MS Entra SSE, MS Entra Internet Access and Private Access

Microsoft Entra Security Service Edge (SSE) is a new identity-centric security solution designed to provide secure, seamless access to applications and resources, regardless of whether they are cloud-based or on-premises. It is composed of two key products: Microsoft Entra Internet Access and Microsoft Entra Private Access. Together, these products aim to unify identity and network security, which were traditionally handled separately, creating a holistic approach to protecting digital environments.

What is MS Entra SSE?

MS Entra SSE brings together network and identity access controls under one umbrella, addressing the need for secure access in increasingly complex environments. With the rise of hybrid work, cloud adoption, and sophisticated cyberattacks, traditional network security measures like VPNs have become insufficient, leading to security gaps and poor user experience. The SSE solution leverages Zero Trust principles, identity governance, and granular Conditional Access policies to protect access to resources from any location, device, or network.


Why Use MS Entra SSE?

Microsoft Entra SSE offers several benefits:

  • Enhanced Security: It replaces legacy VPNs with modern, identity-based Zero Trust Network Access (ZTNA), which reduces the risk of lateral movement in case of a breach.
  • Improved User Experience: It provides seamless, fast access to private and public applications without requiring cumbersome VPN connections, ensuring a consistent experience whether users are on-premises or remote.
  • Unified Policy Enforcement: SSE enables you to enforce consistent Conditional Access policies across all apps and resources, unifying identity and network security for a more comprehensive defense.


What Problem Does it Solve?

Before Entra SSE, organizations had to manage network security and identity security separately. Traditional solutions like VPNs created implicit trust within networks, which exposed organizations to greater risks, especially when malicious actors gained access. Moreover, managing separate identity and network security tools resulted in fragmented policies and blind spots that attackers could exploit.


SSE addresses these challenges by:

  1. Eliminating the Need for VPNs: Legacy VPNs granted broad network access, whereas SSE grants precise access to specific applications, minimizing exposure to threats.
  2. Unifying Identity and Network Security: SSE ensures that network access is governed by identity-based policies, allowing for greater control and reducing the likelihood of breaches due to unprotected access points.
  3. Providing Zero Trust Security: With ZTNA at its core, SSE continuously verifies identities and access permissions, closing security gaps that might exist in traditional models.


How Were Things Before?

Prior to the introduction of SSE, organizations relied on a combination of siloed network security tools (like firewalls, VPNs, and SWGs) and separate identity management solutions. This disjointed approach led to increased complexity, inconsistent security policies, and difficulty in adapting to modern threats such as phishing, token theft, and lateral movement within networks.


MS Entra SSE solves these problems by offering an integrated, identity-centric model for securing access to resources, improving security posture, and enhancing the user experience, especially in remote and hybrid work scenarios.


**********************************************************************************************************************************************************************


Microsoft Entra Internet Access is a part of Microsoft's Security Service Edge (SSE) solution, designed as an identity-centric Secure Web Gateway (SWG). It provides secure access to all internet-based resources, including SaaS applications and Microsoft 365, while enhancing network security by integrating identity policies with network traffic management. The service introduces advanced threat protection mechanisms, such as web content filtering, TLS inspection, and adaptive access controls, which are based on Conditional Access policies.

Key Capabilities:

  1. Context-Aware SWG: Protects users and devices from malicious internet traffic by implementing web content filtering based on the context of the user’s identity, device, and location.
  2. Universal Conditional Access: Extends Conditional Access policies to any network destination, allowing organizations to apply consistent, adaptive access controls across all internet traffic.
  3. Compliant Network: Prevents users from bypassing network security, offering protection against token theft and ensuring that all traffic passes through a secure network edge.
  4. Universal Tenant Restrictions: Provides robust data exfiltration controls by restricting access to external identities and tenants that are not compliant with organizational policies.
  5. Source IP Restoration: Maintains the user’s original source IP address, ensuring compatibility with trusted location policies and improving the accuracy of security logging and risk detections.


Why Use It?

Microsoft Entra Internet Access helps secure internet-facing applications and endpoints by converging network and identity security policies. It reduces security gaps that were traditionally caused by disparate network and identity management tools, which led to inconsistencies in policy enforcement and exposed organizations to more significant threats.


Microsoft Entra Private Access

Microsoft Entra Private Access offers Zero Trust Network Access (ZTNA) for private applications across on-premises, hybrid, and cloud environments. It replaces traditional VPNs with a more secure, identity-based solution that enforces least-privilege access. The service ensures users can securely access private resources without the risks associated with VPNs, such as excessive lateral movement and implicit trust.


Key Capabilities:

  1. Per-App Conditional Access: Enables fine-grained, least-privilege access controls for each application based on the user’s identity, device compliance, and location.
  2. Fast VPN Replacement: Quick Access simplifies the transition from legacy VPNs to ZTNA by allowing organizations to onboard private apps quickly, without changing the underlying infrastructure.
  3. Enhanced Security for Legacy Apps: Allows modern security controls like multi-factor authentication (MFA) and device compliance checks even for legacy applications like RDP, SSH, and SMB, which traditionally had weaker security measures.
  4. Automatic Application Onboarding: Discovers and secures private applications hosted across various environments, enabling organizations to apply consistent security policies to all apps, regardless of where they are hosted.
  5. Intelligent Local Access: Ensures users maintain a consistent security posture whether they are on the corporate network or accessing applications remotely, aligning with the principles of Zero Trust.

Why Use It?

Microsoft Entra Private Access modernizes access to private applications by eliminating the security risks associated with VPNs, such as implicit trust and unrestricted network access. It offers more granular, identity-based control that aligns with the Zero Trust security model, improving both security and user experience, especially in hybrid and remote work environments.


**********************************************************************************************************************************************************************


Let’s break this down with a simple example involving a company that has both employees working remotely and some on-site, with everyone needing access to various applications—some are internet-based, while others are internal private applications.

Before MS Entra Internet and Private Access:

  1. Internet Access: Employees accessing SaaS apps like Microsoft 365 or cloud applications had to use traditional VPNs or corporate firewalls to route all their internet traffic through the company’s network. This caused bottlenecks and slowed down access because all traffic had to be checked at a few central points before reaching the internet. Even worse, users could potentially bypass security checks by directly accessing SaaS apps, exposing the organization to threats like phishing, malware, or data breaches.
  2. Private Application Access: Employees working remotely needed to access internal applications like file servers or databases hosted within the company’s data center. They would rely on VPNs to connect to the corporate network, which granted them access to the entire network, not just the specific app they needed. This led to excessive access, where if a malicious actor compromised one user’s VPN, they could potentially move through the network and access other sensitive resources (called lateral movement).

With MS Entra Internet and Private Access:

  1. MS Entra Internet Access: Now, instead of routing all internet traffic through a traditional VPN or firewall, Microsoft Entra Internet Access provides a Secure Web Gateway (SWG) that is identity-centric. This means:
    • When employees access SaaS apps or browse the web, their identity is checked first. Access to these apps is governed by policies, ensuring that only compliant, authenticated users can reach the internet resources safely.
    • The system applies Conditional Access policies based on who the user is, where they are accessing from, and the device they are using. So, if an employee is trying to access Microsoft 365 from an unfamiliar location, additional security checks like multi-factor authentication (MFA) are applied to ensure they are legitimate.
    • This approach optimizes traffic, meaning faster access to internet apps like Microsoft 365, without the bottlenecks of traditional VPNs, while maintaining security by blocking access to dangerous or non-compliant content.

How it’s better: Employees now get faster, more secure internet access. Instead of routing all traffic through a VPN, the system applies security checks directly based on their identity and device, ensuring protection while improving performance.

  2. MS Entra Private Access: Instead of using a VPN that grants access to the entire network, Microsoft Entra Private Access applies Zero Trust principles. Here’s how it works:
    • Employees remotely accessing internal apps no longer need broad VPN access. They are granted specific access to only the apps they need, such as an internal HR system or a finance database.
    • The system uses Conditional Access and Zero Trust policies to ensure that the employee’s device is secure, the connection is verified, and access is only granted on a per-app basis.
    • Even legacy apps that don’t support modern security features can now be protected with multi-factor authentication and other security checks, without modifying the applications themselves.

How it’s better: Employees get secure, direct access to only the apps they need, whether they are working from home or on the road. There’s no longer a need to expose the whole network, reducing the risk of lateral movement if one user is compromised. This makes remote access more secure and streamlined.

Summary in Simple Terms:

  • Before: Everyone used VPNs for everything—whether accessing SaaS apps or internal apps—leading to slower performance, excessive access, and security gaps.
  • After MS Entra: SaaS apps are accessed securely and quickly through identity-based internet controls (Entra Internet Access), and internal apps are accessed with granular, app-specific security without needing broad VPNs (Entra Private Access).

This new approach boosts security, improves performance, and reduces risks compared to traditional methods.

**********************************************************************************************************************************************************************


Implementing Microsoft Entra Internet Access and Microsoft Entra Private Access involves a few key steps that ensure your environment is ready for identity-centric security. Here's a high-level guide to get you started:

Step 1: Assess Your Current Environment

Before implementing these solutions, it's important to understand your existing network and security setup:

  • Identify which applications (SaaS or internal) your employees need to access (e.g., Microsoft 365, other SaaS apps, internal HR or finance apps).
  • Evaluate your current network security model, including VPN usage, firewalls, and existing identity management solutions like Azure Active Directory (AAD).
  • Assess the devices used by your employees (laptops, mobile devices, etc.) and ensure they are compliant with security policies.

Step 2: Plan for Conditional Access Policies

Microsoft Entra heavily relies on Conditional Access policies to govern access to applications based on user identity, location, device compliance, and risk level.

  • Define Conditional Access policies: Decide on the conditions that should trigger different levels of security, such as requiring multi-factor authentication (MFA) for access from unfamiliar locations or blocking non-compliant devices.
  • For Internet Access, you will configure policies that apply to SaaS applications and general internet usage. For example, enforce web filtering and TLS inspection for secure browsing.
  • For Private Access, create policies that limit access to specific internal applications, ensuring users only get what they need and are verified before accessing these apps.

Step 3: Set Up Microsoft Entra Internet Access

  1. Navigate to Microsoft Entra Admin Center:
    • Go to the Microsoft Entra section of the Azure portal or Microsoft Entra Admin Center.
  2. Configure Internet Access:
    • Use the built-in templates to create Secure Web Gateway (SWG) policies. These will control user access to SaaS applications and internet destinations based on the Conditional Access policies you’ve defined.
    • Enable Universal Conditional Access: This allows you to apply security checks to any internet traffic, including external websites and SaaS applications.
  3. Implement Web Filtering:
    • Set up web content filtering to block unsafe or non-compliant content. This can include filtering by URL categories or restricting specific websites based on security policies.

Step 4: Set Up Microsoft Entra Private Access

  1. Enable Zero Trust Network Access (ZTNA):
    • In the Microsoft Entra Admin Center, start by enabling Private Access for your organization.
    • Configure Quick Access to onboard your private applications (e.g., internal HR systems, databases) that employees need to access remotely.
  2. Define Application-Specific Access:
    • Set up per-application Conditional Access policies to enforce least-privilege access. This means users only get access to the apps they need, rather than the entire network.
    • For legacy applications, configure multi-factor authentication (MFA) and other security measures without needing to modify the app itself.
  3. Deploy the Global Secure Access Client:
    • Install the Global Secure Access client on users’ devices. This client ensures secure, seamless access to internal apps without needing a VPN.
    • You can deploy the client through Microsoft Intune or other mobile device management (MDM) platforms.

Step 5: Monitor and Adjust

  1. Review Security Reports and Logs:
    • Microsoft Entra provides detailed insights and analytics through its admin dashboard. Monitor these to understand how policies are being enforced and to identify any security gaps or anomalies.
  2. Refine Conditional Access Policies:
    • Based on usage patterns and security reports, you can fine-tune Conditional Access policies to strengthen security or improve the user experience.

Step 6: Rollout and Educate Users

  1. Pilot the Solution:
    • Start with a small group of users or a single department to test Microsoft Entra Internet and Private Access. Monitor their experience and troubleshoot any issues before a full-scale rollout.
  2. Train Employees:
    • Educate users on the new processes, such as no longer needing a VPN for internal app access or understanding why additional authentication might be required in some cases.

Step 7: Scale and Maintain

  • Expand rollout to the broader organization, ensuring that all devices are compliant, and all applications (both internet-facing and private) are properly configured.
  • Regularly update policies as new security threats arise or organizational needs change. Microsoft will continue to release updates and features to enhance these services, so keeping the system updated is crucial.

By following these steps, you’ll successfully implement Microsoft Entra Internet and Private Access, moving towards a Zero Trust security model that is more secure, scalable, and efficient for modern hybrid work environments.
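The Conditional Access part of this guide can be rehearsed from PowerShell before anyone touches the portal. The block below is an added example, not code from the original post or from Microsoft: it creates the two policies described in Step 2 (MFA for Office 365 outside trusted locations, and a compliant-device requirement) in report-only mode so the Step 6 pilot shows who would have been challenged, then pulls the report-only outcomes from the sign-in logs reviewed in Step 5. The Microsoft.Graph SDK, a Conditional Access Administrator account, the pilot group name GSA-Pilot-Users and the policy display names are assumptions.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph
# PowerShell SDK, a Conditional Access Administrator account, and a pilot
# group named 'GSA-Pilot-Users' (hypothetical name; create it beforehand).
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports

function New-PilotConditionalAccessPolicies {
    param([string]$PilotGroupName = 'GSA-Pilot-Users')

    $group = Get-MgGroup -Filter "displayName eq '$PilotGroupName'"
    if (-not $group) { throw "Pilot group '$PilotGroupName' not found." }

    # Both policies start as report-only: they are evaluated and logged on every
    # sign-in but never enforced, so the pilot (Step 6) reveals who would have
    # been challenged or blocked before any user is affected.
    $reportOnly = 'enabledForReportingButNotEnforced'

    # Policy 1: MFA for Office 365 unless the request comes from a trusted named
    # location (the "unfamiliar location" case in Step 2).
    $mfaOutsideTrusted = @{
        displayName   = 'CA-Pilot-01 Require MFA for Office 365 outside trusted locations'
        state         = $reportOnly
        conditions    = @{
            clientAppTypes = @('all')
            users          = @{ includeGroups = @($group.Id) }
            applications   = @{ includeApplications = @('Office365') }
            locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }

    # Policy 2: require an Intune-compliant device for every cloud app. Devices
    # that are not compliant (or not registered) cannot satisfy the grant, which
    # is how "blocking non-compliant devices" is expressed in Conditional Access.
    $requireCompliantDevice = @{
        displayName   = 'CA-Pilot-02 Require compliant device for all cloud apps'
        state         = $reportOnly
        conditions    = @{
            clientAppTypes = @('all')
            users          = @{ includeGroups = @($group.Id) }
            applications   = @{ includeApplications = @('All') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    }

    foreach ($body in @($mfaOutsideTrusted, $requireCompliantDevice)) {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    }
}

function Get-ReportOnlyFailures {
    # Lists sign-ins where a report-only policy would have interrupted the user.
    # Each sign-in carries one appliedConditionalAccessPolicies entry per policy;
    # a result of 'reportOnlyFailure' means the grant controls were not satisfied.
    param(
        [Parameter(Mandatory)][string[]]$PolicyId,
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All | ForEach-Object {
        $signIn = $_
        $signIn.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -in $PolicyId -and $_.Result -eq 'reportOnlyFailure' } |
            ForEach-Object {
                [pscustomobject]@{
                    When      = $signIn.CreatedDateTime
                    User      = $signIn.UserPrincipalName
                    App       = $signIn.AppDisplayName
                    Location  = '{0}, {1}' -f $signIn.Location.City, $signIn.Location.CountryOrRegion
                    Compliant = $signIn.DeviceDetail.IsCompliant
                    Policy    = $_.DisplayName
                }
            }
    }
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'
$policies = New-PilotConditionalAccessPolicies
$policies | Select-Object DisplayName, State, Id
# After a few days of pilot traffic, review who the policies would have affected
# before switching their state to 'enabled'.
Get-ReportOnlyFailures -PolicyId $policies.Id | Format-Table -AutoSize
```

Once the report-only results look right for the pilot group, the same bodies can be re-submitted with state 'enabled' and the group widened as Step 7 describes.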

**********************************************************************************************************************************************************************


Let's walk through an example using a scenario of a remote employee, Alice, who needs to access two different types of applications: an internet-based SaaS app (e.g., Microsoft 365) and an internal finance application hosted within the company's private data center.

We’ll compare the traffic flow before and after implementing Microsoft Entra Internet Access and Microsoft Entra Private Access.

Scenario 1: Before Implementing Microsoft Entra

Alice Accessing SaaS Application (Microsoft 365) via VPN:

  1. Alice connects to a VPN: Alice, working from home, connects to the corporate VPN to access Microsoft 365. All her internet traffic is now routed through the company's VPN concentrator/firewall.
  2. Traffic passes through the corporate network: Even though Microsoft 365 is a SaaS application that doesn't reside on the corporate network, Alice’s traffic is still directed through the company's internal network for security checks. This "hairpinning" increases latency and slows down her access to the app.
  3. VPN exposes the corporate network: While Alice only needs access to Microsoft 365, her VPN connection potentially exposes the entire corporate network, increasing the risk of lateral movement if her device is compromised.
  4. Alice accesses Microsoft 365: After passing through the VPN and corporate firewall, Alice’s request finally reaches Microsoft 365, and she can start using the app.

Alice Accessing the Internal Finance Application via VPN:

  1. Alice connects to a VPN: Just as with the SaaS app, Alice connects to the corporate VPN to access the internal finance application hosted in the company's data center.
  2. Full network access is granted: Once connected, Alice has access to the entire internal network, even though she only needs to use one specific application.
  3. Application request is routed through the network: Alice’s request is routed through the corporate network to the data center, where the finance application is hosted. If Alice’s VPN session is compromised, an attacker could potentially move laterally across the network and gain access to other systems.
  4. Alice accesses the finance app: After navigating through the network, Alice can finally access the finance app.

Scenario 2: After Implementing Microsoft Entra

Alice Accessing SaaS Application (Microsoft 365) via Microsoft Entra Internet Access:

  1. Alice requests access to Microsoft 365: Working remotely, Alice opens her browser and requests access to Microsoft 365. Instead of using a VPN, her request is intercepted by Microsoft Entra Internet Access.
  2. Conditional Access policies are applied: Microsoft Entra checks Alice’s identity, device compliance, and location. For instance, if Alice is using a trusted device in a familiar location, she might be granted immediate access. If she’s using a new device from an unfamiliar location, she may be prompted for multi-factor authentication (MFA).
  3. Request flows through the Secure Web Gateway (SWG): After passing Conditional Access checks, her request is routed securely through the SWG. This SWG inspects traffic, filters web content, and ensures that her connection is compliant with corporate security policies.
  4. Direct access to Microsoft 365: Alice’s request is sent directly to Microsoft 365 without the need to pass through the corporate network. This reduces latency and improves performance since there’s no unnecessary detour through the company’s internal network.
  5. Alice accesses Microsoft 365: She can now work efficiently, with her traffic protected by the SWG, and her identity and device verified securely.

Alice Accessing the Internal Finance Application via Microsoft Entra Private Access:

  1. Alice requests access to the finance app: Instead of connecting through a VPN, Alice’s request to access the internal finance app is intercepted by Microsoft Entra Private Access.
  2. Conditional Access and Zero Trust policies are applied: Microsoft Entra verifies Alice’s identity and checks her device compliance. It also enforces least privilege access, ensuring Alice only gets access to the finance app and nothing else on the network.
  3. Direct connection to the finance app: Since the finance app is hosted internally, Microsoft Entra establishes a secure, encrypted connection between Alice’s device and the specific app. Unlike VPNs, which expose the entire network, Microsoft Entra Private Access limits the connection strictly to the requested application.
  4. No lateral movement: Even if Alice’s device were compromised, an attacker wouldn’t be able to move laterally across the corporate network because Alice’s access is limited to just the finance app.
  5. Alice accesses the finance app: After successfully passing all security checks, Alice is securely connected to the finance app, and her traffic never touches the broader corporate network.

Summary of Traffic Flow Changes

Before Microsoft Entra:

  • All traffic (internet and internal apps) is routed through a VPN, creating bottlenecks, latency, and exposing the entire corporate network to potential risks.
  • For SaaS apps, traffic unnecessarily hairpins through the corporate network, slowing access and increasing the attack surface.

After Microsoft Entra:

  • Internet Traffic: Traffic to SaaS apps like Microsoft 365 is routed directly through an identity-centric Secure Web Gateway (SWG), reducing latency and improving performance, with Conditional Access applied to ensure secure access.
  • Private App Traffic: Traffic to internal apps is routed directly through a secure connection established by Microsoft Entra Private Access. Alice only has access to the specific app she needs, reducing the risk of lateral movement and eliminating the need for a VPN.

This new approach enhances security, simplifies management, and improves user experience, all while adhering to Zero Trust principles.

**********************************************************************************************************************************************************************


To understand how Microsoft Entra Internet Access and Microsoft Entra Private Access enforce policies on remote devices like Alice’s laptop, we need to dive deeper into how Conditional Access, client software, and Zero Trust mechanisms work together to manage the traffic.

How Traffic Knows About Microsoft Entra Internet Access Policies on a Remote Laptop

1. Entra Client Software on Remote Devices

When Alice is working remotely, her laptop will have a Global Secure Access Client installed. This client is a small piece of software that connects Alice's device to Microsoft's Security Service Edge (SSE) solution. This client ensures that all the traffic generated by her device is appropriately routed and controlled by Microsoft Entra’s policies.

  • Client Installation: The IT team installs this client software on all remote devices, either manually or via Microsoft Intune or another mobile device management (MDM) platform. The Global Secure Access Client ensures that the traffic from Alice's device is inspected and controlled in compliance with company policies.
  • Identity Binding: The Global Secure Access Client binds Alice's device to her identity (via Microsoft Entra ID), so when she tries to access any internet resource or internal app, Microsoft Entra recognizes who she is, what device she’s using, and her device’s security posture (e.g., whether it’s compliant with security policies).

2. Traffic Interception via Microsoft Entra Internet Access

Once Alice starts using her laptop:

  • SaaS/Internet Traffic: Whenever Alice tries to access a SaaS application (e.g., Microsoft 365) or any other internet resource, the Global Secure Access Client routes her traffic through Microsoft Entra Internet Access. This is a Secure Web Gateway (SWG) that applies Conditional Access policies.
  • Conditional Access Enforcement: For every internet request, Microsoft Entra Internet Access checks Alice’s identity, device compliance, and location. For example, if she’s accessing a cloud service from a recognized device and location, she might pass through seamlessly. However, if Alice’s request comes from an unfamiliar place or an unsecured device, the system could enforce additional authentication steps or block access altogether.
  • Continuous Monitoring: Even after Alice is granted access, Microsoft Entra Internet Access continuously evaluates her session for any anomalies (e.g., unusual behaviors like token theft or risky network conditions), ensuring that security is upheld throughout the session.

How Traffic Knows About Microsoft Entra Private Access for Private Apps

1. Client-Driven App Access (Global Secure Access Client)

For accessing private applications, the Global Secure Access Client on Alice’s laptop also plays a critical role in establishing secure, app-specific connections based on Zero Trust principles.

  • Triggering the Private Access: When Alice tries to access an internal private app (e.g., a finance application hosted in the corporate data center), her request doesn’t go through a traditional VPN. Instead, the Global Secure Access Client routes the traffic to Microsoft Entra Private Access, which applies Zero Trust policies.
  • App-Specific Access: Unlike a VPN that grants broad network access, Microsoft Entra Private Access enforces per-app access. This means Alice’s device is only granted access to the specific application she needs, and not the entire internal network.

2. Zero Trust Policy Enforcement

  • Identity Verification: Before granting Alice access to the internal finance app, Microsoft Entra Private Access checks her identity via Conditional Access policies (e.g., confirming that she is indeed Alice, and not an attacker using her credentials).
  • Device Compliance Check: The Global Secure Access Client continuously monitors the health of Alice’s laptop to ensure it meets corporate security policies (e.g., encryption, antivirus, and OS patch levels). If her device fails these checks, access to the private app is denied, and remediation steps might be suggested.
  • Secure Connection: Once verified, Alice’s connection to the finance app is secured via encrypted tunnels established by Microsoft Entra Private Access. These tunnels connect her device directly to the application she needs without exposing other parts of the network.
  • Ongoing Monitoring: Similar to internet access, the connection to the internal app is monitored continuously. If any unusual activity is detected (e.g., Alice suddenly tries to connect from a different geographic location), the session can be terminated, or Alice may be prompted for further authentication.

Flow Summary for SaaS (Internet) and Private App Access

  1. SaaS App Access (Internet Access):
    • Alice opens her browser to access Microsoft 365.
    • Global Secure Access Client routes the traffic to Microsoft Entra Internet Access.
    • Conditional Access policies check her identity, device, and location.
    • If compliant, she gets secure, optimized access to Microsoft 365 without using a VPN, with ongoing session monitoring.
    • If non-compliant, additional authentication or denial of access occurs.
  2. Private App Access (Private Access):
    • Alice tries to access a finance application hosted on the corporate network.
    • Global Secure Access Client routes this request to Microsoft Entra Private Access.
    • Conditional Access policies verify her identity and device security.
    • A secure, encrypted connection is established, granting her access only to the finance app without exposing the rest of the network.
    • The session is continuously monitored for any signs of compromise, and access can be revoked if needed.

How It’s Better Than Before

  • No VPN Required: In both cases, the need for a broad network VPN is eliminated. Instead, traffic is routed based on identity and device compliance, directly to the specific resource (whether SaaS or private).
  • Granular Control: Microsoft Entra applies Conditional Access and Zero Trust policies on a per-application basis, limiting exposure and enhancing security.
  • Better Performance: SaaS traffic flows directly to the cloud apps through optimized paths, improving performance and reducing latency, while private app access is secured at the application level without broad network exposure.

This approach aligns with Zero Trust principles, ensuring every request is authenticated, authorized, and monitored continuously, whether for internet apps or internal resources.

 

