Microsoft Global Secure Access, a VPN Killer

This blog is designed with executives in mind, breaking down how Microsoft Global Secure Access and its most interesting component, Entra Private Access (PA), replace legacy VPNs and adapt to modern security needs. We’ll explain, in an easily digestible way, how security has evolved from the old perimeter-based model to today’s dynamic, identity-focused approach, helping leaders see how these tools can provide scalable, robust security that fits the demands of a modern workforce.

Microsoft Global Secure Access has recently reached General Availability, positioning itself as a cornerstone for implementing Zero Trust Network strategies. With zero trust widely adopted to protect assets in a boundaryless digital landscape, Entra PA goes a step further by offering secure, segmented access that moves beyond the limitations of traditional VPNs.

Development of networks and their access control

First, there were Networks (N) of computers. There were two kinds: public Internet used by anyone and Private Networks (PN) used by companies. As computers became an important part of operations, a need to access them from outside companies emerged. To extend Private Networks to locations outside the physical perimeter of companies, Virtual Private Networks (VPN) emerged. These enabled access to private, trusted networks over the public and untrusted internet. When used, an authorized person could access on-prem and private cloud assets. VPNs enable computer access without physical presence at the office, using VPN gateways to encrypt and decrypt data and send it over a secure tunnel (over an unsecured public internet).

The world is never ready, and gradually, the perimeter has lost its meaning. Applications now encrypt data, so firewalls operate with blindfolds. Assets are increasingly deployed to private clouds like Azure, AWS, and GCP. SaaS like Salesforce, ServiceNow, and Workday take over Enterprise apps. Working from home means more and more people access services from outside the perimeter. Mobile workforces mean people want access everywhere, not just known locations like home. Consumerization of IT means people want access with any device, not just the ones IT provides workers. When users, devices, and services all slip outside the traditional company IT perimeter, VPNs lose their significance. This IT manager’s nightmare has become a cyber criminal’s dream.

What’s broken in the legacy security?

Traditional secure access is perimeter-based, as we’ve established. The perimeter is like a wall that protects the safe inner circle from the bad outside world, much like a castle in the olden days. Once you gain access to the intranet or whatever entity the perimeter protects, you can move about somewhat freely; it’s like an all-access theme park. Security should always have multiple layers. However, if you start from a position of trust, no matter what patches you add the result will be unsecure.

A typical cyber-attack follows a recognizable chain of events; see the Cyber Kill Chain. The old-world thinking of a secure perimeter has several weaknesses. 1) Access is typically guarded by passwords, which are guarded by users who are infamously the weakest link. 2) Once criminals have access within the perimeter, they can move relatively freely. They can find valuable content and they can find means to escalate their privileges to access that content. 3) Finally, the criminals can establish a command-and-control center so that they’re no longer dependent on the original passwords or vulnerabilities. The real picture is more complex, but the concept of excessive trust is the common root cause.

Zero Trust

In the perimeter-based approach, once you’re in, you’re trusted. There may be bespoke security measures that detect breaches, but the philosophy is to detect anomalies in behavior that are, by default, assumed to be legit. This follows Ronald Reagan’s logic: trust, but verify. What sounded cool in the 80’s feels naïve today. Hypponen’s law states that any smart system is vulnerable. Your objective is not to have an impenetrable defense but enough defense to make the criminals attack elsewhere. So, zero trust philosophy assumes you can and will be attacked and breached, and thus, applies the principle of least privilege. Don’t trust anything or anyone unless you know better. As an HR policy, this is unreasonable, but as an IT policy, it’s excellent. We have explained Zero Trust Authentication in a previous blog post and won’t dive into details here.

How can you implement least privilege? First, you need to verify every user. This is very different from assuming every user within the perimeter is legit. The same goes for devices. Each device should be authenticated. Context can further limit access regarding role, location, time, etc. Finally, the resources, e.g., assets, systems, and services, should be segmented and isolated. Having access to one resource should not mean you have access to another.

Microsoft Global Secure Access

Microsoft Global Secure Access is a modern way to implement secure access. It’s a brand-new offering based on Microsoft’s Entra Suite, which focuses on identity and access management. Entra ID (formerly known as Azure Active Directory, AD) is the core identity and access management service within the Entra Suite, used by over 700,000 organizations globally. It handles authentication, authorization, and identity governance for users, devices, and applications. Entra Private Access and Entra Internet Access are two core components of Entra Secure Access.

Entra Private Access

What does Entra PA protect? It secures access to private applications and resources that are typically hosted in on-premises environments or private clouds, i.e., within the perimeter. These resources are not exposed directly to the public internet and are often behind corporate firewalls or within virtual private networks (VPNs).

Legacy VPN opens one thick pipe from the user to the intranet. To simplify things, it’s like an airport. After security, you can snoop around and get to any gate. You don’t even need a boarding pass. Entra PA builds a bespoke pipe for each user and for every resource or segment of resources. It’s like a strictly enforced badge policy. Zero Trust sounds like a solid principle but a lot of work. Is it? For human interaction, it would be exhausting, but Entra PA is designed to orchestrate this complexity behind the scenes. It builds on top of Microsoft’s existing solutions like Entra ID (previously Active Directory), Azure AD Application proxy, VPN gateway, etc. You can start simple and further refine the system as you go.

Our previous blog post explored Entra Private Access in more detail. We also implemented the world’s first Entra Private Access PoC, which is documented in this case study.

Entra Internet Access

What does Entra IA protect? IA is mostly used in place of a firewall to connect to external sites. The goal is to prevent machines from connecting to malicious websites, either accidentally or on purpose. For example, this prevents staff from accidentally browsing a phishing page. Data exfiltration is also harder if you can’t connect to a service like Google Docs. So, IA secures applications by providing them with a safe way to access the Internet.

It secures internet-based and SaaS applications that are publicly accessible. These resources include cloud services, web applications, and third-party platforms, such as Microsoft 365, Google Workspace, Salesforce, and other software-as-a-service (SaaS) solutions.

Implementing Entra IA is very similar to Entra PA. From a user and device perspective, they are nearly identical. While PA protects private cloud content, IA protects internet content. In the IA case, the pipes are implemented through a secure web gateway, and the access is managed through Entra. For most companies, it makes sense to start with Entra PA, and expanding to Entra IA comes with many synergies.

A-CX has been implementing the world’s first Entra PA Proof of Concept before it was GA. We have also built several Zero Trust Network projects on and between AWS, Azure, and private clouds. Please contact us to schedule a demo, build a PoC, or set up a live system.

Appendix 1, Terminology

Several Microsoft components have Entra in their names. To make things even more complex, Global Secure Access is a common term for Entra PA and Entra IA. Sometimes, this combo is also referred to as Microsoft Security Service Edge. Confusing? You’re not alone. We’ve collected a short summary of key terminology here and provided links to the respective Microsoft documentation.

Microsoft Entra

Microsoft Entra is the umbrella name for a suite of services that protect any identity and secure access to any resource with a family of multi-cloud identity and network access solutions.

Microsoft Entra ID

Microsoft Entra ID helps you establish Zero Trust access controls, prevent identity attacks, and manage resource access. It was previously known as Azure Active Directory (AD) and is among the most widely recognized Microsoft products.

Microsoft Entra Suite

Microsoft Entra Suite provides secure workforce access. It consists of various modular elements.

Microsoft Entra Private Access (PA)
- Zero Trust Network Access
Microsoft Entra Internet Access (IA)
- Secure Web Gateway
Microsoft Entra ID Governance
- Identity Governance and Administration
Microsoft Entra ID Protection
- Identity Protection
Microsoft Entra Verified ID
- Identity Verification

Global Secure Access

Global Secure Access is the unifying term used for both Microsoft Entra IA and Microsoft Entra PA. These two modules are unified under Global Secure Access in the Microsoft Entra admin center. You install the Global Secure Access client on a device, such as a computer or phone, and then use Global Secure Access settings in the Microsoft Entra admin center to secure the device.

Security Service Edge

Security Service Edge (SSE) is a term coined by Gartner in 2021. It secures access to the web, cloud services, and private applications. Capabilities include access control, threat protection, data security, security monitoring, and acceptable-use control enforced by network-based and API-based integration

Microsoft Security Service Edge solution consists of Entra IA, Entra PA, and the SaaS security-focused CASB Microsoft Defender for Cloud apps.

Author

Mikko Peltola

Mikko, co-founder and COO of A-CX, has a background in driving innovation and building award-winning products and services. With extensive experience at Nokia, Microsoft, and F-Secure, Mikko has leveraged technology to create impactful solutions. Mikko’s career exemplifies a deep understanding of business dynamics and a passion for driving growth.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
li_gc	2 years	Used to store consent of guests regarding the use of cookies for non-essential purposes
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
hubspotutk	1 year 24 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA-163360610-1	1 minute	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_ga_3BVJ20WL0T	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
__hstc	1 year 24 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
ppwp_wp_session	30 minutes	No description
raygun4js-userid	never	Description unavailable.
VISITOR_PRIVACY_METADATA	5 months 27 days	Description is currently not available.
_cfuvid	session	Description is currently not available.
_uuid	never	No description available.

Microsoft Global Secure Access, a VPN Killer

Development of networks and their access control

What’s broken in the legacy security?

Zero Trust

Microsoft Global Secure Access

Entra Private Access

Entra Internet Access

Appendix 1, Terminology

Microsoft Entra

Microsoft Entra ID

Microsoft Entra Suite

Global Secure Access

Security Service Edge

Author

Mikko Peltola

Stay in
the loop

Drop by
and say hi

Development of networks and their access control

What’s broken in the legacy security?

Zero Trust

Microsoft Global Secure Access

Entra Private Access

Entra Internet Access

Appendix 1, Terminology

Microsoft Entra

Microsoft Entra ID

Microsoft Entra Suite

Global Secure Access

Security Service Edge

Author

Mikko Peltola

Stay in the loop

Drop by and say hi

Stay in
the loop

Drop by
and say hi