Microsoft enters the Security Service Edge (SSE) market. Balancing the options: Integrated or Independent Zero Trust Architectures?

Summary

If you are enjoying your summer and have only a few minutes, here is the short version: Microsoft has released a Security Service Edge (SSE) solution, a cloud-based network security service. Its maturity level is low compared to market leaders in the SSE field, but this first release addresses basic use cases. Limitations exist when considering the scope of services, integration options or granularity of policies.

From a strategic point of view, IT and security leaders will need to decide whether they want a single-vendor, fully integrated Cloud/Identity/Network/Data Security approach or a multi-vendor, best-of-breed one.

From a commercial side, clients can purchase the service as an add-on to M365, at around 80% of the price of leading SSE solutions. No doubt the SSE market will continue to evolve rapidly, and the competition will intensify, particularly in the SME space!

Setting the scene - Security Service Edge (SSE) solutions are at the heart of cyber infrastructure transformations.

With more and more employees working in a hybrid mode, enabling secure working from anywhere and on any device, with a consistent user experience, is an IT and security priority for many organisations. Other priority use cases are enabling secure collaboration with 3rd parties and secure access to cloud applications. Organisations need to do all this while addressing major security risks in their legacy network security and VPN solutions.

Cyber transformations with a Zero Trust Architecture enable organisations to deliver on those multiple use cases. Security Service Edge solutions (SSE) are one of the key components of those architectures. It is no surprise that the SSE market is expected to grow at around 30% CAGR for the next 5 years.

As a recap, the SSE market encompasses cloud-delivered security platforms, aligned with the Zero Trust Architecture principles. They include (see diagram below) services such as Secure Web Gateway ('proxy'), Virtual Firewall, Zero Trust Network Access ('VPN replacement'), Cloud Access Security Broker (CASB) and Data Loss Prevention (DLP). Some platforms also extend into micro-segmentation and OT security.


Introduction to the concept of Security Service Edge (SSE)


What's new? Microsoft enters the SSE market

The SSE market has three clear leaders in Zscaler, Palo Alto and Netskope (see Gartner 2024 Magic Quadrant). Many other major security and network providers have an offering which they continue to develop actively (Cisco, Fortinet, Cloudflare, Akamai, CheckPoint, Forcepoint...).

This week, Microsoft announced the availability of Entra Private Access and Internet Access as part of its Entra Suite. This marks Microsoft's entry into the SSE arena with a solution integrated into its M365 service. It is a further development on Microsoft’s roadmap towards a fully integrated, identity-centric cybersecurity platform.

Microsoft Entra Suite General Availability

Entra Internet Access is a Secure Web Gateway ('proxy') and Private Access is a Zero Trust Network Access solution.

This development, announced a year ago, follows a series of expansions by Microsoft in security domains such as Endpoint Protection (Defender), Mobile Device Management (Intune) or Data Loss Prevention (Purview). Those solutions had various levels of impact in the market. On one side, Intune has profoundly reshaped the MDM market over the past 10 years, whereas solutions such as Defender or Purview continue to compete alongside security market leaders.

What to expect with Microsoft Security Service Edge? Reshape or coexist?

Our point of view at Cybersherpa is that there are 3 key factors to take into account:

  1. Clients' strategic decision towards an "all-integrated Microsoft Zero Trust" or a "Best of Breed" Architecture.
  2. The level of maturity of Microsoft SSE solution compared to the continued innovation from leading security providers.
  3. The cost / benefits or value gap.

The way clients weigh these 3 factors is likely to depend on their sector, size and overall risk appetite.


1. Two Paradigms for Zero Trust Architecture

With this Microsoft development, clients will consider two potential paradigms:

(1) An all-integrated Microsoft Zero Trust Architecture, or

(2) Best of breed components for Zero Trust Architecture.

To put this in context, the diagram below maps the key components of a Zero Trust Architecture to the NIST Zero Trust Pillars.

With the introduction of Entra Suite, Microsoft can provide all four key components. Most clients are likely to already have Entra ID/Azure AD as a component for Identity and Access Management (a). If Entra Suite is the selected component for SSE (b), clients will need to consider the risks associated with a single-vendor architecture.

Key components of a Zero Trust Architecture


Pros and cons of an Integrated Microsoft SSE Architecture

  • Seamless Integration: Microsoft's tools aim to work cohesively, reducing complexity and improving user experience.
  • Simplified Management: A single platform for security and productivity tools streamlines administration.
  • Cost-Effective: Bundled services may be more economical. Note that at the time of writing this article, Entra Suite services are only offered as add-ons, not bundled with E3 or E5 licences.
  • Lack of separation between security and IT platforms: A vulnerability in one provider could expose both. Secure connectivity and M365 services are delivered from one platform.
  • Vendor Lock-In: Dependence on one provider limits flexibility and bargaining power.
  • Limited feature availability: While Microsoft is an established cloud and security provider, specialised vendors have improved their products for the last 10 years and continue to innovate.

Pros and cons of an Independent SSE Architecture

  • Mitigating the Availability Risk: Using separate vendors for SSE and Cloud infra reduces the risk of a single point of failure.
  • Security Risk Mitigation: Ensures separation of the “control plane” from the “data plane”.
  • Best-of-Breed Solutions: Different vendors offer specialized, top-tier capabilities in various security areas such as advanced threat detection and granular policy enforcement. For the pioneer solutions, these have been refined over the last 10 years.
  • Flexibility and Control: Independence from a single vendor enhances adaptability and negotiation leverage.
  • Integration and management: Managing and integrating multiple solutions can be complex and resource-intensive.
  • Higher Costs: Independent solutions may result in higher overall costs compared to bundled offerings.


2. Microsoft SSE solution maturity level compared to market leaders

Microsoft is entering the SSE market and no doubt will continue to improve their service. There is a significant gap to close with leading SSE vendors.

Here are some of the areas to watch for updates:

  • OS availability: Currently, Windows and Android are the supported clients. No dates are indicated for the release of macOS, iOS or Linux clients. This may be a particular challenge for protecting execs' and developers' devices.
  • Firewall as a Service: Microsoft Entra Internet Access and Private Access protect TCP traffic and do not protect the rest of IP traffic. This leaves important gaps for data loss or compromise through other protocols.
  • Unauthenticated traffic protection (protection without an agent on the device): No indication that Entra Suite will cover internet traffic initiated by, for example, servers or IoT devices.
  • Core SD-WAN capabilities: Most leading SSE vendors provide appliances for SD-WAN with an integrated offering.
  • Points of Presence (PoP) and scalability: At the time of writing, Microsoft indicated 40 PoPs for Entra Suite worldwide. SSE leaders have over 150 PoPs. It is an important factor for the user experience, depending on your users' locations.
  • Granularity of Web Policies and Application control: A key development and investment in SSE solutions in recent years has been the granular control of website filtering and application control. A detailed comparison based on each client use case is needed to understand if the solution is fit for purpose.
  • Multi Cloud or Workload to Workload Security: Leading security vendors in SSE provide security not just for device-to-workload traffic, but also for workload-to-workload traffic, in particular across multiple clouds.
  • Advanced Threat Protection: SSE vendors have often developed advanced threat detection capabilities with diverse threat intelligence feeds. They have the capability to respond very quickly to emerging security threats. No specific comparison of this capability was done in the preparation of this article.
  • Specialised Professional Services: Implementing an SSE solution requires professional services teams with a deep understanding of clients' existing network infrastructure, beyond the SSE product itself. Leading SSE vendors have developed this capability over many years.


3. Pricing and value

Entra Suite is currently offered with the following add-ons (list price per user):

  • Microsoft Entra Internet Access - $60/year, compared to around $70 - 90 for SSE leaders
  • Microsoft Entra Private Access - $60/year, compared to around $70 - 90 for SSE leaders
  • Other bundled offerings are available, such as Entra Suite at $144/year

As a very rough indication this pricing is about 80% of the leading SSE providers. Note that this is a list price comparison, before any discounts and specific commercials.

It will be very interesting to watch the evolution of Microsoft pricing strategy and whether some of the features get included in E5 licence for example. As the pressure from Microsoft increases in the SME sector in particular it will also be very interesting to watch if the SSE leaders come with simplified offerings and updated commercials.

For now, even though the cost is lower (by around 20%), the value is also significantly lower as the product is in its first release.


Conclusion - What’s the right solution for my organisation?

No surprise here: it depends on your use cases, risk & compliance profile, and budget.

At Cybersherpa we have developed accelerators to help you assess your current architecture and provide recommendations based on your specific context and needs.

Here are the key next steps when starting an infrastructure transformation with SSE:

  1. Identify your top use cases and the threat scenarios which you need to mitigate.
  2. Develop a Security Architecture Strategy and Design Principles for your SSE solution.
  3. Prepare for a Proof of Concept with success criteria to understand how the solutions compare for your requirements, including an initial business case.

Get in touch

www.cybersherpa.com

Follow our LinkedIn page for more articles: https://www.dhirubhai.net/company/cybersherpa



Matthias Mader

Bridging between Tech and Business | live Mobility, like Innovation, perform Security, enable secure Business-Transformation

4 months

Sounds similar to this


Very insightful and even more important to read by companies that are still trying to solve external access through RDP or simple VPN. Thanks for sharing your thoughts. PS: I will wait many years before proposing Entra or Private after the mess they did with Purview implementation.

More articles by Jean-Loup Ravinet
