Microsoft Pushes for a Seat at the SSE Table

Microsoft is getting ready to muscle its way into the burgeoning security service edge (SSE) space, the growth of which is fueled in large part by the ongoing trend toward hybrid and remote work that rapidly accelerated during the COVID-19 pandemic.

The IT giant will be casting its long shadow on an already crowded market that includes the likes of Cisco Systems, Palo Alto Networks, Proofpoint, Zscaler and Cloudflare. It’s hoping to leverage the growing capabilities within its Entra identity and access management suite to gain ground against rivals that have already been selling SSE products and services for two years.

Microsoft unveiled Entra a year ago as the home for a growing range of products aimed at addressing myriad security concerns in an increasingly mobile and distributed IT world. The offerings include tools for managing access to critical assets, driving secure access to applications and cloud services and verifying credentials.

The company last week drew headlines–and mixed reactions from users–when it announced that Azure Active Directory is changing its name to Entra ID. What may have gotten lost in the shuffle was the introduction of two new services that announced Microsoft’s first steps into SSE.

From SASE Comes SSE

SSE grew out of the secure access service edge (SASE) push to create cloud services that merge software-defined WAN (SD-WAN) with network security abilities like zero-trust, cloud access security broker (CASB) and firewall-as-a-service (FWaaS). SSE essentially dispenses with the SD-WAN part, converging CASB, zero-trust and secure web gateway (SWG).

Microsoft is combining two new services, Entra Internet Access (SWG) and Private Access (for zero-trust network access), with its CASB offering–Defender for Cloud–to create an SSE portfolio. Both are in public preview, with Entra Internet Access expected by the end of the year.

“Neither identity nor network security alone can protect the breadth of access points and scenarios that modern organizations require,” Joy Chik, president of identity and network access for Microsoft, wrote in a blog post announcing the move. “That’s why, as cyberattacks get more sophisticated, we’re adding identity-centric network access to our cloud identity solutions.”

From a market perspective, Microsoft’s move makes sense. According to a report earlier this year by Axis Security–itself an SSE tech provider–88% of organizations it surveyed had a hybrid or remote work model and 71% of security professionals are familiar with the term.

In addition, 65% of organizations planned to adopt SSE within two years, with 43% intent on implementing it before the end of 2023.

A Different Approach

But Bob O’Donnell, principal analyst with TECHnalysis Research, said Microsoft’s decision is being driven in large part by the massive numbers of organizations that run its applications (and at least part of their businesses) in Azure. Bringing network security and verification capabilities to those relationships is important.

It’s a departure from other SSE vendors, who tend to see the market from a networking point of view, O’Donnell told Security Boulevard.

“It’s a different approach than other folks have,” he said. “They’re approaching this from the inside out rather than the outside in. It’s not a networking approach.”

Mike Parkin, senior technical engineer at security firm Vulcan Cyber, had a similar view.

“Considering how broadly used Microsoft’s products are in business, it’s natural for them to try and extend their presence into the SSE space,” Parkin told Security Boulevard. “They can take advantage of an intimate knowledge of the operating systems and applications on each end, giving them a potential advantage.”

That said, it’s unclear how Microsoft will fare against vendors already in the market, he said. It’s also a question of whether organizations will want to adopt Microsoft’s SSE offerings and become even more embedded in the company’s ecosystem.

Renuka Nadkarni, chief product officer for SD-WAN and SASE provider Aryaka, said Microsoft has a lot of catching up to do with established vendors and that its focus on Microsoft assets addresses only a fraction of the traffic enterprises have to deal with. She also noted that most organizations have a multi-cloud strategy, using more than one cloud provider.

Going further, Nadkarni said that any SSE program comes up short in addressing enterprise needs compared with SASE, adding that “security vendors like Palo Alto Networks and Zscaler only solve part of SASE with SSE.”

Microsoft pushed back against that sort of thinking. Sinead O’Donovan, the company’s vice president of product management for identity and network access, wrote in a blog post that the entire SSE portfolio would be delivered via Microsoft’s global network, which connects its data centers across 61 Azure regions with more than 185 global network points of presence (POPs) and a mesh of edge nodes.

The new offerings “enable customers to secure access with a unified, identity-centric approach to any application, resource, or destination, using user identity, device compliance, application and now new network compliance as conditions,” O’Donovan wrote. “This is an easy way to unify and centralize all your access policies and strengthen them with continuous access evaluation.”

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.