Microsoft is jumping into the competitive Secure Service Edge (SSE) arena with a software package aimed at protecting its Windows and Azure customers as well as other cloud-based enterprise resources.
The new software is part of Microsoft’s Entra identity and network access suite, and it features two new elements – Entra Internet Access and Entra Private Access – that will control and secure access to cloud-based resources. Those two new pieces, coupled with Microsoft’s existing SaaS-focused cloud-access security broker (CASB), called Microsoft Defender for Cloud Apps, comprise Microsoft's SSE package.
SSE packages, according to Gartner, include access control, threat protection, data security, security monitoring, and acceptable-use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service, and it may include on-premises or agent-based components, the research firm says.
As for the new components, Microsoft Entra Internet Access is a secure web gateway (SWG) for SaaS apps and internet traffic that protects against malicious internet traffic, unsafe or non-compliant content, and other threats from the open internet.
“For example, you can block access to all external destinations for your high-risk users or non-compliant devices except self-service password reset pages,” according to a blog by Sinead O'Donovan, vice president of product management with Microsoft’s identity and network access division. “It also extends the conditions of conditional access with network conditions and would prevent, for example, a stolen access session token from being replayed by requiring a user to be on a ‘compliant network’ to access resources.”
Entra Private Access implements zero trust network access (ZTNA) technology for controlling access to private applications, no matter where the user is – in the office or remote – and regardless of where the application is hosted – a local on-premises data center or in any public cloud, according to O’Donovan.
“Customers don’t need to make any changes to applications or resources to add another layer of security controls such as multifactor authentication (MFA), device compliance check, identity protection, identity governance, and single sign-on to any TCP/UDP-based application, including SSH, RDP, SAP, and SMB file shares and other private resources,” O’Donovan stated.
Using attribute-based conditional access policies, customers can create simple policies to more effectively target groups of applications based on the sensitivity of the application for the enterprise. Examples of such policies include requiring MFA, device compliance, low user risk, compliant network for highly sensitive applications, or even specific per application conditional access policies, O’Donovan wrote.
“With deep integration with conditional access and continuous access [security features in Azure] evaluation, you can enable secure, seamless access with modern authentication in front of legacy auth protocols such as Kerberos or [Microsoft Windows New Technology LAN Manager] without changing legacy apps,” O’Donovan stated.
Internet Access and Private Access share the same agent, which works across operating systems and provides consistent connectivity across devices and networks. Customers can enforce unified conditional access policies that consider identity, device, application, and now network conditions with any application or website, regardless of which IdP the application uses and without changing those applications, O’Donovan stated.
The SSE market includes players such as Palo Alto, Zscaler, Netskope and others. Most recently, Cisco announced its SSE offering that aims to help enterprises securely connect growing edge resources, including cloud, private and SaaS applications.
Cisco’s SSE package, called Cisco Secure Access, features ZTNA, SWG, CASB, firewall as a service (FWaaS), DNS security, remote browser isolation (RBI) and other security capabilities. It’s designed to secure any application via any port or protocol, with optimised performance and continuous verification and granting of trust—all from a single, cloud-managed dashboard, Cisco said.
Analysts say Microsoft, while late to the market, will be a welcome player in the SSE arena given its large customer base.
“Cisco, Palo Alto Networks, Symantec, and Zscaler have a multi-year start over Microsoft. Gaining momentum in a crowded market will take work,” wrote Dell'Oro Group research director Mauricio Sanchez in a blog about the SSE announcement.
“Everyone knows who Microsoft is and generally enjoys substantial goodwill among its customer base. A large salesforce and partner ecosystem will open many doors,” Sanchez stated. “Large enterprises that are strong Microsoft shops and take advantage of Microsoft’s Enterprise Licensing Agreement benefits could lead to significant uptake of Microsoft SSE solution.”
Also, no other SSE vendor has the same identity vendor chops that Microsoft brings. SSE is identity-heavy, which Microsoft can exploit by owning the identity use cases end-to-end, Sanchez stated.
Microsoft Windows and Office 365 clients can preview the SSE software, and it will be generally available for other operating systems later this year.