Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jordy Decock (00:00):
Global Secure Access is here.
Global Access, tighter control.
Let's break down what it means and why your security team should care.
Welcome to The Collective podcast.
The podcast where we delve into the ever evolving world of corporate security to help businesses stay ahead of the curve.
Whether you're a small startup or a global enterprise.
(00:23):
I'm your host, Jordy Decock.
Working for The Collective, where we pride ourselves on a hands-on approach, working closely with our clients to cut through the noise and deliver the solutions they actually need.
No unnecessary fluff, no overselling.
Each episode I'll be joined by experts, practitioners and thought leaders diving into today's most pressing security challenges.
(00:47):
We're here to provide insights, strategies and actionable advice to keep your organization safe and secure in a digital first world.
Joining me today are Robbe Van den Daele.
Robbe Van den Daele (00:58):
Hi everyone.
Jordy Decock (00:59):
And Thor Nicolaï.
Thor Nicolaï (01:01):
Hi everyone.
Jordy Decock (01:02):
Both security consultants at The Collective.
Together we'll dive into the world of GSA.
Get ready for practical insights, best practices and strategies to strengthen your hybrid cloud environment one episode at a time.
Hello guys.
Thank you for joining the podcast to speak about the new kid on the block.
Is it true Microsoft filled one of their missing puzzle pieces in their security offer with this?
Robbe Van den Daele (01:25):
Yeah, that's true.
Microsoft recently came with a pretty new solution called Global Secure Access.
It's basically a Secure Service Edge solution that fills in the gaps that they still had in their security offering, and especially in the network security offering.
And when we look at their current products, they of course already had the Defender for Cloud stack, Windows Defender Firewall, Azure network security, etc.
(01:50):
But a secure service edge solution or a networking security solution for the on premise world was missing up until now.
So yeah, pretty excited about that.
Jordy Decock (02:01):
So basically all the other products of Microsoft talk with each other.
They give each other the opportunity to collaborate, let's call it that way.
Is GSA, Global Secure Access, doing the same for the on-premise tech, or...
Robbe Van den Daele (02:15):
Yeah, you can see it a bit like that.
But it's bigger than on premise alone.
It's basically network security.
So the traditional way of doing network security with a firewall is basically another concept when you do secure service edge, where you do your network security filtering fully in the cloud, basically.
(02:37):
So in the past you had to tunnel all of your users some way through your corporate firewall, a big Palo Alto system, that kind of stuff, a physical machine that was somewhere sitting in a rack.
But now with the Secure Service Edge principle, you can do all of that in the cloud.
So you just connect your users to the Secure Service Edge via an agent and then you do all your security network hardening in the cloud, basically.
Thor Nicolaï (03:04):
Okay, yes.
And that's exactly what Secure Service Edge can do for you.
And when we look at Global Secure Access, it's, it doesn't stop there.
It goes further than just that SSE solution.
And that maybe puts it in a bit of a unique position in the market, where it has the integration with Entra ID by default and Microsoft 365 in that security stack.
So it doesn't only support all network protocols for private access, but you can go into web-based traffic filtering and also increase your Microsoft 365 logging, for example, with the enriched logs.
Jordy Decock (03:37):
Basically what you're saying is it's way easier to put up, or is that not the case, than a physical.
Thor Nicolaï (03:44):
Well, if we're comparing it to physical appliances and hardware firewalls and network security solutions, it's far from that.
I think that's a good thing also, considering the costs.
Indeed.
So knowing that it's far from that hardware stack, we already are in the SSE part.
So the Secure Service Edge, which is a cloud delivery framework.
Right.
(04:04):
So using that, we can ensure zero trust.
We can have a unified platform designing and protecting users that are not within our known perimeter behind that firewall.
Because we have remote users, we have external users.
How are we going to provide the same protection that we do on site, on prem?
And that's where GSA is perfectly positioned to do that.
(04:25):
And if you're already running in the Microsoft stack, it only has more benefits to adopt it.
Jordy Decock (04:30):
Okay, so GSA, what's the difference between that and the physical hardware or the SSE that's currently in place with a lot of companies?
Thor Nicolaï (04:40):
Yeah, so with Global Secure Access you have basically traffic profiles and there's three of them currently available.
But what are traffic profiles?
Maybe they're easily referred to as like traffic lanes, smart lanes and digital highways.
So each with their own rules, security profiles, policies and optimizations.
If we go into the first one, which is private access, you can basically replace your legacy VPN solution and provide access for your users directly to on premise resources, but also to cloud resources, multi cloud resources, depending where they live in your environment.
Robbe Van den Daele (05:18):
Then the second solution is the Internet Access Traffic profile.
And with Internet access you can give secure network access to SaaS applications.
So everything that's not owned by you as an organization, you can tunnel your users through the Internet Access profile and then check if they meet certain policies.
(05:40):
Like this user is allowed to go to these categories of websites and then other users are allowed for other categories, and much more.
Thor Nicolaï (05:49):
And for the last traffic profile, we'll have the Microsoft Traffic profile, which is encapsulating all the Microsoft 365 traffic directly to the Microsoft backend.
So what is the benefit there?
That you can obviously enrich your default 365 logs that you already have with that extra data that you are receiving from the Global Secure Access client, and ensuring that whenever someone is connected to 365 services they are using what is your compliant network configuration.
Jordy Decock (06:22):
Okay, so for example, me as a company, or my company, wants to start with GSA.
What are the first things I need to do?
What are the first things I need to find out inside my company?
Robbe Van den Daele (06:32):
So I think the first things you need to ask yourself is what solution do you need?
Do you need private access or do you need Internet access?
Because some companies mainly want to focus on the private access part where they want to give their users access to private resources that you cannot access from the Internet.
If that is what you need as a company, then you should look at Global Secure Access Private Access Profile.
(06:58):
If you need secure access to all Internet resources like a typical firewall does or an SSE solution does, then you can use the Internet Access profile and define policies which users can access which websites and check if they don't access malicious websites, for example, and all that kind of stuff.
Jordy Decock (07:18):
Okay, can it be both?
Can my company need both of them?
I mean, of course my company can need both of them, but is it possible to use both of them?
Robbe Van den Daele (07:28):
Yeah, it's perfectly possible to use both of them.
So they are both licensed with their own license.
So you can license private access separately and Internet access separately.
But if you want to use both solutions, that's perfectly fine.
Then you can define to which private resources some users need to go and also define at the meantime if they go to the Internet, what those policies are.
(07:51):
You also have the M365 access profile.
That's the third profile we just talked about.
That's also something you can use separately or with the other two.
So you can actually have the three profiles next to each other and secure any destination that you want.
Jordy Decock (08:07):
Okay.
To this cloud solution I should call it.
Thor Nicolaï (08:17):
Well, if you're trying to solve private access in this case for firewall related stuff, first let's see how can you copy paste?
Like what are you trying to achieve?
Are you also replacing your VPN solution?
Then you can easily get access to that same subnet that is currently your VPN subnet and you can give everyone access as they used to have access to everything.
(08:40):
But the benefit of private access here is that you can also go into micro-segmentation, which is splitting up all those private applications and resources into that specific lane. If one user needs specific access to ABC, then they will only have access to ABC and not to the complete subnet that's behind your VPN solution at the moment, which is a big benefit because the attack surface reduces significantly.
(09:04):
If we're talking about Internet access.
Yeah, we can basically have the same policies from your firewall integrated into Internet access if you don't want people to surf to specific categories or specific websites.
But you can also flip it around, where you don't just give them a block list, you give them an allow list instead, where you know that these categories are business, production use cases and you have specific websites that you allow, but all the rest is blocked natively, which is a huge benefit.
Jordy Decock (09:34):
And this Internet access is also capable to do it user based or is it group based?
Like do I have to place my users inside a group and then decide this group can access this website?
This website?
Robbe Van den Daele (09:45):
Yeah, that's one of the bigger benefits of Global Secure Access.
It's fully based on Entra ID.
And that's mainly the main difference of Global Secure Access in comparison to other SSE solutions is that it's built from an identity point of view.
Most other network solutions start from a network security point of view, but Global Secure Access is really identity based.
(10:08):
So everything that you use in Entra ID can be used to access your or create your policies.
And Global Secure Access, that means if you have a complete onboarding process with for example access packages or dynamic groups or in sync with your on premise ad or maybe your HR system, you can perfectly plug into that and all of your users can get the right profiles at the moment that they onboard basically.
(10:35):
So that's really a big benefit.
That's also why we mainly say to our customers that not only the networking team should be involved in this project, because it's really a bridge between networking security and identity and access management.
Jordy Decock (10:52):
Well, first thing, as well as from a business perspective, when I hear all of this, the first thing I think about is I have to write down which users use which applications.
I have to find out.
So I have to sit down every single person inside my company.
Robbe Van den Daele (11:07):
Well, it kind of depends.
So what we mainly do with our customers is first of all we check their current network security setup, whatever firewall they use and whatever those policies are, how they do the VPN access, etc.
Jordy Decock (11:20):
It seems the first logical step.
Robbe Van den Daele (11:22):
Yeah, because you have mainly two type of customers.
The customers who do know which kind of users access which kind of applications and the customers that do not know currently.
And that is something that Global Secure Access fits pretty well.
Because you can use the Quick Access feature in Global Secure Access, where you can just say, okay, I want to completely replace the VPN solution without any micro-segmentation, so every user can access every private application. This way you just do a lift and shift, basically, from your old VPN solution to a newer one, and then you basically let Global Secure Access learn which user accesses which application.
Jordy Decock (12:07):
So there's an AI involved.
Robbe Van den Daele (12:09):
Well, I don't think it's really AI.
AI is a hot topic these days, so it might be.
I don't know for sure.
Jordy Decock (12:18):
Okay, but it learns itself or.
Robbe Van den Daele (12:21):
Well, I'm not sure if it really learns or if it just shows you which application because basically it shows you which user is accessing which application.
Jordy Decock (12:30):
So it's not going to be automatically saying hey, this user is using this, it's going to show you who is accessing which.
But it's not going to decide on its own this user doesn't have access to this anymore.
Robbe Van den Daele (12:42):
I don't think that kind of capabilities is currently baked into app discovery.
Thor Nicolaï (12:46):
I think the way Quick Access works at the moment is being that VPN replacement and having that easy to set up first initial private access profile.
So for the Private Access profile and Quick access to work, the only things you need to do is enable the profile.
Of course, significant licensing for that.
Configuring the Private Access network connector, which is pretty easy if you're in Azure.
(13:09):
You can also use the Azure Connector which is available in the Azure Marketplace, which is deploying a VM for you.
And then you just set up Quick Access, as Robbe said, with that subnet that you already have for your VPNs.
And then once the logging, once people are using that connection to connect to those private resources, on-prem, multi-cloud, wherever, then you get logging, and all the logging is basically congregated into apps.
(13:34):
So you can see that someone is navigating towards a private resource app and then you see an overview of which users are actually using that app specifically.
And once you're ready, after some period of time, you can transition that specific line for the connection into a private access application.
So it's a Global Secure Access application, and that's where the micro-segmentation begins again, where you can make sure that only the people that really need access to that.
(14:01):
You can just easily sweep them straight into the new application that you create.
Jordy Decock (14:05):
Okay, so that's private access.
Is it the same for Internet access or is there a different way there for Internet access?
Robbe Van den Daele (14:13):
We typically check the current policies that a customer has in their firewall, or whatever they want Global Secure Access to replace, and try to mimic that.
So there is no real give everything access, everyone access to all destinations and see what happens there.
You can do it if you really want to.
But mainly we would do a migration from the old solution to Internet access.
Jordy Decock (14:36):
Why forget the old one if it works already, right?
Robbe Van den Daele (14:39):
Yeah, indeed.
Most organizations already put some thought into that in the past.
If they haven't, then that's something you need to design before you do Internet access, of course, which categories to which Persona users need, et cetera.
Jordy Decock (14:56):
Okay, but so what I take away from this is private access.
You can more micro segmentate about specific persons use this program, specific person uses that program.
So that's a really cool effect.
But at the Internet access it's still based on groups.
So HR uses these programs.
(15:17):
The entire HR team will have access to this.
It's not really person based on the Internet access.
Robbe Van den Daele (15:23):
Well, they both use the same backbone.
So what you can do with groups and Personas, or user specific and private access, you can also do that internet access.
So that's basically the same.
Thor Nicolaï (15:34):
Global Secure Access remains an identity-centric platform.
Right?
So everything related to users and groups you can basically do for private access, but also for Internet access.
So depending on what your needs are for those specific traffic profiles, you can lift and shift wherever you need.
But this is where Global Secure Access is quite nice.
And it's also very flexible, because we're talking about those three traffic profiles, Private, Internet and Microsoft traffic, and you have the flexibility to enable one next to the other.
(16:02):
And you don't have to commit to all of the traffic profiles at the same time.
So if you have a specific use case for private access, and you want to explore how it works, have that specific license for private access, you can set it up, have a dedicated project for it.
And in the meantime you have that.
You have the GSA client running on your endpoints by the time.
(16:23):
If you want to broaden your search and go into Internet access or Microsoft traffic, you can easily do that because you already have the integration with the client on the endpoint side.
And then you can just start using the traffic profile to also start addressing Internet access and Microsoft traffic, or vice versa.
Of course.
It doesn't have to be in this order.
And that's quite nice on flexibility.
Jordy Decock (16:44):
Okay.
Robbe Van den Daele (16:45):
Yeah.
Another thing I want to maybe add on that is you can not only say I want to specifically use private access or Internet access, but if your organization already uses some kind of SSE solution, you can actually deploy Global Secure Access next to that third-party SSE solution.
Because the Global Secure Access client actually works a bit different than typical agents that you install on a Windows machine.
(17:13):
The Global Secure Access agent uses mTLS, which is a specific protocol, but basically what other products a lot of the time do is build an IPsec tunnel from your agent to the Global Secure, or the SSE, cloud platform, which is pretty beefy.
It takes all the traffic.
(17:34):
You get a new network adapter in your network interfaces in your Windows device, for example, and then you take every networking traffic and put that over that same tunnel.
While Global Secure Access uses a more lightweight protocol that tunnels every traffic stream independently basically.
(17:54):
And because they do that via a lightweight filter driver, it makes it possible to deploy Global Secure Access next to an already existing global.
Yeah, Secure Service Edge solution.
A couple of use cases where you can do that is for example when you say I still want to use my third party Secure Service Edge solution, but I want to use the Microsoft 365 profile of Global Secure Access as well.
(18:22):
Because the Microsoft 365 profile has some specific benefits that other SSE solution cannot give you.
A couple of examples are for example Source IP Restoration.
So if you use a third-party SSE solution like Palovault or Kalto Networks or whatever it might be, and you look into your M365 logs at the IP addresses that access Microsoft 365, you actually see the public IP addresses of the SSE solution.
(18:53):
So not really the public IP address of the client or the user.
With Source IP Restoration and the M365 profile, you can make sure that your SOC engineers, for example, that use the Global Secure Access logs see the real IP address of the user that is connecting.
This is also something that we see in practice where a third-party SSE solution is used: Entra Identity Protection breaks, because Entra Identity Protection heavily depends on public IP addresses and which countries they come from.
(19:29):
If you come from that third party SSE public IP that might fiddle with the logic and actually throw some false positives.
While with Global Secure Access you have the real source IP.
So now identity protection works again.
So there are a couple of benefits of using the M365 traffic profile of Global Secure Access even when you already have a third-party SSE solution that you want to use.
Jordy Decock (19:54):
Okay, yeah, it's a great end-to-end solution.
That's what I'm getting from it.
We already spoke about the licensing.
Knowing Microsoft, there's always the licensing part, of course.
Do we have some information about that?
Is it just one license we need to get, or do the traffic profiles have different kinds of licensing?
Thor Nicolaï (20:15):
Yeah, so.
Well, the way you're seeing it is basically how it is at the moment.
So different traffic profiles have different standalone licensing if you want, like the one Robbe just talked about, Microsoft Traffic, where you can enrich your default logging and you have it side by side with your existing SSE.
It's also very possible that you already have Microsoft Entra ID P1 or P2 licenses available in your tenant for your users.
(20:42):
Then Microsoft Traffic, the traffic profile, is already available to you if you start using the GSA client as well.
On top of that, yeah, Internet Access has a different license, so you can basically use it per requirement basis.
And then Private Access also has a standalone license if you want to use only the private access connectivity.
On top of that, we know Microsoft, of course, if you ever looked at new features in Microsoft, you most likely come across a suite product or a suite licensing deal.
(21:11):
And that's what Entra Suite is also offering in Microsoft at the moment.
So Entra Suite is a combination of different standalone licenses at a discounted price.
So you have the P1 and P2 features that come into the Entra Suite, but you also have Entitlement Management, which is Entra ID Governance capabilities, and Verified ID.
So on top of Global Secure Access, you're getting a lot of other good stuff in that suite licensing deal.
Jordy Decock (21:36):
I do have to announce as well to all the listeners who have Enterprise licensing, they best check their licenses because if you got an E3 or an E5 license, I think the P1 or P2 licensing is already included or the Entra Suite P1 or P2 licenses are already included.
So you only have to get the add on for the private access or the Internet access.
(22:02):
But I think the majority of the business premium licenses of Microsoft can benefit from the Entra Suite licensing.
Indeed.
Thor Nicolaï (22:09):
Yeah.
And once you go for the Entra Suite licensing, it's interesting to also add your identity and access management team on top of that because you get those extra features in the licensing deal.
So I think there's a trial for 90 days available.
And if you activate this just to do some Global Secure Access fiddling, maybe it's interesting to inform your identity and access management team to also start looking into the functionality and the capabilities of Entra ID governance and maybe verified ID if you want to go that way.
Jordy Decock (22:40):
Okay, we already said a lot about Global Secure Access, but how do I set it up?
Where do I set it up?
What's the main things that I can take away from that?
Robbe Van den Daele (22:48):
Yeah, so maybe start with the Private Access profile.
I think that's the most popular one currently as well, the VPN replacement.
So first of all, you need to identify which private resources or applications do my users need access to.
Let's say that most of your resources are in an on premise data center.
Then the first thing you need to do is set up the Global Secure Access private connector, which needs to be installed on a Windows virtual machine.
(23:16):
So depending on the bandwidth you want to tunnel through that virtual machine, you need to give it more CPU and RAM, etc.
But then basically what the Private Access connector does is make an outbound connection to the Global Secure Access cloud.
And then when a user tries to access a private resource, it tunnels you basically back.
(23:38):
So the benefit from that is that you don't need to do any port forwarding in your firewall.
So the Private connector just connects to Global Secure Access via HTTPS and then it pulls you back in when a user tries to access the private resource.
And then it's just making sure that the Private Access connector is able to connect to the private resource that the user needs to have access to.
Jordy Decock (24:04):
Okay, is there a web interface where I can set things up or is it in an existing Microsoft portal?
Is there anything?
Robbe Van den Daele (24:14):
Yeah, it's basically the Private Access connector you need to download from the Entra portal.
So entra.Microsoft.com, then you get an EXE, I think it is, or is it an MSI, I'm not sure anymore.
But you basically log into your Windows server that you want to install it on, install it, click, click, and then it onboards itself into your tenant basically.
(24:37):
And then when you onboarded the private actor private connector into the Global Secure Access cloud, then you need to assign it to a connector group they call it basically, which you will later use to assign your applications to and which users can access which applications, etc.
Jordy Decock (24:57):
That's just for private access or is it the same workaround for all the traffic layers?
Thor Nicolaï (25:03):
So yeah, for Internet access obviously you don't need any connectors because there's just dependent on security policies and profiles you can create.
So similar in the Entra portal, Global Secure Access has a blade separate for it, so you have the option to go into web filtering and then it depends.
It can be FQDN based or web category filter based where you can allow or block certain Internet access.
(25:28):
In addition to that you have security profiles which you enable for different Personas.
So imagine you need different Internet access capabilities for different Personas in your company.
You can create multiple profiles and those profiles get enforced through conditional access.
So there are some conditional access policies you need to create related to that Persona that will make it available to you to enforce those web categories that you previously created.
(25:56):
Now how does this all come down to the user itself and their endpoint?
That's when the Global Secure Access client comes in.
So it's a lightweight client that is not natively built in at the moment, so you'll have to deploy it to any device.
But it's also not limited to Windows devices.
It's supported on iOS, Android, Windows, macOS, and I think there are already some Linux distributions that it supports natively.
(26:23):
So there are a lot of available connections and there's not many limitations on platform support at the moment for the Global Secure Access client.
Robbe Van den Daele (26:31):
The only thing we need to think about with the agent is it supports most of the platforms, like Thor said, it's Windows, macOS, Android, iOS, etc.
But currently there are still some specific limitations, like the agent cannot use secure DNS, for example, DNS over TCP is not supported.
(26:53):
There are a couple of nuances that you need to check out in the Microsoft docs that you still need to disable, but nothing too important for most production environments.
Thor Nicolaï (27:04):
Yeah, and there's also some hardening that you can enforce on the client itself.
As you know, maybe you don't want them, but maybe you don't want your users to be able to stop the capabilities of Global Secure Access client, of course, so you're able to disable the functionalities for disabling the profiles and disabling the client itself that it restarts of course by default.
(27:27):
And this will ensure that your user is always connected through the policies that you have enforced and written down for them.
On top of that, Global Secure Access client also has some diagnostic settings, so there is some hands on diagnostics you can do on the device itself.
Additionally it has a health check functionality which is quite helpful to check if everything is in order to for you to start using the GSA client capabilities.
(27:51):
But on the Admin side.
You also have some monitoring available which allows you to get into the details of traffic logging for specific devices and users, or deployment logging, which gives you insights into delays for your clients on specific devices, for example.
And on top of that you can start creating alerts which would notify you if there's anything different than you're used to.
Jordy Decock (28:15):
I also hear logs, the availability of them. I directly, because of the SOC, The Collective has to think about log ingestion and the connectivity it can make with a SOC.
What can we say about that?
Robbe Van den Daele (28:28):
The logs of Global Secure Access give us some specific benefits.
So when you use the M365 Access profile, the logs mainly benefit from enriched.
So then 365 logs get enriched with latency data where you can see how long it takes before the user reaches the edge, etc.
But also it gives some extra information about the token so we can see if a user is connected through Global Secure Access or not.
(28:58):
And additionally we can do some extra protections on that as well.
Because in conditional access policies we mainly use compliant device.
Now where you need to have Intune policies that say when a device is compliant, etc.
But now we have compliant network as well, where we can say you can only access these resources when you're connected from a Global Secure Access client and then they give it the name you're coming from a compliant network basically.
(29:27):
So those are a couple of benefits of the M365 profile and their logging and enrichment.
But then we have the Internet Access profile as well, because at the SOC we sometimes, or in specific cases, miss the layer 7 logs.
So layer 7, I mean as the HTTP header logs when a user connects to a website and in a traditional EDR solution you do not have those logs.
(29:54):
So then you need an SSE solution like Global Secure Access to have that.
You can build some specific detections for that on those logs, but it's also very handy for investigations.
So that's also a benefit of the logs, especially for the Internet Access profile.
In the past with Global Secure Access we only had HTTP logs, because we could not inspect HTTPS traffic because it's encrypted.
(30:20):
Since a couple of weeks ago, we actually have TLS inspection in Public Preview now, where we need to deploy a certificate in the Global Secure Access configuration and on the clients, and then we can actually inspect encrypted traffic as well.
So then we see for all traffic types, whether it's encrypted or not, what the HTTP headers are, et cetera, which is cool for a SOC to have.
Jordy Decock (30:46):
Okay, does that mean that GSA filters traffic way more than the normal Palo Alto or Cisco does right now?
Robbe Van den Daele (30:55):
Well, I would not say, I would not compare it with Palo Alto and the other products now because Internet access is a pretty new solution.
It only exists for like a year I think now.
Jordy Decock (31:07):
Yeah, I understand it's a bit of.
Robbe Van den Daele (31:09):
A. Yeah, the competitors are baby in.
Jordy Decock (31:12):
Comparison with the others.
Robbe Van den Daele (31:13):
But yeah, the others are a few steps ahead and Global Secure Access needs to take some time and develop all the features that other competitors have.
But I'm optimistic.
I think they will get there soon.
But now Global Secure Access still misses some features that the other competitors don't have.
But it is an improvement in comparison to the MDE Web category filtering because Web category filtering was something you can already do with Defender for Endpoint as well.
(31:43):
Now you can do it again with Global Secure Access.
That was the first feature internet access that was released.
Sometimes we get the question like what is the difference?
Why should I use Global Secure Access web content filtering while we can do it in MDE?
Well, there my recommendation is just take a look at the web categories that are in the MDE web category filtering and the Global Secure Access web category filtering.
(32:07):
And then you will see that Global Secure Access has a much bigger list of web categories.
It's also integrated with again that identity centric approach.
So you have much more flexibility of which users can access which categories in which cases you can even give a user temporary access to a specific web category.
(32:28):
So it's more flexible, it's a bigger web category list, another engine, etc.
Jordy Decock (32:34):
Yeah, you were going to say something that was fast.
Thor Nicolaï (32:39):
I was going to jump into your question regarding like is GSA doing a better job on Internet access than competitors in this space?
Like if you look at Internet access.
Indeed, Robbe , I agree that it's not as mature as other products that we have seen and worked with.
But looking at TLS inspection, coming to Public Preview now, giving you the availability to get those traffic layer 7 details is very important.
(33:07):
Definitely.
If you're coming from an existing solution that already has this.
Right.
So there are a lot of companies out there that have this on a checklist that says if my solution does not have TLS inspection, I'm not looking into it.
So it's very good to see it in Public Preview.
It's going to let you uncover those hidden threats in the encrypted traffic.
For enhanced visibility you can apply intelligent risk aware access controls.
(33:31):
Enhancing your audit readiness and regulatory compliance if you need to.
In general, just elevating your security posture without adding any hardware complexity.
Robbe Van den Daele (33:40):
If we also look at the rate that the new features are coming up, it's pretty amazing.
Okay, Global Secure Access has a long way to go to make sure that they have everything like the competitors have.
But yeah, if you look at the public preview features or even if you have access to the private access features or the private preview features, at least, it's amazing how fast that goes.
Jordy Decock (34:02):
Well, one thing Microsoft is really good at, and it also brings us indeed to the next topic of the future of GSA a little bit, is Microsoft.
Their products always start really maybe baby is a pretty good way to mention it.
They start from baby steps, but they really make some fast steps.
(34:23):
It usually takes some time to get onto the next level, but once they're on the next level, they go really hard on the next level.
What is for you guys, the next step of GSA?
Robbe Van den Daele (34:34):
Well, I think I will mainly talk about the Internet access profile because I think that's the profile that needs the most work.
For Internet access, we can basically look at what the competitors do and what Microsoft doesn't have yet.
So an important thing for me is everything related to threat detection, whether that be antivirus engine or an IPS engine or a cloud firewall or however you want to call it.
(35:00):
That's something that I hope is coming in Global Secure Access soon because now we have the web content filtering, we have TLS inspection, but now that's kind of it for the Internet access profile.
So what I'm currently looking at is an engine that helps you detect threats on the network level that really captures those packets for you and says, hey, this is a CVE that is being exploited over the network, etc.
(35:25):
And then block that.
Or another thing I'm really looking forward to is if they come with a threat intelligence filtering platform that says your user is going to that destination like an FQDN, a website or an IP address, but we know it's a bad one so we block it for you already.
So then it's also a bit TI based, which is something that is not added yet.
Thor Nicolaï (35:50):
Yeah.
And I think in general the future for GSA we know there's a lot of things boiling up in the AI space.
And for GSA the identity centric approach is the right way because you have user and entity behavior analytics already.
If we can dive deeper into that and use the capabilities of AI going forward to get more visibility for your security operators.
(36:13):
That'll be a great feature, of course.
And since we're talking about traffic profiles currently, in my eyes, there's a bit of limitation there that you only have three profiles.
And maybe you would want to have that custom profile where you can just use it to test your new configuration.
Maybe you want to try out a new configuration that is not specifically for all of your users at the same time.
(36:37):
And that's currently a limitation in my eyes, where you can only enable the private access or Internet access for a specific user group, where maybe you just want to create a specific traffic profile for your liking to be more specific on testing or validation.
And that's something that's missing.
It might be that they're working on that or not.
(36:58):
But it looks for now that we're going to be stuck with three profiles at the moment.
Jordy Decock (37:02):
Okay, our listeners, they heard a lot about Global Secure Access right now.
I think they have a lot to take away from this podcast.
What are the few things we already mentioned but you guys really want to get back onto like, hey, this is really important if you want to do something with Global Secure Access, or if you want to not even today, not even tomorrow, not even next week, but.
(37:23):
But if you want to start with Global Secure Edge Access, these are key takeaways you really need to keep your eye on.
Robbe Van den Daele (37:30):
Well, first of all, the first key takeaway I want to give to the listeners is take a look at the M365 profile.
Because for a lot of organizations that's already included into your current license.
If you have a P1, Entra P1 or Entra P2, you can already start using the M365 profile.
And since it is already in your licenses, the only thing you need to do is deploy the agent to your clients.
(37:54):
Make sure that it can coexist next to your current SSE solution.
If you already have that one, Microsoft has some great documentation about that as well.
Jordy Decock (38:01):
Or we can help you with that.
Robbe Van den Daele (38:03):
Or we can help you with that.
That's also a possibility.
But deploy the M365 profile.
It's probably already in your license estate and then you can already benefit from the M365 profile.
Benefits like reduced latency to Office 365, enriched logs, token protection, phishing-resistant authentication via Conditional Access policies, and all that kind of stuff.
(38:26):
Then the second takeaway I want to provide is for the Private Access profile.
We talked about providing access to private applications, but another main benefit of the Private Access profile is that you can enforce Multifactor authentication on protocols that do not support multifactor authentication.
Because basically what you can do if you have for example a server like an SSH server, the SSH protocol does not include multifactor authentication by default.
(38:56):
You can basically say that the users or IT admins are only able to access that SSH server via the private access connector.
And then you can create a policy in Entra ID that says if you want to go to that server, you first need to do multifactor authentication via a Conditional Access policy, and only when that completes the Global Secure Access client will allow you to tunnel that traffic and actually go to that server.
Jordy Decock (39:23):
That actually fills a great gap in.
Robbe Van den Daele (39:25):
Yeah, yeah, we think as well because MFA for non-legacy or.
Yeah, non-MFA-supporting protocols has always been an issue.
So there are some great solutions for that as well, like PAM solutions.
But a PAM solution, Privileged Access Management solution that is.
Yeah, it's more than just that.
So if you really want to for specific MFA for some services you can.
Jordy Decock (39:48):
Already just for MFA, a PAM solution is a really.
Robbe Van den Daele (39:52):
It's a heavy deployment.
A PAM solution is not something you set up quickly.
Private access not as well, or it's also not set up in like an hour.
But I think it's more easy than buying a complete PAM solution just for that MFA purpose.
Jordy Decock (40:10):
It's not cost efficient as well if you just want to use it for MFA solution.
Robbe Van den Daele (40:14):
Yeah, yeah, that's right.
So it really comes down to check what you need.
But if you have a use case where your IT admin for example or a user needs to get access to an application with multifactor authentication while the protocol doesn't support multifactor authentication, then you can use private access and integrate that with your Entra identity settings.
(40:37):
Again like you can use privileged identity management and all that kind of stuff.
Thor Nicolaï (40:42):
Yeah, and that's definitely what is the identity centric way of Global Secure Access and how it wants to position in the market for Microsoft.
I think it's very nice to demo this for some clients as well.
When you show them that some protocols that they are not used to seeing going over that proxy with some MFA restrictions thanks to conditional access.
(41:02):
It's a very seamless integration.
Once you have it up and running and to demo it most of the time it turns some heads.
Jordy Decock (41:10):
So do know that we at the Collective can also help you as a customer with this product that we can bring workshops to the table.
There are these lovely gentlemen that are with me at the table that will bring this workshop to you, but it also brings us to the end of today's episode.
So a big thank you to you, Thor.
(41:32):
To you as well, Robbe.
Robbe Van den Daele (41:33):
Thanks for inviting us.
Jordy Decock (41:34):
You're very welcome.
And thank you for sharing your valuable insights on this topic.
Thank you.
And of course, thank you all for tuning in.
We hope you found today's discussion helpful.
If you did, don't forget to subscribe and share this with your colleagues, helping us reach more people who are just as passionate about building a safer digital world.
We'll be back next time with another important topic in corporate security.
(41:56):
Until then, stay vigilant, stay secure, and let's keep working together to shape a safer future.