Microsoft Global Secure Access, a VPN Killer

This blog is designed with executives in mind, breaking down how Microsoft Global Secure Access and its most interesting component, Entra Private Access (PA), replace legacy VPNs and adapt to modern security needs. We’ll explain, in an easily digestible way, how security has evolved from the old perimeter-based model to today’s dynamic, identity-focused approach, helping leaders see how these tools can provide scalable, robust security that fits the demands of a modern workforce.

Microsoft Global Secure Access has recently reached General Availability, positioning itself as a cornerstone for implementing Zero Trust network strategies. With zero trust widely adopted to protect assets in a boundaryless digital landscape, Entra PA goes a step further by offering secure, segmented access that moves beyond the limitations of traditional VPNs.

Development of networks and their access control

First, there were networks of computers, of two kinds: the public Internet, used by anyone, and private networks, used by companies. As computers became an important part of operations, a need to reach them from outside the company emerged. To extend private networks to locations outside the company's physical perimeter, Virtual Private Networks (VPNs) emerged. These gave access to private, trusted networks over the public, untrusted internet: an authorized person could reach on-prem and private cloud assets without being physically present at the office. VPN gateways at each end encrypt and decrypt the traffic and carry it through a secure tunnel over the insecure public internet.

The world never stands still, and gradually the perimeter has lost its meaning. Applications now encrypt their own traffic, so perimeter firewalls inspect it blindfolded. Assets are increasingly deployed to cloud environments in Azure, AWS, and GCP. SaaS such as Salesforce, ServiceNow, and Workday is taking over enterprise applications. Working from home means more and more people access services from outside the perimeter. A mobile workforce means people want access from everywhere, not just from known locations like home. The consumerization of IT means people want access from any device, not just the ones IT provides. When users, devices, and services all slip outside the traditional company IT perimeter, VPNs lose their significance. This IT manager's nightmare has become a cyber criminal's dream.

What’s broken in the legacy security?

Traditional secure access is perimeter-based, as we've established. The perimeter is like a wall that protects the safe inner circle from the bad outside world, much like a castle in the olden days. Once you gain access to the intranet, or whatever the perimeter protects, you can move about fairly freely; it's like an all-access theme park. Security should always have multiple layers, but if you start from a position of trust, no matter what patches you add, the result will be insecure.

A typical cyber-attack follows a recognizable chain of events; see the Cyber Kill Chain. The old-world thinking of a secure perimeter has several weaknesses. 1) Access is typically guarded by passwords, which are in turn guarded by users, infamously the weakest link. 2) Once criminals have access within the perimeter, they can move relatively freely: they can find valuable content and find means to escalate their privileges to reach it. 3) Finally, the criminals can establish command and control so that they no longer depend on the original passwords or vulnerabilities. The real picture is more complex, but excessive trust is the common root cause.

Zero Trust

In the perimeter-based approach, once you're in, you're trusted. There may be bespoke security measures that detect breaches, but the philosophy is to detect anomalies in behaviour that is, by default, assumed to be legitimate. This follows Ronald Reagan's logic: trust, but verify. What sounded cool in the 80s feels naïve today. Hyppönen's law states that any smart system is vulnerable. Your objective is not an impenetrable defense but enough defense to make the criminals attack elsewhere. So the zero trust philosophy assumes you can and will be attacked and breached, and therefore applies the principle of least privilege: don't trust anything or anyone unless you know better. As an HR policy this is unreasonable, but as an IT policy it's excellent. We have explained Zero Trust Authentication in a previous blog post and won't dive into details here.

How can you implement least privilege? First, verify every user. This is very different from assuming every user within the perimeter is legitimate. The same goes for devices: each device should be authenticated. Context can further limit access by role, location, time, and so on. Finally, the resources (assets, systems, and services) should be segmented and isolated, so that access to one resource does not imply access to another.

Microsoft Global Secure Access

Microsoft Global Secure Access is a modern way to implement secure access. It's a brand-new offering based on Microsoft's Entra Suite, which focuses on identity and access management. Entra ID (formerly Azure Active Directory, Azure AD) is the core identity and access management service within the Entra family, used by over 700,000 organizations globally. It handles authentication, authorization, and identity governance for users, devices, and applications. Entra Private Access and Entra Internet Access are the two core components of Global Secure Access.

Entra Private Access

What does Entra PA protect? It secures access to private applications and resources that are typically hosted in on-premises environments or private clouds, i.e., within the perimeter. These resources are not exposed directly to the public internet; they sit behind corporate firewalls and have traditionally been reached over a VPN.

Legacy VPN opens one thick pipe from the user to the intranet. To simplify, it's like an airport: after security, you can wander around and get to any gate without a boarding pass. Entra PA builds a bespoke pipe for each user and for every resource or segment of resources. It's like a strictly enforced badge policy. Zero Trust sounds like a solid principle but also like a lot of work. Is it? For human interaction it would be exhausting, but Entra PA is designed to orchestrate this complexity behind the scenes. It builds on Microsoft's existing solutions such as Entra ID (previously Azure Active Directory), the application proxy (previously Azure AD Application Proxy), VPN gateways, and so on. You can start simple and refine the system as you go.
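To make the "one thick pipe" versus "bespoke pipe per resource" contrast concrete, here is an added Python illustration of the two decision models behind the least-privilege checklist above (verify the user, verify the device, apply context, segment the resources). It is written for this page; it is not Microsoft's code and does not describe Entra internals. The perimeter model authenticates once at the tunnel, while the zero-trust model re-evaluates user, device, context and resource on every access. The segments, groups, users and devices are invented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool      # registered with the identity provider
    compliant: bool    # currently passes the device health policy


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    mfa: bool          # strong authentication was completed
    device: Device
    country: str


@dataclass(frozen=True)
class Segment:
    """One private app or group of hosts (hypothetical, not an Entra object)."""
    name: str
    allowed_groups: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True
    allowed_countries: frozenset = frozenset()   # empty means any country


def vpn_decide(session: Session, segment: Segment) -> str:
    """Perimeter model: one gate at the tunnel, nothing per resource.

    Once the tunnel is up, every segment behind the gateway is reachable at
    the network layer, so the segment never influences the answer.
    """
    del segment  # deliberately unused: the gateway knows nothing about resources
    return "allow" if session.user else "deny: no tunnel"


def ztna_decide(session: Session, segment: Segment) -> str:
    """Zero-trust model: user, device, context and resource are checked each time."""
    if not session.user:
        return "deny: unauthenticated"
    if segment.require_mfa and not session.mfa:
        return "deny: mfa required"
    if not session.device.managed:
        return "deny: unmanaged device"
    if segment.require_compliant_device and not session.device.compliant:
        return "deny: device not compliant"
    if segment.allowed_countries and session.country not in segment.allowed_countries:
        return "deny: location not allowed"
    if not (session.groups & segment.allowed_groups):
        return "deny: not authorized for segment"
    return "allow"


def reachable(decide, session: Session, segments) -> list:
    """Sorted names of the segments a session can reach under a decision model."""
    return sorted(s.name for s in segments if decide(session, s) == "allow")


# Constructed sample data: three invented segments and two sessions.
SEGMENTS = (
    Segment("hr-db", frozenset({"hr"}), allowed_countries=frozenset({"FI"})),
    Segment("finance-share", frozenset({"finance"})),
    Segment("wiki", frozenset({"staff"}), require_mfa=False,
            require_compliant_device=False),
)

# An HR employee on a managed, healthy laptop, with MFA, working from Finland.
HR_USER = Session("alice", frozenset({"hr", "staff"}), True,
                  Device("lt-0421", managed=True, compliant=True), "FI")

# An attacker who holds only alice's password: no MFA, unknown device, abroad.
STOLEN_CREDS = Session("alice", frozenset({"hr", "staff"}), False,
                       Device("unknown", managed=False, compliant=False), "XX")


if __name__ == "__main__":
    for label, session in (("hr user", HR_USER), ("stolen password", STOLEN_CREDS)):
        print(f"{label:16} VPN  -> {reachable(vpn_decide, session, SEGMENTS)}")
        print(f"{label:16} ZTNA -> {reachable(ztna_decide, session, SEGMENTS)}")
        for seg in SEGMENTS:
            print(f"    {seg.name:14} {ztna_decide(session, seg)}")
```

Running it shows the stolen password reaching every segment under the VPN model and none under the zero-trust model, while the genuine session on a healthy device reaches hr-db and wiki but not finance-share. The specific rules are not the point; the point is that the resource is part of every decision, so a single compromised credential cannot be turned into free lateral movement.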

Our previous blog post explored Entra Private Access in more detail. We also implemented the world's first Entra Private Access PoC, which is documented in this case study.

Entra Internet Access

What does Entra IA protect? IA is mostly used in place of a firewall or web proxy for connections to external sites. The goal is to prevent machines from connecting to malicious websites, either accidentally or on purpose; for example, it stops staff from accidentally browsing to a phishing page. Data exfiltration is also harder if you cannot connect to an unsanctioned service such as Google Docs. So IA secures users, devices, and applications by giving them a controlled path to the Internet.

It secures access to internet-based and SaaS applications that are publicly accessible. These resources include cloud services, web applications, and third-party platforms such as Microsoft 365, Google Workspace, Salesforce, and other software-as-a-service (SaaS) solutions.

Implementing Entra IA is very similar to implementing Entra PA; from a user and device perspective they are nearly identical. While PA protects private resources, IA protects access to internet content. In the IA case the pipes terminate at a secure web gateway, and access is governed through Entra policies. For most companies it makes sense to start with Entra PA; expanding to Entra IA afterwards brings many synergies.
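As an added illustration of how the egress control described above is evaluated, the Python below (written for this page; it is not Microsoft's code and does not describe the Entra IA policy format) checks a constructed connection log against an ordered rule list with a default-deny baseline. The category database, domains, rule order and log lines are invented. Categorisation walks up the parent domains of the requested host, so a look-alike such as docs.google.com.attacker.net does not inherit Google's category, and the default action catches anything no rule names.

```python
# Constructed category database keyed by domain (invented sample data).
CATEGORIES = {
    "login.microsoftonline.com": "sanctioned-saas",
    "outlook.office.com": "sanctioned-saas",
    "docs.google.com": "file-sharing",
    "drive.google.com": "file-sharing",
    "update.example-login-portal.net": "phishing",
}

# Ordered rules, first match wins: (action, match_kind, value).
RULES = [
    ("block", "category", "phishing"),
    ("allow", "category", "sanctioned-saas"),
    ("block", "category", "file-sharing"),      # unsanctioned storage = exfiltration path
    ("allow", "fqdn", "www.example-partner.com"),
]

# Baseline for anything no rule matches. Default-deny is what makes the
# policy zero trust; a default-allow gateway is just a blocklist.
DEFAULT_ACTION = "block"


def candidate_domains(host: str):
    """Yield the host and each parent domain, most specific first, never the bare TLD."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def categorize(host: str) -> str:
    """Category of the closest categorised parent domain, or 'uncategorized'."""
    for candidate in candidate_domains(host):
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "uncategorized"


def evaluate(host: str) -> tuple:
    """Return (action, reason) for one destination host."""
    category = categorize(host)
    for action, kind, value in RULES:
        if kind == "category" and category == value:
            return action, f"rule category={value}"
        if kind == "fqdn" and host.lower().rstrip(".") == value:
            return action, f"rule fqdn={value}"
    return DEFAULT_ACTION, "default"


# Constructed connection log: user,device,destination host,port.
SAMPLE_LOG = """\
alice,lt-0421,login.microsoftonline.com,443
alice,lt-0421,docs.google.com,443
bob,lt-0502,update.example-login-portal.net,443
bob,lt-0502,docs.google.com.attacker.net,443
carol,lt-0611,www.example-partner.com,443
"""


def apply_policy(log_text: str) -> list:
    """Evaluate every log line; returns (user, host, action, reason) tuples."""
    results = []
    for line in log_text.strip().splitlines():
        user, _device, host, _port = line.split(",")
        action, reason = evaluate(host)
        results.append((user, host, action, reason))
    return results


if __name__ == "__main__":
    for user, host, action, reason in apply_policy(SAMPLE_LOG):
        print(f"{user:6} {host:36} {action:5} ({reason})")
```

Two details matter more than the rule list itself: the rules are evaluated in order with a default deny at the end, and domain matching is by parent domain rather than substring, which is what keeps a phishing host that merely contains a trusted name from being waved through.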

A-CX implemented the world's first Entra PA Proof of Concept before the product reached GA. We have also built several Zero Trust network projects on and between AWS, Azure, and private clouds. Please contact us to schedule a demo, build a PoC, or set up a live system.

Appendix 1, Terminology

Several Microsoft components have Entra in their names. To make things even more complex, Global Secure Access is the umbrella term for Entra PA and Entra IA, and this combination is sometimes also referred to as Microsoft Security Service Edge. Confusing? You're not alone. We've collected a short summary of key terminology here and provided links to the respective Microsoft documentation.

Microsoft Entra

Microsoft Entra is the umbrella name for a suite of services that protect any identity and secure access to any resource with a family of multi-cloud identity and network access solutions.

Microsoft Entra ID

Microsoft Entra ID helps you establish Zero Trust access controls, prevent identity attacks, and manage resource access. It was previously known as Azure Active Directory (Azure AD) and is among the most widely recognized Microsoft products.

Microsoft Entra Suite

Microsoft Entra Suite provides secure workforce access. It consists of various modular elements.

Global Secure Access

Global Secure Access is the unifying term used for both Microsoft Entra IA and Microsoft Entra PA. These two modules are unified under Global Secure Access in the Microsoft Entra admin center. You install the Global Secure Access client on a device, such as a computer or phone, and then use the Global Secure Access settings in the Microsoft Entra admin center to secure the device.

Security Service Edge

Security Service Edge (SSE) is a term coined by Gartner in 2021. It secures access to the web, cloud services, and private applications. Capabilities include access control, threat protection, data security, security monitoring, and acceptable-use control enforced by network-based and API-based integration.

The Microsoft Security Service Edge solution consists of Entra IA, Entra PA, and the SaaS-security-focused CASB, Microsoft Defender for Cloud Apps.

What do you think? Please get in touch with us and leave your thoughts.

Originally published at https://www.a-cx.com on October 31, 2024.

Mikko Peltola

Co-Founder and COO @ A-CX | AI, Digital Innovation

5 days ago

Yesterday, we had a successful Entra Private Access PoC webinar with Microsoft. Watch the recorded case study for more exclusive insights, expert guidance, best practices, and forward-thinking knowledge. https://www.a-cx.com/event/entra-pa-poc

Philip Griffiths

Open source zero trust networking

5 days ago

I like GSA, but I also think the future is born from the open source zero trust networking solution OpenZiti - https://openziti.io/. Why? Because it's a platform that does far more than most ZTNA solutions, across IT, OT, and even IoT. It even includes the ability for zero trust networking to be embedded into the app as part of the software development lifecycle so that apps are 'born' secure by default and are thus unattackable via conventional IP-based tooling; all conventional network threats are immediately useless as you have no listening ports on the host OS network, LAN, WAN. This, IMHO, is DevSecOps, where secure networking is part of the dev/SDLC, rather than done externally as apps move to production via firewalls, bastions, VPNs, etc.

Mikko Peltola

Co-Founder and COO @ A-CX | AI, Digital Innovation

3 weeks ago

Thanks for your comments, reposts, and likes! To hear more, please join our webinar on Entra Private Access hosted by Microsoft. https://www.dhirubhai.net/events/entraprivateaccessproofofconcep7258124326644654082/

Kashif Hasnain

Cybersecurity | Network and Infra Security | OT/IoT | MDM, MAM,Endpoint Security | AIP | MIP | DLP | SIEM | Multi-Cloud Security |Microsoft Entra IGA | DevSecOps | Container Security

3 weeks ago

Well explained
