs
Substantial
Improvement
to Meet
Standards
limited or no
peer-
reviewed
research
based
support for
thesis,
references
and citations
are absent.

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 5/8

Criteria Ratings Pts
6.0 pts
6.0 pts
6.0 pts

—

Spelling and
Grammar

6.0 pts
Exceeds
Standards
Work has no
misspellings or
grammatical
errors.

3.0 pts
Meets
Standards
Work has 1 or 2
misspellings or
grammatical
errors

2.0 pts
Needs Some
Improvement to
Meet Standards
Work has several
misspellings or
grammatical
errors

1.0 pts
Needs
Substantial
Improvement to
Meet Standards
Work has
numerous
misspellings or
grammatical errors

Conclusion 6.0 pts
Exceeds
Standards
Strong review of key
conclusions and
integration with
thesis statement.
Insightful and
supported
discussion of impact
of the researched
material.

3.0 pts
Meets
Standards
Good review of
key conclusions
and integration
with thesis
statement. Good
discussion on
impact of
researched
material.

2.0 pts
Needs Some
Improvement
to Meet
Standards
Review of key
conclusions.
Some
integration with
thesis
statement.
Discusses
impact of
researched
material on
topic.

1.0 pts
Needs
Substantial
Improvement
to Meet
Standards
Does not
summarize
evidence with
response to
thesis
statements.
Does not
discuss the
impact of
researched
material.

Citations and
References

6.0 pts
Exceeds
Standards
All references and
citations are
correctly written
and present.

3.0 pts
Meets
Standards
One reference
or citations
missing or
incorrectly
written.

2.0 pts
Needs Some
Improvement to
Meet Standards
Two references
or citations
missing or
incorrectly
written.

1.0 pts
Needs
Substantial
Improvement to
Meet Standards
Reference and
citation errors
detract
significantly from
paper.

 1. Understand
fundamental
networking concepts,
analyze networking
protocols and
implement
established
standards to design
a robust networking
infrastructure.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations

3.0 pts
Meets
Expectations

0.0 pts
Does Not Meet
Expectations

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 6/8

Criteria Ratings Pts
—
—
—
—

 2. Assess
potential
vulnerabilities and
threats to network
infrastructure, predict
the implication of
network security
breaches and
analyze the available
countermeasures.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations

0.0 pts
Does Not Meet
Expectations

 3. Examine
different network
security
mechanisms,
analyze available
security controls and
develop strategies to
implement and
configure these
controls.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

 4. Understand the
role of network
security policies, and
develop
comprehensive
policies that help in
protecting network
infrastructure.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

 5. Understand the
working of various
networking devices,
and develop
strategies for secure
configuration of
these devices.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 7/8

Criteria Ratings Pts
—
—
—
—

 6. Identify security
issues with operating
systems and
network-based
applications, analyze
the common
vulnerabilities and
implement best
practices to harden
networks.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

 7. Analyze
cryptography
algorithms and
encryption
techniques, and
design
implementation
strategies for privacy
and security of
information.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

 8. Compare and
contrast various
network security
tools, and make
decisions to deploy
proper security tools
based on evidence,
information, and
research.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

 9. Evaluate
physical security
mechanisms,
examine the issues
and recommend the
countermeasures to
safeguard the
network
infrastructure.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 8/8

Total Points: 60.0

Criteria Ratings Pts
—

 10. Examine the
impact of an incident
in the network and
develop policies,
processes, and
guidelines for
incident handling and
disaster recovery.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

22/03/2020

Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 1/8

Project Report Submission

Due No Due Date Points 60 Submitting a file upload
Available Mar 16 at 3am – Mar 23 at 2:59am 7 days

Submit Assignment

Summative Assessment Research Project: 60 pts.

Directions on Project:

Guidelines on Graduate Project

Following are the guidelines for your graduate project.

Selecting a Topic

Choose a project topic from one of your completed labs from the previous weeks. You may go back
through the lab content to familiarize yourself with the information required to complete your project.
Prepare a rough outline of project proposal you would like to submit. Discuss the topic and draft
project proposal with the instructor.
Conduct further research on the topic. Make a detailed proposal. In the project proposal you should:

a. Introduce the topic scenario

b. Describe the methodology to be adopted fro performing the test.

c. State the timeline for the project completion.

d. Include references and authorization letters

Working on the Project

You have to complete your project within the stipulated deadlines. Plan your project accordingly
While meeting the executives of a company in relation to your project, make sure you have
appropriate approvals and request letters from the concerned university department or company.
Make sure your instructor approves questionnaires designed for any survey in relation to the project.
You must use any data collected in course of the research, only for the approved project. You must
not share collected information with other students.
Make notes of key points during the course of research. It would save lot of time in preparation of
project report.

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 2/8

Make sure all relevant journals, magazines, papers and books are available in the university library.
Analysis is the most critical part of the project and forms basis for all findings. Make sure you make
use of appropriate statistical tools in analysis.

Writing a Project Report

Review the style guidelines for project report
The project report should not exceed 7,000 words
Abstract should be between 150-250 words
Select A4 size; page orientation should be portrait. Specify “1” margin on all sides.
Number all pages consecutively. Start every chapter on a new page.
Provide double spacing
You should use Times New Roman Font- “12” for text and “10” for footnotes. Use a larger font size
for section headings.
A project report must contain:

Content Section

a. Title Page

Preliminariesb. Table of Contents

c. Abstract

d. Introduction and background

Body of the report

e. Problem statement

f. Objectives of the project

g. Literature review

h. Methodology adopted

i. Results – project findings

j. Recommendations

k. Conclusion

l. Bibliography References

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 3/8

Research Paper (60)

m. Appendix

n. List of figures and tables

o. Index words (if required)

Be clear and precise. Express your ideas in a logical way.
Abstract should reflect the essence of the project
The introduction should provide the overview of the topic and highlight its significance
Clearly indicate the objectives of your project.
Describe all the methods used such as interviews, questionnaires in the methodology section.
Ensure that literature review is in your own words. Analyze other person’s contribution to the topic.
Identify the gaps in the literature. Emphasize on the likely contribution of your project to the existing
literature on the topic.
Describe your findings from analysis in the results section. As this is the most critical part of the
project, ensure that there are no errors in analysis. Make proper inferences from analysis and
findings.
The conclusion section should summarize your objectives, findings and learning’s from the project.
Provide useful supplementary information in the Appendix.
Avoid plagiarism. The project report should reflect your understanding of the topic. The majority of
the paper should be in your own words and reflect your own ideas.
Give credit for all referenced work. Provide appropriate citation and references for all quotations.
Ensure that papers referenced are relevant and not outdated.
Your paper should be reader friendly. Use footnotes to explain difficult terms.
Don’t use text from Wikipedia in footnotes
All tables and figures must be suitably numbered and titled. Give appropriate credit.
On completion, go through the entire project. Ensure there are no proofing errors and you have
adhered to all guidelines related to the project.

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 4/8

Criteria Ratings Pts

6.0 pts

18.0 pts

18.0 pts

Introduction 6.0 pts
Exceeds
Standards
Strong introduction
of topics key
question(s), terms,
Clearly delineates
subtopics to be
reviewed. Specific
thesis statement

3.0 pts
Meets
Standards
Conveys topic
and key
question(s).
Clearly
delineates
subtopics to be
reviewed.
General thesis
statement

2.0 pts
Needs Some
Improvement
to Meet
Standards
Coveys topic,
but not key
question(s).
Describes
subtopics to be
reviewed.
General thesis
statement.

1.0 pts
Needs
Substantial
Improvement to
Meet Standards
Does not
adequately
convey topic.
Does not describe
subtopics to be
reviewed. Lacks
adequate theses
statement.Focus and

Sequencing
18.0 pts
Exceeds
Standards
All material clearly
related to subtopic,
main topic. Strong
organization and
integration of
material within
subtopics. Strong
transitions linking
subtopics, and
main topic.

9.0 pts
Meets
Standards
All material
clearly related to
subtopic, main
topic and
logically
organized within
subtopics. Clear,
varied transitions
linking subtopics,
and main topic.

5.0 pts
Needs Some
Improvement to
Meet Standards
Most material
clearly related to
subtopic, main
topic. Material
may not be
organized within
subtopics.
Attempts to
provide variety
of transitions.

1.0 pts
Needs
Substantial
Improvement
to Meet
Standards
Little evidence
material is
logically
organized into
topic, subtopics
or related to
topic. Many
transitions are
unclear or
unsubstantiated.

Support, Citations,
and References

18.0 pts
Exceeds
Standards
Strong peer-
reviewed research
based support for
thesis, references
and citations are
thoroughly and
clearly indicated
after every quote or
an authors
statement or idea.

9.0 pts
Meets Standards
Good research
based support for
thesis, references
and citations are
adequately and
clearly indicated
after most quotes
or an authors
statement or idea.

5.0 pts
Needs Some
Improvement to
Meet Standards
Some research
based support for
thesis,
references and
citations are
inconsistently
indicated after a
few quotes or an
authors
statement or
idea.

1.0 pts
Needs
Substantial
Improvement
to Meet
Standards
limited or no
peer-
reviewed
research
based
support for
thesis,
references
and citations
are absent.

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 5/8

Criteria Ratings Pts
6.0 pts
6.0 pts
6.0 pts

—

Spelling and
Grammar

6.0 pts
Exceeds
Standards
Work has no
misspellings or
grammatical
errors.

3.0 pts
Meets
Standards
Work has 1 or 2
misspellings or
grammatical
errors

2.0 pts
Needs Some
Improvement to
Meet Standards
Work has several
misspellings or
grammatical
errors

1.0 pts
Needs
Substantial
Improvement to
Meet Standards
Work has
numerous
misspellings or
grammatical errors

Conclusion 6.0 pts
Exceeds
Standards
Strong review of key
conclusions and
integration with
thesis statement.
Insightful and
supported
discussion of impact
of the researched
material.

3.0 pts
Meets
Standards
Good review of
key conclusions
and integration
with thesis
statement. Good
discussion on
impact of
researched
material.

2.0 pts
Needs Some
Improvement
to Meet
Standards
Review of key
conclusions.
Some
integration with
thesis
statement.
Discusses
impact of
researched
material on
topic.

1.0 pts
Needs
Substantial
Improvement
to Meet
Standards
Does not
summarize
evidence with
response to
thesis
statements.
Does not
discuss the
impact of
researched
material.

Citations and
References

6.0 pts
Exceeds
Standards
All references and
citations are
correctly written
and present.

3.0 pts
Meets
Standards
One reference
or citations
missing or
incorrectly
written.

2.0 pts
Needs Some
Improvement to
Meet Standards
Two references
or citations
missing or
incorrectly
written.

1.0 pts
Needs
Substantial
Improvement to
Meet Standards
Reference and
citation errors
detract
significantly from
paper.

 1. Understand
fundamental
networking concepts,
analyze networking
protocols and
implement
established
standards to design
a robust networking
infrastructure.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations

3.0 pts
Meets
Expectations

0.0 pts
Does Not Meet
Expectations

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 6/8

Criteria Ratings Pts
—
—
—
—

 2. Assess
potential
vulnerabilities and
threats to network
infrastructure, predict
the implication of
network security
breaches and
analyze the available
countermeasures.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations

0.0 pts
Does Not Meet
Expectations

 3. Examine
different network
security
mechanisms,
analyze available
security controls and
develop strategies to
implement and
configure these
controls.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

 4. Understand the
role of network
security policies, and
develop
comprehensive
policies that help in
protecting network
infrastructure.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

 5. Understand the
working of various
networking devices,
and develop
strategies for secure
configuration of
these devices.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 7/8

Criteria Ratings Pts
—
—
—
—

 6. Identify security
issues with operating
systems and
network-based
applications, analyze
the common
vulnerabilities and
implement best
practices to harden
networks.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

 7. Analyze
cryptography
algorithms and
encryption
techniques, and
design
implementation
strategies for privacy
and security of
information.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

 8. Compare and
contrast various
network security
tools, and make
decisions to deploy
proper security tools
based on evidence,
information, and
research.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

 9. Evaluate
physical security
mechanisms,
examine the issues
and recommend the
countermeasures to
safeguard the
network
infrastructure.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

22/03/2020 Project Report Submission

https://eccouncil.instructure.com/courses/476/assignments/13810 8/8

Total Points: 60.0

Criteria Ratings Pts
—

 10. Examine the
impact of an incident
in the network and
develop policies,
processes, and
guidelines for
incident handling and
disaster recovery.
threshold: 3.0 pts

5.0 pts
Exceeds
Expectations
3.0 pts
Meets
Expectations
0.0 pts
Does Not Meet
Expectations

Market Guide for Zero Trust Network Access
Published: 29 April 2019 ID: G00386774

Analyst(s): Steve Riley, Neil MacDonald, Lawrence Orans

Zero trust network access replaces traditional technologies, which require
companies to extend excessive trust to employees and partners to connect
and collaborate. Security and risk management leaders should plan pilot
ZTNA projects for employee/partner-facing applications.

Key Findings
■ Digital business transformation requires that systems, services, APIs, data and processes be

accessible through multiple ecosystems anywhere, anytime, from any device over the internet.
This expands the surface area for attackers to target.

■ Secure access capabilities must evolve to the cloud, where the users are and where
applications and services are moving. Many software-defined perimeter offerings are cloud-
based.

■ IP addresses and location are no longer practical to establish sufficient trust for network
access.

■ Zero trust network access provides adaptive, identity-aware, precision access. Removing
network location as a position of advantage eliminates excessive implicit trust.

■ ZTNA improves flexibility, agility and scalability, enabling digital ecosystems to work without
exposing services directly to the internet, reducing risks of distributed denial of service attacks.

■ Although virtual private network replacement is a common driver for the adoption of ZTNA,
ZTNA can also offer a solution for allowing unmanaged devices to securely access applications.

Recommendations
Security and risk management leaders responsible for secure network access should:

■ Go beyond using IP addresses and network location as a proxy for access trust. Use ZTNA for
application-level access only after sufficient user and device authentication.

■ Replace designs for employee- and partner-facing applications that expose services to direct
internet connections. Pilot a ZTNA deployment using a digital business service that needs to be
accessible to partners as a use case.

■ Phase out legacy VPN-based access for high-risk use cases and begin phasing in ZTNA. This
reduces the ongoing need to support widely deployed VPN clients and introduces clientless
identity- and device-aware access. Support unmanaged devices for employees.

■ Choose ZTNA products/services that expand identity assurance beyond a single factor, which is
an important supplement to the ZTNA principle of context-based/adaptive access control.

Strategic Planning Assumptions

By 2022, 80% of new digital business applications opened up to ecosystem partners will be
accessed through zero trust network access (ZTNA).

By 2023, 60% of enterprises will phase out most of their remote access virtual private networks
(VPNs) in favor of ZTNA.

By 2023, 40% of enterprises will have adopted ZTNA for other use cases described in this research.

Market Definition

ZTNA, which is also known as a software-defined perimeter (SDP), creates an identity- and context-
based, logical-access boundary around an application or set of applications. The applications are
hidden from discovery, and access is restricted via a trust broker to a set of named entities. The
broker verifies the identity, context and policy adherence of the specified participants before
allowing access. This removes the application assets from public visibility and significantly reduces
the surface area for attack.

Market Description

The old security mindset of “inside means trusted” and “outside means untrusted” is broken in the
world of digital business, which requires anywhere, anytime, any device access to services that may
not be located “inside” an on-premises data center. Similarly, the old model expects all
programmers to be security engineers, building intrinsically secure networked applications, and
incorporating sophisticated authentication and access controls. That does not scale today.

The new model presents an approach in which a trust broker mediates connections between
applications and users. ZTNA abstracts away and centralizes the security mechanisms so that the
security engineers and staff can be responsible for them. ZTNA starts with a default deny posture of
zero trust. It grants access based on identity, plus other attributes and context (such as time/date,
geolocation and device posture), and adaptively offers the appropriate trust required at the time.
The result is a more resilient environment with improved flexibility and better monitoring. ZTNA will
appeal to organizations looking for adaptive and secure ways to connect and collaborate with their
digital business ecosystem, remote workers and partners.

ZTNA provides controlled access to resources, reducing the surface area for attack. The isolation
afforded by ZTNA improves connectivity, removing the need to directly expose applications to the

Page 2 of 15 Gartner, Inc. | G00386774

internet. The internet becomes an untrusted transport and access to applications occurs through an
intermediary. The intermediary can be a cloud service controlled by a third-party provider or a self-
hosted service. In either case, incoming traffic to applications always passes through the
intermediary after users have successfully authenticated to it.

In many cases, entity behavior is continuously monitored for abnormal activity, as described in
Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) framework (see “Zero Trust Is
an Initial Step on the Roadmap to CARTA”). In a sense, ZTNA creates individualized “virtual
perimeters” that encompass only the user, the device and the application. ZTNA normalizes the user
experience, removing the access distinctions that exist when on, versus off, the corporate network.

Market Direction

The ZTNA notion has been gaining momentum since an initial specification for software-defined
perimeters (SDP) was introduced at the Cloud Security Alliance Summit in 2014. The initial SDP
specification addressed web-based applications only, and updates to the specification have lagged,
but they are expected later in 2019. Commercial products roughly based on this initial specification
are available, as are products based on Google’s BeyondCorp zero trust networking vision — also
limited to web-enabled applications only. In addition, a large number of alternative commercial
products using other approaches that are not limited to web applications have entered the market.

The ZTNA market is still nascent, but it’s growing quickly. It has piqued the interest of organizations
seeking a more flexible alternative to VPNs and those seeking more precise access and session
control to applications located on-premises and in the cloud. ZTNA vendors continue to attract
venture capital funding. This, in turn, encourages new startups to enter the market and seek ways to
differentiate. Merger and acquisition (M&A) activity in this market has begun, with three startup
vendors now having been acquired by larger networking, telecommunications and security vendors.

Although ZTNA offerings differ in their technical approaches, they provide generally the same
fundamental value proposition:

■ Removing applications and services from direct visibility on the public internet.

■ Enabling precision (“just in time” and “just enough”) access for named users to specific
applications only after an assessment of the identity, device health (highly encouraged) and
context has been made.

■ Enabling access independent of the user’s physical location or the device’s IP address (except
where policy prohibits — e.g., for specific areas of the world). Access policies are based on
user, device and application identities.

■ Granting access only to the specific application, not the underlying network. This limits the need
for excessive access to all ports and protocols or all applications, some of which the user may
not be entitled to.

■ Providing end-to-end encryption of network communications.

Gartner, Inc. | G00386774 Page 3 of 15

https://cloudsecurityalliance.org/artifacts/sdp-specification-v1-0/

https://www.beyondcorp.com/

■ Providing optional inspection of the traffic stream for excessive risks in the form of sensitive
data handling and malware.

■ Enabling optional monitoring of the session for indications of unusual activity, duration or
bandwidth requirements.

■ Providing a consistent user experience for accessing applications — clientless or via a ZTNA
client regardless of network location.

Gartner has identified different approaches vendors have adopted as they develop products and
services for the market.

Client-Initiated ZTNA

These offerings more closely follow the original Cloud Security Alliance (CSA) SDP specification. An
agent installed on authorized devices sends information about its security context to a controller.
The controller prompts the user on the device for authentication and returns a list of allowed
applications. After the user and device are authenticated, the controller provisions connectivity from
the device through a gateway that shields services from direct internet access. The shielding
protects applications from distributed denial of service (DDoS) attacks.

Some products remain in the data path once the controller establishes connectivity; others remove
themselves. This approach is difficult, if not impossible, to implement on an unmanaged device, due
to the requirement to install an agent. In some cases, a third-party mobile threat defense (MTD)
product — which users may be more willing to accept than full device management — can provide
a posture assessment to the trust broker. (See Figure 1 for a conceptual model.)

Figure 1. Conceptual Model of Client-Initiated ZTNA

Page 4 of 15 Gartner, Inc. | G00386774

Service-Initiated ZTNA

These models more closely follow the Google BeyondCorp vision. A connector installed in the same
network as the application establishes and maintains an outbound connection to the provider’s
cloud. Users authenticate to the provider to access protected applications. The provider then
typically authenticates to an enterprise identity management product. Application traffic passes
through the provider’s cloud, which provides isolation from direct access via a proxy. Enterprise
firewalls require no openings for inbound traffic. However, the provider’s network becomes another
element of network security that must be evaluated.

The advantage of this model is that no agent is required on the end user’s device, making it an
attractive approach for unmanaged devices. The disadvantage is that the application’s protocols
must be based on HTTP/HTTPS, limiting the approach to web applications and protocols such as
Secure Shell (SSH) or Remote Desktop Protocol (RDP) over http. (See Figure 2 for a conceptual
model.)

Figure 2. Conceptual Model of Service-Initiated ZTNA

Some vendors offer both alternatives. This provides enterprises with the ability to mix and match, as
needed, to address specific use cases.

Market Analysis

The internet was designed to connect things easily, not to block connections. The internet uses
inherently weak identifiers (specifically, IP addresses) to connect. If you have an IP address and a
route, you can connect and communicate to other IP addresses, which were never designed to be
authentication mechanisms. The messy problem of authentication is handled by higher levels of the

Gartner, Inc. | G00386774 Page 5 of 15

stack, typically the OS and application layers. For network connectivity, this default allow posture
creates an excessive amount of implicit trust.

Attackers abuse this trust. The first companies that connected to the public internet quickly found
out that they needed a demarcation point where their internal network connected to the internet.
This ultimately created what has become a multibillion dollar market for perimeter firewalls.
Networked systems on the inside were “trusted” and free to communicate with each other. External
systems were “untrusted” and communications with the outside, inbound or outbound, were
blocked by default. If needs arose for communication with the outside, these required a series of
exceptions (i.e., holes) in the firewall, which were difficult and cumbersome to maintain and monitor.

This trusted/untrusted network security model is a relatively coarse and crude control, but it was
initially effective. However, it creates excessive trust (on the inside) that is abused by attackers from
the outside (once they penetrate the defenses and reach the inside). When external access to our
systems and services is needed, we typically do one of two things. For some users, we create a
VPN to allow the user to pass through the firewall and connect to the internal network. Once
“inside,” the VPN connection is treated as trusted.

Alternatively, we place the front end to the service in a segmented part of the network with direct
internet connectivity — referred to as a demilitarized zone (DMZ) — so users can access it. Both
alternatives create excessive trust and do little to restrict lateral movement, resulting in latent risk. In
the case of VPNs, attackers with credentialed access now have access to our networks. (The Target
HVAC breach is an example.) Likewise, if the service is exposed in the DMZ, anyone on the internet
— including all the attackers — can see it as well, even if it is protected by a web application firewall
(WAF).

Excessive network trust leads to excessive latent risk. This will inevitably be exploited, leading to
breaches and bringing legal, financial and regulatory exposure. Network connectivity (even the right
to “ping” or see a server) should not be an entitlement; it should be earned based on trust. Gartner
believes the time has come to isolate services and applications from the dangers of the public
internet, and to provide compartmentalized access only to required applications in any given
context. The tremendous increase in the number of internet-connected services, and the growing
likelihood that services and users could be located at virtually any IP address, exacerbate the
weaknesses of the old model.

Benefits and Uses

The benefits of ZTNA are immediate. Similar to a traditional VPN, services brought within the ZTNA
environment are no longer visible on the public internet and, thus, are shielded from attackers. In
addition, ZTNA brings significant benefits in user experience, agility, adaptability and ease of policy
management. For cloud-based ZTNA offerings, scalability and ease of adoption are additional
benefits. ZTNA enables digital business transformation scenarios that are ill-suited to legacy access
approaches. As a result of digital transformation efforts, most enterprises will have more
applications, services and data outside their enterprises than inside. Cloud-based ZTNA services
place the security controls where the users and applications are — in the cloud. Some of the larger
ZTNA vendors have invested in dozens of points of presence worldwide for low-latency user/device
access.

Page 6 of 15 Gartner, Inc. | G00386774

Several use cases lend themselves to ZTNA:

■ Opening applications and services to collaborative ecosystem members, such as distribution
channels, suppliers, contractors or retail outlets, without requiring a VPN or DMZ. Access is
more tightly coupled to applications and services.

■ Normalizing the user experience for application access — ZTNA eliminates the distinction
between being on and off the corporate network.

■ Carrying encryption all the way to the endpoints for scenarios where you don’t trust the carrier
or cloud provider.

■ Providing application-specific access for IT contractors and remote or mobile employees as an
alternative to VPN-based access.

■ Extending access to an acquired organization during M&A activities, without having to configure
site-to-site VPN and firewall rules.

■ Permitting users in potentially dangerous areas of the world to interact with applications and
data in ways that reduce or eliminate the risks that originate in those areas — pay attention to
requirements for strong identity and endpoint protection.

■ Isolating high-value enterprise applications within the network or cloud to reduce insider threats
and affect separation of duties for administrative access.

■ Authenticating users on personal devices — ZTNA can improve security and simplify bring your
own device (BYOD) programs by reducing full management requirements and enabling more-
secure direct application access.

■ Creating secure enclaves of Internet of Things (IoT) devices or a virtual-appliance-based
connector on the IoT network segment for connection.

■ Cloaking systems on hostile networks, such as systems that would otherwise face the public
internet, used for collaboration.

■ Enabling SaaS applications to connect back to enterprise systems and data for processes that
require SaaS applications to interact with enterprise on-premises or infrastructure as a service
(IaaS)-based services.

Risks

Although ZTNA greatly reduces overall risks, it doesn’t eliminate every risk completely, as these
examples illustrate:

■ The trust broker could become a single point of any kind of failure. Fully isolated applications
using ZTNA will stop working when the ZTNA service is down. Well-designed ZTNA services
include physical and geographic redundancy with multiple entry and exit points to minimize the
likelihood of outages affecting overall availability. Furthermore, a vendor’s SLA (or lack thereof)
can be an indicator of how robust it views their offering. Favor vendors with SLAs that minimize
business disruptions.

Gartner, Inc. | G00386774 Page 7 of 15

■ Attackers could attempt to compromise the trust broker system. Although unlikely, the risk isn’t
zero. ZTNA services built on public clouds or major internet carriers benefit from the provider’s
strong tenant isolation mechanisms. Nevertheless, collapse of the tenant isolation would allow
an attacker to penetrate the systems of the vendor’s customers and move laterally within and
between them. A compromised trust broker should fail over to a redundant one immediately. If it
can’t, then it should fail closed — that is, if it can’t deflect abuse, it should disconnect from the
internet. Favor vendors who adopt this stance.

■ Compromised user credentials could allow an attacker on the local device to observe and
exfiltrate information from the device. ZTNA architectures that combine device authentication
with user authentication contain this threat to a degree, stopping the attack from propagating
beyond the device itself. We suggest that, wherever possible, stronger authentication for access
be used.

■ Some ZTNA vendors have chosen to focus their developments on supporting web application
protocols only (HTTP/HTTPS). Carrying legacy applications and protocols through a ZTNA
service could prove to be more difficult.

■ The market is in flux, and smaller vendors could disappear or be acquired.

Evaluation Factors

When evaluating ZTNA technologies, here are the key questions to ask:

■ Does the vendor require that an endpoint agent be installed? What OSs are supported? What
mobile devices? How well does the agent behave in the presence of other agents?

■ Does the offering support single packet authentication (SPA) as an initial form of identity
verification to the trust broker? SPA allows the broker to ignore any attempts to communicate,
unless the first attempt contains a specialized, encrypted packet.

■ Does the offering provide the ability to perform a security posture assessment of the device (OS
version, patch levels, password and encryption policies, etc.), without requiring a unified
endpoint management (UEM) tool? Is any option provided for achieving this on unmanaged
devices?

■ Does the offering integrate with UEM providers, or can the local agent determine device health
and security posture as a factor in the access decision? What UEM vendors has the ZTNA
vendor partnered with?

■ What authentication standards does the trust broker support? Is integration with an on-
premises directory or cloud-based identity services available? Does the trust broker integrate
with the organization’s existing identity provider? Does the trust broker support common
options for multifactor authentication (MFA)? Can the provider enforce strong user
authentication for administrators?

■ Is there user and entity behavior analytics (UEBA) functionality that can identify when something
anomalous happens within the ZTNA-protected environment?

Page 8 of 15 Gartner, Inc. | G00386774

■ Some ZTNA products are delivered partly or wholly as cloud-based services. Does this meet the
organization’s security and residency requirements? Has the vendor undergone one or more
third-party attestations, such as SOC 2 or ISO 27001?

■ How geographically diverse are the vendor’s entry and exit points (referred to as edge locations
and/or points of presence) worldwide? What edge/physical infrastructure providers or
colocation facilities does the vendor use?

■ What is the vendor’s technical behavior when the ZTNA service comes under sustained attack?
Does the service fail closed (thus blocking digital business partners from accessing enterprise
services) or does the service fail open? Is it possible to selectively choose fail-closed or fail-
open for specific enterprise applications? If fail-open is a requirement, don’t forget to add in
other layers of defense to protect applications no longer shielded by the ZTNA service.

■ Does the offering support only web applications, or can legacy applications also gain the same
security advantages?

■ What algorithms and key lengths has the vendor chosen? What third-party certifications has the
vendor obtained? Does the vendor’s product description demonstrate an understanding of
contemporary cryptographic practices, or is it laced with too-good-to-be-true crypto “snake
oil”?

■ After the user and device pass authentication, does the trust broker remain resident in the data
path? This approach deserves consideration. Trust brokers that remain in the data path offer
greater visibility and can monitor for unusual and suspicious activities. They could, however,
become bottlenecks or single points of failure. Designs that include failover support mitigate
this concern, but could be vulnerable to DDoS attacks that attempt to bypass inspection.

■ Can the vendor provide inspection of session flows and content for inappropriate sensitive data
handling, malware detection and unusual behaviors?

■ To what extent is partial or full cloaking, or allowing or prohibiting inbound connections, a part
of the isolated application’s security requirements? Perhaps the more minimal protection of a
content delivery network (CDN) is sufficient. Different enterprise applications might have
different requirements.

■ Does the provider maintain a bug bounty program and have a credible, responsible, public or
private disclosure policy? It is critical for software providers to constantly test for and remove
product vulnerabilities. Favor providers that actively do so.

ZTNA Alternatives

There are several alternative approaches to ZTNA:

■ Legacy VPNs remain popular, but they might not provide sufficient risk management for
exposed services and may be difficult to manage, given the dynamic nature of digital business.
Always-on VPNs that require device and user authentication align with the ZTNA model;
however, basic network-access VPNs do not. Factor security requirements into VPN models

Gartner, Inc. | G00386774 Page 9 of 15

and user satisfaction expectations. For third-party, privileged access into enterprise systems, a
privileged access management (PAM) tool can be a useful alternative to a VPN.

■ Exposing web applications through a reverse-proxy-based WAF is another option. With WAF as
a service (i.e., cloud WAF), traffic passes through the provider’s WAF service for inspection
before delivery to its destination. To avoid false positives or potential application malfunctions,
cloud WAFs, like any other WAF, typically require some time for testing and adjusting rules.
Because the protected services are still visible to attackers on the public internet, the isolation
is limited to the strength of the WAF. However, partner- and employee-facing applications are
not normally candidates for WAFs.

■ Choosing to retain existing design patterns and exposing digital business applications in
traditional DMZs remain alternatives. However, DMZs provide limited isolation against modern
attacks (typically a reverse-proxy WAF). Furthermore, DMZs still leave the application
discoverable to all attackers.

■ A remote browser isolation product (see “Innovation Insight for Remote Browser Isolation”)
offers another option, specifically for the isolation of web-enabled application access. Here, the
browser session itself is rendered from the end user’s device and, typically, in a service, from
the enterprise network (e.g., a cloud-based remote browser service), providing isolation on both
sides.

■ CDNs can absorb DDoS attacks, reduce the noise and threats of bot attacks, and guard against
website defacement. However, they offer no application-level protection and no anonymity —
attackers targeting sites can discover the site is protected with a CDN and might attempt to
exploit vulnerabilities present in the CDN. Many CDNs include a basic cloud WAF.

■ Applications that don’t require full, interactive internet connectivity, but instead expose only
APIs to the public internet could be protected by an API gateway, although ZTNA can also work
here. API gateways enforce authentication, validate authorization and mediate the correct use of
application APIs. This is especially useful if the application lacks mechanisms for ensuring API
security. Most API gateways also expose logs of all activity through a native monitoring tool or
integration with popular security information and event management (SIEM) tools. Favor API
gateways that integrate with enterprise directories and single sign-on (SSO) protocols — or use
a ZTNA service instead.

■ It is possible to go full IaaS. When ZTNA or other isolation measures are not good enough,
moving the application off-enterprise completely is the best alternative. Many of the suggested
isolation mechanisms are available to workloads placed in the cloud and are designed more for
primary protection, rather than enterprise isolation. The goal shifts to protecting the application
and data, with less concern for isolation. However, this still leaves systems exposed to attack,
especially if legacy DMZ architectures are replicated in the cloud.

Representative Vendors

The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to
provide more understanding of the market and its offerings.

Page 10 of 15 Gartner, Inc. | G00386774

Market Introduction

ZTNA products and services are offered by vendors in one of two ways:

■ As a service from the cloud

■ As a stand-alone offering that the customer is responsible for supporting

As-a-service offerings (see Table 1) require less setup and maintenance than stand-alone offerings.
As-a-service offerings typically require provisioning at the end-user or service side and route traffic
through the vendor’s cloud for policy enforcement. Stand-alone offerings (see Table 2) require
customers to deploy and manage all elements of the product. In addition, several of the major IaaS
cloud providers offer ZTNA capabilities for their customers.

Table 1. Representative Vendors of ZTNA as a Service

Vendor Product or Service Name

Akamai Enterprise Application Access

Cato Networks Cato Cloud

Cisco Duo Beyond (acquisition by Cisco)

CloudDeep Technology (China only) DeepCloud SDP

Cloudflare Cloudflare Access

InstaSafe Secure Access

Meta Networks Network as a Service Platform

New Edge Secure Application Network

Okta Okta Identity Cloud (Acquired ScaleFT)

Perimeter 81 Software Defined Perimeter

SAIFE Continuum

Symantec Luminate Secure Access Cloud (acquisition by Symantec)

Verizon Vidder Precision Access (acquisition)

Zscaler Private Access

Source: Gartner (April 2019)

Gartner, Inc. | G00386774 Page 11 of 15

Table 2. Representative Vendors of Stand-Alone ZTNA

Vendor Product or Service Name

BlackRidge Technology Transport Access Control

Certes Networks Zero Trust WAN

Cyxtera AppGate SDP

Google Cloud Platform (GCP) Cloud Identity-Aware Proxy (Cloud IAP)

Microsoft (Windows only) Azure AD Application Proxy

Pulse Secure Pulse SDP

Safe-T Software-Defined Access Suite

Unisys Stealth

Waverley Labs Open Source Software Defined Perimeter

Zentera Systems Cloud-Over-IP (COiP) Access

Source: Gartner (April 2019)

Market Recommendations

Given the significant risk that the public internet represents and the attractiveness of compromising
internet-exposed systems to gain a foothold in enterprise systems, enterprises need to consider
isolating digital business services from visibility by the public internet. Don’t mistake Gartner’s
recommendation for the tried, yet true “security by obscurity is no security at all” axiom. Although
ZTNA cloaks services from discovery and reconnaissance, it erects true barriers that are proving to
be more challenging for attackers to circumvent than older notions of simple obfuscation.

For legacy VPN access, look for scenarios in which targeted sets of users performing their work
through a ZTNA service can provide immediate value in improving the overall security posture of the
organization. In most cases, this could be a partner- or employee-facing application. A ZTNA project
is a step toward a more widespread zero trust networking (default deny) security posture.
Specifically, nothing can communicate (or even see) an application resource until sufficient trust is
established, given the risk and current context to extend network connectivity.

For DMZ-based applications, evaluate what sets of users require access. For those applications
with a defined set of users, plan to migrate them to a ZTNA service during the next several years.
Use the migration of these applications to public cloud IaaS as a catalyst for this architectural shift.

Specific Recommendations

■ Budget and pilot a ZTNA project to demonstrate the benefits of ZTNA to the organization.

Page 12 of 15 Gartner, Inc. | G00386774

■ Plan for user-to-application mapping. Role-based access control (RBAC) can help with this.
Avoid allowing all users to access all applications.

■ Identify which applications and workflows are not candidates for ZTNA, and exclude them from
the scope. This includes access to and download of unstructured data not protected by
application- and consumer-facing applications.

■ The ZTNA market is emerging, so sign only short-term contracts for no more than 12 to 24
months to retain greater vendor selection flexibility as the market grows and matures.

■ For most digital business scenarios, favor vendors that offer ZTNA as a service for easier
deployment, higher availability and protection against DDoS attacks. Favor vendors that require
no openings in firewalls for listening services (inbound connections), which is typical for most
as-a-service flavors of ZTNA.

■ When security requirements demand an on-premises installation of a ZTNA product, favor
vendors that can reduce the number of firewall openings as much as possible.

■ If unmanaged devices will be used by named users, plan to deploy a reverse-proxy-based
ZTNA product or service to avoid the need for agent installation.

■ Ensure that the vendor supports the authentication protocols the organization and partners use
now, including the enterprise’s standard identity store, as well as any it expects to use in the
future. The wider the available range, the better, including cloud SSO providers and SaaS-
delivered access management providers.

■ Don’t expect partners to use your identity store. Require support for SAML, OAuth, OIDC and
similar identity federation capabilities.

■ Evaluate the effectiveness of a vendor’s ability to query other kinds of device agents, such as
UEM, endpoint detection and response (EDR) and MTD, to gain additional context for improved
adaptive access decisions.

■ Attackers will target ZTNA trust brokers. For on-premises ZTNA products, harden the host OSs
using a cloud workload protection platform (CWPP) tool that supports on-premises
deployments (see “Market Guide for Cloud Workload Protection Platforms”). Rely primarily on
default deny allow-listing to explicitly define the code allowed to execute on the system. Don’t
rely solely on patching to keep the system hardened.

■ If you choose a smaller provider, plan for potential acquisitions by placing appropriate clauses
in contracts and having a list of alternative providers lined up, if needed.

Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

“Zero Trust Is an Initial Step on the Roadmap to CARTA”

Gartner, Inc. | G00386774 Page 13 of 15

“Hype Cycle for Enterprise Networking and Communications, 2018”

“Hype Cycle for Cloud Security, 2018”

“Fact or Fiction: Are Software-Defined Perimeters Really the Next-Generation VPNs?”

Note 1 Representative Vendor Selection

The vendors named in this guide were selected to represent two types of ZTNA offerings: as-a-
service and stand-alone. For these categories, we list the vendors known to Gartner as of April
2019.

Note 2 Gartner’s Initial Market Coverage

This Market Guide provides Gartner’s initial coverage of the market and focuses on the market
definition, rationale for the market and market dynamics.

Page 14 of 15 Gartner, Inc. | G00386774

GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations,
visit http://www.gartner.com/technology/about.jsp

© 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This
publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of
Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication
has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of
such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice
and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner Usage Policy.
Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research
organization without input or influence from any third party. For further information, see “Guiding Principles on Independence and
Objectivity.”

Gartner, Inc. | G00386774 Page 15 of 15

http://www.gartner.com/technology/about.jsp

https://www.gartner.com/technology/about/policies/usage_policy.jsp

http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp

http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp

Strategic Planning Assumptions
Market Definition
Market Description
Market Direction
Client-Initiated ZTNA
Service-Initiated ZTNA
Market Analysis
Benefits and Uses
Risks
Evaluation Factors
ZTNA Alternatives
Representative Vendors
Market Introduction
Market Recommendations
Specific Recommendations
Gartner Recommended Reading
• List of Tables

Table 1. Representative Vendors of ZTNA as a Service
Table 2. Representative Vendors of Stand-Alone ZTNA

• List of Figures

Figure 1. Conceptual Model of Client-Initiated ZTNA
Figure 2. Conceptual Model of Service-Initiated ZTNA