Designing a Zero Trust Architecture: 20 open-source tools to secure every layer

According to studies, most catastrophic failures in a complex system aren’t the result of a single disaster. Instead, they happen when many smaller failures pile up, causing a catastrophe.

This is called the Swiss Cheese model. In the picture below, you can see a network security system represented in this Swiss Cheese model. Each layer has its vulnerabilities and possibilities for failure, often associated with implicit trust.

Zero Trust Architecture (ZTA) aims to close many of those vulnerabilities to create blanket coverage, which requires many different tools (slices of Swiss cheese) to properly attain. That’s why we asked our community to share their favorite open-source tools you can use today to make sure your ZTA is complete.

What is Zero Trust?

Trust nothing, verify everything.

At first, the statement above may seem extreme, but the rise of non-human identities, autonomous AI agents, and distributed cloud systems makes Swiss cheese of previously hard network boundaries. In this system of soft, moving boundaries, it’s not wise to grant implicit trust to a user based on their network or physical location.

That’s why ZTA is so rightly paranoid.

First published by NIST (National Institute of Standards and Technology) in 2020, ZTA is a set of security principles that define a design approach focused on eliminating implicit trust. These principles include:

1. Giving the least privileged access to each user and device.
2. Segmenting the network to contain threats and reduce lateral movement.
3. Always verifying through continuous monitoring, authentication, and authorization.
4. Assuming breach as a baseline security posture.
5. Enforcing access through centralized, policy-driven decisions.

These principles lead to systems secured by tools that verify each call or request by users.

How to implement Zero Trust Architecture

Zero Trust Architecture is about closing the gaps caused by implicit trust — the same gaps shown in the Swiss Cheese model. It’s not a product or a one-time setup, but a practical, ongoing approach where every user, device, and service must continuously verify trust to gain access.

In practice, this means using strong identity and access controls across every layer of your system and continuously auditing both human and non-human identities. You should be able to answer: What level of access does each identity or service have? Is that level still appropriate? What’s changed?

Also, Zero Trust systems need to evolve alongside your infrastructure, identity models, and risk landscape. Open-source ZTA tools can support that flexibility:

1. The variety of available OSS tools allows you to create a more comprehensive security solution.
2. Open-source tools are inherently transparent. You get full visibility into the codebase, giving you the ability to verify the functionality of your tools, and even modify each to suit your requirements. This gives you full ownership and control over your end-to-end stack.

So to help you build a well-rounded Zero Trust implementation, we’ve organized the most relevant open-source tools into six key categories:

1. Firewalls
2. Network segregation tools
3. Encryption tools
4. Workload Identity tools
5. Authentication
6. Authorization

Top open-source firewall tools for ZTA

Never trust incoming traffic is safe. Always verify traffic sources.

The road to Zero Trust starts with a good first line of defence: a firewall that only allows permitted traffic sources and requests into the network. While traditional firewalls weren’t designed with Zero Trust in mind, some open-source solutions offer features that can support certain ZTA principles (traffic segmentation, monitoring, or protocol-level filtering). These tools don’t enforce identity-aware, per-request access decisions on their own, but they can still play a role in a broader Zero Trust strategy when combined with other context-aware systems.

pfSense

5.2k stars

Apache-2.0 license

pfSense is an open-source firewall and router operating system based on FreeBSD. It gives strong control over network traffic. It's a good fit for small to medium-sized organizations, as it works well as a perimeter layer in a broader Zero Trust strategy.

Features include:

• Stateful Packet Inspection, a functionality that tracks active connections in your network and filters packets accordingly.
• GeoIP blocking for allowing or blocking traffic based on the geographic locations of origin.
• Network access control based on time schedules or connection rules set by network administrators.
• Inbound and outbound Network Address Translation to help control traffic between private and public networks.
• Anti-spoofing prevents attackers from using fake IP addresses to circumvent firewall security measures set.

Pros

1. Multiple device support allows it to be used on any device running on x86-64 processor architecture.
2. Highly configurable firewall rules.
3. A large package system that allows the addition of features to its built-in firewall capabilities.
4. Threat protection using Snort and Suricata Intrusion detection and prevention systems (IDS/IPS).

Cons

1. pfSense does not evaluate access based on identity or real-time context, which limits its use in dynamic Zero Trust enforcement.
2. No x32 processor architecture support from version 2.4.0 onwards.
3. Performance is limited to the hardware it runs on, affecting features like IDS/IPS.

OPNsense

3.7k stars

BSD-2-Clause license

OPNsense is a community-driven fork of pfSense that adds next-generation firewall capabilities through Zenarmor. It has a high frequency of commits (approximately 35–40 per week compared to pfSense’s ~10) that shows an agile and responsive community that actively maintains its codebase. Like pfSense, OPNsense supports Zero Trust-aligned practices like traffic segmentation and perimeter enforcement, but lacks identity- and context-aware access controls required for full ZTA compliance.

Features include:

• Statefulness for tracking the state of network connections and making filtering decisions based on the states and rules set.
• Grouping IP addresses into aliases simplifies firewall rules management. For country-based filtering, it integrates the GeoLite2 country database.
• Prioritizes traffic for optimal bandwidth allocation.
• Enforces Two-Factor Authentication for accessing the firewall's interface.
• A captive portal for controlling network access by requiring users to enter their credentials on a login page.
• Caching and web filtering capabilities that cache content to improve speed and filter the content based on categories.

Since it is a fork of pfSense, it shares many of the same advantages and disadvantages. However, some are unique to OPNsense.

Pros

1. A more user-friendly interface than pfSense.
2. High availability due to its support for the Common Address Redundancy Protocol that allows you to create automatic-failover firewalls in case of a fault in your firewall.

Cons

1. OPNsense requires x86-64 hardware, like modern versions of pfSense.

ModSecurity

8.8k stars

Apache-2.0 license

ModSecurity is a web application firewall backed by OWASP. It specializes in inspecting and filtering HTTP request and response traffic to detect and mitigate threats like SQL injection and cross-site scripting (XSS) and other OWASP Top 10 vulnerabilities. Unlike network firewalls like pfSense or OPNsense, ModSecurity operates purely at the application layer.

It's particularly crucial for implementing ZTA in web applications as it provides continuous monitoring (which is at the heart of ZTA) along with robust threat detection at the application layer.

Features include:

• The ability to monitor and log your traffic in real-time to help you identify threats, check for anomalies and troubleshoot issues.
• Optional pre-written filtering rulesets like the OWASP ModSecurity Core Rule Set.
• Can block IP addresses with a known reputation for maliciousness.
• Mitigate threats without modifying the web applications that are under protection.

Pros

1. Protects web applications from attacks like SQL injection.
2. Compatible with multiple web servers namely Apache, Nginx and IIS.
3. Can detect malicious traffic and so double as an Intrusion Detection System for alerting you about potential threats.

Cons

1. Firewall rule processing, if not optimized, can slow down the performance of web servers and consequently applications.
2. May require tweaks for normal operations to lower the possibility of false positives blocking safe traffic.
3. Only for web applications, not general network traffic.

It is best suited for companies that want a web firewall with continuous traffic logging and strong application-layer protection. It supports Zero Trust principles but should be paired with identity-aware tools for full coverage.

IPFire

184 stars

GNU General Public License (GPL) license

IPFire is a Linux operating system that is specifically tuned to serve as a firewall. Some of its features include:

• A stateful nature for tracking active connections.
• A demilitarized zone that provides an isolated network zone for public facing services
• Protection against denial-of-service attacks using rate limiting and SYN packet flooding protection.
• Time-based and MAC address-based filtering rules for controlling traffic based on time and specific devices respectively.
• Advanced filtering options with blocklists, MIME type filters, custom allowlists, etc.

Pros

1. The best OS for firewall functionalities.
2. Easier firewall setup due to its smart user interface features like visual aids that help you configure your firewall.
3. Helps track connections and debug network activity in real-time.

Cons

1. Not as widely adopted in enterprise environments compared to ModSecurity, pfSense, and OPNSense.
2. Reduced performance when used on weaker hardware platforms due to its many features.

IPFire is best for companies that would like a dedicated firewall OS, which would include enterprises that are very strict on what they allow inside their network.

Top open-source network segregation tools for Zero Trust

Never trust traffic to stay where it’s allowed. Always verify information traveling between your front and back end.

In a ZTA, even internal traffic is restricted and verified. Often, this is done by micro-segmenting architecture, separating front-end, back-end and database layers so you can ensure traffic only flows where it’s allowed. This limits your exposure if a component is compromised.

Most cloud providers do offer built-in segregation, but the tools below give you more visibility into your cloud infrastructure.

Calico

6.4k stars

Apache-2.0 license

Designed for containers and cloud-native applications, Calico offers micro-segmentation by enforcing policies directly at the workload level. It isolates services to ensure secure, policy-driven traffic management and can seamlessly scale across Kubernetes and OpenShift environments.

Features include:

• Supports namespace-based isolation and identity-based microsegmentation. Namespace-based isolation ensures that workloads in different namespaces remain fully segregated. On the other side, identity-based micro-segmentation allows network policies to be defined based on labels, namespaces or service accounts.
• Ensures traffic segmentation across different network layers and enforcing policies at multiple levels (host, namespace and workload). This helps prevent unauthorized traffic between pods, nodes or services.
• WireGuard encryption provides end-to-end encryption for pod-to-pod communication, preventing unauthorized traffic access between different network segments.

Pros

1. Highly scalable as it is designed using best practices and industry-accepted standards to work in both small and large clusters.
2. Flexible in deployment as it runs on Kubernetes, OpenShift, OpenStack, and bare metal. It also works across on-premises, public and hybrid cloud environments.
3. Uses optimized Linux networking algorithms for minimal CPU and resource overhead resulting in overall increased performance.
4. Supports rich security policies that support layered security from host networking to application policies.

Cons

1. Requires a solid understanding of Kubernetes to configure the network policies.
2. Since some features are Linux-specific, Windows users may miss out on some features.

Calico is best network segregation tool for companies who need a way to secure their Kubernetes clusters in a zero-trust and scalable manner.

Cilium

21.5k stars

Apache-2.0 license

Cilium dynamically filters and monitors traffic between services satisfies Zero Trust’s main principles of continuous verification and segregation. It provides secure service isolation at high performance through micro-segmentation. Additionally, it uses Extended Berkeley Packet Filter (eBPF) for advanced, packet-level filtering and visibility.

Features include:

• Identity-based security i.e., it assigns unique identities to workloads based on labels, enabling network policies that are decoupled from IP addresses. This ensures security policies remain consistent even as workloads are rescheduled or IP addresses change.
• Use of Layer 3 to Layer 7 Network Policies allowing for detailed control over traffic based on various protocols and application-level data.
• Encrypts traffic between workloads to protect against unauthorized interception. This also strengthens network segmentation, ensuring sensitive data remains secure even if a boundary is crossed.

Pros

1. Guaranteed high performance due to the use of eBPF. This allows Cilium to perform network operations with minimal overhead.
2. Cilium's use of eBPF also provides detailed visibility into network traffic and application behaviour, assisting in monitoring and troubleshooting efforts.
3. Scales well with large Kubernetes deployments since it's built for cloud-native environments.

Cons

1. Reliance on eBPF requires a compatible Linux kernel version, which may cause issues in certain environments arising from incompatible Kernel versions.
2. Using Cilium may present a steep learning curve for teams unfamiliar with eBPF or its networking model.
3. Compatibility with other orchestration platforms other than Kubernetes may vary, requiring additional configuration to use it.

Cilium is best for companies that want to secure their Kubernetes clusters in a zero-trust and scalable manner and are using a compatible Linux kernel version.

Flannel

9.1k stars

Apache-2.0 license

Flannel is a Container Network Interface, tool just like Calico and Cilium, focused on smaller loads. It creates a layer 3 IPv4 network between nodes in a cluster, ensuring that each pod receives a unique, routable IP address within the cluster. Unlike Calico and Cilium, Flannel only helps you control how traffic moves in your segregated network and not the network as a whole since it does not support network policies.

Features include:

• Overlay Networks that abstract container traffic, ensuring that an individual node's traffic remains isolated from the rest, supporting effective network segregation.
• Support for various methods of packet transmission, giving administrators the flexibility to choose the most appropriate mechanism to meet their segregation requirements.

Pros

1. Relatively simple to set up and easy to use.
2. Flannel's compatibility with various network backend technologies allows it to be used for diverse network environments and infrastructure needs without too many modifications.

Cons

1. Does not natively support Kubernetes Network Policies, which are crucial for defining and enforcing rules about how pods communicate with each other. So it requires additional tools, such as Calico, to implement network policies for complete segregation.
2. Relatively lower performance compared to Calico or Cilium.

Flannel is a good fit for startups and smaller teams that need a simple, reliable way to connect workloads inside Kubernetes clusters, without the complexity of full network policy enforcement.

Open vSwitch (OVS)

3.7k stars

Apache-2.0 license

While OVS doesn’t directly enforce Zero Trust policies, it does increase the capabilities of Zero Trust-aligned tools and network policies. When properly configured, it helps control and isolate traffic flow in combination with those tools.

Features include:

• Support for the standard 802.1Q VLAN model. This allows for the creation of trunk and access ports, which enable the segmentation of network traffic into isolated broadcast domains.
• Tunnelling protocols, like GRE and VXLAN, that facilitate the creation of overlay networks. These networks aid the separation of network traffic across different physical infrastructures, supporting multi-tenant environments and complex network topologies.
• Allows administrators to define Access Control Lists (ACL), which can be used to permit or deny traffic based on specified criteria.

Pros

1. Designed for programmatic extension and control, allowing for dynamic network configurations and automation.
2. A comprehensive feature set that gives it flexibility to meet a wide range of network needs.

Cons

1. The feature set and programmability increase complexity for those unfamiliar with it.
2. May introduce CPU and memory overhead compared to hardware switches, impacting performance.

OVS is designed for companies that need programmable control over their network traffic so they can harness network management automation features.

NOTE: Network and firewall tools alone are not sufficient for achieving Zero Trust. Without integrating identity-based access controls, they cannot verify users, devices, or workloads before granting access.

Top Zero Trust open-source encryption tools

Never trust that your data is safe. Always encrypt data at all points.

In a Zero Trust environment, data should never be left in a state where it’s easily readable. That means encryption solutions must cover both data at rest and data in transit. Access to encrypted data must be tightly governed by identity and access management to ensure every access attempt is properly verified and authorized.

Of course, everyone uses encryption, but a strong ZTA requires solutions that go beyond basic file encryption.

GNU Privacy Guard (GnuPG)

788 stars

Several licences including GPL-3.0 and GPL-2.0

GnuPG uses symmetric and public key cryptography algorithms to keep data secure. An implementation of the OpenPGP standard, which is designed for encrypting and signing data and communications, GnuPG is widely used to secure email, encrypt files, and verify the authenticity of software packages.

Its features include:

• A hybrid encryption model (it combines asymmetric encryption for key exchange with symmetric encryption for message encryption) that balances security and performance.
• Cryptographic signatures that help verify messages and files.
• Some experimental implementations of GnuPG support post-quantum cryptographic algorithms. This can help users future-proof security.
• A decentralized Web of Trust model requires users to sign each other’s keys in order to establish authenticity instead of relying on traditional centralized certificate authorities.

Pros

1. Fully compatible with other OpenPGP-compliant software.
2. Designed for encrypting files and emails, making it viable for different security needs.
3. There is no reliance on certification authorities as it has a web of trust model for key authenticity.
4. Its Digital Signatures feature ensures that files, emails, and software packages are authentic and untampered.

Cons

1. Managing, sharing, and revoking GPG keys can be complicated, especially for non-technical users.
2. Scaling is difficult as the Web of Trust requires manual verification.
3. Lacks forward secrecy, so if a private key is compromised, all previously encrypted messages using that key can be decrypted.
4. Does not natively support post-quantum cryptography.

GnuPG is best suited for internal operations or encrypting files before being sent into network traffic. It is not ideal for real-time encryption because it is designed for file and message encryption.

VeraCrypt

7.6k stars

Several licenses including Apache-2.0.

VeraCrypt secures data at rest, similar to GnuPG, restricting unauthorized access to sensitive information. It encrypts drives and creates encrypted volumes by creating a virtual disk, moving the target data to the disk, and encrypting the data.

Features include:

• Support for multiple encryption algorithms, including AES, Serpent, Twofish (or combinations of the three).
• Hides encrypted volumes or operating systems inside unencrypted ones to protect against coercion attacks.
• Derives encryption keys from user passwords (using PBKDF2 with SHA-512, SHA-256, or Whirlpool) to protect against brute-force and dictionary attacks.
• Allows users to layer multiple encryption algorithms with cascading encryption to increase security.
• XTS and LRW modes protect against known plaintext and watermarking attacks.

Pros

1. Supports multiple algorithms and cascading encryption to increase encryption strength.
2. Protects entire disks and partitions, making it suitable for securing sensitive data on lost or stolen devices.
3. Prevents forced or accidental disclosure with hidden volumes/OS.
4. Works on Windows, macOS, and Linux.

Cons

1. Lacks a password recovery feature, which means data is permanently lost if a password is lost.
2. Lacks forward secrecy.
3. May be complex for non-technical users, especially setting up encrypted volumes, managing keys and configuring hidden OS features can be challenging.

VeraCrypt secures is perfect for small- to medium-sized enterprises that require cryptographic software adaptable enough to work in a hybrid work setting.

Sealed Secrets

8.2k stars

Apache-2.0 license

Sealed Secrets is a Kubernetes tool developed by Bitnami for secure secret management in DevOps workflows. It's an encryption software that only allows designated Sealed Secrets controllers to decrypt data.

Features include:

• Regenerates encryption keys periodically to curb key compromisation.
• Uses Kubernetes' RBAC model to control access to decrypted secrets based on Kubernetes roles and namespaces.
• Enables secure storage of secrets in Git repositories while ensuring that only authorized Kubernetes clusters can decrypt them.

Pros

1. Controlled secret decryption because only the controller in the Kubernetes cluster can decrypt the secrets.
2. Works natively within Kubernetes, eliminating the need for external secret managers.
3. Secrets can be shared across several clusters, provided they share the same public/private key pair.

Cons

1. Limited to Kubernetes.
2. Controller is a single point of failure. If deleted, encrypted secrets become unrecoverable.
3. If the private key is compromised, stored secrets could be decrypted by unauthorized users.

Top Zero Trust open-source workload identity tools

Never trust the calling service is who it says it is. Verify its identity.

When you follow Zero Trust security model, you must verify the identity of every workload or machine, not just human users. Any service claiming to be “trusted” could be compromised. Workloads need their own strong, verifiable identities to prevent lateral movement and unauthorized access. If you want to dive deeper into the security risks of machine and workload identities, take a look at our article on addressing the OWASP Top 10 workload threats. So, workload IAM tools are designed to solve these challenges by:

• Assigning a unique, cryptographic identity to each process, container, or service.
• Authenticating and authorizing workloads dynamically, without hardcoded secrets.
• Supporting continuous verification across cloud, Kubernetes, VMs, and on-prem systems.

While most workload IAM tools are closed-source, below are some open-source options you can use to secure your workloads.

SPIRE

1.9k stars

Apache-2.0 license

SPIRE (SPIFFE Runtime Environment) is an open-source tool implementing SPIFFE standards to verify workloads dynamically. This ensures only authenticated and authorized workloads can communicate within a system.

Key features of SPIRE

• Assigns unique SPIFFE IDs to workloads, ensuring a secure and verifiable identity.
• Automated workload authentication.
• Several attestation methods, like node and workload attestation, verify machine and process identity, respectively.
• Workload attestation plugins automatically authenticate workloads based on platform-specific parameters, e.g., Kubernetes pods, VM metadata, AWS IAM roles, etc.
• Authenticates workloads using short-lived X.509 certificates which are rotated to minimize credential leaks.
• Allows defining policies for workload identity issuance and access control based on workload attributes.

Pros

1. Automated rotation of cryptographic identities strengthens its security model.
2. Removes the need for hard-coding API keys and passwords.
3. Authenticates workloads across Kubernetes, cloud providers and on-prem infrastructure.
4. Easily integrates with existing service meshes like Istio and identity providers.

Cons

1. Requires configuring multiple components (SPIRE server, agents, attestation plugins) before use.
2. Requires integration with other tools like Cerbos to enforce access control policies.
3. In large deployments, workload attestation and identity rotation can introduce additional computational overhead, especially in large-scale environments.

SPIRE is perfect for companies who need to issue and manage workload identities for cloud-native microservices.

Kubernetes Service Accounts

115k stars

Apache-2.0 license

Kubernetes service accounts is a built-in feature that provides a mechanism for managing workload identities in a Kubernetes cluster. It assigns each pod an identity that can be securely authenticated with both the Kubernetes API and external services without relying on static credentials.

Features of Kubernetes service accounts

• Automatic pod identity assignment ensures each pod in a Kubernetes cluster inherits a service account which determines its identity and access permissions.
• Uses JWT tokens (or projected service account tokens) to authenticate with the Kubernetes API or external systems.
• Supports automatically rotated, short-lived JWT tokens, reducing the risk of compromised tokens.
• In cloud environments, Kubernetes workloads can use Workload Identity federation to authenticate for a secret-free workload identity workflow.

In this context, federation refers to a method that allows different systems to securely share credentials for their functioning.

Pros

1. Kubernetes Role-Based Access Control allows assigning specific permissions to different service accounts, limiting what workloads can access.
2. Automatically rotated tokens reduce the risk arising from compromised credentials.
3. Workloads can authenticate without hardcoded credentials when using service account tokens.

Cons

1. Limited to Kubernetes unless you add additional configurations for other technologies.
2. No built-in policy enforcement.
3. Older Kubernetes versions issue long-lived tokens that don’t expire making them prone to leakage.

Kubernetes service accounts work best for tech teams that are fully reliant on Kubernetes for the functioning of their workflows.

Nomad

15.4k stars

Business Source License 1.1

Nomad by HashiCorp integrates HashiCorp Vault with SPIFFE to create a flexible workload orchestrator that supports secure workload identity management for all types of applications and infrastructure.

Features include:

• Uses SPIFFE IDs.
• Provides short-lived dynamic secrets from HashiCorp Vault, reducing exposure to compromised secrets.
• Automatically injects secrets into workloads.
• Assigns policies and enforces access control with Nomad ACL tokens.

Pros

1. Highly compatible with a variety of applications and environments: containerized or not; monolithic or microservices; cloud or on-premise environments.
2. Simpler to deploy and manage compared to Kubernetes.
3. Dynamically assigns identities, avoiding hard-coded secrets.

Cons

1. Requires SPIRE or Vault for full identity management.
2. Does not directly enforce access policies unless integrated with other tools.
3. Less adoption compared to Kubernetes Service accounts.

Nomad is the answer for companies that need a lightweight alternative to Kubernetes. Its simpler deployment model makes it easier to use while still offering powerful orchestration features.

Top open-source authentication tools for ZTA

Never trust users are who they say they are. Always verify users’s identities.

Previously, users were authenticated at login, then given a token that verified their identity across services and extended throughout their session.

In ZTA, that token is not enough. Zero Trust systems require continuous and dynamic authentication, verifying users before accessing the network and throughout their session. This ensures that even if the user changes before a session ends, the new user must be re-authenticated.

This dynamic authentication system requires tools that go beyond tokens.

Keycloak

26.9k stars

Apache-2.0 license

Keycloak is an identity and access management (IAM) solution with many authentication features which allow you to build a system that follows Zero Trust principles.

Features include:

• Standard form-based login using usernames and passwords.
• Social login and Single Sign-On through OAuth2 and OpenID Connect providers (Google, Facebook, GitHub, etc.).
• Passwordless Authentication via WebAuthn for biometric or hardware key-based authentication.
• Allows users to authenticate via Kerberos tickets.
• Brute force protection.
• Authentication events logging.

Pros

1. Easy code integration with Java, Node.js, PHP, and other platforms via standard protocols.
2. Supports multiple authentication flows, including 2FA and passwordless login.
3. Web-based admin console and REST APIs for automation.

Cons

1. Resource-intensive.
2. Needs a clustered setup for large deployments that require scaling, which adds operational complexity.
3. Updates can cause breaking changes if not managed properly.

Hanko.io

7.9k stars

GNU Affero General Public License

Hanko is a passkey-based authentication tool that uses WebAuthn and biometrics, similar to authentication tools from Google and Apple. It includes a backend for authentication, OAuth, SSO, user management, and JWT issuing.

Features include:

• Decentralized identity for authenticating using personal devices instead of a central password store.
• REST and WebAuthn APIs for easy integration.
• Frontend SDKs for supporting JavaScript and other frameworks.

Pros

1. It reduces attack surfaces by avoiding credential storage.
2. Better user experience because users can authenticate via biometrics or hardware keys.
3. There is no single point of failure or attack as there is no centralized storage.

Cons

1. Legacy systems, such as browsers and hardware, may not support WebAuthn.
2. No traditional login support for fallback options.
3. Fewer enterprise features like RBAC or federation compared to Keycloak.

Hanko.io is an open-source alternative to Clerk and Auth0.

ZITADEL

10.5k stars

AGPL-3.0 license

Zitadel is a ready-to-deploy Identity and Access Management platform that offers the best of both worlds with the simplicity of Auth0 and the open-source commitment of Keycloak.

Features include:

• Developer focused, customizable open-source project.
• Multi-tenancy features that allow managing multiple organizations within a single instance.
• A self-service user portal for managing authentication methods and account settings.
• Social login and Single Sign-On (SSO) features.
• Webhook notifications support.

Pros

1. Multi-tenancy support with fine-grained control for both simple and complex organization structures.
2. Flexible deployment options. Tech teams can choose between Zitadel Cloud for zero-maintenance operations or self-hosting for full infrastructure control.
3. Extensive integrations and extensibility through webhooks, actions, and connectors — enabling deep customization without forking or compromising security.

Cons

1. Limited available integrations at this time.
2. Zitadel’s time in the market is less than their competitors which results in fewer available tutorials from third parties.

It is built for teams and organizations running distributed applications, those with data residency requirements, or looking to get the most out of an Identity and Access Management platform.

Aunthentik

15.9k stars

It is open-sourced under several licenses outlined in the LICENSE file.

Authentik is an identity provider commonly used as a lightweight alternative to Keycloak because both operate in a similar manner with similar features.

Features that differentiate it from Keycloak are:

• Native Docker & Kubernetes Support.
• Can act as a reverse proxy server reverse proxy server for authentication in reverse Proxy Mode.

Pros

1. More lightweight than Keycloak.
2. Supports several authentication options.
3. Can act as an authentication gateway.

Cons

1. May require additional configuration for large-scale deployments.
2. Has a relatively small community and ecosystem.

Authentik is designed for small containerized deployments or for use where a simpler solution for AuthN is required.

Top open-source ZTA authorization tools

Never trust an entity trying to access a resource has sufficient privilege. Always verify every request against your policies.

Once a user is authenticated, they need to be authorized for each aspect of the application they want to access. With Zero Trust model in place, the system needs extremely fine-grained control to authenticate and explicitly verify and authorize every request for access based on the principle of least privilege. It also needs to ensure all access granted is time-bound.

Cerbos PDP

3.8k stars

Apache-2.0 license

Cerbos Policy Decision Point is a scalable, open-source authorization layer for implementing fine-grained roles and permissions. Cerbos PDP supports Zero Trust Architecture by enforcing least-privilege access at runtime, dynamically evaluating every request based on user attributes (be it human or not), resource context, and real-time conditions, and generating detailed audit logs to provide visibility and traceability for all access decisions.

Features include:

• Fine-grained RBAC, ABAC, and PBAC support with simple YAML-based policy definition.
• Scoped policies allow users to tailor security requirements for specific applications or use cases.
• Derived roles allow users to adjust permissions in real time based on contextual parameters.
• Built-in policy testing allows developers to write and validate authorization policies before deployment. These tests can also be integrated into
• CI/CD pipelines to prevent unintended security issues in production.

Pros

1. Fast, real-time authorization decisions optimized for performance-critical systems.
2. Clear, developer-friendly policy model (YAML).
3. Comprehensive audit logging and compliance alignment with HIPAA, PCI DSS, GDPR, ISO 27001.
4. Built-in tools for versioning, policy promotion, and proactive validation.
5. Seamless scaling across cloud-native, hybrid, and edge environments without complex tuning.
6. Highly scalable with enterprise-grade authorization features for Zero Trust enforcement.

Cons

1. Some features like centralized management are only available in the Cerbos Hub which is a paid feature.
2. If not using the managed version by Cerbos Hub, hosting and scaling Cerbos yourself needs additional configuration and maintenance effort.

Cerbos is suited for almost any environment and application due to its rich features and support.

Support us ⭐️
If Cerbos has been helpful for you, we'd love it if you gave us a ⭐️ on GitHub. It means a lot to our dev team and helps the project grow!

---

OpenFGA

3.5k stars

Apache-2.0 license

Inspired by Google Zanzibar, OpenFGA is a high-performance authorization engine that streamlines application permissions by adding fine-grained authorization. It integrates seamlessly with existing code via various SDKs.

Features include:

• Fine-grained authorization modeled on Google Zanzibar principles.
• Integrations with various languages and frameworks via SDKs.
• Support for modeling complex relationships between users, roles, and resources.

Pros:

• Fast and scalable, built for high-throughput environments.
• Strong fit for complex relationship-based access models.
• An active development community and commercial backing (by Auth0/Okta).
• Good documentation and API design make integration straightforward.

Cons:

• Focused only on relationship-based authorization; less flexible for broader policy types like attribute-based access control (ABAC).
• Requires additional components (e.g., external identity providers, context providers) for full Zero Trust enforcement.
• Still evolving compared to longer-established engines; enterprise-ready features like audit logging and multi-tenancy are maturing but not as extensive as purpose-built policy engines.

Open Policy Agent (OPA)

10.2k stars

Apache-2.0 license

Open Policy Agent is a general-purpose, open-source policy engine that can be used for authorization in Zero Trust architectures. OPA policies are written in Rego, a domain-specific language that allows for complex policy definitions.

Features include:

• Supports flexible RBAC and ABAC policies via Rego.
• Can enforce policy decisions across Kubernetes, APIs, service meshes, and CI/CD pipelines.
• Deployable as a sidecar, library, or centralized decision service.

Pros:

• Highly customizable for diverse policy enforcement needs.
• Strong ecosystem integrations with Kubernetes, Envoy, and other cloud-native tools.
• Mature open-source project with CNCF governance.

Cons:

• Steep learning curve due to Rego’s specialized syntax and operational model.
• Requires significant engineering effort to model and maintain fine-grained access control at scale.
• Performance optimization is manual and requires tuning for high-throughput use cases.
• Lacks built-in features for policy versioning, multi-tenant policy management, and easy auditability without substantial customization.

Comparison table of the tools

Use the table below as a quick reference tool to see which tool meets your needs.

NOTE: The number of each tools' GitHub stars is accurate as of the time of writing.

Tool	GitHub Stars	License(s)
Firewalls
pfSense	5.2k	Apache-2.0
OPNSense	3.7k	BSD-2-Clause
ModSecurity	8.8k	Apache-2.0
IPFire	184	GPL
Network segregation
Calico	6.4k	Apache-2.0
Cilium	21.5k	Apache-2.0
Flannel	9.1k	Apache-2.0
Open vSwitch	3.7k	Apache-2.0
Encryption
GNU Privacy Guard	788	GPL-3.0, GPL-2.0
VeraCrypt	7.6k	Apache-2.0, Others
Sealed Secrets	8.2k	Apache-2.0
Workload identity
SPIRE	1.9k	Apache-2.0
Kubernetes Service Accounts	115k	Apache-2.0
Nomad	15.4k	Business Source License 1.1
Authentication
Keycloak	26.9k	Apache-2.0
Hanko.io	7.9k	GNU AGPL
ZITADEL	10.5k	AGPL-3.0 (ZITADEL v3)
Authentik	15.9k	Multiple
Authorization
OpenFGA	3.5k	Apache-2.0
Cerbos PDP	3.8k	Apache-2.0
Open Policy Agent	10.2k	Apache-2.0