Thrilled to announce our role as ‘Product Launch Partner’ for Microsoft's Security Service Edge (SSE) solution, Global Secure Access, which includes Microsoft Entra Internet & Private Access. Our collaboration with Microsoft in several private previews has refined these features to benefit not just our teams but also our customers, integrating their needs into a seamless and secure cloud experience. Discover how our expertise in a 100% cloud-based approach and Zero Trust design is transforming modern workplace and identity-centric security.

glueckkanja is Launch Partner for Microsoft's SSE Solution

glueckkanja has been announced as one of the ‘Product Launch Partners’ for Microsoft’s Security Service Edge (SSE) solution, Global Secure Access, including Microsoft Entra Internet & Private Access.

With many years of experience in a 100% cloud approach, we offer extensive support in implementing a consistent Zero Trust design, and Global Secure Access fits seamlessly into this strategy! It is now a key component of our modern workplace and identity-centric security blueprint, starting from proof of concept to managed services.

We have been working on workplace and security projects for years, successfully separating clients from the data center and deploying highly efficient, secure cloud-managed clients. However, a modern 100% cloud client does not automatically eliminate legacy environments; it still needs to access services within them. In addition, many security teams believe that security capabilities are necessary beyond the client, within the network stack.

Unfortunately, in many projects, we observed our Future Workplace clients being integrated into the data center environments using outdated VPN solutions, and various ‘Zero Trust’ solutions were obstructing traffic between the clients and Microsoft 365.

We are therefore very pleased that we can now use Entra Private Access, a genuine identity-centric Zero Trust Network Access solution for the most complex data center environments, as a replacement for VPN solutions. We will also use Entra Internet Access, an identity-centric Secure Web Gateway solution with Conditional Access integration, in our projects.

What is Global Secure Access?

Global Secure Access is designed to deliver security services through the cloud, supporting managed devices across all major platforms. This includes integration with identity providers and security tools such as XDR or SIEM.

GSA Architecture

The architecture of the SSE solution is divided into two main areas, each with different components:

  • Internet Access features an identity-centered Secure Web Gateway (SWG) that functions similarly to a forward proxy. It not only protects against malware and other threats but also performs URL category filtering.
  • Private Access is an identity-centered Zero Trust Network Access (ZTNA) solution that allows granular and consistent access to non-public applications regardless of their location, implementing detailed context-based access control.

What is the difference between Global Secure Access and my VPN gateway / proxy?

Both Entra Internet Access and Entra Private Access feature Conditional Access integration, enabling strong authentication and device compliance enforcement, including Microsoft Defender for Endpoint integration, at the authentication layer. Microsoft is also working on additional enforcement mechanisms at the data layer through Continuous Access Evaluation to address advanced token theft scenarios.

Even newer VPN gateways typically cover the initial authentication of the user via RADIUS or SAML, granting access to the environment – often for an extended period – regardless of whether the user or client is involved in a security incident. This one-time authenticated access generally applies to the entire internal network, with the same set of rules applicable to all users.

Entra Private Access is designed to combine individual network segments into Enterprise Apps, then individually assign, authenticate and restrict users with Conditional Access.

Full Tunnel vs App based Tunnel

In my experience, the primary issue with secure web gateways is the poor integration with identity providers. While the early variants brought ADFS farms to their knees with masses of SAML requests causing massive disruptions, the providers have now moved to one-time authentication and then work with their own long-lived cookies.

The second major issue is the exclusion of Microsoft URLs and IPs from the proxy ruleset. This traffic simply does not need a proxy between the client and trusted services such as M365, and a proxy there in fact causes various problems and performance loss. I have yet to see a provider where this works without an accident.

Entra Internet Access is part of most enterprise cloud identity providers and has very strong Conditional Access integration.

Would you like to know more about it?

We have extensive experience in the areas of identity, security, workplace and network. With Global Secure Access, we bring all these aspects together. Say goodbye to outdated VPN and web proxy solutions and take full advantage of the possibilities of Microsoft’s SSE solution. We look forward to hearing from you!