Report | Miercom Zero Trust Platform Assessment, 2024
This report by Miercom evaluates leading Zero Trust platforms, highlighting Check Point Infinity's superior performance in security efficacy, user experience, and implementation of Zero Trust strategies. Recognized for its intuitive interface, centralized management, and advanced threat prevention, Check Point emerges as a leader in safeguarding modern IT environments. Download now to discover how Check Point Infinity sets the benchmark for Zero Trust excellence.

Zero Trust Platform Assessment
Miercom Zero Trust Security Benchmark TM 2024
DR240228F
March 2024
Licensed for Distribution by:
Check Point Software
Zero Trust Platform Assessment 2 DR240228F
Copyright ©2024 Miercom 6 March 2024
Table of Contents
1.0 Executive Summary .................................................................................................... 3
2.0 Test Summary ............................................................................................................. 5
3.0 Introduction................................................................................................................. 7
4.0 Products Tested .......................................................................................................... 8
5.0 Zero Trust Platform Assessment Use Cases ............................................................ 9
5.1 URL Categories Access Restriction ...................................................................... 9
5.2 Concurrent Administrators ................................................................................ 11
5.3 Cloud Service Providers Integration ................................................................. 13
5.4 Delegated Management .................................................................................... 15
5.5 Malicious Website Protection ............................................................................ 17
5.6 Phishing Protection ............................................................................................ 19
5.7 IPS Exception ....................................................................................................... 21
5.8 Email Protection ................................................................................................. 23
5.9 Clientless ZTNA ................................................................................................... 25
5.10 Remote Users Browsing Experience .............................................................. 27
6.0 About Miercom ......................................................................................................... 29
7.0 Use of This Report .................................................................................................... 29
Zero Trust Platform Assessment 3 DR240228F
Copyright ©2024 Miercom 6 March 2024
1.0 Executive Summary
In the rapidly evolving cybersecurity landscape, the adoption of a Zero Trust architecture is
imperative for organizations seeking to enhance their security posture. The ease of use and
the quality of the user and admin experience (UX) are paramount in mitigating the risk of
major security breaches, many of which stem from human error—errors avoidable through
proper configuration, policy settings, or other components of the security architecture.
The effectiveness of the management interface in enabling swift and efficient updates to
these settings is critical, as it not only streamlines admin tasks but also empowers users to
engage with the solution in their daily operations. A user interface that enables participants
to be well-informed and to make intelligent decisions regarding their networking activities
is indispensable. Such an interface encourages users to request remediation for
unwarranted restrictions, enhancing the overall security posture by reducing frustration
and ensuring that users have the necessary access to carry out their roles.
This detailed report evaluates the critical capabilities required for a Zero Trust platform to
effectively safeguard digital assets, emphasizing Three Foundational Pillars necessary for the
successful implementation of a Zero Trust Strategy.
• Centralized Management and Usability for Multiple Security Components:
A Zero Trust platform must offer centralized management, enabling seamless
integration and control over security components. This unified management
framework simplifies the orchestration of complex security policies across diverse
environments, reducing the risk of misconfigurations. Such a platform ensures that
security administrators can effectively manage network security, cloud security, SaaS
security, endpoint, and email protection from a single pane of glass.
• Hybrid Architecture and Diverse Deployment Enforcement Points:
The flexibility to support a hybrid architecture with diverse deployment models is
essential. A Zero Trust platform should accommodate on-premise firewalls, virtual
firewalls, cloud firewalls, and Firewall-as-a-Service (FWaaS) to ensure consistent
policy enforcement across all assets, regardless of their location.
• Ability to Perform/Execute Zero Trust Capabilities:
Fundamental to Zero Trust is the continuous verification of users, assets,
applications, and devices, including emerging technologies such as cloud services
and IoT devices. The platform must enforce access controls that adhere to the
principle of least privilege, ensuring that entities are granted access only to the
resources necessary for their roles and functions.
Zero Trust Platform Assessment 4 DR240228F
Copyright ©2024 Miercom 6 March 2024
Check Point Software Technologies engaged Miercom to conduct a private assessment of
their AI-powered, cloud delivered Infinity Platform compared to similar offerings from
leading Zero Trust Platform vendors. This study was based on Check Point demonstration
of customer use cases and Miercom open-source research of these products. Miercom did
not acquire these products, nor were the competitors invited to complete this assessment.
Vendors are invited to have their products re-evaluated if there is any disagreement in the
results featured in this report.
Key Findings
• Security Efficacy: Check Point Infinity is recognized for its superior security efficacy,
outperforming competitors in comprehensive threat prevention and response
capabilities based on 10 common use case implementations for Zero Trust.
• Admin and User Experience: The Check Point platform is extremely effective in
terms of administrative and user experience, attributed to its intuitive interface and
simplified management processes, enhancing overall ease of use.
• Zero Trust Implementation: Check Point Infinity has excelled in the evaluation of 10
zero trust implementation common tasks for enterprise businesses. Check Point
Infinity Platform is well suited to securing modern IT environments against persistent
and evolving threats.
Check Point is recognized as a leading vendor in the
Miercom Zero Trust Platform Assessment,
outperforming competitive products in a
comprehensive evaluation focusing on the Top 10
most common Zero Trust implementations that
enterprises perform daily. Check Point scored highest
in both Admin & User Experience and Security
Efficacy categories. Check Point’s commitment to
providing a superior Zero Trust Platform and its leadership in the Zero Trust security
landscape was clear in this analysis. Check Point Security Technologies has earned the
Miercom Certified Secure award.
Robert Smithers
CEO, Miercom
Zero Trust Platform Assessment 5 DR240228F
Copyright ©2024 Miercom 6 March 2024
2.0 Test Summary
The Zero Trust Platform Assessment marks the performance of various cybersecurity
vendors in terms of “Security Efficacy” and “Admin & User Experience.” Check Point leads the
chart, demonstrating the highest security efficacy and the best admin and user experience.
The graphic also shows the relative Zero Trust Platform Completeness of the solution as far as
meeting the requirements of a Zero Trust Platform. We evaluated three core requirements
for a Zero Trust platform:
• Centralized Management and Usability for Multiple Security Components
• Hybrid Architecture and Diverse Deployment Enforcement Points
• Ability to Perform/Execute Zero Trust Capabilities
Miercom Zero Trust Platform Assessment examined the top 10 enterprise ZTP
use cases for overall security efficacy, administrative & user experience in
deploying and configuring protection. The size of the individual markers
represents the completeness of the vendor’s platform. This assessment is pivotal
for organizations prioritizing robust security for Zero Trust Platform offerings.
Zero Trust Platform Assessment 6 DR240228F
Copyright ©2024 Miercom 6 March 2024
The Zero Trust Security Platform Implementation Scoring report assesses cybersecurity
providers across a range of use cases relevant to zero trust security.
Check Point leads with the highest overall score of 3.5, reflecting it meets the key criteria
effectively. The competitors follow, with varying degrees of compliance across the criteria.
The overall scores at the bottom highlight Check Point’s leadership in this assessment, with
other vendors showing lower compliance scores.
Zero Trust Platform Assessment
Test Summary
Criteria Use Case Check
Point Cisco Fortinet
Palo Alto
Networks Zscaler
1 URL Categories Access
Restriction ⬤ ◕ ◕ ◕ ◕ 2 Concurrent Administrators ◕ ◑ ◕ ◕ ◔ 3
Cloud Service Providers
Integration ⬤ ◕ ◕ ◕ ◑ 4 Delegated Management ⬤ ◑ ◕ ◕ ◔ 5 Malicious Website Protection ⬤ ◑ ◔ ◑ ◕ 6 Phishing Protection ⬤ ◑ ◕ ◕ ◕ 7 IPS Exception ⬤ ◑ ⬤ ◕ ◕ 8 Email Protection ⬤ ◕ ◕ ◕ ◑ 9 Clientless ZTNA ⬤ ◕ ○ ◑ ◑
10 Remote User Browser
Interface ⬤ ⬤ ◑ ◕ ◑ OVERALL SCORE 3.5 2.4 2.3 2.8 2.2
Key
4.0 – 3.5 ⬤ 3.49 - 2.5 ◕ 2.49 – 1.50 ◑ 1.49 – .50 ◔ 0.49 - 0 ○ Fully Compliant Mostly Compliant Marginally Compliant Poorly Compliant No Support
Zero Trust Platform Assessment 7 DR240228F
Copyright ©2024 Miercom 6 March 2024
3.0 Introduction
In an era where cyber threats are increasingly sophisticated and pervasive, the need for
robust, comprehensive cybersecurity solutions cannot be overstated. Corporations are
seeking platforms that not only protect their digital assets but also offer adaptability,
scalability, and ease of integration within their existing IT infrastructures. In today's rapidly
evolving cybersecurity landscape, where traditional defenses falter against sophisticated
cyber threats, Zero Trust emerges as a vital architecture. Its core principle, "never trust,
always verify," ensures continuous authentication and access authorization, significantly
reducing security risks and promoting a proactive defense stance. The adoption of Zero Trust
is crucial amidst rising data breaches and an expanding attack surface from new devices and
cloud services. Zero Trust's dynamic, adaptable framework offers significant benefits:
• Minimized Attack Surface: Enforces least privilege and continuous verification to
limit breach impacts.
• Enhanced Threat Detection: Allows for quicker detection and containment of
threats through granular access controls.
• Strengthened Compliance: Aligns with evolving data privacy laws and industry
standards.
Deploying Zero Trust can be daunting due to its complexity and the need for integration with
existing systems, limited resources, and the risks of vendor lock-in. This report examines the
Zero Trust capabilities across leading Zero Trust Platform vendors:
• Platform Capabilities: Assessing features, deployment flexibility, integrations, and
user-friendliness.
• Security Efficacy: Measuring real-world effectiveness against simulated attacks.
• Administrator and User Experience: Evaluating management interface
intuitiveness and the impact on user productivity and satisfaction.
Check Point Infinity Platform emerges as a frontrunner, promising a consolidated approach
to threat prevention across networks, cloud, and mobile environments. Check Point stands
out for its unified security architecture, designed to provide seamless protection against
threats and malicious activities while ensuring uninterrupted business operations. Its
strength lies in its ability to offer a multi-layered security strategy, combining network
security, cloud security, endpoint protection, and mobile security under a single executive
dashboard for simplified management and ease of overall visibility.
Zero Trust Platform Assessment 8 DR240228F
Copyright ©2024 Miercom 6 March 2024
4.0 Products Tested
Products Tested
Vendor/Software Version
Check Point
Infinity Portal/Quantum Gateway
Infinity Portal/Harmony SASE
Infinity Portal/Smart-1 Cloud
Infinity Portal/Harmony Email & Collaboration
R81.20/R82
SaaS
SaaS (R81.20/R82)
SaaS
Cisco
FirePower FTD
Secure Connect
FirePower Management Center
Microsoft E3
7.4.0
SaaS
7.4.0
SaaS
Fortinet
FortiGate
FortiSASE
FortiManager
FortiMail
7.4.2
SaaS (23.4.49
7.4.2
7.4.0
Palo Alto Networks
PAN-OS Gateway
Prisma Access
Panorama
Microsoft E3
11.1.1
SaaS (4.0.0 preferred)
11.1.1
SaaS
Zscaler
Zscaler Internet Access
Zscaler Private Access
Microsoft E3
SaaS
SaaS
SaaS
Zero Trust Platform Assessment 9 DR240228F
Copyright ©2024 Miercom 6 March 2024
5.0 Zero Trust Platform Assessment Use Cases
5.1 URL Categories Access Restriction
Description - We evaluated the procedures for granting and restricting access to social media
platforms within an organization. This section specifically addresses the procedures an
administrator must follow to enable social media access; for example, the Human Resources
(HR) department while imposing restrictions on other departments. Additionally, it covers
the process for allowing and overseeing exceptions under special circumstances.
Users restricted from social media can submit a justification for needing access, which, if
deemed valid, results in automatic access granting. This “bypass” mechanism, requiring
justification, is designed primarily for overcoming business operation-related blocks, such as
mitigating time wasted on social media, rather than circumventing security measures against
malicious content. This process is tailored for non-security related content access, ensuring
a balanced approach to productivity and security.
Impact - Balancing productivity and security within a company’s network requires a nuanced
approach to social media access and exposure. Businesses must navigate the dual
challenges of allowing reasonable social media use while protecting against potential risks,
such as malicious attack and compliance breaches. However, overly restrictive or poorly
communicated policies can lead to employees feeling demotivated or resisting compliance.
Additionally, there is a risk that users might misinterpret access denials as technical issues
rather than legitimate security measures. Achieving an optimal balance that safeguards
company interests without impeding employee morale is essential for effective social media
management in the workplace.
Evaluation Procedure - Explore and evaluate the user interfaces for login and access
management across leading Zero Trust Platform vendors.
Conduct a thorough assessment of the efficiency and user-friendliness in establishing rules
to clock social media usage within the simulated business scenario, while also
accommodating special exceptions. This evaluation spans both user-level and
administrative-level logins, aiming to understand the ease and flexibility of policy
implementation across different access tiers.
Zero Trust Platform Assessment 10 DR240228F
Copyright ©2024 Miercom 6 March 2024
Observation and Rating – URL Categories Access Restriction Use Case
Use Case 1
URL Categories Access Restriction - The Human Resources (HR) department relies heavily on
social media platforms for various critical functions such as recruitment, employer branding, and
employee engagement initiatives. However, unrestricted access to social media across all
departments is a productivity drain and a potential security and reputational risk.
3.5 Check Point – The interface of Check Point is notably user-friendly, offering effortless
navigation that facilitates quick and intuitive drag-and-drop actions, significantly reducing
configuration times. The simplicity in administration and the incorporation of automation
minimize the likelihood of errors. The system ensures users are directed appropriately,
enhancing access control to social media, and making misconfigurations rare. Its overall
performance is marked by both security and ease of use. ⬤
3.0 Cisco – Cisco’s interface is straightforward though it requires navigating through multiple
menus to establish individual rules, with additional steps for configuring logs. Users are
alerted to restrictions but can bypass them. The complex menu system raises concerns
about potential misconfigurations. Despite this, the interface remains user-friendly,
albeit with a suggestion for simplifications. ◕
2.8 Fortinet – Fortinet’s interface necessitates the use of profiles for implementing
block/alert pages, complicating direct URL-based rules. The GUI can be perplexing,
requiring additional profile configurations that may confuse users. Despite these
challenges, user integration remains effective. The possibility of misconfigurations due
to the interface complexity suggests a need for improvement to enhance overall usability. ◕
3.1 Palo Alto Networks – The process involves navigating through several menus for rule
creation and profile management for block/alert pages, which cannot be directly applied
within rules. This, along with the requisite for extra logging configurations and profiles
for new rules, complicates the admin experience. However, user configuration is
straightforward, making the system simple and effective for users, though administrative
aspects require refinement for better efficiency. ◕
3.0 Zscaler – Zscaler’s interface exhibited slow responsiveness, and users must disable
certain features to properly display alert pages, adding to the time taken for
configuration. Users are clearly notified by the alert, and options are provided to either
bypass the block page or return to the previous page. While the likelihood of
misconfiguration is low, the additional steps required in the interface could pose a risk.
Although user-friendly, the overall effectiveness of Zscaler’s GUI could benefit from
enhancements to improve speed and streamline the user experience.
◕
Key
4.0 – 3.5 ⬤ 3.49 - 2.5 ◕ 2.49 – 1.50 ◑ 1.49 – .50 ◔ 0.49 - 0 ○ Fully Compliant Mostly Compliant Marginally Compliant Poorly Compliant No Support
Zero Trust Platform Assessment 11 DR240228F
Copyright ©2024 Miercom 6 March 2024
5.2 Concurrent Administrators
Description - This use case explores a collaborative environment where a security team,
composed of multiple administrators, is tasked with managing simultaneous requests. The
team operates within a centralized management system, implementing and modifying
security rules for multiple branch offices. Access issues can occur when conflicting or
overlapping policies from administrators inadvertently allow users to access resources.
Impact - The ability for multiple administrators to access and modify security settings
concurrently can lead to the creation of conflicting policies. This not only breeds confusion
but also increases the risk of misconfigurations within the security framework, potentially
compromising the organization’s overall security posture.
Evaluation Procedure - This assessment involves accessing and navigating the user
interfaces. The focus is on evaluating the platforms’ user-friendliness and efficiency in URL
filtering policy creation by an administrator in various scenarios. A critical part of the
evaluation is to observe how the system handles policy conflicts when a user attempts to
access a resource. The testing environment must ensure that the multiple administrators
can simultaneously manage and apply policies without creating security gaps. A key criterion
is to avoid the creation of “blind spots;” administrators should not need to painstakingly
review every setting to ensure no unauthorized changes have been made.
Zero Trust Platform Assessment 12 DR240228F
Copyright ©2024 Miercom 6 March 2024
Observation and Rating – Concurrent Administrators Use Case
Use Case 2
Concurrent Administrators - The system should enable multiple administrators to efficiently
manage and address multiple tickets concurrently.
3.4 Check Point – Check Point’s SmartConsole GUI uniquely locks individual objects and
rules during modifications, streamlining admin usage and preventing conflicts with other
users. This design facilitates seamless concurrent operations without compromising
security, significantly reducing the likelihood of misconfiguration. Overall, Check Point
delivers exceptional effectiveness and supports collaborate work efficiently. ◕
2.0 Cisco – Cisco’s system, upon an administrator saving their configuration, inadvertently causes any unsaved changes by other logged-in administrators to be lost. While this
ensures secure admin use, it leads to potential work loss and misconfiguration due to
admin conflicts. The overall security is robust, but the lack of support for concurrent
management detracts from the administrator experience. ◑
2.5 Fortinet – Fortinet’s recommended “best practice” involved restricting admin login during ongoing changes to prevent concurrent access issues. This approach, while
intended for security, raises concerns for potential misconfiguration and admin lockouts,
suggesting a need for improvement in collaborative settings. ◕
3.0 Palo Alto Networks – In scenarios demonstrated, changes saved by one admin may
override those by another, unless “commit lock” or “config lock” features are employed
to restrict changes to the current admin. Although these features prevent concurrent
editing, they require careful monitoring of change logs to avoid misconfigurations. Palo
Alto Networks offers a good level of effectiveness with provisions for collaborative work,
provided there is due diligence in change management. ◕
1.0 Zscaler – The lack of visibility among administrators regarding their colleagues’ changes can lead to potential misconfigurations, posing security risks and operational confusion.
Enhancements are necessary to support efficient teamwork in concurrent settings., ◔
Key
4.0 – 3.5 ⬤ 3.49 - 2.5 ◕ 2.49 – 1.50 ◑ 1.49 – .50 ◔ 0.49 - 0 ○ Fully Compliant Mostly Compliant Marginally Compliant Poorly Compliant No Support
Zero Trust Platform Assessment 13 DR240228F
Copyright ©2024 Miercom 6 March 2024
5.3 Cloud Service Providers Integration
Description - This use case focuses on enabling administrative control to grant access to
database servers identified by specific IP addresses, as listed by the system team. These
servers, tagged assets within EC2 environments, demand dynamic policy updates to ensure
seamless access amidst frequent changes. The MIS team continually updates the list of
database servers hosted in the cloud, facilitating uninterrupted access to these resources.
Impact - This use case underscores the necessity for agile policy management within cloud
environments, such as AWS, where database servers undergo regular updates and additions.
It eliminates the need for manual policy adjustments every time a new database server
instance is introduced, advocating for automation in policy updates, consistency in
application, and efficiency in administration.
Evaluation Procedure - The process involves logging into and navigating through the
interfaces of Zero Trust Platform vendors. The configuration challenge lies in the ability to
integrate cloud-based tagged resources to be used natively in the security policy.
If it is not possible to import directly from cloud, create the tag object manually first
("use=prod-dataserver") A new rule is created. Name: "Allow database servers" Source:
Production Web Servers (local object). Destination: object based on AWS tag "use=prod-
dataserver". Service/application: SQL. Action: allow.
Zero Trust Platform Assessment 14 DR240228F
Copyright ©2024 Miercom 6 March 2024
Observation and Rating –Cloud Service Providers Integration Use Case
Use Case 3
Cloud Service Providers Integration - The MIS team is tasked with managing a constantly
evolving list of company database servers in the cloud, requiring dynamic access permissions.
3.6 Check Point – The integration offers minimal permissions. This approach not only
enhances efficiency but also significantly reduces the risk of misconfiguration. By
requiring minimal permissions, the integration avoids the necessity of granting the
System Under Test (SUT) access to the entire cloud environment, limiting access strictly
to necessary areas. This targeted access strategy effectively minimizes the potential
impact, or blast radius, in the event of a security breach. ⬤
3.0 Cisco – Lacks minimal permissions integration, necessitating additional steps for
administrators to incorporate cloud objects into the rule base. This process involves
creating an internal object with specific matching conditions before rule establishment,
increasing complexity and potential for misconfiguration. Despite these challenges, its
overall effectiveness remains commendable. ◕
2.5 Fortinet – Like Cisco, Fortinet does not offer minimal permissions integration, requiring
administrators to undertake extra steps to add cloud objects to the rule base. This
process includes the creation of internal objects with matching conditions, complicating
rule creation and heightening misconfiguration risks. Its effectiveness is notable, but the
process could be streamlined. ◕
3.3 Palo Alto Networks – Provides minimal permissions integration but also requires additional steps for adding cloud objects to the rule base, including the creation of
internal objects with match conditions. This complexity may lead to misconfiguration. ◕
1.5 Zscaler – The feature for importing AWS tags is limited to the creation of access rules from AWS resources to the internet. This potential for misconfiguration contributes to
the subpar overall effectiveness. ◑
Key
4.0 – 3.5 ⬤ 3.49 - 2.5 ◕ 2.49 – 1.50 ◑ 1.49 – .50 ◔ 0.49 - 0 ○ Fully Compliant Mostly Compliant Marginally Compliant Poorly Compliant No Support
Zero Trust Platform Assessment 15 DR240228F
Copyright ©2024 Miercom 6 March 2024
5.4 Delegated Management
Description - This use case involves enabling branch administrators to manage localized
access control and URL filtering policies within a defined scope, such as editing specific rules
(e.g., rules 7-10) while having read-only access to the remainder. It aims to empower local
admins to manage their gateway’s policy, access logs, and perform troubleshooting, all
within the guardrails set by central management. The objective is to decentralize certain
administrative responsibilities, allowing branch admins to tailor URL filtering policies to their
specific needs without affecting security protocols established by the central security
administrator.
Impact - The primary goal of this use case is to alleviate the workload on central security
administrators by granting branch admins autonomy over their local URL filtering policies.
This approach ensures that branch-specific needs can be addressed more efficiently, without
compromising the integrity of the overall security framework. It allows for a more responsive
and flexible security posture at the branch level, enhancing the organization’s ability to adapt
to local challenges while maintaining a consistent, secure environment.
Evaluation Procedure - The process involves access interfaces to assess how each platform
supports delegated administration capabilities. The evaluation will focus on the ability of
branch admins to independently manage and modify their URL Filtering polices, including
view the full configuration and applying changes within their purview. It is crucial that branch
admins are restricted from altering any system-wide settings or overriding the central
security polices, particularly those pertaining to the blocking of hazardous sites. The
effectiveness of each platform in facilitating these segregated responsibilities without
compromising on security or oversight will be examined.
Zero Trust Platform Assessment 16 DR240228F
Copyright ©2024 Miercom 6 March 2024
Observation and Rating – Delegated Management Use Case
Use Case 4
Delegated Management - To streamline operations and offload responsibilities from the central
security administrator, it is desirable to empower branch administrators with the ability to manage
their URL filtering policies. This empowerment should come without the risk of them overriding
overarching security policies set by the main security administrator.
3.5 Check Point – Offers a straightforward configuration process, allowing for the creation
of sub-domains and sub-policies to establish clear boundaries, or "guard rails," which
local administrators cannot override. These administrators have visibility over the entire
configuration but are restricted to modifying only their specific areas of responsibility.
The system's overall effectiveness is praised for its simplicity and ease of use. ⬤
1.5 Cisco - Supports the creation of guard rails through sub-domains and sub-policies,
though the configuration process is notably more complex and poses a risk of
connectivity issues. This approach is feasible only when a local gateway exists at the
branch, limiting the local administrator's ability to modify guard rails while granting them
visibility and the ability to adjust other rules beyond URL filtering within their domain. It
requires improvements in configuration simplicity. ◑
2.5 Fortinet - Presents a complex configuration challenge, lacking the capability to establish
guard rails for local administrators. This setup allows local admins to modify the entire
URL policy, introducing a potential for misconfiguration due to the necessity of separate
logins and users to access different parts of the gateway. It demands enhancements in
configuration manageability. ◕
2.8 Palo Alto Networks - Features a configuration process criticized for its tediousness,
primarily due to the absence of a default read-only permissions setting. The platform
does not support the creation of effective guard rails for local administrators, who can
alter any URL filtering configuration. While the risk of misconfiguration is low, the
repetitive nature of the process detracts from its overall effectiveness. ◕
1.0 Zscaler - Similarly does not provide the capability to limit branch administrators
exclusively to managing URL filtering policies. Branch admins are given extensive
configurational control, including policies on cloud app, file type, and mobile access
control, among others. Although they can prevent the branch admin from overriding the
main admin policy, it requires setting up a new policy. ◔
Key
4.0 – 3.5 ⬤ 3.49 - 2.5 ◕ 2.49 – 1.50 ◑ 1.49 – .50 ◔ 0.49 - 0 ○ Fully Compliant Mostly Compliant Marginally Compliant Poorly Compliant No Support
Zero Trust Platform Assessment 17 DR240228F
Copyright ©2024 Miercom 6 March 2024
5.5 Malicious Website Protection
Description - In this use case, a user is visiting a malicious site with the ability to hijack his
workstation and subsequently breach the organization. The objective is to protect against
this type of attack.
Impact - The focus of this evaluation is to both evaluate the ease-of-use of configuring best-
practices to prevent web-based attacks and, to check the effectiveness of the SUT in
preventing them.
Evaluation Procedure - The procedure involves logging in and accessing the interfaces of the
product under evaluation. The evaluation will assess each vendor's interface for ease of use
and effectiveness by creating a threat protection policy as an administrator using the
vendor's recommended best practices and simulating a user attempting to visit a malicious
website. This is achieved by directing the user to web pages containing HTML with malicious
JavaScript (JS) and PDF files embedded with malicious content, to test the policy's redundancy
and effectiveness.
This comprehensive evaluation aims to identify which vendor offers the most user-friendly
and efficient solution for preventing the execution of zero-day ransomware files, thereby
enhancing organizational security. A blend of traffic 66% malicious HTML and 33% malicious
PDF files was used for this testing.
Zero Trust Platform Assessment 18 DR240228F
Copyright ©2024 Miercom 6 March 2024
Observation and Rating – Malicious Website Protection Use Case
Use Case 5
Malicious Website Protection - After a user inadvertently triggered a zero-day ransomware attack
which cost the organization millions, the imperative is clear: such an incident must be prevented
from occurring. A blend of traffic 66% malicious HTML and 33% malicious PDF files was used for
this testing.
3.6 Check Point – The interface is user-friendly, requiring minimal adjustments to establish a robust policy. The likelihood of misconfiguration is low, contributing to its
commendable overall effectiveness.
Check Point proved a 100% total block rate for malicious HTML and PDFs. ⬤
1.5
Cisco – Navigating the interface proves challenging due to its complex structure,
featuring numerous menus and configuration pages. This complexity increases the risk
of accidental missteps, negatively impacting its overall effectiveness.
Cisco proved a 36% total block rate for malicious HTML and PDFs.
We were unable to configure the Cisco firewall to block malicious HTML files for this
testing, but Cisco did achieve a 97% block rate for the PDF component of this test. We are
investigating this issue with Cisco.
◑
1.3 Fortinet – The administration interface is straightforward, though the policy creation process involves navigating through several menus, which could potentially lead to
errors.
Fortinet proved a 30% total block rate for malicious HTML and PDFs. ◔
2.0 Palo Alto Networks - Users may find the interface bewildering, with a plethora of menus and pages complicating the policy setup process. This complexity detracts from the
system’s overall effectiveness.
Palo Alto Networks proved a 32.5% total block rate for malicious HTML and PDFs. ◑
2.5 Zscaler – While the interface is user-friendly it requires additional steps for policy management, which introduces the possibility of errors. Nonetheless, the platform
maintains an acceptable level of overall effectiveness.
Zscaler proved an 80% total block rate for malicious HTML and PDFs. ◕
Key
4.0 – 3.5 ⬤ 3.49 - 2.5 ◕ 2.49 – 1.50 ◑ 1.49 – .50 ◔ 0.49 - 0 ○ Fully Compliant Mostly Compliant Marginally Compliant Poorly Compliant No Support
Zero Trust Platform Assessment 19 DR240228F
Copyright ©2024 Miercom 6 March 2024
5.6 Phishing Protection
Description - Phishing websites pose a significant threat to organizational security. This use
case explores a proactive approach to safeguarding an organization from such threats by
utilizing admin-generated rules to block access to phishing sites, alongside implementing
educational measures for users on recognizing and avoiding phishing attempts.
Impact - The primary goal of this use case is to assess the user-friendliness and navigational
efficiency of the interfaces provided by various vendors. Additionally, it aims to evaluate the
effectiveness of each vendor in blocking phishing websites based on admin-enacted rules.
Evaluation Procedure - Administrators will log in and navigate the interfaces of Zero Trust
Platform vendors. They will proceed to create a rule specifically designed to block phishing
websites. Following the rule implementation, any attempts by users to access such sites will
be blocked, and users will be educated on the dangers of phishing. Vendors will be assessed
on the ease with which these protective measures can be implemented, as well as their
success rate in effectively blocking access to phishing websites.
Zero Trust Platform Assessment 20 DR240228F
Copyright ©2024 Miercom 6 March 2024
Observation and Rating – Phishing Protection Use Case
Use Case 6
Phishing Protection - In response to a zero-day attack facilitated via a phishing site, we have
evaluated the ability to protect our network using actual phishing URLs from openfish.com and
phishunt.io.
The scores shown below are an average rating of the User & Admin Experience (UX) and the overall
Security Efficacy.
3.6 Check Point – The interface is exceptionally user-friendly, requiring minimal settings to
configure policies effectively. Although it did not achieve a perfect score, the likelihood of
misconfiguration is low, ensuring a high overall effectiveness in blocking phishing
attempts.
Check Point proved a 100% total block rate for phishing URLs. ⬤
N/A
Cisco – The GUI is straightforward, though setting up a policy necessitates some
configuration. This risk of misconfiguration appears relatively low. However, we did
experience inconsistent efficacy results.
We observed 53% in this round of testing which used both openphish.com and
phishunt.io. However, in September 2023 we independently observed a 99% efficacy
using openphish.com. This is pending re-evaluation. We have removed this scoring item
from Cisco for this evaluation as it would be unfair to penalize them. ◑
3.2 Fortinet – Navigating the GUI is a breeze, with a few settings needed to establish policies.
The simplicity of the interface significantly reduces the risk of misconfiguration,
translating to strong overall effectiveness.
Fortinet proved a 95.86% total block rate for phishing URLs. ◕
3 Palo Alto Networks – The GUI is user-friendly, but policy creation requires more steps.
A notable drawback is the absence of a block message, replaced by a generic browser
error, which may diminish user experience. Despite this, the risk of misconfiguration is
low, and overall effectiveness is considered acceptable.
Palo Alto Networks proved a 96.55% total block rate for phishing URLs. ◕
3.3 Zscaler – The GUI stands out for its ease of navigation and streamlined policy configuration. With a minimal but possible risk of misconfiguration, the platform still
achieved a high overall effectiveness in protecting against phishing attacks.
Zscaler proved a 97.24% total block rate for phishing URLs. ◕
Key
4.0 – 3.5 ⬤ 3.49 - 2.5 ◕ 2.49 – 1.50 ◑ 1.49 – .50 ◔ 0.49 - 0 ○ Fully Compliant Mostly Compliant Marginally Compliant Poorly Compliant No Support
Zero Trust Platform Assessment 21 DR240228F
Copyright ©2024 Miercom 6 March 2024
5.7 IPS Exception
Description - In this use case, a legitimate user’s activity is erroneously blocked by an
intrusion prevention system (IPS), identified as a false positive. The challenge for the
administrator is to swiftly locate the blocking log and configure an exception to permit the
previously blocked traffic.
Impact - Administrators frequently engage in troubleshooting and responding to user
inquiries as part of their routine responsibilities. This scenario highlights the importance of
user-friendly security logging and the straightforward creation of exceptions, highlighting the
efficiency of administrative tools in managing security protocols.
Evaluation Procedure - This evaluation involves logging into and navigating the interfaces of
various security vendors. The process begins when a user encounters a block message and
reaches out to the help desk. Subsequently, the administrator is tasked with creating an
exception for the specific protection rule that triggered the false positive, ensuring that the
user’s legitimate activities are no longer impeded.
Zero Trust Platform Assessment 22 DR240228F
Copyright ©2024 Miercom 6 March 2024
Observation and Rating – IPS Exception Use Case
Use Case 7
IPS Exception - In this situation where a user's legitimate activity is incorrectly blocked by an IPS as
a false positive, the ease of managing and correcting this issue is essential for maintaining
operational efficiency.
3.5 Check Point – The GUI is exceptionally user-friendly, requiring minimal configuration to establish a protection policy. The straightforward design minimizes the risk of
misconfiguration, leading to high overall effectiveness. ⬤
2.3 Cisco – The GUI is accessible, yet setting up a protection policy demands some effort.
There is a notable risk of misconfiguration. ◑
3.5 Fortinet – In this area, the GUI was intuitive, configuring a protection policy was hassle- free, thanks to the minimalistic approach to settings. This simplicity significantly reduces
the likelihood of errors, contributing to its high effectiveness. ⬤
2.8 Palo Alto Networks - While the GUI is straightforward, the process to formulate a protection policy involves multiple steps. Its moderate overall effectiveness score is
attributed to the chance of misconfiguration due to this complexity. ◕
2.5 Zscaler – The interface is user-friendly, though crafting a protection policy necessitates a bit more effort. There is a moderate risk of misconfiguration, but despite this, its overall
effectiveness remains commendable. ◕
Key
4.0 – 3.5 ⬤ 3.49 - 2.5 ◕ 2.49 – 1.50 ◑ 1.49 – .50 ◔ 0.49 - 0 ○ Fully Compliant Mostly Compliant Marginally Compliant Poorly Compliant No Support
Zero Trust Platform Assessment 23 DR240228F
Copyright ©2024 Miercom 6 March 2024
5.8 Email Protection
Description - This use case focuses on protecting users against phishing attempts via email,
a prevalent vector for such attacks. The aim is to assess the effectiveness and user-
friendliness of email security solutions in preventing phishing attacks.
This test also looks at Quishing, a new type of attack where a phishing link is encoded in a
QR code. The user is tempted to scan this code with their phone, where they are statistically
less protected – This could lead to credential theft and to a possible breach.
Impact - Email-based phishing is a widespread and insidious method of attack. Evaluating
the ease of setup, the robustness of the security measures, and the simplicity with which
users can recover emails mistakenly marked as phishing (false positives) is crucial.
Evaluation Procedure - Access the management interfaces of various securing solutions
from leading vendors. Administrators are tasked with configuring these solutions to
intercept and block phishing emails effectively.
An email containing a phishing link is dispatched. The security solution, following the
administrator’s configured rules, should automatically block this email, preventing it form
reaching its intended target.
The phishing link is then converted into a QR code, which is embedded in a new email and
sent again. The security system should consistently block this email as well, demonstrating
its ability to thwart phishing attempts in varied forms.
This test assess the user-friendliness of the security solution, particularly its ability to
empower users to recover emails wrongly identified as phishing threats (false positives)
without necessitating intervention from an administrator. This examines the balance
between strict security measures and the flexibility required for effective email management
strategies.
Zero Trust Platform Assessment 24 DR240228F
Copyright ©2024 Miercom 6 March 2024
Observation and Rating – Email Protection Use Case
Use Case 8
Email Protection - To safeguard users from phishing attacks via email, a comprehensive evaluation
of various vendors reveals distinct levels of protection and capabilities.
3.5 Check Point – Stands out with multiple layers of defense, including NGFW, Email, Mobile,
Endpoint, and SSE, uniquely capable of thwarting Quishing (QR Code Phishing) attacks.
Its advanced AI-driven phishing prevention feature, “Zero-Phishing,” minimizes the
likelihood of misconfiguration. The high overall effectiveness highlights Check Point’s
robust protection across multiple fronts. ⬤
3.0 Cisco - Offers diverse layers of security encompassing NGFW, Email, Mobile, Endpoint, and SSE. Despite its comprehensive protection, Cisco lacks AI phishing prevention and
fails to block Quishing attacks. This poses a risk for users scanning QR codes with
unprotected devices, potentially leading to credential leaks. ◕
3.0 Fortinet – Mirrors Cisco’s security layers but also lacks AI phishing prevention, sharing the same vulnerability to Quishing attacks. This vulnerability underscore the importance
of protecting mobile devices against potential credential theft. The low likelihood of
misconfiguration point to Fortinet’s reliable but not foolproof defense. ◕
2.5 Palo Alto Networks – Provides a broad spectrum of protection, including NGFW, Mobile,
Endpoint, and SSE, enhanced by AI phishing prevention, However, it falls short in blocking
Quishing Attacks, leaving users at risk of credential leaks via mobile scans. The low risk
of misconfiguration but incomplete phishing defense is reflected in its overall
effectiveness. ◕
2.0 Zscaler – Relies on a singular layer of defense without AI phishing prevention, showing vulnerability users scanning QR codes on unprotected devices might face credential
leaks. The likelihood of misconfigurations is noted, with a decent overall effectiveness,
indicating Zscaler’s potential for bolstering its phishing defense mechanisms. ◑
Key
4.0 – 3.5 ⬤ 3.49 - 2.5 ◕ 2.49 – 1.50 ◑ 1.49 – .50 ◔ 0.49 - 0 ○ Fully Compliant Mostly Compliant Marginally Compliant Poorly Compliant No Support
Zero Trust Platform Assessment 25 DR240228F
Copyright ©2024 Miercom 6 March 2024
5.9 Clientless ZTNA
Description - This use case is designed to facilitate secure access for remote users to
corporate resources using their own devices (BYOD). Initially, when a user accesses an
internal server through a web browser from the office, the administrator sets up a policy on
the on-premises gateway to permit web access to this server, allowing the user to navigate
to the Production FTP server. For remote work scenarios, such as a user working from home,
the administrator needs to enable access from the user’s personal computer without
compromising security. Access is granted only when specific criteria are met, including user’s
identity, user’s location, browser type and more. Subsequently, the user logs into the SASE
portal from their browser and access the same server as they would from the office.
Impact - The shift towards remote work has underscored the necessity for flexible yet secure
access to corporate assets from any location or device. This use case addresses the critical
balance between enabling productivity for remote employees and third-party contractors
while maintaining strict security measures to protect sensitive corporate information.
Evaluation Procedure - Administrators log in and navigate the interfaces of the products
evaluated. The process begins with the administrator creating a policy on the on-premises
gateway that allows access to an internal server. Then, a user can access this internal server
via a browser. To accommodate remote access from the personal and unmanaged devices,
the administrator establishes a policy on the SASE platform that enables connection to the
internal server, incorporating strict access control based on posture checks. These checks
validate the user’s location, the time and date of access, the operation system type and
version, and the browser type used. Finally, the user can connect to the internal server using
their personal device, ensuring secure and seamless access to corporate resources
regardless of their physical location.
Zero Trust Platform Assessment 26 DR240228F
Copyright ©2024 Miercom 6 March 2024
Observation and Rating – Clientless ZTNA Use Case
Use Case 9
Clientless ZTNA - Enable secure remote access to corporate resources from unmanaged devices.
3.5 Check Point – Administrators can effectively create posture profiles for clientless users
and configure all necessary criteria. The user portal presents a clear overview of
accessible applications, minimizing the risk of misconfiguration highlight its high overall
effectiveness rating. ⬤
2.8 Cisco – Creating posture profiles for clientless users is possible, albeit with some difficulty. All required criteria, except date and time, can be configured. The absence of a
user portal means users must keep track of application access links manually. Despite
this, misconfiguration is unlikely. ◕
0.0 Fortinet – Currently, Fortinet does not offer support for secure, private access to internal
applications for clientless users. ○
2.4 Palo Alto Networks – Administrators face challenges in fulfilling the task requirements and configuring necessary criteria for clientless users. However, its user portal does
provide a clear view of allowed applications. The likelihood of misconfiguration is high. ◑
1.8 Zscaler – The platform experiences limitations in configuring access policy rules for clientless users, specifically with platform (OS) and country criteria. Adding these criteria
can result in applications becoming invisible in the user portal. Challenges in task
fulfillment and criteria configuration indicate a likelihood of misconfiguration. ◑
Key
4.0 – 3.5 ⬤ 3.49 - 2.5 ◕ 2.49 – 1.50 ◑ 1.49 – .50 ◔ 0.49 - 0 ○ Fully Compliant Mostly Compliant Marginally Compliant Poorly Compliant No Support
Zero Trust Platform Assessment 27 DR240228F
Copyright ©2024 Miercom 6 March 2024
5.10 Remote Users Browsing Experience
Description - This use case outlines the process where an administrator implements SSL
Inspection along with Threat Prevention to oversee and secure web traffic. Subsequently, a
user engages in downloading various file types and sizes from SharePoint, followed by
utilizing internet speed testing tools to evaluate the integrity and speed of their connection.
This exercise is crucial for assessing the performance and dependability of the secure
connection.
Impact - In the context of the escalating significance of remote work for contemporary
organizations, reliability and speed are non-negotiable for operational continuity. The central
objective of this use case is to empower remote employees to execute their tasks efficiently
and securely from any geographical location.
Evaluation Procedure - The evaluation involves interfacing with security solutions from
leading vendors. The procedure commences with the administrator setting up SSL
Inspection and configuring a threat prevention directive for web traffic. The user then
initiates a practical test of the configured rules by downloading a variety of file types and
sizes from SharePoint. Additionally, the user employs internet speed testing tools to verify
the stability and speed of the connection, thereby confirming the efficacy of the security
measure in a remote working scenario.
Zero Trust Platform Assessment 28 DR240228F
Copyright ©2024 Miercom 6 March 2024
Observation and Rating – Remote Users Browsing Experience Use Case
Use Case 10
Remote Users Browsing Experience - Enhancing remote work speed and security
3.7 Check Point – Streamlines the remote working experience by enabling on-device
internet protection via split tunneling configuration, with SSL Inspection and Threat
Prevention activated by default. This approach ensures a superior user experience
characterized by direct internet connectivity, yielding a swifter and more fluid online
interaction with minimal risk of misconfiguration. The simplicity and efficiency of Check
Point’s solution are noteworthy, making it an effortless and straightforward choice for
ensuring secure and rapid remote access. ⬤
3.5 Cisco – Facilitates a smooth remote work setup by allowing administrators to establish a
secure private access policy that incorporates predefined rules and configurations. This
user-friendly interface significantly reduces the likelihood of misconfiguration and
promotes an uncomplicated, intuitive experience. Cisco stands out for its straightforward
design, ensuring that remote work is both secure and effortlessly managed. We noted it
took more effort than should have been required to configure the SUT for remote
browsing experience. ⬤
1.5 Fortinet – Fortinet’s approach requires administrators to implement a policy for internet
access and configure an endpoint profile with advanced threat protection settings.
Moreover, due to the cloud Points of Present (PoP) routing, users may experience
suboptimal performance. The additional configuration steps introduce a higher
probability of misconfiguration, rendering a mediocre overall effectiveness rating. ◑
2.8 Palo Alto Networks – Administrators using Palo Alto Networks need to create a
decryption policy to inspect all web traffic, create a new Profile Group and excluding the
default File Blocking profile to allow legitimate files to be downloaded by the user.
Additionally, policies for threat prevention must be applied. Like others that route
through cloud PoP, the user experience can suffer. The intricacy of the necessary
configurations increased the risk of misconfiguration, which may compromise the
platforms’ overall efficacy. ◕
2.0 Zscaler – Administrators are tasked with creating rules to inspect all web traffic and
additional sandbox rules for scanning specific file types. Disabling default configurations
is necessary to enable comprehensive scanning of Office 365 traffic. The routing of traffic
through cloud PoP can diminish the user experience. Consequently, the overall
effectiveness of Zscaler’s platform might fall short of the ideal, particularly in scenarios
demanding high-performance standards. ◑
Key
4.0 – 3.5 ⬤ 3.49 - 2.5 ◕ 2.49 – 1.50 ◑ 1.49 – .50 ◔ 0.49 - 0 ○ Fully Compliant Mostly Compliant Marginally Compliant Poorly Compliant No Support
Zero Trust Platform Assessment 29 DR240228F
Copyright ©2024 Miercom 6 March 2024
6.0 About Miercom
Miercom has published hundreds of network product analyses in leading trade periodicals and other
publications. Miercom’s reputation as the leading, independent product test center is undisputed.
Private test services available from Miercom include competitive product analyses, as well as
individual product evaluations. Miercom features comprehensive certification and test programs
including Certified Interoperable™, Certified Reliable™, Certified Secure™ and Certified Green™.
Products may also be evaluated under the Performance Verified™ program, the industry’s most
thorough and trusted assessment for product usability and performance.
7.0 Use of This Report
Every effort was made to ensure the accuracy of the data contained in this report, but errors and/or
oversights can occur. The information documented in this report may also rely on various test tools,
the accuracy of which is beyond our control. Furthermore, the document relies on certain
representations by the vendors that were reasonably verified by Miercom but beyond our control to
verify to 100 percent certainty.
This document is provided “as is,” by Miercom and gives no warranty, representation, or undertaking,
whether express or implied, and accepts no legal responsibility, whether direct or indirect, for the
accuracy, completeness, usefulness, or suitability of any information contained in this report.
All trademarks used in the document are owned by their respective owners. You agree not to use any
trademark in or as the whole or part of your own trademarks in connection with any activities,
products or services which are not ours, or in a manner which may be confusing, misleading, or
deceptive or in a manner that disparages us or our information, projects or developments.
Miercom’s Fair Test Policy allows for any vendor evaluated to challenge or retest these results in
accordance with Miercom Terms of Use Agreement if there are any disagreements in our
findings presented here.
Miercom did not acquire products for this review, nor has Miercom agreed to any vendor’s End
User License Agreement (EULA) or any other overly restrictive agreements that limit free press,
product evaluations, editorial works, or publishing product reviews. We believe in providing
accurate objective information to assist customers make informed purchasing decisions.
By downloading, circulating, or using this report in any way you agree to Miercom’s Terms of Use. For
full disclosure of Miercom’s terms, visit: https://miercom.com/tou.
© 2024 Miercom. All Rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without
the express written consent of the authors. Please email reviews@miercom.com for additional information.