Zero Trust architecture, SASE, and SSE technologies have been hot topics for a few years now. Microsoft is now also bringing its own SSE solution to the market. But what is it all about?
SASE (Secure Access Service Edge)
SASE (Secure Access Service Edge) is a comprehensive, cloud-managed security model that securely connects users, systems, endpoints, and remote networks to an organization’s applications and resources according to Zero Trust principles. Employee devices and their connections are protected and restricted to only the services they need, regardless of where the employees work. Technically, SASE enables a Zero Trust architecture in which no network is considered trusted, not even the company’s own internal network, as has been customary in traditional network architectures.
In traditional organizational network architectures, access control is very typically implemented with a VPN solution that lets users reach services within the organization’s internal network. Often the organization has not segmented the internal network at all, so a VPN connection provides access to the entire internal network. Security is threatened if a criminal actor manages to breach the VPN solution or if a compromised device unknowingly connects to it. Furthermore, the security of VPN solutions often no longer meets today’s requirements.
SASE solutions can also generate savings. Software-defined SD-WAN solutions, which are included in SASE, can replace, for example, MPLS network connections offered by network operators. MPLS technology has traditionally been used to connect different branch offices of organizations for data communication. SD-WAN solutions are typically significantly more cost-effective than MPLS solutions, also opening up the operator market to better competition.
SASE in a nutshell
- User and device-based access control: Users have access, based on their permissions and network configuration, only to the services they need, in line with Zero Trust principles.
- Cloud-based centralized management: All network components of the organization are protected under the same “umbrella”.
- Users are protected according to a unified model, regardless of the employee’s location.
- SSE (Security Service Edge): One component of SASE, which can be used to implement secure connections from endpoints to an organization’s internal services, whether they are located in cloud services or on-premises infrastructure. However, it is not intended for securely connecting networks between different branch offices.
Microsoft SSE (Security Service Edge)
Microsoft’s SSE (Security Service Edge) service is called Global Secure Access. In this service, network traffic from workstations to specifically defined services is directed to Microsoft’s Secure Edge service, from which the traffic is then routed and authorized to the specified services using conditional access control. In practice, using the service requires installing the Global Secure Access client application on workstations. The service can also be deployed at the network level, but without the client application it is not possible to authorize, for example, access to the organization’s internal network services.
Currently, the service is still in Public Preview, and pricing information is not yet available. The service can be used for piloting with an Entra ID Plan 1 license, which is included, for example, with the Microsoft 365 Business Premium license package. Supported operating systems for the Global Secure Access client application are Windows 10/11 and Android. Support for macOS and iOS operating systems is currently in Private Preview, meaning it is not yet publicly available.
The Microsoft Global Secure Access service consists of the following components:
- Restricting access to Microsoft 365 services based on user, network, and device information
- Secure access control to internal network services, whether they are located in the organization’s on-premises infrastructure or on cloud platforms, without opening firewall ports from the external network towards the internal network
- Internet traffic filtering features
- Access blocks based on content or network address
Summary
Global Secure Access, together with conditional access control, enables granular access control to Microsoft 365 services, services within internal networks, and, if necessary, content and Internet traffic, in line with Zero Trust principles. This provides significant additional protection against malicious actors accessing organizational services, for example, in situations where user credentials have been compromised.
It should be noted, however, that the Global Secure Access service still has shortcomings, as can be expected from a service in Public Preview, but it already appears very promising at this stage. It is not a comprehensive SASE solution, though, so where one is needed, attention should be directed to, for example, Cisco’s Meraki product family, which is also found in our service portfolio.
Are you interested in learning more and finding out the best way for your organization to implement a more secure and functional work environment? Contact us, and let’s discuss further!



