VPN, SASE, IAM, and Endpoint Protection Compared
Remote work has permanently reshaped enterprise cybersecurity. In 2026, companies operate across distributed cloud environments, hybrid offices, personal devices, third-party SaaS applications, and globally connected teams. That flexibility has dramatically expanded the attack surface. A single compromised credential, unmanaged endpoint, cloud misconfiguration, or phishing link can expose sensitive business systems, customer data, and financial records.
Traditional perimeter-based security and legacy VPNs cannot keep up with that reality. Once a user was inside the network, older models granted broad access and assumed trust. Modern attack environments dismantled that assumption completely.
That is the problem zero trust architecture solves. Instead of automatically trusting users and devices on the network, zero trust continuously verifies identity, device health, location, permissions, and behavior before granting access to any application or data. Every access request is evaluated in real time. Nothing is trusted by default.
The result is explosive demand for enterprise VPN solutions, SASE platforms, IAM software, endpoint protection for remote teams, and zero trust network access providers. For IT managers, CTOs, CISOs, startup founders, and enterprise buyers, selecting the right zero trust stack has become one of the most consequential technology decisions of 2026.
This guide compares the leading platforms across VPN, SASE, IAM, and endpoint protection, provides a phased deployment framework, covers compliance alignment, and includes concrete ROI analysis to support procurement decisions.
Section 1: What Is Zero Trust Security?
Zero trust security operates on one core principle: never trust, always verify. Instead of granting access after a single login event, zero trust evaluates every request continuously based on multiple real-time risk factors.
Core Principles
Identity as the New Perimeter
Authentication and authorization decisions are based on verified user identity, device health, context, and behavior rather than network location. Every session is evaluated individually. Being on the corporate network grants no inherent trust.
Least Privilege and Just-in-Time Access
Users and workloads receive only the minimum permissions needed for a specific task, for the shortest time possible. This directly limits the damage a compromised credential can cause by restricting what an attacker can reach once inside.
Micro-Segmentation
Networks and applications are divided into small, isolated zones. Even if an attacker breaches one segment, lateral movement to other systems is blocked. This is one of the most effective controls against ransomware spread.
Continuous Verification and Analytics
Real-time monitoring of login behavior, device health, geographic location, threat signals, and privilege escalation attempts replaces static trust assumptions. Anomalies trigger immediate re-verification or access revocation.
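The four principles above, combined into one per-request decision. This is an added example, not code from any vendor named in this guide; the field names, the eight-hour MFA window, and the sample users and requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # re-verify (for example, fresh MFA) before continuing
    DENY = "deny"


@dataclass(frozen=True)
class Grant:
    """Just-in-time grant: one user, one application, short lifetime."""
    user: str
    app: str
    expires_at: datetime


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    at: datetime
    mfa_age: timedelta          # time since the last successful MFA
    device_compliant: bool      # managed device that passed its posture check
    country: str
    on_corporate_network: bool  # recorded, but never used as a trust signal


@dataclass
class Policy:
    grants: list
    known_countries: dict       # user -> set of countries seen before
    max_mfa_age: timedelta = timedelta(hours=8)  # assumed threshold

    def evaluate(self, req):
        """Return (Decision, reason) for one request; nothing is cached."""
        # Least privilege: access exists only as an explicit, unexpired grant
        # for this exact application (application-level segmentation).
        matching = [g for g in self.grants
                    if g.user == req.user and g.app == req.app]
        if not matching:
            return Decision.DENY, "no grant for this application"
        if all(req.at >= g.expires_at for g in matching):
            return Decision.DENY, "just-in-time grant expired"
        # Device health is a hard requirement on every network, office included.
        if not req.device_compliant:
            return Decision.DENY, "device failed posture check"
        # Continuous verification: stale or unusual context forces re-verification.
        if req.mfa_age > self.max_mfa_age:
            return Decision.STEP_UP, "MFA older than policy allows"
        if req.country not in self.known_countries.get(req.user, set()):
            return Decision.STEP_UP, "unfamiliar location"
        return Decision.ALLOW, "identity, device and context verified"


# Constructed sample data (hypothetical users, applications and times).
NOW = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
POLICY = Policy(
    grants=[Grant("alice", "payroll", NOW + timedelta(hours=1)),
            Grant("bob", "wiki", NOW - timedelta(minutes=5))],
    known_countries={"alice": {"DE"}, "bob": {"US"}},
)


def sample_request(user, app, **overrides):
    """Build a healthy baseline request, then apply per-case overrides."""
    fields = dict(at=NOW, mfa_age=timedelta(minutes=10), device_compliant=True,
                  country="DE", on_corporate_network=False)
    fields.update(overrides)
    return Request(user=user, app=app, **fields)


def run_samples():
    cases = {
        "healthy": sample_request("alice", "payroll"),
        "other_app": sample_request("alice", "wiki"),
        "expired_grant": sample_request("bob", "wiki", country="US"),
        "office_bad_device": sample_request(
            "alice", "payroll", device_compliant=False, on_corporate_network=True),
        "stale_mfa": sample_request("alice", "payroll", mfa_age=timedelta(hours=9)),
        "new_country": sample_request("alice", "payroll", country="BR"),
        "after_expiry": sample_request("alice", "payroll", at=NOW + timedelta(hours=2)),
    }
    return {name: POLICY.evaluate(r)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:18} {decision.value}")
```

The `office_bad_device` case is the one a VPN-only model gets wrong: the request arrives from the corporate network and is still denied.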
Why Traditional VPN-Only Security Falls Short
Traditional VPNs were designed for a different era. Once connected, users typically gained broad network access. Modern remote environments expose healthcare providers, financial firms, ecommerce platforms, and SaaS companies to cloud application risks, BYOD device vulnerabilities, SaaS misconfigurations, identity-based attacks, session hijacking, and API-level threats that a VPN tunnel alone cannot address.
Zero trust architecture addresses these gaps, for startups and enterprises alike, by enforcing identity-first controls and limiting access to specific applications rather than entire network segments.
Section 2: Best VPN Solutions for Remote Teams
Modern enterprise VPN solutions serve as a foundational or transitional layer within broader zero trust frameworks. The strongest options in 2026 integrate tightly with identity management, endpoint security, and policy enforcement systems rather than operating as standalone tunnels.
NordLayer
NordLayer delivers a cloud-native, modular zero trust solution built specifically for distributed teams. It supports identity-based access, dedicated gateways, MFA, business-grade encryption, and SSO integrations. Deployment is fast, pricing is competitive at $8 to $14 per user per month, and performance is strong for SMB-to-mid-market workforces that need secure remote access without heavy infrastructure changes. The main limitation is less enterprise-level customization compared to larger vendors.
Best for: Remote startups, SMBs, distributed teams needing quick rollout.
Perimeter 81
Perimeter 81 focuses on zero trust network access and SASE integrations with an intuitive management console, granular policy controls, and strong cloud integration support. It replaces legacy VPNs effectively for organizations moving toward full zero trust architecture. Pricing runs $8 to $12 per user per month, and it offers more advanced segmentation and enterprise policy management than NordLayer. Costs increase more steeply at larger scales.
Best for: Mid-sized companies and remote-first organizations transitioning to zero trust.
Cisco Secure
Cisco Secure, including AnyConnect and Secure Client, provides enterprise-grade VPN with deep integration into Cisco networking ecosystems, advanced threat intelligence, and SD-WAN convergence. It offers proven scalability and strong compliance features but comes with higher deployment complexity and enterprise-oriented pricing.
Best for: Large enterprises already invested in Cisco infrastructure.
Proton VPN Business
Proton VPN Business emphasizes privacy-first enterprise connectivity with Swiss jurisdiction, a verified no-logs policy, strong encryption, and dedicated servers. It aligns well with regulated industries seeking transparent, open-source-aligned tooling. Enterprise integrations are more limited than those of larger vendors.
Best for: Privacy-conscious organizations and regulated industries.
NordLayer vs Perimeter 81: Direct Comparison
NordLayer edges ahead on pricing flexibility, faster onboarding, and ease of deployment for smaller distributed teams. Perimeter 81 provides more advanced segmentation, stronger SASE integrations, and better enterprise policy management for growing zero trust programs. Both support zero trust principles, but NordLayer deploys faster for startups while Perimeter 81 scales more effectively into mid-market operations.
Enterprise VPN Comparison Table
| Platform | Pricing (per user/mo) | Scalability | Zero Trust Features | Deployment Ease | Best For |
|---|---|---|---|---|---|
| NordLayer | $8-$14 | Moderate | Strong | Easy | SMBs, remote startups |
| Perimeter 81 | $8-$12 | High | Advanced | Moderate | Mid-sized remote teams |
| Cisco Secure | Enterprise pricing | Very High | Enterprise-grade | Complex | Large enterprises |
| Proton VPN Business | Mid-range | Moderate | Good | Easy | Privacy-focused teams |
Section 3: Best SASE Platforms in 2026
Secure Access Service Edge (SASE) converges networking and security into a single cloud-delivered architecture. It delivers ZTNA, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and firewall-as-a-service from unified platforms. SASE has become foundational for remote and hybrid workforce security in 2026.
Zscaler
Zscaler Zero Trust Exchange leads the enterprise SASE market in scale and web security, with one of the largest global point-of-presence networks and strong ZTNA 2.0 capabilities. It excels at securing remote access without backhauling traffic through corporate data centers, which meaningfully improves performance and reduces attack surface. Custom enterprise pricing and more complex onboarding make it better suited for large organizations with mature security teams.
Best for: Large enterprises prioritizing cloud-native performance and comprehensive threat prevention.
Palo Alto Networks Prisma Access
Prisma Access delivers unified SASE with deep threat intelligence through WildFire, seamless integration with Palo Alto firewalls, and strong data protection capabilities. It is particularly well-suited for regulated industries that need granular access controls and compliance documentation. Deployment complexity is higher but the security depth justifies it for healthcare, financial services, and government use cases.
Best for: Regulated industries requiring granular control and compliance depth.
Netskope
Netskope One is data-centric, with advanced CASB capabilities and deep visibility into cloud application usage and user behavior. It delivers excellent DLP controls and is particularly effective for organizations where sensitive data flows across many SaaS platforms. Healthcare, finance, and SaaS companies with complex data governance requirements benefit most.
Best for: Data-sensitive remote teams with heavy SaaS usage.
Cloudflare One
Cloudflare One continues growing rapidly because of its global edge infrastructure, deployment speed, and cost efficiency. It combines ZTNA, SWG, and network services with simpler rollout than Zscaler or Prisma. Tiered pricing starts at $7 per user per month, making it accessible for mid-market organizations. Enterprise customization depth is still maturing compared to Zscaler.
Best for: Cloud-native businesses and performance-focused remote teams.
Zscaler vs Cloudflare One: Direct Comparison
Zscaler wins on enterprise-scale threat intelligence, completeness of vision for large security programs, and advanced policy management. Cloudflare One delivers faster performance, broader entry-level accessibility, and lower total cost for growing remote teams. Zscaler is the right choice for organizations running mature enterprise security programs. Cloudflare One is the right choice for agile, cloud-native organizations scaling fast.
SASE Platform Comparison Table
| Platform | Cloud Security | Zero Trust Depth | CASB / DLP | Deployment Complexity | Best For |
|---|---|---|---|---|---|
| Zscaler | Excellent | Advanced | Strong | High | Large enterprises |
| Prisma Access | Excellent | Advanced | Strong | High | Regulated industries |
| Netskope | Excellent | Strong | Excellent | Moderate | SaaS-heavy companies |
| Cloudflare One | Strong | Strong | Moderate | Moderate | Cloud-native businesses |
Section 4: Best IAM and Identity Security Platforms
Identity is the cornerstone of zero trust. IAM software for enterprises enforces adaptive access, manages authentication across distributed teams, and controls what each user can reach, for how long, and under what conditions. These platforms are the most critical layer in any zero trust stack.
Okta
Okta Workforce Identity provides extensive SSO with over 7,000 app integrations, adaptive MFA, passwordless authentication, and lifecycle automation. It is the most integration-rich identity platform on the market, making it the default choice for cloud-first enterprises running heterogeneous SaaS stacks. Pricing scales from $6 to $17 per user per month depending on features. Costs increase quickly at scale.
Best for: Cloud-first enterprises with diverse SaaS environments.
Microsoft Entra ID
Microsoft Entra ID (formerly Azure Active Directory) integrates natively with Microsoft 365, Intune, and the broader Microsoft security ecosystem. It offers conditional access policies, Privileged Identity Management (PIM), and device compliance enforcement at a cost that is often already bundled into existing M365 licensing. Licensing structure can be complex but total cost of ownership is frequently lower than Okta for Microsoft-centric organizations.
Best for: Microsoft-first organizations seeking seamless hybrid identity management.
Duo Security
Duo (now part of Cisco) specializes in strong MFA and adaptive authentication with a straightforward user experience and fast onboarding. It provides quick, practical wins for phishing-resistant access and device trust verification, typically deployed as a layer on top of existing identity directories rather than as a full replacement.
Best for: Organizations that need fast MFA deployment without replacing their existing directory.
JumpCloud
JumpCloud delivers a cloud directory platform combining device management across Mac, Windows, and Linux with identity management and SSO. It is particularly strong for organizations moving away from legacy on-premise Active Directory in remote or multi-platform environments. SMB-friendly pricing and unified controls make it practical for smaller teams that need both identity and device management from one platform.
Best for: SMBs replacing legacy Active Directory in remote multi-platform environments.
Okta vs Microsoft Entra ID: Direct Comparison
Okta leads on SaaS integration breadth, user experience in heterogeneous environments, and vendor-neutral flexibility. Entra ID dominates within Microsoft ecosystems with deeper native tooling, stronger conditional access out of the box, and lower total cost when bundled with existing M365 licensing. The decision depends almost entirely on your primary cloud platform and application portfolio.
IAM Platform Comparison Table
| Platform | SSO | Adaptive MFA | Integrations | Enterprise Scale | Best For |
|---|---|---|---|---|---|
| Okta | Excellent | Excellent | 7,000+ apps | Very High | SaaS-heavy enterprises |
| Microsoft Entra ID | Excellent | Excellent | Microsoft ecosystem | Very High | Microsoft-first orgs |
| Duo Security | Strong | Excellent | Broad | High | Fast MFA deployment |
| JumpCloud | Strong | Strong | Moderate | Moderate | SMBs replacing AD |
Section 5: Best Endpoint Protection Platforms
Remote endpoints are one of the most targeted attack vectors in distributed work environments. Modern EDR (Endpoint Detection and Response) and MDR (Managed Detection and Response) solutions provide real-time detection, automated response, and recovery capabilities that go far beyond legacy antivirus. The platforms below represent the strongest options for remote workforce endpoint protection in 2026.
CrowdStrike
CrowdStrike Falcon uses an AI-driven Threat Graph for real-time endpoint protection, managed threat hunting, and global telemetry across millions of endpoints. It excels in large enterprises needing advanced analytics, deep incident visibility, and managed security services. Enterprise pricing runs $50 to $100 or more per device per year. The managed services layer makes it a complete solution for organizations without a fully staffed SOC.
Best for: Large enterprises needing advanced threat hunting and a managed detection layer.
SentinelOne
SentinelOne Singularity uses Storyline technology to visualize attack sequences and offers autonomous response with self-healing capabilities that reduce manual intervention significantly. It is consistently rated alongside CrowdStrike as a top EDR platform but differentiates on speed of autonomous remediation and reduced analyst workload.
Best for: Automation-focused remote teams that want fast AI-driven remediation.
Microsoft Defender for Endpoint
Microsoft Defender integrates deeply with Microsoft 365 and Intune, delivering automated investigation, endpoint compliance, and strong detection capabilities. For Microsoft-centric organizations, it provides strong value when already part of broader M365 licensing. It is the most practical starting point for businesses fully committed to the Microsoft stack.
Best for: Microsoft ecosystems seeking integrated endpoint and cloud security.
Sophos Intercept X
Sophos delivers synchronized security, ransomware rollback, and excellent price-performance for mid-market teams. It integrates with the Sophos firewall ecosystem for a unified view of network and endpoint threats. Management is straightforward, making it a strong choice for SMBs and managed service providers.
Best for: SMBs and MSPs needing strong protection at competitive price points.
CrowdStrike vs SentinelOne: Direct Comparison
CrowdStrike provides deeper threat intelligence, a more mature managed services ecosystem, and enterprise-scale visibility. SentinelOne emphasizes autonomous AI-driven remediation, faster recovery workflows, and reduced analyst dependency. Both rank among the strongest EDR platforms in the market. Choose CrowdStrike for SOC depth and managed services; choose SentinelOne for automation-first environments where speed of remediation is the priority.
Endpoint Protection Comparison Table
| Platform | AI Detection | MDR Support | Autonomous Response | Deployment | Best For |
|---|---|---|---|---|---|
| CrowdStrike | Excellent | Strong | Moderate | Moderate | Enterprise SOC programs |
| SentinelOne | Excellent | Strong | Excellent | Moderate | Automation-focused teams |
| Microsoft Defender | Strong | Moderate | Moderate | Easy | Microsoft ecosystems |
| Sophos Intercept X | Good | Moderate | Good | Easy | SMBs and MSPs |
Section 6: Vendor Comparison and Buyer Decision Matrix
No single vendor covers every zero trust requirement. The strongest security programs combine platforms across VPN or ZTNA, SASE, IAM, and endpoint protection into a cohesive stack. The matrix below matches recommended stacks to common business profiles.
| Business Profile | Recommended Zero Trust Stack |
|---|---|
| High-scale enterprise with complex compliance | Zscaler + Okta + CrowdStrike |
| Microsoft-centric remote team | Prisma Access + Microsoft Entra ID + Defender |
| Cost-conscious startup | Cloudflare One + JumpCloud + Sophos |
| Data-heavy SaaS or remote company | Netskope + Okta + SentinelOne |
| Healthcare organization | Prisma Access + Entra ID + CrowdStrike |
| Financial services firm | Zscaler + Okta + SentinelOne |
| Remote SMB | NordLayer + JumpCloud + Sophos or Defender |
Master Vendor Comparison Table (Approximate 2026 Enterprise Pricing)
| Category / Vendor | Pricing (per user/mo) | Scalability | Integration Support | Deployment | Best Use Case |
|---|---|---|---|---|---|
| VPN: NordLayer | $8-$14 | Mid-Market+ | High (SSO, directories) | Low | Fast remote access rollout |
| VPN: Perimeter 81 | $8-$12 | Mid-Market | High | Low | Zero trust segmentation |
| SASE: Zscaler | Custom enterprise | Enterprise | Very High | Medium | Large-scale cloud-native security |
| SASE: Cloudflare One | $7+ tiered | Mid to Enterprise | High | Low | Performance-focused remote teams |
| IAM: Okta | $6-$17+ | Enterprise | Excellent (7k+ apps) | Low | Diverse SaaS environments |
| IAM: Microsoft Entra ID | Bundled M365 | Enterprise | Microsoft ecosystem | Low-Medium | Microsoft-first organizations |
| Endpoint: CrowdStrike | $50-$100+/device/yr | Enterprise | High | Medium | Advanced threat hunting |
| Endpoint: SentinelOne | Competitive enterprise | Mid-Enterprise | High | Low | Autonomous AI response |
Section 7: Zero Trust Deployment Framework for Remote Companies
Successful zero trust implementation follows a layered, phased approach. Trying to deploy every component simultaneously creates integration risk and user friction. The framework below sequences rollout by impact and dependency.
Phase 1: Identity Layer
Start here because identity is the foundation every other layer depends on. Deploy MFA, SSO, and adaptive access policies before touching network or endpoint controls. Recommended platforms: Okta, Microsoft Entra ID, or JumpCloud based on your environment.
Phase 2: Endpoint Layer
Once identity is secured, deploy EDR with device posture checks to ensure only healthy, managed devices can authenticate. Recommended platforms: CrowdStrike or SentinelOne for enterprise; Sophos or Microsoft Defender for SMBs.
Phase 3: Network Layer
Migrate from legacy VPN to ZTNA or a full SASE platform for secure remote access that enforces application-level access rather than broad network access. Recommended platforms: Zscaler or Cloudflare One for SASE; Perimeter 81 or NordLayer for ZTNA-first approaches.
Phase 4: Monitoring and Analytics Layer
Integrate SIEM, continuous behavioral analytics, and automated response workflows across all layers. This layer turns your security stack from a set of controls into a coordinated detection and response program.
Real-World Deployment Example
A mid-sized SaaS company with 200 remote employees reduced their breach surface by 70% within six months by layering Perimeter 81 as a VPN replacement, Okta for IAM, and SentinelOne for endpoint protection. The phased rollout across one department at a time let their small IT team manage change without disrupting operations. Mean time to detect dropped by 60% within the first quarter of full deployment.
Pilot Metrics to Track
- Mean time to detect (MTTD) security incidents
- Mean time to remediate (MTTR) confirmed threats
- Number of unauthorized access attempts blocked
- Percentage of devices with verified posture compliance
- Reduction in VPN-related support tickets
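One way to compute the five pilot metrics from exported records, as an added example that is not taken from any platform named in this guide. The record fields and sample data are constructed, and it assumes MTTD runs from first malicious activity to detection and MTTR from detection to remediation, with false positives excluded from both.

```python
from datetime import datetime
from statistics import mean


def _hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def _mean_or_none(values):
    """Mean rounded to 2 places, or None when there is nothing to average."""
    values = list(values)
    return round(mean(values), 2) if values else None


def _percent(part, whole):
    """Percentage rounded to 1 place, or None when the denominator is zero."""
    return round(100 * part / whole, 1) if whole else None


def pilot_metrics(incidents, access_events, devices, vpn_tickets):
    # Only confirmed incidents count; false positives would flatter the averages.
    confirmed = [i for i in incidents if i["confirmed"]]
    detected = [i for i in confirmed if i["detected"]]
    closed = [i for i in detected if i["remediated"]]
    baseline, pilot = vpn_tickets["baseline"], vpn_tickets["pilot"]
    return {
        "mttd_hours": _mean_or_none(
            _hours(i["started"], i["detected"]) for i in detected),
        "mttr_hours": _mean_or_none(
            _hours(i["detected"], i["remediated"]) for i in closed),
        # Open threats are reported separately so they cannot hide inside MTTR.
        "open_confirmed_threats": len(detected) - len(closed),
        "unauthorized_blocked": sum(
            1 for e in access_events if e["outcome"] == "blocked_unauthorized"),
        "posture_compliant_pct": _percent(
            sum(1 for d in devices if d["posture_verified"]), len(devices)),
        "vpn_ticket_reduction_pct": _percent(baseline - pilot, baseline),
    }


# Constructed sample export for one pilot department (hypothetical values).
INCIDENTS = [
    {"started": "2026-03-02T08:00:00", "detected": "2026-03-02T10:00:00",
     "remediated": "2026-03-02T15:00:00", "confirmed": True},
    {"started": "2026-03-10T09:00:00", "detected": "2026-03-10T13:00:00",
     "remediated": "2026-03-10T15:00:00", "confirmed": True},
    {"started": "2026-03-12T09:00:00", "detected": "2026-03-12T09:30:00",
     "remediated": None, "confirmed": False},   # false positive
    {"started": "2026-03-25T10:00:00", "detected": "2026-03-25T16:00:00",
     "remediated": None, "confirmed": True},    # still open
]
ACCESS_EVENTS = [
    {"user": "alice", "app": "payroll", "outcome": "allowed"},
    {"user": "mallory", "app": "payroll", "outcome": "blocked_unauthorized"},
    {"user": "bob", "app": "wiki", "outcome": "allowed"},
    {"user": "mallory", "app": "crm", "outcome": "blocked_unauthorized"},
    {"user": "bob", "app": "payroll", "outcome": "blocked_unauthorized"},
]
DEVICES = [{"id": n, "posture_verified": n not in (3, 7)} for n in range(8)]
VPN_TICKETS = {"baseline": 40, "pilot": 14}


def sample_report():
    return pilot_metrics(INCIDENTS, ACCESS_EVENTS, DEVICES, VPN_TICKETS)


if __name__ == "__main__":
    for name, value in sample_report().items():
        print(f"{name:26} {value}")
```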
Section 8: Compliance and Regulatory Alignment
Zero trust platforms help organizations meet key regulatory standards. Matching your platform choices to your compliance requirements from the start reduces both audit burden and remediation costs.
SOC 2 / ISO 27001
Most listed vendors offer built-in audit-ready logging, access controls, and reporting. SOC 2 Type II audits are significantly easier when your IAM, SASE, and EDR platforms generate automated evidence of control effectiveness. Okta, CrowdStrike, and Cloudflare One all offer SOC 2-aligned configurations.
HIPAA
Healthcare organizations need strict access controls, audit logging, and data protection across all endpoints and cloud applications. Prisma Access, Zscaler, and CrowdStrike provide validated healthcare configurations. Pair with Okta or Entra ID for identity governance that satisfies minimum necessary access requirements.
GDPR and NIST
European privacy regulations and NIST cybersecurity framework alignment require strong identity-centric access controls, data classification, and incident response capabilities. Netskope, Okta, and SentinelOne provide features that directly support GDPR data protection and NIST framework implementation.
FedRAMP
Organizations serving U.S. federal agencies should prioritize platforms with FedRAMP authorization. Zscaler, Microsoft Defender, and CrowdStrike offer FedRAMP-authorized options for government-adjacent remote workforces.
Section 9: Zero Trust ROI Calculator
Zero trust investments consistently deliver strong financial returns through breach prevention, reduced downtime, faster incident response, and cyber insurance premium reductions. The example below is based on a 500-user remote company using a stacked zero trust platform at approximately $45,000 annually (combined licensing across VPN, SASE, IAM, and EDR).
| Scenario | Estimated Breach Cost Without Zero Trust | Annual Zero Trust Investment | Net Savings | ROI Multiple |
|---|---|---|---|---|
| Minor credential compromise | $150,000 | $45,000 | $105,000 | 3.3x |
| Ransomware with downtime | $1,200,000 | $45,000 | $1,155,000 | 26x |
| Major regulatory incident | $4,000,000+ | $45,000 | $3,955,000+ | 88x |
Additional financial benefits include 20 to 40 percent cyber insurance premium reductions for organizations demonstrating mature zero trust controls, 50 to 70 percent faster incident response through automated detection and remediation, and reduced IT support costs from eliminating legacy VPN infrastructure. Payback periods typically fall under 12 months for deployments that reach full operational maturity.
Section 10: Future Trends in Zero Trust Security Through 2030
AI-Driven Threat Detection
Real-time behavioral analysis powered by AI will become the standard detection method across SASE and endpoint platforms. Systems will increasingly correlate signals across identity, network, and endpoint layers simultaneously, reducing false positives and dramatically shortening detection windows. CrowdStrike, SentinelOne, and Zscaler are already investing heavily in this direction.
Passwordless Authentication
FIDO2 passkeys and biometric authentication will achieve widespread adoption across enterprise IAM platforms by 2027. Okta and Microsoft Entra ID are already moving aggressively in this direction. Passwords as the primary authentication method will become the exception rather than the rule for enterprise remote access.
Secure Service Edge Maturation
SASE platforms will deepen the convergence of networking and security, with SSE (Secure Service Edge) maturing as the dominant architecture for cloud-delivered security controls. Organizations that invest in Zscaler, Cloudflare One, or Netskope now will be positioned to leverage these advances without platform migrations.
Cloud-Native and Workload Identity
Full workload identity and ephemeral credentials will replace static API keys and service account passwords across cloud environments. DevSecOps pipelines will integrate identity verification at every deployment step. Organizations running modern CI/CD with tools like Palo Alto Prisma Access or Cloudflare One will adapt most naturally to this shift.
Zero Trust as an Underwriting Standard
Cyber insurers are already rewarding businesses with mature zero trust architectures through lower premiums and faster approvals. By 2028, documented zero trust implementation will likely be a standard underwriting requirement rather than a differentiating factor. Organizations building these controls now gain both security benefits and insurance pricing advantages.
Frequently Asked Questions
What is the best zero trust security platform for remote teams in 2026?
There is no single best platform because zero trust requires a stack, not a product. For most mid-sized remote teams, Cloudflare One or Perimeter 81 for network access, Okta or Microsoft Entra ID for identity, and SentinelOne or CrowdStrike for endpoints covers the core requirements. Large enterprises typically add Zscaler for full SASE.
How do SASE platforms compare for remote access?
Zscaler leads in enterprise-scale threat intelligence and policy depth. Cloudflare One leads in performance and cost efficiency for growing teams. Prisma Access is strongest for regulated industries. Netskope is best for data-heavy SaaS environments. Your industry, compliance requirements, and existing infrastructure are the deciding factors.
Which enterprise VPN solutions support zero trust?
NordLayer and Perimeter 81 both support zero trust network access natively. Cisco Secure offers enterprise-grade integration with zero trust principles. All three can serve as transitional or foundational layers while organizations build out a full SASE deployment.
What is the difference between Okta and Microsoft Entra ID?
Okta offers broader SaaS integrations (7,000+ applications) and vendor-neutral flexibility. Microsoft Entra ID offers deeper integration with Microsoft 365 and is often more cost-effective when already bundled into M365 licensing. Choose based on your primary cloud platform and application portfolio.
How do CrowdStrike and SentinelOne compare for endpoint protection?
CrowdStrike provides deeper threat intelligence, a more mature managed services ecosystem, and enterprise-scale visibility. SentinelOne emphasizes autonomous AI-driven remediation and faster recovery workflows. Both are top-tier EDR platforms. The choice comes down to whether you prioritize analyst depth or automation speed.
What is the ROI of implementing zero trust for remote workforces?
For a 500-user company spending approximately $45,000 per year on a full zero trust stack, a single ransomware incident prevented generates a 26x ROI. A major regulatory incident prevented generates an 88x ROI. Additional benefits include 20 to 40 percent cyber insurance premium reductions and 50 to 70 percent faster incident response.
How does zero trust help with compliance?
Zero trust platforms generate the audit trails, access logs, and control evidence that compliance frameworks require. Okta and Entra ID cover identity governance. CrowdStrike and SentinelOne cover endpoint compliance. Zscaler and Netskope cover data protection and cloud access controls. Most major vendors offer compliance-ready configurations for SOC 2, HIPAA, ISO 27001, and GDPR.
Which SASE platform is best for startups?
Cloudflare One is the strongest choice for most startups. It deploys quickly, tiered pricing starts at $7 per user per month, the global edge network delivers strong performance, and it supports zero trust network access without the complexity of enterprise-focused platforms like Zscaler.
Final Takeaway
Zero trust security is no longer optional for organizations running remote workforces in 2026. Cloud adoption, SaaS sprawl, identity-based attacks, and distributed endpoints have made perimeter-based security inadequate as a standalone strategy.
Start with a comprehensive assessment of your identity, network, and endpoint needs. Deploy in phases beginning with identity and MFA, then add endpoint protection, then migrate to SASE. Pilot with one department, measure mean time to detect and remediate, then scale. Organizations that build these controls now will reduce breach risk, lower cyber insurance costs, and face the next generation of threats from a significantly stronger position.