VPNs and Network Gateways are Useless in a Mobile User Environment: Introducing Microsoft Global Secure Access


User, device, and application security worked well when everyone came into a corporate office, used an Active Directory joined laptop filtered through an internet gateway, and occasionally connected over a VPN when working remotely. Now that our users work from "anywhere" and use devices (like mobile phones) that connect straight to the internet, the VPN and gateway approach to access control is completely ineffective.

Microsoft Global Secure Access Provides Cloud-based Security and Compliance Controls!

After more than a year in private preview, this game changer for enterprise security was just released for general availability! Microsoft Global Secure Access provides all of the security controls we had in the past, but delivers them as a global cloud solution tied to existing Microsoft EntraID (Office 365) authentication, policies, and controls.

Microsoft Global Secure Access, delivered through the EntraID Suite, provides a series of integrated components (many orgs are already using some of them):

  • Endpoint Policies and Control - For Windows, Mac, tablets, and mobile phones, endpoints are policy controlled through the cloud: administrative access can be locked down, patches and updates enforced, the apps allowed to run on the device whitelisted, etc.
  • Secured and Controlled Access to On-Prem Apps (VPN replacement) - Through secured routing from user devices into Microsoft's global cloud network and down into your corporate network, authenticated access to your existing Active Directory and on-prem apps is handled just as it used to be through a VPN into your network (but better!)
  • Filtered Control to SaaS Cloud Apps - Route traffic to your 3rd party SaaS cloud apps (i.e. Salesforce, Box, SAP, ServiceNow, etc.) through the Microsoft global cloud to ensure validated, authenticated access, enforce user permissions and content control, and log activity, so a hacker can't simply connect to your 3rd party cloud apps and access your data directly
  • Ensure Monitoring and Logging - Since users now "have" to go through the Microsoft Global Secure cloud, all logon access, content access, and upload/download traffic is logged, monitored, and tracked for compliance reporting and security management purposes

This new Microsoft Global Secure Cloud restores our ability to control endpoint devices, user access, and the routing of the user's traffic like we used to, without bottlenecks of a corporate VPN, and can handle ALL of our endpoint devices (computers, tablets, and phones)!

Won't going through Microsoft's Global Secure Cloud slow down user access?

Microsoft has a global fiber connected cloud network that in most cases has fewer "hops" than the common route between some Starbucks internet connection, home office, or mobile network route.

And most certainly if you are forcing your users to VPN to your corporate network and then back out from there to the Internet, going from your user's devices, straight to Microsoft, and then out to the user's SaaS apps or to your corporate network will be faster and more efficient in transit for the user.

And Microsoft's global footprint provides more entry and exit points than the "security service edge (SSE)" offerings of other cloud providers, simply from the sheer size and scope of Microsoft's cloud-connected datacenters and regions.

If Microsoft is down, then our users won't be able to access our business apps, right?

The argument that Microsoft's cloud reliability is a reason not to go down a centralized and simplified path for security and compliance just doesn't hold water anymore. Yes, organizations that use Microsoft MFA and single sign-on to access Salesforce or NetSuite won't be able to log on to their 3rd party cloud apps if Microsoft's authentication is down. But organizations that used OneLogin to minimize that risk found they couldn't access anything when OneLogin was down, and then found out that OneLogin in Asia runs in the AWS cloud, so when AWS has cloud issues, users can't log on to their apps.

And of course we "could go back to our old on-prem Active Directory logons" because of potential "cloud risks," but the reality is that an on-prem datacenter is not more reliable than the multi-billion $$ investment a provider like Microsoft puts into redundancy and security; an enterprise and its sole I.T. department can't compete with the big boys in terms of risk mitigation.

And if you're trusting Microsoft to be your provider for your emails, files, and web conferencing, you're probably not going to be any worse off if your users now route their traffic and access controls through that same environment.

We're using EntraID joined devices and Intune endpoint management, isn't that enough?

If you're using EntraID joined devices and an Intune (or other) endpoint management solution, you're "most" of the way there. What you're missing, and where Microsoft Global Secure Access ADDS to the common endpoint management setup orgs already have, is the ability to further control access and centralize access management.

Microsoft Global Secure Access can be configured so that the ONLY WAY a user can logon to a cloud-based app (Salesforce, Dynamics, SAP, NetSuite, etc) is THROUGH the Microsoft Global Secure Access routes. If you're doing endpoint management today, while you can force MFA logons, you haven't created a dedicated and secured connection into your cloud apps.

An endpoint managed device is in itself controlled, but the connection and traffic between that device and the end application is not. This gives hackers the ability to connect directly to your applications or intercept the traffic between your device and your applications, and the bad guys have seized upon that weakness to gain access to critical business systems.

Does this only help me for Cloud apps and accessing on-prem networks?

There’s more to this Global Secure Access than just Cloud app and On-prem network security access. Microsoft Global Secure Access provides granularity all the way down to IP or Service Principal Name access where you can leverage Private Access Profiles and the Private Access Sensor to intercept communications between your endpoints and your Microsoft Active Directory domain controllers.

This means that you can require your endpoints (or just some of them) to pass through Global Secure Access to reach the domain controllers and receive their Kerberos tokens for access to legacy Active Directory resources, even if they are on the same network as those domain controllers. This means that you could leverage Microsoft Global Secure Access plus Conditional Access to require that your Domain Administrators only be able to receive a Kerberos token if they are on a device marked as compliant in Intune, coming from an expected office location, and having performed phishing resistant MFA! This all adds yet another layer of security and modern strong authentication requirements that helps us keep a step or two ahead of bad actors, leveraging strategies we've come to know and love in the cloud, now extended back to our legacy Active Directory!
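As an added illustration (not from the article or from Microsoft's own documentation), the Domain Administrator requirement described above can be expressed as two Conditional Access policies created with the Microsoft Graph PowerShell module: one that blocks the Private Access application fronting the domain controllers from any location except the office, and one that requires a compliant device plus phishing-resistant MFA. The group, application and named-location GUIDs are placeholders for your tenant's values; the authentication strength GUID is the built-in "Phishing-resistant MFA" strength, and both policies are created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example, not the article's or Microsoft's code. Assumes the Microsoft.Graph
# PowerShell module and an admin with the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$domainAdminsGroup = "<OBJECT-ID-OF-DOMAIN-ADMINS-GROUP>"     # placeholder
$privateAccessApp  = "<APP-ID-OF-PRIVATE-ACCESS-APPLICATION>" # placeholder
$officeLocation    = "<NAMED-LOCATION-ID-OF-OFFICE>"          # placeholder
$phishingResistant = "00000000-0000-0000-0000-000000000004"   # built-in strength

# Policy 1: block the Private Access app (and so the DCs behind it) from
# every location except the expected office named location.
$blockOutsideOffice = @{
    displayName   = "DA: block DC access outside office"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users          = @{ includeGroups = @($domainAdminsGroup) }
        applications   = @{ includeApplications = @($privateAccessApp) }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($officeLocation) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: even from the office, grant access only from an Intune-compliant
# device AND after phishing-resistant MFA (operator AND combines both controls).
$requireStrongAuth = @{
    displayName   = "DA: compliant device + phishing-resistant MFA for DC access"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($domainAdminsGroup) }
        applications   = @{ includeApplications = @($privateAccessApp) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "AND"
        builtInControls        = @("compliantDevice")
        authenticationStrength = @{ id = $phishingResistant }
    }
}

foreach ($p in @($blockOutsideOffice, $requireStrongAuth)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
```

Switch `state` to `enabled` only after the report-only sign-in log entries show the expected admins passing and no unexpected sessions being blocked.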

Wrap-up

Bottom line: when we sent users home to work from anywhere, and users expanded their device usage beyond just their business laptop to their phones and tablets, we lost critical security measures that helped us protect our systems and information.

We've tried workarounds like forcing our laptop users to VPN back into our networks (but not their mobile phones), and we've enabled security service edge technologies (that have minimal node points for global access), but Microsoft's Global Secure Access gives us the security and compliance controls we had before, in a manner that leverages Microsoft's high speed global cloud network.

Orgs already using Microsoft for MFA and maybe endpoint management are 70% of the way there; the extension into Entra Internet Access and Entra Private Access gets the org back into the managed, secured environment that is so badly needed in this era of cyberthreats.

(This article benefited from the contribution from one of my partners here at Convergent Computing, Andrew Abbate, who has been an industry leader in security, compliance, and data protection for decades - helping enterprises implement technologies like this Microsoft Global Secure Access to strengthen the security of the enterprises he worked with!)

Great post, Rand — super relevant to a project I’m working on where we’re migrating a set of Oracle workloads to Azure and integrating Entra ID for authentication.
