Microsoft enters the Security Service Edge (SSE) market. Balancing the options: Integrated or Independent Zero Trust Architectures?
Summary
If you are enjoying your summer ?? and have a few minutes only, here is the short version: Microsoft has released a Security Service Edge (SSE) solution, a cloud based network security service. Its maturity level is low compared to market leaders in the SSE field, but this first release addresses basic use cases. Limitations exist when considering the scope of services, integration options or granularity of policies.
From a strategic point of view, IT and security leaders will need to decide if they look for a single vendor, all integrated Cloud/Identity/Network/Data Security approach or a multi vendors, best of breed.
From a commercial side, clients can purchase the service as an add-on to M365, at around 80% of the price of leading SSE solutions. No doubt the SSE market will continue to evolve rapidly, and the competition will intensify, particularly in the SME space!
Setting the scene - Security Service Edge (SSE) solutions are at the heart of cyber infrastructure transformations.
With more an more employees working in an hybrid mode, enabling secure working from anywhere and any device, with a consistent user experience, is an IT and security priority for many organisations. Some other priority use cases are enabling secure collaboration with 3rd parties and secure access to cloud applications. They need to do all this while addressing major security risks in their legacy network security and VPN solutions... ????
Cyber transformations with a Zero Trust Architecture enable organisations to deliver on those multiple use cases. Security Service Edge solutions (SSE) are one of the key components of those architectures. It is no surprise that the SSE market is expected to grow at around 30% CAGR for the next 5 years.
As a recap, the SSE market encompasses cloud-delivered security platforms, aligned with the Zero Trust Architecture principles. They include (see diagram below) services such as Secure Web Gateway ('proxy'), Virtual Firewall, Zero trust Network Access ('VPN replacement'), Cloud Access Security Broker (CASB) and Data Loss Prevention (DLP). Some platforms extend also in micro-segmentation and OT security.
??What's new ? Microsoft enters the SSE market
The SSE market has three clear leaders in Zscaler, Palo Alto and Netskope (see Gartner 2024 Magic Quadrant). Many other major security and network providers have an offering which they continue to develop actively (Cisco, Fortinet, Cloudflare, Akamai, CheckPoint, Forcepoint...).
This week, Microsoft announced the availability of Entra Private Access and Internet access as part of its Entra Suite. This acts Microsoft entering the SSE arena with a solution integrated in its M365 service. It marks a further development on Microsoft’s roadmap towards a fully integrated, identity centric, cybersecurity platform.
Entra Internet Access is a Secure Web Gateway ('proxy') and Private Access is a Zero Trust Network Access solution.
This development, announced a year ago, follows a series of expansions by Microsoft in security domains such as Endpoint Protection (Defender), Mobile Device Management (Intune) or Data Loss Prevention (Purview). Those solutions had various levels of impact in the market. Intune has, on one side, profoundly reshaped the MDM market over the past 10 years. whereas solutions such as Defender or Purview continue to compete alongside security market leaders.
What to expect with Microsoft Security Service Edge? Reshape or coexist?
Our point of view at Cybersherpa is that there are 3 key factors to take into account:
The way clients will weigh these 3 factors is likely depend on their sector, size and overall risk appetite.
1. Two Paradigms for Zero Trust Architecture
With this Microsoft development, clients will consider two potential paradigms:
(1) An all-integrated Microsoft Zero Trust Architecture, or
(2) Best of breed components for Zero Trust Architecture.
To put this in context, the diagram below maps the key components of a Zero Trust Architecture to the NIST Zero Trust Pillars.
With the introduction of Entra Suite, Microsoft can provide all four key components. Most clients are likely to already have Entra ID/Azure AD as a component for Identity and Access Management (a). If Entra Suite is the selected component for SSE (b) clients will need to consider risks associated with a single vendor architecture.
? Pros and cons of an Integrated Microsoft SSE Architecture
? Seamless Integration: Microsoft's tools aim to work cohesively, reducing complexity and improving user experience.
? Simplified Management: A single platform for security and productivity tools streamlines administration.
? Cost-Effective: Bundled services may be more economical. Note at the time of wrting this article, Entra Suite services are only offered as add-ons, not bundled with E3 or E5 licences.
领英推荐
? Lack of separation between security and IT platforms: A vulnerability in one provider could expose both. Secure connectivity and M365 services are delivered from one platform.
? Vendor Lock-In: Dependence on one provider limits flexibility and bargaining power.
? Limited features availability: While Microsoft is an established cloud and security provider, specialised vendors have improved their products for the last 10 years and continue to innovate.
Pros and cons of an Independent SSE Architecture
?Mitigating the Availability Risk: Using separate vendors for SSE and Cloud infra reduces the risk of a single point of failure.
?Security Risk Mitigation: Ensures separation of the “control plane” with the “data plane”.
?Best-of-Breed Solutions: Different vendors offer specialized, top-tier capabilities in various security areas such as advanced threat detection and granular policy enforcement. For the pioneer solutions these have been refined over the last 10 years.
?Flexibility and Control: Independence from a single vendor enhances adaptability and negotiation leverage.
?Integration and management: Managing and integrating multiple solutions can be complex and resource-intensive.
? Higher Costs: Independent solutions may result in higher overall costs compared to bundled offerings.
2. Microsoft SSE solution maturity level compared to market leaders
Microsoft is entering the SSE market and no doubt will continue to improve their service. There is a significant gap to close with leading SSE vendors.
Here are some of the areas to watch for updates:
3. Pricing and value
Entra Suite is currently offered with the following add-ons (list price per user):
As a very rough indication this pricing is about 80% of the leading SSE providers. Note that this is a list price comparison, before any discounts and specific commercials.
It will be very interesting to watch the evolution of Microsoft pricing strategy and whether some of the features get included in E5 licence for example. As the pressure from Microsoft increases in the SME sector in particular it will also be very interesting to watch if the SSE leaders come with simplified offerings and updated commercials.
For now, even though the cost is lower (by around 20%), the value is also significantly lower as the product is in its first release.
?? Conclusion - What’s the right solution for my organisation?
No surprise here ??, it depends on your use cases, risk & compliance profile, and budget.
At Cybersherpa we have developed accelerators to help you assess your current architecture and provide recommendation based on your specific context and needs.
Here are the key next steps when starting an infrastructure transformation with SSE:
Get in touch ??
Follow our LinkedIn page for more articles: https://www.dhirubhai.net/company/cybersherpa
Bridging between Tech and Business | live Mobility??like Innovation ?? perform Security ?? enable secure Business-Transformation ??
4 个月sound similar to this
Very insightful and even more important to read by company that are still trying to solve external access through rdp or simple vpn. Thanks for sharing your thoughts. PS: I will wait many years before proposing Entra or Private after the mess they did with Purview implementation.