Microsoft Expands Entra Into Secure Service Edge

In response to an expanding threat landscape, Microsoft today released a new set of products that expands its Entra identity and access management (IAM) line into the secure service edge (SSE).

"Within the last 12 months, we have observed the average of more than 4,000 passwords attacked every second, which, compared to a year ago, was up from 1,287. So that is almost a 2.5 [times] increase," says Joy Chik, president of identity at Microsoft. "It's shocking, but it also means it's more critical than ever [to] protect in terms of that secure access."

The most significant part of the product announcement is the introduction of Entra Internet Access and Entra Private Access, now in public preview. The former is an identity-centric zero-trust network access (ZTNA) service that protects Internet traffic and integrates with the company's Conditional Access intelligent policy engine. The latter controls access to business assets and applications based on network conditions and situational needs. Together they represent Microsoft's entry into the SSE product category.

Entra Private Access enables secure access from any network to private apps and resources.

"A user can be anywhere — you can be at home, you can be at a cafe — and still be able to access those applications and those private data in a secure way," Chik says.

If something about a user access attempt raises suspicion, Entra Internet Access can throw up a two-factor authentication (2FA) prompt, limit access to resources, or simply block the user. Entra Internet Access integrates with Microsoft 365 apps and extends Conditional Access policies to network conditions, Chik says.

In short, Entra Private Access allows users to securely access company resources through a secure Web gateway, and Entra Internet Access ensures that the network access itself is secure.

"We don't need to create a VPN type of a perimeter, but we can make sure you can still access both Internet or private resources in a secure way," Chik says.

Other New Entra Products

Last year Microsoft debuted the Entra project line with Azure Active Directory (Azure AD), Entra Permissions Management, and Entra Verified ID. Microsoft later added Entra ID Governance and Entra Workload ID to the mix.

Today Entra ID Governance became generally available and introduced more features, such as a life cycle management workflow and entitlement management. Also in general availability, Entra Verified ID allows users to add confirmed information to a digital wallet so they can verify employment on LinkedIn or career certifications to their employers.

Entra Workload ID verifies identity and controls access for non-human users, aka machine identities, so that access privileges for programs and bots can be centrally controlled.

"There's way more workload identities than human identities in all the products and services we all use, and they tend to be overpermissioned," Chik says. "How can we have a product to identify all the permissions ... and also how do we remediate or reduce all those permissions? It's super important that we don't just try to only focus on the human aspect but then neglect the workload aspect of identity."

Entra External Identity, which is now in public preview, extends Entra secure identity access from employees and workload identities to external users, such as customers, guests, and business partners. It brings B2B customer identity and access management (CIAM) capabilities to the Entra platform.

The last announcement is simply that Azure AD has been given a new name: Entra ID.

Bringing in AI Features

This being 2023, Microsoft is incorporating artificial intelligence (AI) and machine learning (ML) in a couple of different ways. Entra ID (formerly known as Azure AD) leverages the extra data Entra Internet Access and Entra Private Access collect to learn about typical user behavior and flag suspicious variation from the pattern. When an anomaly is detected, Entra ID can either raise an alarm to the customer or just block user access, Chik says.

Another category that uses AI/ML is workflow automation.

"We're thinking about when an employee comes and leaves — they join, they leave, they change their jobs — and how do we make all that auditable? How do we make sure they only have the right access to the right resources at the right time?" Chik says.

A typical access pattern can create a standard set of permissions for new employees and also produce security compliance reports.

"You can do everything from the security product — detect, monitor, remediate," Chik says. "I think more critical than ever is how to protect your secure access to begin with."