Traditional VPNs don’t suffice
Point-to-Site VPN solutions have often formed the foundation of connectivity in a world where remote work is more and more prevalent. Mature environments shield their resources from the public internet, which makes day-to-day operations less straightforward than before.
Traditional implementations fail to scope network access to specific users. Due to a lack of context-awareness, users have full network-level access to the environment. Furthermore, a static trust model is used, whereby trust is gained upon initial connection, but never re-verified.
With the increasing need for granular insight and strict access control, re-evaluating your current VPN setup can be a major eye-opener and is likely to lead to significant security improvements.
In this article we delve deeper into the benefits Global Secure Access (GSA) can offer compared to traditional Point-to-Site setups.
What is Global Secure Access (GSA)?
Global Secure Access is an identity-aware network perimeter solution that allows granular control of user access to both private and public resources. The combination of Zero Trust principles with network access control allows for least-privilege access from anywhere.
Due to its context awareness, well-known security controls such as Conditional Access, Device Compliance or Real-Time Risk Evaluation can be enforced on all connections that are made through it.
A simple distinction can be made between 2 main aspects of GSA:
- Microsoft Entra Internet Access: secures user access to internet resources.
- Microsoft Entra Private Access: provides user access to private resources within the environment.
When talking about replacing traditional VPN implementations, we mainly focus on the Private Access part of GSA, as this is the part that allows users to remotely access the private networks within the environment.
Zero Trust in action
GSA is able to enforce Zero Trust in multiple ways. First of all, explicit verification is done for connections to the solution:
- Conditional Access is checked using Entra ID. This already provides additional security controls such as MFA or strong authentication requirements.
- Continuous risk evaluation based on identity, location and device posture.
Least-privilege access can be configured, allowing selective access for specific users. There are many ways to scope this access such as:
- Specific applications
- Specific target IP ranges
- Specific source users
- Time-based access through PIM or Access Packages
- …
In doing so, not all users will be able to access all resources. A more fine-grained approach can ensure certain groups of users are only allowed access to the network segments or applications that are relevant to them.
When enabled, Defender for Cloud (DfC) can also provide a major increase in security. While we already discussed controlling who gets access to which resources, DfC helps specify what actions these users can perform on the scoped resources:
- Real-time monitoring of actions performed through GSA, flagging risky behaviour such as data exfiltration or access from suspicious locations
- Data Loss Prevention (DLP) ensures no unauthorized sharing or leaking of sensitive data via GSA
- Risk-based access decisions can be made by combining DfC risk analytics with GSA's identity and device posture insights, providing dynamic policy enforcement that adapts restrictions to the current situation
Comparison
An overview of the differences between the traditional VPN setup and GSA equivalent can be found in the table below:
| Feature | Traditional VPN | GSA + Entra ID |
|---|---|---|
| Authentication | Username/password or certificates | Entra ID with MFA, SSO |
| Device Compliance | Limited | Integrated with Intune |
| Least Privilege | Flat access | App/resource-level access |
| Monitoring | Limited log insights | Full traffic visibility |
| Risk-Based Access | No | Yes, real-time risk scoring |
| Conditional Access | No | Full support |
Considerations & Best Practices
It's important to note that GSA does not come for free. Compared to traditional VPN setups (which are not cheap either), GSA is billed on a per-user basis, and Entra ID P1/P2 and E5 licenses are required to unlock all features.
On the other hand, maintenance and overhead are almost negligible:
- Barely any upfront infrastructure cost
- Lower management overhead, with the focus on policy management instead of infrastructure maintenance
- Automatic scaling in the cloud
- Easily integrated security tooling, reducing third-party licensing costs
That being said, organisations that are already enrolled into the M365 and Azure ecosystem, and already have the above-mentioned licenses for other purposes, can potentially reduce the monthly running cost for their VPN solution by a significant amount.
Of course, it is also important to note that moving from a traditional VPN solution towards GSA will take effort, due to the number of policies and configurations required to set up a secure GSA instance. This is where a partner like The Collective can come in handy.
Below are some of the main configurations you cannot forget about:
- Combine Identity, Device Compliance and Risk Signals in Conditional Access policies
- Enable Continuous Access Evaluation
- Aim for least-privilege access through segmentation
- Integrate Defender for Cloud for session monitoring and action policies
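As an added illustration of the first and third items in this checklist (not code from the article, The Collective, or Microsoft), the following Microsoft Graph PowerShell SDK v2 snippet creates two Conditional Access policies: one that only lets a scoped group reach a Private Access application with MFA and an Intune-compliant device, and one that blocks the same application for medium/high sign-in risk. The Private Access application id and the group ids are tenant-specific placeholders, and both policies start in report-only mode.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph
# PowerShell SDK v2 and a role allowed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholders: replace with the ids from your own tenant.
$privateAccessAppId = "<PRIVATE-ACCESS-ENTERPRISE-APP-ID>"   # the Entra Private Access app
$vpnUsersGroupId    = "<GROUP-ID-ALLOWED-PRIVATE-ACCESS>"     # only this group gets in
$breakGlassGroupId  = "<BREAK-GLASS-GROUP-ID>"                # emergency accounts, always excluded

# Policy 1: identity + device compliance. Operator AND means MFA *and* a
# compliant device are both required; "OR" would accept either one.
$requireMfaAndCompliance = @{
    displayName = "GSA Private Access - require MFA and compliant device"
    state       = "enabledForReportingButNotEnforced"  # report-only first; set "enabled" after review
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($privateAccessAppId) }
        users          = @{
            includeGroups = @($vpnUsersGroupId)
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

# Policy 2: risk signal. A compromised account that can still pass MFA is
# blocked from the private network when Identity Protection rates the
# sign-in medium or high risk. Conditions inside one policy are ANDed, so a
# user-risk block belongs in a separate sibling policy, not in this one.
$blockRiskySignIns = @{
    displayName = "GSA Private Access - block medium/high sign-in risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes   = @("all")
        applications     = @{ includeApplications = @($privateAccessAppId) }
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfaAndCompliance
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockRiskySignIns
```

Review the report-only results in the Entra sign-in logs before switching either policy to "enabled", so that a misconfigured group or app id does not lock everyone out of the private network at once.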
Conclusion
Azure Entra Global Secure Access fundamentally shifts the paradigm by integrating identity, device compliance, and real-time risk evaluation to enforce a true Zero Trust model for Point-to-Site VPN access. This approach not only minimizes the attack surface but also delivers seamless, least-privilege access tailored to each user’s context.
By replacing traditional VPNs with Global Secure Access, your business can simplify infrastructure, improve security posture, and gain deeper visibility into user activity. Ultimately, GSA empowers organizations to guard their digital resources with confidence, ensuring secure remote access that meets the demands of the current IT landscape.
Ready to strengthen your remote access with a true Zero Trust approach? Explore how Azure Entra Global Secure Access can transform your VPN security with us today.
Join us for a webinar on October 6 where we will discuss the ins and outs of Microsoft GSA. Sign up here: Microsoft GSA Webinar.
Listen to our in-depth podcast discussion on the topic of GSA on your favourite podcast channel: Insights – Podcast – The Collective Consulting.
This article was written by our Azure consultant Jorik Van Damme