NGINX, a versatile open-source web server, pairs well with OAuth2Proxy, which adds authentication via providers like Google and GitHub. Together, NGINX manages routing while OAuth2Proxy secures access, ensuring that only authenticated users reach applications that have little built-in security of their own.
Boundary is “an identity-aware proxy aimed at simplifying and securing least-privileged access to cloud infrastructure. It provides secure access to hosts and critical systems without distributing and managing credentials, configuring firewalls, or exposing the organization's private network.”
Cloudflare Access is Cloudflare’s Zero Trust Network Access (ZTNA) offering, intended to create a network layer for securing access to your self-hosted, SaaS, or non-web applications. Cloudflare markets Access as a VPN replacement solution.
DNG allows users to access websites, web applications, SSH servers, RDP, and SMB or file server hosts without using a VPN. It also offers inline user enrollment, self-service device management, and support for various authentication methods including passkeys, security keys, and more.
SASE single vendors are bundling products together with service chaining and delivering subpar performance. Pomerium is demonstrably faster, undeniably safer, and categorically easier to use.
StrongDM joins the dynamic access management (DAM) category as a control plane to manage and monitor access to databases and servers. Its primary strength is its ability to provide CCTV-style session recording for TCP-based services.
Tailscale and Pomerium are potentially good complementary solutions, with Tailscale providing reachability and tunneling directly to hard-to-reach servers and Pomerium providing context-aware access to web applications and services for a true zero trust architecture.
Teleport (also known as Gravitational Teleport) is a certificate authority and an open infrastructure access platform for securing access to an organization’s infrastructure. Organizations use Teleport to secure access to SSH servers and Kubernetes clusters via a centralized authentication method through an authentication proxy. Teleport aims to replace sshd and OpenSSH on servers with its own SSH client, remove the need for VPNs, and provide a web UI.
Zscaler Private Access (ZPA) is one of Zscaler’s many products in the Zscaler Zero Trust Exchange. It functions as a NextGen VPN, enabling organizations to give users access to their internal applications and services while maintaining network security. ZPA does so by offering an interconnected private network for tunnels, through which it enforces security policies and limits access to authorized users.
Google’s Identity-Aware Proxy (IAP) realizes part of the premise set out in their original BeyondCorp paper. Part of the Google Cloud Platform bundle, Google’s IAP aims to improve an organization’s security posture through enforced access-control policies. The service eliminates the need for a VPN by providing access for cloud administrators and remote workers.
Twingate is a NextGen VPN aiming to replace traditional corporate VPNs for a distributed workforce. The platform provides detailed audit logging and is able to detect unusual access patterns with context awareness. By integrating with identity providers to enable easy onboarding and usability, Twingate provides easy network access management for users and DevOps.