Microsoft recently announced the Public Preview of a set of technologies that extend Microsoft’s solutions to encompass everything provided by Security Service Edge (SSE) or Zero Trust Network Access (ZTNA) technologies. In this blog, Advania’s Head of Service Architecture, Tristan Watkins, details what this means and how this leap forward in security infrastructure can benefit your organisation.
Security as a top priority
Global Secure Access arrives at a time when security remains at the top of IT agendas. With offensive AI capabilities still emerging, British support for Ukraine putting British organisations at a heightened cybersecurity risk and many organisations still grappling with the security challenges introduced by hybrid working, this topic has never been more relevant.
Holistic security with Microsoft Entra
By expanding into SSE and ZTNA, Entra now delivers comprehensive identity and access solutions for modern enterprises. This includes Microsoft Azure Active Directory (Azure AD), the leading cloud-based identity and access management platform, as well as Cloud Infrastructure Entitlement Management (CIEM) and decentralised identity.
Global Secure Access now takes this even further, comprising both Microsoft Entra Private Access and Microsoft Entra Internet Access capabilities. Private Access can be thought of as your secure tunnel into Microsoft’s backbone, or into any other location where you install the Private Access connectors. Internet Access, on the other hand, encompasses outbound connectivity from a trusted machine and, importantly, a set of these capabilities for M365 Access is being provided as part of M365 E3 (or higher) licensing.
The M365 capabilities are of the least obvious value since strong controls like Device Compliance in Conditional Access already exist. However, the M365 benefits are compelling and we expect most M365 E3+ licensed organisations to embrace the new approach.
What are the benefits of Global Secure Access in Microsoft?
Microsoft’s announcement highlights specific benefits your organisation can expect, which include:
- Continuous Access Evaluation in Conditional Access enforced at the endpoint and extended to reach all M365 apps, where current support is more limited.
- Enhanced Logging, taking advantage of the extra insights available at the endpoint. These logging enhancements include additional fields, faster log availability than M365 Audit Logs and more comprehensive coverage than we get from Defender Threat Hunting.
- An enhanced SLA for M365 services, increasing to 99.99% from Global Secure Access clients.
- Source IP addresses restored in logs and for policy evaluation, something which other security solutions in this space cannot offer.
- Ability to work with other SSE solutions, if two should be used side by side.
Private Access is everything we love about the Azure AD Application Proxy, but now extended to any port or protocol. By implication, we get SSO and Conditional Access for apps that historically couldn’t benefit from a technology that requires Modern Authentication.
This extended bridge between legacy apps and modern security capabilities is revolutionary. All current inbound VPN needs can be addressed with Private Access, but since it also supports application discovery, micro-segmentation becomes viable in a way that has historically been too difficult for most organisations to embrace. Private Access provides the visibility necessary to craft accurate, least-privileged access policy.
Another way to view this evolution is that not only do we have a new way to introduce micro-segmentation, but we can also strengthen it with Conditional Access. We can now govern access to a segment or application by inbound network location, user, group, Device State (such as Compliance) and user risk, or any combination of these factors and more.
In other words, the micro-segmented view of the network becomes one factor among many in this expanded access control plane, rather than an end in itself. Identity, networks and security are all brought together under one roof.
Greater capabilities for network technology
Beyond the M365 Access tools, broader Internet Access capabilities will also come to Public Preview in the future. Microsoft has not historically been thought of as a network technology vendor and while it has offered firewalls, VPNs, reverse proxies and more for a very long time, these offerings have never unseated pure network technology vendors from their entrenched positions.
We believe that Global Secure Access will dramatically disrupt the SSE market, just as SSE is set to become more prevalent. Global Secure Access provides the complete set of tools necessary to embrace a Zero Trust posture.
How Global Secure Access builds on your existing infrastructure
If you are a Microsoft-orientated customer aligned to Azure AD Conditional Access and Defender technologies, you will find that Global Secure Access fully respects this existing architecture. Where it excels is in building on these strengths to reach the areas where SSE technologies previously had some advantages.
In comparison with other SSE vendors, Microsoft now offers a single, coherent control plane for identity, networks and security. We feel that this unique proposition will transform how organisations approach Identity, Network Security, DLP and more.
We expect that Global Secure Access will completely displace VPNs, forward proxies, reverse proxies and even many firewall deployments. It will provide the foundation for more sophisticated defensive approaches in future and provide the technology stack we have always needed to fully embrace a Zero Trust security posture.
Global Secure Access is now available in Public Preview and it may well transform your infrastructure and security posture for good. If you want to discuss your future security needs, including leveraging the benefits of Microsoft Entra, talk to one of our experts today.