Every company has employees working remotely: logging in from home, from a coffee shop, or from a business trip at the other end of the world. When that happens, your firewall never sees their traffic, either because you allow direct internet access or because the user disables the VPN when it makes the connection too slow. And when a VPN is needed to reach private applications or file shares, the tunnel stays up regardless of the security state of the device or the user. Your perimeter no longer exists the way it was designed, forcing you into a trade-off between productivity and security. But what if we told you this no longer has to be the case?

Problems with Legacy VPNs

Typical VPN solutions connect a device, via a VPN client, to a router or firewall at the edge of the corporate network. Depending on the setup, the VPN is used either with the primary goal of providing access to privately hosted resources, or to tunnel all traffic through that central firewall for network security inspection. While effective in the past, these setups were designed for a world where data and applications lived in one central data center. When the VPN is also used for network security inspection, expensive hardware is needed to cope with the large number of users connecting to your organization.

Once users start working from around the world, tunneling every connection back to that one central data center routes traffic over long network paths, introducing latency and friction. IT administrators are then forced to choose between reducing security and imposing a bad user experience. Users find workarounds, which means reduced visibility and growing shadow IT.

These typical VPN solutions grant network access, not application access. Once a user is inside, lateral movement to other applications living on that same network is easy. If the IT administrator wants to move to a more segmented approach, there is usually no clear view of which user accesses which application. And what if the user or device was compromised via a phishing email while the VPN was connected? The attacker can now use that VPN session to reach your company's crown jewels.

What is Microsoft Global Secure Access

Microsoft Global Secure Access is a Security Service Edge (SSE) solution built on the core Zero Trust principles: use least privilege, verify explicitly, and assume breach. The product consists of Microsoft Entra Internet Access and Microsoft Entra Private Access, securing connections to SaaS applications on the internet and to privately hosted applications respectively. It converges network, identity, and endpoint access controls to make sure users connect securely to applications and resources. Delivered from Microsoft's wide area network, spanning 70 regions and 190+ network edge locations, it lets organizations connect users and devices seamlessly and securely over an optimal path.

Global Secure Access Diagram

Source: What is Global Secure Access? – Global Secure Access | Microsoft Learn

With Microsoft Entra Internet Access for Microsoft services, users reach Microsoft applications and services over direct connectivity, improving security, performance, and resilience. Using Entra Conditional Access and the compliant network check, organizations can require phishing-resistant authentication for Microsoft services and third-party SSO-integrated applications without the user having to perform an additional authentication step. For organizations concerned about data exfiltration to unauthorized foreign tenants or personal accounts, this profile can tag traffic with Tenant Restrictions headers, allowing access only to pre-approved tenants. With the source IP restoration feature, the Microsoft Entra sign-in logs show the real source IP of the user rather than the service edge's address, increasing the accuracy of threat detections.

The Microsoft Entra Internet Access profile protects access to SaaS applications as a Secure Web Gateway (SWG), blocking threats, unsafe applications, and malicious network traffic. By building an allow or block list for each persona in your organization, you control who can access which website categories and make sure that malicious websites are blocked automatically. With TLS inspection enabled, advanced features such as file policies to block data loss and prompt policies to detect malicious prompts in AI applications become available, enabling next-generation protection mechanisms.

Microsoft Entra Private Access gives your users secured access with modern authentication (such as phishing-resistant MFA) to your private resources, even for legacy protocols, whether those resources are hosted in one or several data centers. The service offers per-application access based on Conditional Access policies, so you can use other Microsoft Entra features such as step-up authentication, Privileged Access Management, Entra ID Governance, and many more to grant access securely and automatically. With the application discovery feature, IT administrators can see which applications are being accessed by which users, giving them the insight needed to design application access in a segmented, per-application model. And since everything is enforced through Conditional Access with Continuous Access Evaluation support, access is revoked automatically when signs of compromise are found.

Why use Global Secure Access now?

Many organizations ask themselves: why should we start using Global Secure Access? Honestly, there are several good reasons. First of all, we at The Collective believe that hybrid work is permanent, and that your security perimeter is far bigger than the network layer. Identity has become the ultimate gate to the network, making it even more important for an SSE solution to integrate tightly with the identity stack. Together with Microsoft Entra, Global Secure Access is the best solution to secure your network connections using user and device signals.

A lot of organizations already pay for parts of Global Secure Access. If your organization uses Microsoft 365 E3/E5 or Entra ID P1/P2 licenses, Microsoft Entra Internet Access for Microsoft Services is already included in your current licensing. That means you can benefit from reduced latency and additional security for Microsoft services and all SSO-integrated applications at no additional cost. All you have to do is deploy the Global Secure Access client to your devices, configure the profile, and off you go.

Specifically for Belgian organizations that must comply with the NIS2 requirements, Global Secure Access can help you implement logging, monitoring, and strong access control for your SaaS apps and internal resources. It also consolidates tooling, replacing VPN solutions, web proxies, and network monitoring solutions with a single service for your IT administrators to maintain.

What does deployment look like?

Depending on the goals you want to accomplish for your business, onboarding to Global Secure Access requires different specific steps. But generally, it comes down to the same simple principles: a lightweight agent is deployed to your endpoint devices with your existing client management tools, and it authenticates as the user silently in the background. To reach internet destinations, no expensive hardware such as firewalls and routers is needed, only security policy configuration in the Global Secure Access portal and Entra Conditional Access. Even advanced security features like TLS inspection, threat intelligence, and file and prompt policies are easy to enable thanks to integrations with other Microsoft technologies. For private resources, user traffic is tunneled through connector software running on virtual machines in your existing infrastructure, again eliminating the need for dedicated hardware.

Do you have a business case where thin clients or other devices that cannot run an agent still need secure internet access? With Global Secure Access we can create redundant, highly available IPsec tunnels between your existing network equipment and the Global Secure Access points of presence, so traffic from these devices is also carried over the Global Secure Access backbone. This ensures security policies are applied to devices without an agent as well.

Your next steps

If you want to learn more about Global Secure Access or want to experience live demos of the different features, you can rewatch our Global Secure Access webinar here. Eager to learn more from the practical experience we had by deploying the solution with our customers? Then make sure to listen to our podcast.

If you are interested in the product, want more information, or maybe some extra live demos, just reach out to our team.

FAQ

Is Microsoft Global Secure Access included in Microsoft M365?

Depending on which traffic profiles your organization needs and which licenses it already has, some profiles may already be included. The Microsoft Entra Internet Access for Microsoft Services profile is included in Microsoft 365 E3/E5 and Entra ID P1/P2. Microsoft Entra Internet Access and Microsoft Entra Private Access each have a standalone license you can buy, and both are also included in the Microsoft Entra Suite license.

How does Microsoft Global Secure Access work with Entra ID and Conditional Access?

When configuring traffic forwarding profiles in Global Secure Access, you assign them to specific users or groups, and you can further control them by configuring Conditional Access policies that target the related profile. For Microsoft services you can create Conditional Access policies that require a 'compliant network' (a sign-in coming through the GSA client) before a user can access a service. Private Access applications can be assigned dynamically or statically via Entra groups or Access Packages.
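The compliant network requirement described above is implemented as a Conditional Access policy that blocks access unless the sign-in arrives through the Global Secure Access client. The PowerShell below is an added example written for this page, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK. Two things are assumed and should be checked in your tenant first: that the compliant network appears as a named location whose @odata.type is '#microsoft.graph.compliantNetworkNamedLocation' (if it does not show up with the v1.0 cmdlet, try the Microsoft.Graph.Beta equivalent), and that a break-glass group named 'sg-breakglass' exists. The policy is created in report-only mode on purpose; a block policy that is enforced before the client is rolled out everywhere locks users, and possibly administrators, out.

```powershell
# Added example, not part of the original post. Creates a report-only
# Conditional Access policy: block all cloud apps unless the sign-in comes
# through the Global Secure Access client ("compliant network").
# Requires the Microsoft.Graph PowerShell SDK and an administrator who can
# consent to Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Assumption: the compliant network shows up as a polymorphic named location
# of type compliantNetworkNamedLocation once Global Secure Access is enabled.
# Verify with: Get-MgIdentityConditionalAccessNamedLocation -All | Select-Object DisplayName, AdditionalProperties
$compliantNetwork = Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.compliantNetworkNamedLocation' }
if (-not $compliantNetwork) {
    throw "No compliant network named location found. Is Global Secure Access enabled in this tenant?"
}

# Assumption: an emergency access ("break-glass") group named sg-breakglass exists.
# Always exclude it from blocking policies so a misconfiguration cannot lock out every admin.
$breakGlass = Get-MgGroup -Filter "displayName eq 'sg-breakglass'"
if (-not $breakGlass) {
    throw "Break-glass group 'sg-breakglass' not found. Create it before deploying a block policy."
}

$policy = @{
    displayName = "GSA - Block access unless on compliant network (report-only)"
    # Report-only first: review the sign-in logs for what WOULD have been blocked,
    # then switch the state to "enabled" once the client is deployed to all users.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            # Sign-ins arriving through the GSA client are exempt from the block.
            excludeLocations = @($compliantNetwork.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy '$($created.DisplayName)' with id $($created.Id) in state $($created.State)"
```

Run it with an account that is itself a member of the break-glass group, and keep the policy in report-only until the 'Report-only' results in the sign-in logs show no unexpected blocks for users who already run the client.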

What is the difference between a VPN client and the Global Secure Access client?

A typical VPN client builds a single full tunnel between the device and a network router, and it does not perform continuous user- and device-based checks to allow or block access once the tunnel is up. The Global Secure Access client instead uses dedicated, lightweight mTLS tunnels for each connection it makes, and continuously checks, based on various risk signals, whether both the user and the device are still authorized to reach the destination resource.