Introduction to Microsoft Global Secure Access (GSA)
Introduction
A new star is on the horizon: Global Secure Access. As part of the identity security portfolio of Microsoft Entra, GSA is the new network security component intended to provide holistic security.
Global Secure Access in Microsoft Entra combines Internet Access and Private Access based on Zero Trust principles. It provides secure access to SaaS apps, the Internet, and private resources, protects users and data through various security components, and enables location-independent access to internal resources. Delivered via Microsoft's global network, it optimizes both security and performance and integrates into Microsoft Entra Security.
Why I like GSA
- Everything is integrated into the Microsoft ecosystem for a holistic security architecture
- Provides access to on-premises apps and secures web traffic without additional third-party software
- Setup and configuration are very easy
- No maintenance tasks, and continuous improvements are made by Microsoft
Identity-centric SSE solution

SSE
Microsoft's Security Service Edge (SSE) enforces security policies such as threat protection and access control directly at the edge, near the user, without requiring traditional network security appliances. It runs on Microsoft's global network with 190+ edge sites, providing low-latency, high-performance connections and secure access to apps and resources anywhere in the world.
Objectives
- Strengthen security through identity-driven access
- Networking, but cloud-native, aiming to raise security by:
  - Applying policy profiles / routing traffic
  - Setting web filtering policies
  - Connecting with Conditional Access policies to apply access controls
- Cross the boundary between corporate/private networks and the public Internet
- Leverage Microsoft's global network backbone for optimized connectivity
- Provide a seamless user experience
Use Cases
The following use cases are widespread across customers and their GSA usage:
- Replace VPN with RDP to on-premises servers through Private Access, protected by Conditional Access and modern authentication
- Restrict common web content categories
- Require compliant device to access network resources (Signal in CA)
- Limit Internet network access on specialized endpoints
- Monitor network traffic and apply restrictions
Security
- The whole new product is part of Entra and integrates seamlessly with Identity Protection and Conditional Access. Based on Zero Trust principles, it provides secure authentication, applies tenant restrictions, detects (risk) signals and correlates activity data.
- The Global Secure Access client for Windows, macOS, Android and iOS/iPadOS is an agent that monitors and routes network traffic over the Microsoft backbone and applies controls
- Alternatively, configure a remote network in which your customer premises equipment (CPE) connects to the Global Secure Access service through an IPsec tunnel (no client installation is needed, but coverage then depends on the network the device is on)
- Defender for Cloud Apps gives further insight as a cloud access security broker (CASB) between your identities and cloud apps, and allows policies for app governance
Access Channels
The traffic from three app/resource channels can be differently treated:
- Microsoft 365 - all traffic to Microsoft network endpoints
- Private access - traffic to on-premises hosted apps
- Internet access - traffic to any other network/the Internet
Components
Term | Description | Microsoft solution |
---|---|---|
Software-defined wide area network (SD-WAN) | Technology that optimizes and manages multiple sources of network connectivity to enhance the performance, efficiency, manageability and security of wide area networks | Entra SSE |
Secure web gateway (SWG) | Network perimeter protection that filters traffic for particular networks | Microsoft Entra Internet Access |
Cloud access security broker (CASB) | Security solution that provides visibility and control over data and applications as they move between an organization's on-premises infrastructure and cloud environments | Microsoft Defender for Cloud Apps |
Firewall as a service (FWaaS) | Cloud-based security solution that delivers firewall functionality, such as traffic filtering, network protection and policies | Microsoft Entra Internet Access |
Zero Trust Network Access (ZTNA) | Security framework built on Zero Trust and least privilege, in which every identity must be authenticated, authorized and continuously validated before being granted access to company private applications and data | Microsoft Entra Private Access |
Prerequisites
Prerequisite | Description |
---|---|
Licensing | Microsoft Entra Suite, or standalone Microsoft Entra Private Access / Microsoft Entra Internet Access. An additional license is required; GSA is not included in Microsoft 365 E5 or Entra ID P2. |
Network Endpoints | Microsoft 365 endpoints |
Devices | Entra joined or registered, running the latest version of Windows 10/11 (incl. Windows 365; AVD multi-session is not supported), macOS, Android or iOS/iPadOS |
Roles | Global Secure Access Administrator or Global Administrator |
Browser Support | Microsoft Edge or Google Chrome recommended |
Client Software | Global Secure Access client installed |
Conditional Access | Optional, but recommended |
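The device prerequisite above (Entra joined or registered, GSA client installed) can be verified on a Windows endpoint before rollout. The following script is an added example, not part of the original post; it parses the output of the built-in `dsregcmd /status` tool (field names `AzureAdJoined`, `WorkplaceJoined`, `TenantName`, `DeviceId` are taken from that tool's output) and then looks for the client in the installed-programs list. The product name match `*Global Secure Access*` is an assumption; adjust it if your installer reports a different name.

```powershell
# Added example: check GSA device prerequisites on Windows.
# dsregcmd /status prints "   AzureAdJoined : YES" (Entra joined) in the Device State
# section and "   WorkplaceJoined : YES" (Entra registered) in the User State section.
function Get-EntraDeviceState {
    $status = dsregcmd /status
    $fields = @{}
    foreach ($line in $status) {
        # Capture "Key : Value" pairs; later sections overwrite earlier ones with the same key.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        EntraJoined     = ($fields['AzureAdJoined']   -eq 'YES')
        EntraRegistered = ($fields['WorkplaceJoined'] -eq 'YES')
        DomainJoined    = ($fields['DomainJoined']    -eq 'YES')
        TenantName      = $fields['TenantName']
        DeviceId        = $fields['DeviceId']
    }
}

$state = Get-EntraDeviceState
if ($state.EntraJoined -or $state.EntraRegistered) {
    Write-Host "Device is Entra joined/registered in tenant '$($state.TenantName)' (DeviceId $($state.DeviceId))"
} else {
    # Without an Entra device identity the GSA client cannot sign in and no traffic is captured.
    Write-Warning "Device is neither Entra joined nor Entra registered; GSA client prerequisites are not met."
}

# Assumption: the client registers itself in the Programs list with a name containing
# 'Global Secure Access'. The Programs provider is available in Windows PowerShell 5.1.
$client = Get-Package -ProviderName Programs -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*Global Secure Access*' }
if ($client) {
    Write-Host "GSA client installed: $($client.Name) $($client.Version)"
} else {
    Write-Warning "Global Secure Access client not found in installed programs."
}
```

Run it in an elevated Windows PowerShell session on the endpoint; a device that is only domain joined (`DomainJoined : YES`, `AzureAdJoined : NO`) fails the check and needs hybrid join or registration first.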
Conditional Access Integration
Conditional Access is used to activate and enforce GSA channel profiles. It controls the enforcement of Private Access and Internet Access, allowing familiar policies to be applied.
- Different Conditional Access policies can be created to target specific user groups and apply varying security standards
- Private Access is handled in Conditional Access as a target resource: the GSA-enabled enterprise application
- Internet Access is targeted as a traffic profile, and its security profile is applied through a session control
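Because a Private Access application is just a target resource in Conditional Access, the familiar controls apply to it unchanged. The following is an added example (not code from the original post) that implements the "require compliant device" use case from above for a Private Access app with the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns`). The three GUIDs are placeholders you must replace: the app ID of your Private Access enterprise application, the group that should get access, and an emergency-access group that is excluded from the policy.

```powershell
# Added example: Conditional Access policy for a GSA Private Access app.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholders (assumptions) - replace with object IDs from your tenant.
$privateAccessAppId = '00000000-0000-0000-0000-000000000001'  # Private Access enterprise app
$targetGroupId      = '00000000-0000-0000-0000-000000000002'  # users who should get access
$breakGlassGroupId  = '00000000-0000-0000-0000-000000000003'  # emergency access accounts

$policy = @{
    displayName = 'GSA Private Access - require compliant device and MFA'
    # Report-only first: sign-in logs show who would be blocked before anyone is.
    state = 'enabledForReportingButNotEnforced'
    conditions = @{
        users = @{
            includeGroups = @($targetGroupId)
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @($privateAccessAppId)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # AND: the device must be Intune-compliant and the user must satisfy MFA.
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# After reviewing report-only results in the sign-in logs, switch it to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

Keep the break-glass exclusion: a compliant-device requirement on the app that fronts your on-premises servers otherwise locks out administrators whose devices fall out of compliance.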
Read more about Conditional Access:
Internet Access
With Internet Access from Global Secure Access, access to internet resources and apps can be secured, similar to using a proxy. The following can be achieved:
- Allow or block website access using security policies and Conditional Access
- Apply web content filtering policies based on categories
- Monitor traffic
Demo
Private Access
With Private Access from Global Secure Access, access to internal resources and apps is enabled, similar to VPN access, but app-based and fully integrated into Entra ID.
- Enables app-specific access from any network to on-premises resources
- Modernizes and secures authentication and access for legacy apps using Conditional Access
Demo
Conclusion
From my perspective, Microsoft is expanding its identity portfolio with network technology to raise security and provide features that were until now reserved for other vendors.
For an organization with a single-vendor cloud strategy, this is a very welcome addition to the technology stack. Network traffic now becomes a more relevant signal than ever for controlling Internet access to external resources with Entra ID, enterprise app management and Conditional Access (and more). For Private Access, it enables a whole new set of capabilities by bringing on-premises apps, resources and protocols to endpoints through the identity layer.
Microsoft Global Secure Access is a powerful addition to the Microsoft cloud security ecosystem.
