Microsoft’s SSE solution Global Secure Access was released last July. The product has generated a lot of interest, which is no wonder: Zero Trust architecture, SASE, and SSE technologies have been attracting attention in organizations for quite some time. Ever-evolving security threats have also prompted IT departments to seek solutions to improve their security.
I wrote about Global Secure Access for the first time last spring on our blog. It can be read
What is Global Secure Access?
Global Secure Access is Microsoft’s Security Service Edge (SSE) solution. In the service, traffic from workstations (and/or networks) that is bound for specifically defined services is routed through Microsoft’s Secure Edge service, which then directs and authorizes it to those services using conditional access management. The benefits come from the ability to, for example, require all traffic to be routed through Microsoft’s SSE edge network and block access from other networks. In addition, conditional access management can be used to enforce strong authentication and set different requirements for connecting devices. Together these provide significant additional protection for identities and protect almost automatically against attacks in which a user’s Microsoft 365 credentials have been phished.
Global Secure Access applies Zero Trust principles such as least privilege access, explicit verification, and assumed breach. The service is managed and configured in the Microsoft Entra management portal. Global Secure Access requires a client application to be installed on the endpoint device. Service features can also be implemented at the network level, in which case the client application may not be necessary on endpoint devices. The client software is available for Windows
Microsoft Entra Private & Internet Access
Global Secure Access consists of the Microsoft Entra Private Access and Microsoft Entra Internet Access functionalities. Entra Private Access manages access control to internal networks, while Entra Internet Access handles the organization’s publicly available services, such as various SaaS services like Microsoft 365.
Microsoft Entra Private Access allows users to connect to applications in the organization’s internal networks from devices and networks. The service can replace traditional VPN solutions with conditional access management, single sign-on, and Microsoft’s SSE edge network. Access control configurations can be implemented in a highly segmented manner down to the IP and protocol level.
Microsoft Entra Internet Access is a service that secures access control to the organization’s internet and SaaS applications and resources through a Secure Web Gateway (SWG) solution. The service combines conditional access management, web content filtering, threat protection, and network security management in the centralized Microsoft Entra management portal. The service also allows for context-based web content filtering to block users from inappropriate, harmful, or unsafe sites.
Microsoft Entra Internet Access for Microsoft 365 Services can secure access control to the Microsoft 365 service. Microsoft has made this feature available without separate license purchases. However, Entra ID P1 is required as a base to enable the use of the service.
Licensing
Global Secure Access functionalities require Microsoft Entra ID P1 as a base, which is included in Microsoft Business Premium and E3 licenses, for example.
Microsoft Entra Suite covers all Global Secure Access features. Its list price is ~11.20 euros per user/month. Special pricing is available for Entra ID P2/Microsoft 365 E5 customers.
The list price for Microsoft Entra Private Access license is ~5.70 euros per user/month.
The list price for Microsoft Entra Internet Access license is ~5.70 euros per user/month.
Microsoft Entra Internet Access for Microsoft 365 Services is available without separate license purchases, provided that the organization has Microsoft Entra ID P1 in use.
Summary
The Microsoft Entra Private Access feature of Global Secure Access is an excellent choice for organizations when considering a replacement for current VPN solutions. It allows for highly segmented access control to internal network services, which helps significantly reduce the attack surface. Typically, in a traditional VPN solution, the internal network is opened too broadly and, at worst, combined with weak authentication settings, poses significant security threats.
In our test use, the Global Secure Access features have generally worked flawlessly, and configuring the services is not very complicated. In my opinion, the Microsoft Entra Internet Access side still needs functionalities and improvements to certain functions, but the Private Access service is already quite suitable for production use. I warmly recommend trying it out!
Interested in hearing more about the best way for your organization to start implementing a more secure and functional work environment? Contact us below and let’s talk more!



