Q&A

Microsoft's Security Service Edge Aims To Bridge Network and Identity Security

Microsoft Identity VP Alex Simons answered questions about Security Service Edge and the new Entra products.

Microsoft's Entra product announcements on Tuesday elicited some questions, which were answered today by Alex Simons, corporate vice president of product management at the Microsoft Identity and Network Access Division.

In essence, Microsoft introduced previews of two new Microsoft Entra products (Entra Internet Access and Microsoft Entra Private Access) and renamed Entra Azure Active Directory as "Entra ID," but it also introduced its Security Service Edge (SSE) solution.

In a July 11 "Reimagine Secure Access with Microsoft Entra" event (available on demand), Simons explained that SSE aims to address identity and network security issues together, better enabling zero-trust scenarios for organizations:

Most networking services have no idea about what an application actually is. And that's a very strong concept that we understand in identity. We can identify specific applications. But in the identity world, it's very hard to do things like, for instance, session termination. But that's really easy in the networking world. So, by combining the strengths of networking and the strengths of identity together in one kind of integrated solution, we're able to bring a much more complete, kind of like multiple levels of protection, to our customers as they move into a zero trust world.

SSE and the new products will help organizations enforce Conditional Access policies for network access and apps use, per Microsoft's descriptions, and it'll work with existing network and security solutions.

Below are Simons' answers to my perhaps naïve questions (edited for brevity).

Redmond: Does Microsoft consider the Security Service Edge (SSE) to be the architecture encompassing Microsoft Defender for Cloud Apps, plus the newly announced Microsoft Entra Internet Access and Private Access products, or is SSE a product that Microsoft will be selling?
Simons: Yesterday we announced our first SSE offerings, Entra Private Access and Entra Internet Access. Our primary focus for those services right now is to learn from our customers, rapidly iterate to improve them and get them into General Availability as quickly as possible. As we approach the GA date, we will be sharing more about our go-forward plans and some of the exciting integrations we have planned internally and with a set of strategic partners.

"[Microsoft is] combining the strengths of networking and the strengths of identity together in one kind of integrated solution" ... [for] "a zero trust world."

Alex Simons, corporate vice president of product management at the Microsoft Identity and Network Access Division.

Is Microsoft Entra Private Access going to be the replacement for Azure Active Directory Application Proxy? Can it be used instead of a VPN (virtual private network)?
Microsoft Entra Private Access is a premium version of Azure AD Application Proxy and builds on top of/expands both the cloud and on-premises components of that solution. It is a Zero Trust-based identity aware network security service that provides employees anywhere access to any on-premises application or resource, giving companies a scalable, highly secure alternative to traditional VPN solutions.

How does Microsoft characterize the new Entra Internet Access product? How does it differ from Microsoft Defender for Cloud Apps?
Entra Internet Access is logically similar to a traditional Internet firewall. It enables security professionals to prevent employees from visiting risky or noncompliant Websites and SaaS services and protects them from downloading potentially dangerous/malicious content or applications. For instance, an admin might use Entra Internet Access to block access to gambling and sports betting sites from company-provided PC’s and smart phones.

Defender for Cloud is a CASB [cloud access security broker] service which protects the content and usage of business-related SaaS apps. So, for instance, an admin might use it to block the download of sensitive customer records from Salesforce.com or to prevent employees from uploading confidential documents to DropBox.

Do the Microsoft Entra products all get their own dashboards within the new Microsoft Entra Admin Center portal that was introduced last year?
All of the Microsoft Entra family of products have their admin consoles in the Entra Admin center.

With the current Entra product push, how does Microsoft conceive of its venerable Active Directory solution?
Windows Server Active Directory continues to be a critical component of many enterprises on-premises infrastructure and while it is not an area of major new investment, we plan to continue to support and patch it for many years to come.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

comments powered by Disqus

Subscribe on YouTube

Upcoming Training Events