Fri. Dec 27th, 2024

As you might have heard or read about it, Microsoft has announced the general availability of the Microsoft Entra Suite which is a unified solution for secure access management, identity verification, and Zero Trust security for cloud and on-premises resources.

The new Microsoft Entra suite integrates five capabilities:

  • Private Access
  • Internet Access
  • ID Protection
  • ID Governance
  • Face Check as part of Verified ID Premium
  • Microsoft Entra Private Access – an identity-centric Zero Trust Network Access that secures access to private apps and resources and reduces operational complexity and cost by replacing legacy VPNs. 
  • Microsoft Entra Internet Access – an identity-centric Secure Web Gateway (SWG) for SaaS apps and internet traffic that protects against malicious internet traffic, unsafe or non-compliant content, and other threats from the open internet. 
  • Microsoft Entra ID Governance – a complete identity governance and administration solution that automates identity and access lifecycle to ensure that the right people have the right access to the right apps and services at the right time. 
  • Microsoft Entra ID Protection – an advanced identity solution that blocks identity compromise in real time using high-assurance authentication methods, automated risk and threat assessment, and adaptive access policies powered by advanced machine learning (also included in Microsoft Entra ID P2).  
  • Microsoft Entra Verified ID – a managed verifiable credentials service based on open standards that enables real-time identity verification in a secure and privacy respecting way. Included in the Microsoft Entra Suite are premium Verified ID capabilities, starting with Face Check.  

Microsoft Entra Suite can help you do the following:

  • Unify Conditional Access policies for identities and networks. 
  • Ensure least privilege access for all users accessing all resources and apps, including AI. 
  • Improve the user experience for both in-office and remote workers
  • Reduce the complexity and cost of managing security tools from multiple vendors. 

Check out the Microsoft Entra Suite introductory video below:

Microsoft’s Security Service Edge Solution!

One of the features announced with Entra Suite is Microsoft’s Security Service Edge (SSE) solution. It converges network, identity, and endpoint access controls so that you can secure access to any app or resource, from any location, device, or identity. It enables and orchestrates access policy management for employees, business partners, and digital workloads. You can continuously monitor and adjust user access in real time if permissions or risk level changes to your private apps, SaaS apps, and Microsoft endpoints.

Microsoft’s Security Service Edge solution features

Microsoft Entra Internet Access

Microsoft Entra Internet Access is a comprehensive security solution designed to secure access to internet, SaaS, and Microsoft applications. Its primary goal is to protect organizations from various internet threats, malicious network traffic, and unsafe or non-compliant content by unifying access controls into a single policy framework. Here are the key features and benefits:

Key Features

  1. Universal Access Controls: Centralizes and unifies access policies across all internet resources and SaaS apps, reducing the complexity and potential security gaps associated with using multiple security solutions.
  2. Token Protection: Secures access tokens to prevent misuse or theft, enhancing the security of user sessions and access credentials.
  3. Web Content Filtering: Monitors and controls the types of content that users can access on the internet, helping to block unsafe or non-compliant content.
  4. Cloud Firewall: Provides advanced firewall capabilities designed to protect cloud-based resources from threats, ensuring secure communication between cloud services and users.
  5. Threat Protection: Offers comprehensive protection against internet threats, including malware, phishing attacks, and other malicious activities, to safeguard the organization’s digital assets.
  6. Transport Layer Security (TLS) Inspection: Inspects encrypted traffic to detect and block threats that might be hidden in encrypted communications, ensuring comprehensive security coverage.

Benefits

  1. Identity-Centric Security: As an identity-centric Secure Web Gateway (SWG), Microsoft Entra Internet Access focuses on securing access based on user identities, making it more effective at addressing modern security challenges.
  2. Elimination of Security Loopholes: By converging all enterprise access controls into one solution, it eliminates the security loopholes that often arise from using multiple disparate security tools.
  3. Simplified Network Security: Modernizes traditional network security approaches by integrating various advanced security features into a single, cohesive platform, simplifying management and deployment.
  4. Comprehensive Threat Protection: Protects against a wide range of internet threats, ensuring that users, applications, and resources are secure from malicious activities.
  5. Seamless Integration: Works alongside Microsoft Entra Private Access and other components of the Microsoft Entra identity stack, providing a unified security solution that simplifies policy management across all access points.

Secure access to all internet and SaaS apps and resources with an identity-centric Secure Web Gateway (SWG).

Protect your organization against internet threats

Microsoft Entra Internet Access provides robust web content filtering options to restrict enterprise users from accessing undesirable online content. With web category filtering, you can easily allow or block a vast range of internet destinations based on pre-populated web categories, which include liability, high bandwidth, productivity loss, general browsing, and security threat (malware, compromised websites, spam sites, etc.) sites. For more granular control, you can use fully qualified domain name (FQDN) filtering to establish policies that allow or block specific endpoints or to override general web category policies effortlessly. 

Extend Conditional Access context richness to internet security

Modern businesses require versatile filtering policies that adjust to different scenarios. Microsoft Entra Internet Access gives you the ability to apply Conditional Access controls to your SWG policies leveraging the user, device, risk, and location signals to allow or block access to relevant internet destinations. Internet Access consolidates network and identity access controls into one policy engine and allows you to extend Conditional Access (and in future Continuous Access Evaluation) to cover all external destinations and cloud services, even those not federated with Microsoft Entra ID. Additionally, our deep integrations with Entra ID include valuable features like token theft protection, source IP restoration, and data exfiltration safeguards through Universal Tenant Restriction.  

Deliver fast and consistent access at global scale

Enhance your users’ productivity by providing swift and smooth access through a global network edge, with POPs located near the user and private WAN. Utilize numerous peering agreements with internet providers to deliver top performance and reliability. Minimize additional hops and streamline traffic routing for all Microsoft services. Implement optimal traffic management for Microsoft applications in conjunction with solutions from third-party SSE providers using side-by-side access models.

In summary, Microsoft Entra Internet Access is a robust solution for securing internet and SaaS application access, leveraging advanced identity-centric security measures to protect against various threats and simplify network security management.

Microsoft Entra Internet Access for Microsoft 365

Microsoft Entra Internet Access for Microsoft traffic features adaptive access, robust data exfiltration controls, and token theft protection. Resiliency through redundant tunnels provides best-in-class security and granular visibility for Microsoft services, the world’s most widely adopted productivity app. Choose what works best for your organization with flexible deployment options: a complete SSE solution by Microsoft or a side-by-side deployment with other SSE solutions. For example, you can deploy Microsoft Entra Internet Access for Microsoft traffic to gain unique security, visibility, and optimized access for Microsoft apps while keeping your existing SSE solution for other resources. Microsoft Entra Internet Access for Microsoft traffic offers scenarios that enhance security and improve your Zero Trust architecture and end user experience.

  • Protect against data exfiltration by deploying tenant restrictions v2 and enforcing compliant network location with Conditional Access (see Sample PoC scenario: protect against data exfiltration).
  • Restore source IP address from original egress IP to enhance security logs, maintain compatibility with configured named locations in Conditional Access, and retain identity protection location-related risk detections (see Sample PoC scenario: source IP address restoration).

Microsoft Entra Private Access

Microsoft Entra Private Access is an identity-centric ZTNA solution that helps you secure access to all private apps and resources for your users—located anywhere. Private Access allows you to replace your legacy VPN with ZTNA to securely connect your users to any private resource and application—without providing full network access to all private resources. This solution embraces Zero Trust principles to protect against cyber threats and to mitigate lateral movement, while enforcing advanced app segmentation and adaptive least-privilege access policies. Using Microsoft’s global private network, you can give your users a fast, seamless access experience that balances security with productivity.

Secure access to all private apps and resources, for users anywhere, with an identity-centric Zero Trust Network Access (ZTNA).

Key use cases of Microsoft Entra Private Access.

Replace legacy VPNs with an identity-centric ZTNA solution

With Microsoft Entra Private Access, easily start retiring your legacy VPN and level up to an identity-centric ZTNA solution that helps you reduce your attack surface, mitigate lateral threat movement, and remove unnecessary operational complexity for your IT teams. Unlike traditional VPNs, Microsoft Entra Private Access protects access by granting least privilege access to your network for all your hybrid users— whether they are remote or local—and, accessing any legacy, custom, modern, or private apps that are on-premises or on any cloud. 

Enforce Conditional Access across all private resources

To enhance your security posture and minimize the attack surface, it’s crucial to implement robust Conditional Access controls—without making any changes to your private applications and resources such as multifactor authentication (MFA). You can also seamlessly enable single sign-on (SSO) across all private resources and applications, including legacy or proprietary applications that may not support modern authorization.  

Deliver fast and easy access at global scale

Enhance your workforce’s productivity by leveraging Microsoft’s vast global edge presence, providing fast and easy access to private apps and resources, whether on-premises or on private data centers, and across any cloud. Users benefit from optimized traffic routing through the closest worldwide points-of-presence (POP), reducing latency for a consistently swift hybrid work experience. 

Conclusion

Organizations need an easier, more agile approach to protect access to all their applications and resources. This action safeguards your critical assets no matter where they are located. Today’s general availability of our Microsoft Entra Internet and Private Access products—our Microsoft’s SSE solution—does just that. It makes it harder for bad actors to gain access to your sensitive data—even if they successfully infiltrate your network—by extending identity security controls and access governance to your network. 

I hope this was informative for you, please let me know your comments.

See you soon

Karim Hamdy

Infrastructure Architect

Leave a Reply

Your email address will not be published. Required fields are marked *