Security Service Edge (SSE) in a Secure Access Service Edge (SASE) Framework

In this post I will cover two different providers for SSE, and in my opinion these are the top-notch ones. Let me explain why, and then you can agree or disagree; I am just giving my opinion.

But first let’s see what these acronyms mean for us.

SSE and SASE

Security Service Edge (SSE) can be considered a subset of the Secure Access Service Edge (SASE) framework. SASE covers a broader range of services and capabilities, of which SSE is one component. Here is why SSE can be seen as a subset of SASE:

  • SSE as a Component of SASE: SASE is a comprehensive framework that integrates security and networking services into a single cloud-delivered platform. SSE is the security half of that framework.
  • Focus on Security Services: SSE delivers network security services from a cloud platform. These services include secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA), firewall as a service (FWaaS) and data loss prevention (DLP). They are integral to the overall security posture of the organization, and SASE includes them to provide a holistic approach to security.
  • Integration into SASE: In the context of SASE, SSE is combined with the networking side, such as Software-Defined Wide Area Networking (SD-WAN) and WAN optimization. This integration lets organizations not only secure their network edge but also optimize network performance and provide secure access to resources regardless of location.
  • Zero Trust Principles: Both SSE and SASE align with zero trust principles, emphasizing strict authentication, authorization, and continuous monitoring. This common security approach further supports the idea that SSE is a subset of the broader SASE framework.

And Security Service Edge (SSE) can be characterized by the following:

  • Cloud-Centric: SSE focuses on cloud-native security solutions.
  • Convergence: It unifies multiple security services into one platform.
  • Purpose-Built: SSE platforms are designed for efficient security delivery.
  • Edge Focus: Emphasizes securing the network edge.
  • Zero Trust: Adheres to zero trust principles for access control.
  • Scalability: Can adapt to changing security needs.
  • User Experience: Enhances performance while maintaining security.
  • Visibility: Offers robust traffic insights and analytics.
  • Automation: Utilizes automation for real-time threat response.
  • Compliance: Helps meet regulatory requirements.

The contenders or are they?

Maybe you guessed by this point that one contender is Microsoft and the other is Zscaler, which was positioned as a Leader in the 2023 Gartner Magic Quadrant for Security Service Edge (SSE).

Time will show what happens with these solutions during this year.

And yes, for all the Palo Alto fans, I know it was named a Leader in the SASE Magic Quadrant, but I am not covering their solution in this article.

Microsoft solutions for SSE

Maybe you heard, or maybe you didn't, that Microsoft released its own solutions into the SSE landscape. They are wrapped under one brand name, Global Secure Access, and the suite is currently in public preview.

One criticism of Microsoft's offering is that it is late to market: Microsoft lags behind Cisco, Palo Alto Networks, Symantec, and Zscaler by several years.

Time will show how it evolves. I personally believe that the sheer size of their POPs and the supporting unified ecosystem and infrastructure, with the various building blocks for network security coming from Azure, could make a difference.

Time will show whether Microsoft achieves servicing the full scope of SASE.

See here for the announcement

And yes, in case you missed the product rebranding: Azure AD became Entra ID, which makes sense, but it is really annoying to update all the references to it.

Let’s see more on the different parts of Entra Global Secure Access and later the Zscaler ones.

Microsoft Entra Internet Access

Internet Access provides a Zero Trust approach with the following:

  • Mitigate token theft by employing the compliant network check in Conditional Access.
  • Implement tenant-wide restrictions to prevent data leakage to external tenants or personal accounts, including anonymous access.
  • Enhance logs with network and device indicators, currently compatible with SharePoint Online traffic.
  • Enhance the accuracy of risk evaluations for users, locations, and devices.
  • Easily integrate with third-party SSE solutions in a parallel deployment.
  • Capture network traffic either from the desktop client or remotely, such as from a branch location.

Microsoft Entra Private Access

And Private Access provides the following:

  • Zero Trust-driven connectivity to a set of IP addresses and/or FQDNs, eliminating the need for traditional VPNs.
  • Granular access control for TCP applications (UDP support currently in progress).
  • Revamp legacy application authentication through robust integration with Conditional Access policies.
  • Ensure a smooth end-user experience by capturing network traffic from the desktop client and implementing it alongside your pre-existing third-party SSE solutions.

How to get started with GSA?

Permissions

First you need the Global Secure Access Administrator role; yes, there is a new role for this suite.

It allows you to:

  • Oversee all aspects of Microsoft Entra Internet Access and Microsoft Entra Private Access, including their creation and management.
  • Administer access to both public and private endpoints.

But it does not allow:

  • Managing enterprise applications, application registrations, Conditional Access policies, or Application Proxy settings.
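Because the role is scoped to the GSA suite, it is a good candidate for delegation instead of handing out Global Administrator. The following is an added example (not from the original post or from Microsoft) that assigns the role to a role-assignable group using Microsoft Graph PowerShell. It assumes the Microsoft.Graph module is installed and that a group named GSA-Admins already exists; the group name is a placeholder.

```powershell
# Added example: assign the Global Secure Access Administrator role to a
# role-assignable group with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; a group named 'GSA-Admins'
# (hypothetical name) exists and was created with isAssignableToRole = true.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.Read.All"

$roleName  = "Global Secure Access Administrator"
$groupName = "GSA-Admins"   # assumption: replace with your own admin group

# Look the role definition up by display name instead of hard-coding a template ID;
# the role is new, so fail loudly if the tenant does not have it yet.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' not found in this tenant." }

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found." }

# Skip if the assignment already exists so the script is safe to re-run.
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($group.Id)' and roleDefinitionId eq '$($role.Id)'"

if ($existing) {
    Write-Output "'$roleName' is already assigned to '$groupName'."
} else {
    # DirectoryScopeId "/" makes the assignment tenant-wide.
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId "/" | Out-Null
    Write-Output "Assigned '$roleName' to '$groupName' tenant-wide."
}
```

Only role-assignable groups can be the principal of a directory role assignment, and that property can only be set when the group is created, so create the group for this purpose rather than reusing an ordinary security group.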

For Internet Access, enable the following:

Enable the Microsoft 365 traffic forwarding profile

Traffic forwarding profiles let administrators choose which traffic is captured and sent to Global Secure Access. Once enabled, a profile is automatically applied to all devices in the tenant that run the Global Secure Access client. The capability to assign forwarding profiles to specific users and groups will be introduced in upcoming updates.

Install and configure the Global Secure Access Client on end-user devices

To route network traffic from end-user devices to Global Secure Access, you need to download and install the Global Secure Access client. The installation can be carried out interactively or silently. As of now, the client is available for Windows, while versions for Android, iOS, and macOS are set to launch in the coming months.

Enable universal tenant restrictions

Tenant restrictions let you manage whether your users can access external applications from your network or devices, including with external accounts issued by other organizations or self-created accounts in unfamiliar tenants. You specify which external applications to permit or prohibit. These default settings apply to all external Azure AD (Entra ID) organizations unless organization-specific settings have been configured for them.

Enable enhanced Global Secure Access signaling and Conditional Access

The adaptive access settings let administrators enable the signals used by Microsoft Entra Conditional Access and Microsoft Entra Identity Protection.

Global Secure Access signaling provides:

  • Client IP restoration
  • Continuous Access Evaluation
  • Identity Protection integration
  • Enriched Microsoft Entra ID sign-in logs
  • Network location data

These are surfaced to Conditional Access so that administrators can create policies based on them.

See the next steps on Learn.
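The point of enabling the signaling is the compliant network check mentioned earlier: once the signal is on, the tenant has a named location that represents "came through Global Secure Access", and a Conditional Access policy can block Microsoft 365 traffic that did not. The following is an added example (not from the original post or from Microsoft) that creates such a policy with Microsoft Graph PowerShell. It assumes signaling for Conditional Access has already been enabled, which is what creates the named location the script looks up by name, and it uses a placeholder ID for a break-glass group.

```powershell
# Added example: block Exchange Online and SharePoint Online unless the request
# arrived through the Global Secure Access compliant network.
# Assumptions: GSA signaling for Conditional Access is already enabled (this
# creates the 'All Compliant Network locations' named location); the
# break-glass group ID below is a placeholder you must replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<your-emergency-access-group-id>"   # assumption: placeholder

# Find the compliant-network named location by display name rather than
# hard-coding its ID, and stop if it does not exist yet.
$locations = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations"
$compliant = $locations.value | Where-Object { $_.displayName -eq "All Compliant Network locations" }
if (-not $compliant) {
    throw "Compliant network location not found; enable GSA signaling for Conditional Access first."
}

$body = @{
    displayName = "Block M365 unless on GSA compliant network"
    # Start in report-only mode; switch to 'enabled' after reviewing sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # never lock out emergency access
        }
        applications = @{
            # Well-known app IDs: Office 365 Exchange Online, Office 365 SharePoint Online.
            includeApplications = @(
                "00000002-0000-0ff1-ce00-000000000000",
                "00000003-0000-0ff1-ce00-000000000000"
            )
        }
        clientAppTypes = @("all")
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($compliant.id)   # i.e. block everything NOT on the compliant network
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
Write-Output "Created policy $($policy.Id) in report-only mode."
```

Leaving the policy in report-only mode first matters here: any user whose device does not yet have the client (or any app the client does not tunnel) will show up as blocked in the report-only results, which is exactly the list you need before enforcing.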

And for Private Access, these:

Configure an App Proxy connector and connector group

Application Proxy is an excellent feature that enables you to connect to your on-premises resources. See my previous blog for some examples and preview features.

Configure Quick Access to your private resources

Quick Access builds on the Application Proxy feature called complex application scenarios; read more in my previous blog.

Basically, complex application scenarios aid authentication and avoid CORS problems for applications that internally use distinct domain suffixes, or different ports or routes in the URL.

Only two application segments per complex distributed application are currently supported, and only a wildcard application can have application segments specified.

If all application segments are removed, a complex application functions as a wildcard application, allowing access to all valid URLs inside the defined domain.

Enable the Private Access traffic forwarding profile

Using the Private Access profile, you can direct traffic to your private resources. To set up this traffic forwarding profile, you need to configure Quick Access, which entails specifying the fully qualified domain names (FQDNs) and IP addresses of the private applications and resources you intend to route to the service.

Install and configure the Global Secure Access Client on end-user devices

To channel network traffic from end-user devices to Global Secure Access, you must download and install the Global Secure Access client. The installation can be done either interactively or silently.

Points of Presence

During the preview, Entra GSA has limited availability; from here you can see the locations and regions where it can be used during the preview.

Zscaler solutions for SSE

Zscaler has the ZIA and ZPA services, and Microsoft follows the same naming pattern in its own SSE solutions. Which kind of makes sense: why reinvent the wheel when it already exists?

Zscaler Internet Access (ZIA)

Zscaler Internet Access provides a proxy-like surface that can isolate your traffic. For example, you can route your Office 365 traffic through Zscaler's isolated portal; in this mode Zscaler exchanges data with the Microsoft services while keeping the user's session inside the sandbox.

For the isolation you can use the Native Browser Experience or the Browser-in-Browser Experience, and there are limitations for these modes: https://help.zscaler.com/isolation/limits-isolation

If you want to read more on how ZIA works, Zscaler has an excellent page for it: https://help.zscaler.com/zia

Zscaler Private Access (ZPA)

Private Access works with a light-weight agent, the App Connector, installed from a pre-defined gallery image.

You need to register this small server with your Zscaler environment, and it has to have routes to the resources you want to access.

Then on the client side you can, for example, allow certain networks, services and ports, and define policies for endpoints that have the Zscaler Client Connector installed.

You can automatically initiate the connection based on the network or application.

Zscaler has two types of tunnels:

  • A Zscaler Tunnel (Z-Tunnel) is a TLS-encrypted, mutually authenticated connection between Zscaler Client Connector or an App Connector and a ZPA Service Edge, ensuring secure communication without direct IP data transmission. An additional Z-Tunnel is created for multi-tenancy support in Zscaler Client Connector.
  • A Microtunnel (M-Tunnel) is an on-demand communication channel between Zscaler Client Connector and an internal application via a ZPA Service Edge and an App Connector. The M-Tunnel starts at Zscaler Client Connector when client application traffic tries to connect to an application server with a synthetic IP address. It extends to the ZPA Service Edge with a tag from Zscaler Client Connector, then continues to the relevant App Connector with a different tag of the App Connector's choice.

And to read more, see this page from Zscaler: https://help.zscaler.com/zpa

Closure

In the media, Microsoft has been widely criticized for adopting the commonly used names, but does it really matter?

There are acronyms already in wide use that someone invented and others adopted as part of their own suite. I think it just makes sense for everyone to use the defined names and not invent new ones just because they have to.

What about the competition question? I think that specifically the features I covered have a lot of overlapping and identical functions, but so does any other service provider, and that is not even limited to technical services.

I think that both will find their own areas of interest and excel in those. The big question is whether Microsoft and Zscaler will keep their partnership in the future, or whether they will evolve their own platforms while keeping in mind the roadmap that the other has.

Also, I hope that they will have full SASE framework capabilities so that next year we can see them on those Gartner charts.

Over and out,

Author: Harri Jaakkonen