Exploring secure service edge with Microsoft Entra GSA

Cloud and infrastructure
Article
Posted on April 24, 2024
Estimated read time: 5 minutes
Article by
Share
microsoft-service-edge-1920x1080.jpeg

Virtual private networks (VPNs) play a crucial role in the infrastructure of many organizations. However, VPN technology often falls short of aligning with Zero Trust principles. Even with network segmentation in place, VPN software typically lacks capabilities such as continuously considering user authentication context or Network DLP. Moreover, the underlying infrastructure demands resources, maintenance and monitoring, adding to the workload of already stretched IT departments.

Enter the space of secure service edge (SSE) solutions SSE isn’t a new concept; it offers a well-defined, mature approach that extends beyond VPN capabilities. SSE solutions incorporate additional web gateway functionality, enabling organizations to restrict network and data access effectively. Microsoft recently introduced their SSE functionality through Entra Global Secure Access (GSA), which has been in preview since Summer 2023.

In this blog post, we explore our firsthand experiences, highlight the benefits, and share key insights gained from using Entra GSA. Our aim is to provide valuable perspectives to help you determine whether Entra GSA is the right solution for your organization.

What is Global Secure Access? Global Secure Access is Microsoft’s name for their Secure Service Edge solution encompassing two general capabilities called: Entra Internet Access and Entra Private Access. Administrators can configure these capabilities via the existing Entra Admin Center. GSA introduces network signals into the Entra suite and focuses on providing Zero Trust principles such as use least privilege, verify explicitly, and assume breach scenarios to on-premises and SaaS environments.

By translating these principles into robust security controls, GSA ensures comprehensive protection for Identities, Endpoints, and Remote Networks, including Branch Office locations.

global-secure-access-architecture.jpg

 

 

GSA has two supported options to set up connectivity:

  • Installation of a client on Windows 10, 11 or mobile device

  • Configuration of a remote network, such as a branch office location.

This flexible connectivity enables your organization to allow access, not only to cloud-based but also local resources, from anywhere at any time and from (almost) any device if they use one of these connectivity options, identified as "Compliant Network" as a new location within CA and CAE.

Private access Private Access enables enterprise users to secure direct access to corporate, local resources instead of providing access to (a specific part of) the corporate network like various VPN solutions do.

Private Access ensures secure access to local resources, including not only web applications but any resources accessible via port and protocol. The application proxy only requires outbound traffic over port 80 and 443 to establish sessions with Microsoft Entra.

Furthermore, resources can be registered as an Entra Enterprise Application on a per-resource level, a specific segment or a self-defined group of resources or segments. With the full capabilities of Conditional Access and Conditional Access Evaluation, access to these resources, due to HTTPS/TLS (port 443), allows for full Zero Trust capabilities.

Private Access uses familiar Entra technologies, making it very accessible via the familiar Entra Portal and Entra Enterprise Application interface. This integration brings capabilities such as Modern Authentication, Conditional Access and Conditional Access Evaluation to legacy systems and applications.

Internet access Internet Access lets business users connect to cloud-based corporate software and the internet through a Secure Web Gateway that identifies users and devices. It has two main features: Internet Access and Microsoft 365 Access.

With Microsoft 365 Access, traffic to the Microsoft 365 tenant (including Exchange Online, SharePoint, etc.) is routed to the Secure Service Edge where controls are enforced. Organizations can apply tenant restrictions, where you can allow or block access to other Microsoft 365 environments without the need for any additional networking or infrastructure requirements. as an example, this feature prevents malicious insiders from authenticating to external tenants.

Internet Access controls traffic to the public internet via SWG components, including URL filtering. This allows administrators to control user access to the internet but block data transfer to unauthorized storage providers such as Google Cloud or WeTransfer. The product roadmap includes enhancements such as Threat Protection, Threat Intelligence, Cloud Firewall, Network Traffic logging.

Tips before you start Here are some essential points to consider before diving right into the product:

  1. Conditional access policies: GSA features rely on CA policies for providing access to internet and intranet applications. It’s important to note that by utilizing these features, more CA policies may be required and potentially adding more complexity to your CA configuration and dependencies. If there is a risk of hitting the maximum policy limit or conflicts, consider optimizing or cleaning up existing policies beforehand.
  2. Current state analysis: Analyze the currents state and identify security gaps and opportunities for modernization. Translate these findings to use cases and requirements and engage a Proof-of-concept (POC) to assess if GSA aligns with your organization's goals for a Zero Trust-based modern way of working.
  3. Networking measures: Know what networking measures and tools are in place that could have impact on the deployment, such as captive portals for Network Access Control (NAC), DNS encryption or other forms of network management that might cause conflicts with the solution.
  4. Multi-user setup limitations: Note that GSA is not supported on a multi-user setup, such as an RDP session host or multi-user Windows 10/11 with multiple simultaneous sessions. Additionally, GSA does not support virtualization when installed on both host and guest operating systems.

If you’re interested in a Global Secure Access implementation or exploring a POC, Avanade is here to help. Whether you're seeking to align the product with your organizational ambitions or strategies, we offer expert guidance.

From crafting a strategic vision to providing technical solutions, including design, implementation, and organizational change management, Avanade is the ideal partner to support your journey. Contact us today.

talk-to-expert-form

Subscribe to Avanade Insights

Doing what matters starts here

Tell us more about your challenge or need and we will connect you to the right Avanade expert to help you.

How can we help?

Press Contacts

The Americas

TA-PR@avanade.com

Europe and Middle East (EME)

EME-PR@avanade.com

Asia Pacific (APAC)

APAC-PR@avanade.com

Headquarters

North America
Global Headquarters
1191 Second Avenue
Suite 100
Seattle, WA 98101
Europe

30 Fenchurch Street

London

EC3M 3BD

Growth Markets
Singapore Headquarters
Avanade Asia Pte Ltd
250 North Bridge Road
#30-03 Raffles City Tower
Singapore 179101