
S5E15 - Entra Global Secure Access - An Identity-Centric Security Service Edge

Apr 26, 2024 · 52 min · Season 5 · Ep. 15

Episode description

Alan and Sam discuss Microsoft Entra Global Secure Access, an identity-centric Security Service Edge (SSE) solution that helps secure users' internet and on-premises access. Here are a few things we covered:

  • What is a Security Service Edge?
  • What is Microsoft Entra Global Secure Access?
  • How does Entra Internet access for Microsoft 365 help secure and prevent data leakage?
  • What is Entra Internet Access and Private Access?

What did you think of this episode? Give us some feedback via our contact form, or leave us a voice message in the bottom right corner of our site.

Transcript

Sam Foot

Hello and welcome to the Let's Talk Azure podcast with your hosts Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.

Alan Armstrong

It's episode 15 of season five. Sam and I had a recent discussion around Microsoft's identity-centric security service edge solution, Entra Global Secure Access. Here are a few things we covered: what is SSE and the Entra Global Secure Access solution? What is Entra Internet Access for Microsoft 365? What is Entra Internet Access and Entra Private Access?

Sam Foot

We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show your support to the show.

Alan Armstrong

It's a really great episode, so let's dive in.

Sam Foot

Hey, Alan, how are things this week?

Alan Armstrong

Hey, Sam. They're not too bad. Busy week as always. How about you? How's your week been?

Sam Foot

Yeah, it's been really good. Our remote team is meeting up in the office this week, which is exciting because that doesn't often happen. It's always good to see everybody in the flesh, so to speak. So, yeah, it should be fun. Yeah, it's been a while since I've…

Alan Armstrong

…been to the office, I think, this year.

Sam Foot

Yeah, definitely. Yeah. I think most of my week this week has really been about finding the limits, shall we say, of 365 Copilot. I'm actually, yeah, really loving that AI solution.

Alan Armstrong

Should we call it that?

Sam Foot

It seemed to. It does seem to really help with productivity.

Alan Armstrong

Yeah, definitely. Yeah. We've had an opportunity to test it out and it has been quite useful, actually. Yeah, you're right. Surprising how you get into it, isn't it? I think you think, you know, we're not too sure if I'm going to use it or not, but then it just, it just flows, to be fair, doesn't it?

Sam Foot

Yeah, I think it's, I think it's sort of adjusting your, I don't know, perception to some of the things that you do. You know, if we're building, like, designs, architecture plans, low level designs, you know, X, Y and Z, I think it's, it's kind of like you sort of have to train yourself to think, is there a way that I could, you know, sort of build a prompt to actually generate a lot of what I need? I'm finding it really useful for, like, user guidance, documentation, things like that. And don't get me wrong, it does hallucinate. It comes up with all sorts of stuff sometimes, but as a starting point, and especially what I really like it for, is that sometimes it can come out with some really good structures and it can sort of give you your starting points. You always have to go through it, check it and rewrite things, add more context that it doesn't know about. But as a time saver, you know, it's doing, I think it's doing really well, to be honest with you.

Yeah, definitely. Yeah. But yeah, I forget. Keep it. Yeah, that's for sure. Well, because of the licensing, we've got it for a year. So, yeah, sure. It should. You should at least have it for a year. That's, that's for sure. So, um, this is really good. So jumping from one, I'll call it, hype train to the next, actually. This, this one, does this one have AI in it? Because it's, it's not quite at that level, I don't think. But you're, you're definitely very excited for this product. And to be fair, when, when we talk about it, I don't really hear any sort of negative things being talked about, to be totally honest with you. So, yeah. What are we talking about this week?

Alan Armstrong

Yeah, so we're gonna, we did an episode, I think last season maybe. I don't know. I can't remember what episode it was, but it was when it first got announced. So we'll talk about Microsoft's security service edge, Global Secure Access. It's probably been out for some time now, but a lot of it was under private preview, and I think, well, now Microsoft have released a lot more of it into the public preview, with some other parts still in private, but it's there for everyone to sort of try out now, at least before it gets released. So yeah, it's definitely worth bringing back up. And now I've had a chance to have a go at using it and things like that, I can give a bit more feedback and experience with it this time. Okay. Yeah.

Sam Foot

So should we start from the sort of beginning and sort of explain what a security service edge solution is and why do organizations have them?

Alan Armstrong

Yeah, so the concept of a security service edge is, I say, relatively new. It's probably three or four years. I say three or four years, maybe two or three years now, as a concept. And it's starting to sort of bubble up as a potential requirement for organizations. And it's part of really the, what's the abbreviation? The, the secure access service edge. So the SASE sort of framework that came out from, I think Gartner might have brought it out. In effect SASE is part of sort of four main traits. It's all around identity-driven access. The infrastructure and solutions are all in the cloud and they're all delivered that way. So they're almost SaaS solutions, or security as a service. It's able to support, you know, the SASE sort of, sort of traits, you know, it supports all edges, so physical, digital, logical, that can be protected, and it's globally distributed, which seems like quite sort of high level sort of parts, but some of the key parts to SASE, I hope I'm saying that and pronouncing that right, or the acronym for that.

But it kind of details in sort of six areas, and they are kind of technology areas or solution areas, and that is software-defined wide area network. So not necessarily big networks. It's all in effect over VPNs, kind of doing that sort of as a WAN. You've got firewall as a service, which says what it is on the tin. You've got secure web gateways. So that is protecting network going out to the Internet. So web content filtering, blocking malicious URLs and stopping malware from being downloaded and things like that. So kind of act as your, I suppose not to say traditionally, but they were known as proxies when you were all on premise. You've now got the other, one of the other areas is now zero trust network access, ZTNA. So this is doing checks when you try and access resources on premise and only providing you access to specific things on the network rather than the whole. So a traditional network or traditional VPN would allow you access to the whole network, and then it'll be based on the firewalls, firewall configuration, to specify what resources you could talk to. But that might be specific to the whole, everyone that goes through that VPN solution, and not necessarily the individuals or the group of users.

Kind of the two last areas is cloud access security broker. So, you know, adding to what we have as Microsoft Defender for Cloud Apps in the Microsoft world, and then centralized and unified management. So being able to manage all these sort of solutions in a single place, a single platform. So that's kind of the SASE side of things.

So the security service edge, SSE, is sort of a subset of some of those technologies. So it's part of the SASE solution. It's a bundle of managing, or the areas that are sort of cloud security services related. So this is really looking around web gateways, the CASB side of things and the ZTNA side of things. So protecting your access to internal resources, the access to the Internet, as well as protecting your SaaS applications. So that's kind of the key areas where SSE kind of as a solution, as a framework, kind of sits.

And in effect, why, why would organizations be looking to implement this? Well, traditionally some of this solution might be just on premise. So you may have today the requirement for all your users to go through a proxy to do your secure web gateway. And this might not be a cloud service, or there might be a source that only does that part of it. And in effect you have to VPN, you might have to VPN the users all onto your on premise network, then go through your network appliances, your physical or virtual appliances there that are managing that service. So that incurs potential cost on having a VPN solution that's putting everyone onto your network, and then they've got to come out of that network to in effect go to the services they're allowed to. So that means that users' access to the Internet, to their, to 365, to in effect everything they probably do today, is reliant on hardware and your networking infrastructure, which means that, you know, you've got to build in resilience across that environment, which causes potential complexities in that, you know, in that environment, not always, but, you know, as, as you're adding more hops and things like that into the way that the user has to go to access services, then there's more points of failure along that route.

So with it bringing in an SSE solution that is all cloud managed, cloud driven, the users and their endpoints go off over their Internet pipe, wherever they might be, to this service edge, to then be, for it then to be managed what access they have, how they access your on premise and how they access the SaaS services, and then that's managed in effect up there. So there's less reliance on on premise infrastructure. It might be that actually you're looking to move to the cloud, move as much into SaaS solutions, rather than maybe got some IaaS, infrastructure as a service, in Azure or all the other clouds, but trying to reduce costs that way and then bring it into a subscription and things like that. So I think that's why organizations look to do it. Because with users not always in the office, maybe work from home, or having, you know, maybe simplifying your, your sites to only have, you know, a plain Internet connection now, with a VPN solution maybe for, you know, the servers that might be on site for certain things like printers, things like that, and then allowing them to access it, because, you know, 60, 70% of their users' interaction for the organization might be SaaS applications. So yeah, I think that's why organizations would start to look at this. Some of this, like I said, might have some of it already in place, but maybe across multiple vendors, or some of it is reliant on physical or virtual appliances that are needed to allow to broker the user's data or users' Internet access.

Sam Foot

So are we sort of seeing a cloud approach for networking architectures and appliances? Is that sort of fair to say? Because our workloads are shifting. Okay, let's generalize it. So some workloads are shifting from on prem into the cloud. And there's other SaaS line of business applications as well, right? That sort of network traffic, it's not all on prem anymore. It's remote workforce accessing remote solutions. So maybe having sort of the central, I don't know, your central network universe being on prem now might just not be viable today, if that makes sense, because you're effectively proxying a lot of that traffic through your on premise Internet connections, right? Yeah.

Alan Armstrong

It's coming down to that sort of perimeter sort of scenario, isn't it, that your perimeter now isn't your data center or your site anymore. It's every, you know, your perimeter is now so vastly wide. I guess this is kind of, kind of feels like this is doing a similar thing, that your endpoints have to go to this secure service edge before they can access anything. But it's not an on premise environment. It's a cloud service kind of thing. So then that's partially your perimeter to at least the Internet and applications and your on premise, in effect. Yeah.

Sam Foot

And if, I suppose if you are moving workloads into Azure, your new infrastructure sort of location is Azure. Right. You know, and traditionally all of that networking kit and appliances would have sat, you know, there to support that infrastructure previously. So in some respects it's, it makes sense for it to be there now, right? Yeah, yeah.

Alan Armstrong

From that perspective. Yeah. That you're, you're closer, you know, I mean we're talking now more around Global Secure Access, aren't we? From the perspective of where you may sort of tunnel into or out of to. But I suppose from a service that you, it is from the Internet. So you will be on some, or you deem to be on some good Internet pipes from the egress point of that service to the resources that you need to access, like Azure and AWS and GCP etcetera, or other SaaS solutions. Okay.

Sam Foot

So yeah, it sounds like piecing a lot of this together, sounds like it's its own skill set. Should we actually, do you want to just talk about and introduce Entra Global Secure Access and what it's trying to achieve? Yes.

Alan Armstrong

So Entra Global Secure Access is Microsoft's security service edge. It is identity centric. So it's all about what the, you know, it's based on the, the identity of the user and what they're allowed to access. It bakes into, so it's kind of broken down to three parts. So the three parts are Entra Private Access, which is kind of the zero trust network access sort of part of it. You've got Entra Internet Access, and from a high level that is in effect the secure web gateway part of it and, you know, and some more. And then the third part is Internet Access for Microsoft 365. So specifically, you know, Microsoft 365 as the SaaS solution. And that is quite interesting in itself around the sort of concept of that. So that's kind of how it ties together. Oh, that's the three sort of areas. And in effect access to various solutions, or the mechanism for securing the different types of access there, is baked into what we always talk about, which is conditional access.

So conditional access, if no one knows about what it is, it's a mechanism within Entra ID to allow you to control when a user, and or, yeah, a user has access to resources. So it might be Microsoft 365, it might be to SaaS applications that are integrated, might be to the Azure portal. And with it you can use signals like where the user's coming from, what device they're on, their, their location, their IP, you know, has it been deemed as malicious, that IP address, or, you know, things like that. And the compliance of the device. And using those signals you can then determine what type of access they have, or what they need to do to get access, which might be an MFA prompt, might be they need to use a phishing resistant MFA, you know, authentication, for maybe a more sensitive application or for an admin role.

And it's all based on groups and things like that as well. So different users can have access. So using that sort of mechanism, we can now say that part of those three areas, based on this criteria, certain users can have access to different resources and having to perform potential MFA prompts, or be on certain devices to access them from, from a managed, from a managed endpoint at this point. Nice.

Sam Foot

So yeah, very highly, very highly integrated with the rest of the, you know, Microsoft security stack. That's probably fair to say, you know. Yeah, yeah.

Alan Armstrong

And I think that's the kind of, the point to it, and, you know, if I dive into, I'll dive into these a bit more sort of now. So really, if we talk about actually the Internet Access for Microsoft 365, what this is doing is, within conditional access there is, in effect, a new area for locations, or network locations, which is called compliant network. So what we can force now is that when you're accessing Microsoft 365 you have to be on a compliant network. So how do you become a compliant network? Where you, in effect, you have to come from the Microsoft Global Secure Access sort of network. So it's probably actually worth talking a little bit about that, actually, is that Global Secure Access, once it's got these sort of three areas, when you connect you're in effect running across Microsoft's global backbone to the services themselves. So you're in effect using Microsoft's network, once from the, from the device to the security service edge, Global Secure Access, you'll then be running across Microsoft's backbone to then the services there. So once you come in and then you've been authenticated against that network, in effect against your tenant, you're then deemed as being on a compliant network, which then means you can say you can have access to 365. So it's another check that you can do now to make sure that, and, I guess, your traffic is technically encrypted, even though 365 is across SSL and things like that anyway, but it's in fact encrypted up to the service edge.

But the great thing really about that connection, so this means that traditionally, I suppose, you might say that to access 365 you have to come from the corporate network, you have to come from a VPN, which was a good way to stop, you know, basically allowing anyone to access it from anywhere, to prevent those compromised accounts being used against the environment. Because you'd say you have to come from the corporate network, so you'd have to come from a managed device. But now, because we can prove that we're on a managed device using the, in going through the Global Secure Access tunnel, in effect we can now do that from anywhere. So you now don't have to now secure 365 potentially that way. But some of the main things as well is that you can, because we're saying it's got to come from that compliant network, we can prevent attacks with users or malicious people, malicious attackers, doing token theft. And one of the things actually on here, Sam, which was quite interesting, is that they suggest that this is around data loss prevention controls, which I thought was quite interesting.

And the reason for that is that you can actually restrict users from going to different tenants using this. So you can stop them going to their test tenants, because technically, I suppose, you might allow users to go to SharePoint or to OneDrive or to outlook.com or those services, but from a secure web gateway, or allow Office 365, but they can switch their tenant and potentially attempt to upload files to that OneDrive or to another organization. Yeah.

Sam Foot

Because I suppose sort of basic web filtering controls would only be able to sort of whitelist URLs. Nothing else from that, right?

Alan Armstrong

From the service. No.

Sam Foot

Yeah, exactly like, you know, opening a private browser window and then logging into.

Alan Armstrong

Well, not even that, just switching tenants. Yeah, true. It stops that because it says you're not allowed to go to the other tenant because it's not trusted. Yeah. Okay.

Sam Foot

Yeah, that's nice.

Alan Armstrong

Yeah, that's even, that's even quite crazy in itself as well, because, yeah, you know, in theory, people can be invited, can't they, to any tenant. I don't restrict…

Sam Foot

Yeah.

Alan Armstrong

…anyone from…

Sam Foot

Yeah, yeah, yeah. So, yeah, it can stop, you know.

Alan Armstrong

That, and only doing, you know, ones that are, you know, allowed to, you're allowed to go to from an organization perspective. Yeah. Really good. So, yeah, that's, that's kind of that part. And that, I mean, that bit is quite powerful in itself. Just that, you know, that there. So that's the Internet Access for 365.

So if we move on to just, I say just, but Entra Internet Access. So this is then looking at, in effect, you know, web content filtering, URL blocking and things like that, in effect against the users themselves. So this kind of, like I said before, this is probably more traditional secure web gateway, where you can specify categories depending on the user, groups, things like that. What's interesting is that you can, because it's built into conditional access, you can actually say that, say that you want to go to a more sensitive site, or a site that you don't normally go to. Yes, you could normally be blocked, but for some, some of them, you could actually ask for MFA, additional MFA, for it. So you could say, actually, if I want to access the, I don't know, I can't think of a website that you'd want to go to that you'd need more secure access for.

Sam Foot

Think of some, like, legacy line of business app that doesn't have MFA, maybe.

Alan Armstrong

Okay. Yeah. So I was thinking of a different way of it, but, yeah. Anything that's not, that you, that's not integrated into Entra, in effect, you can perform MFA in front of it. You're absolutely right. Or at least have to have performed MFA to access it. So it could be, it could be anything. It could be, I can't think of any now. It's like, yeah, let's say, let's say Facebook. It's not, you know, maybe social media, the marketing side of things.

Sam Foot

Maybe use Facebook Workplace or something like…

Alan Armstrong

…that, even though you can integrate that. That's the problem.

Sam Foot

Yeah, okay.

Alan Armstrong

Yeah, anyway.

Sam Foot

Some, some line of business application that somebody…

Alan Armstrong

Yeah, maybe it's a site where you do orders for, for your business, where you have to purchase things. There's no MFA in front of it. Maybe that's an easier one. And you want to put MFA on it when they're accessing from their devices. Maybe you've got a password manager, so they don't actually know the password. It's all stored in there. They can't reveal it. They can access it. So they can only do that on their devices. But you want to put MFA in front of it to make sure it's them, so that someone doesn't go and purchase 200, I don't know, 200 barbecues or something. Yes. It's not like I just bought a barbecue. That's why it came top of mind. But…

Sam Foot

No, definitely not. But anyway, yes, you can put that in front of it.

Alan Armstrong

What's great as well, and this is probably similar to other, you know, secure web gateways, is that you can have a baseline, you know, policy that says everything is blocked, or the majority of things are blocked, and then you can put policies on top and prioritize them. So you can say, yeah, all users are generally blocked at, I don't know, AI, maybe not AI, but personal OneDrive, but, you know, this subset of users are allowed to use it because that's the only way they can access their clients', you know, data or something like that. Maybe there's a scenario for that, and you can layer it up like that. I guess in theory as well, with some of the other Entra sort of solutions around governance, you could have an access package that says you're allowed to access this category of websites, or these websites, for x amount of time, for say three days or something, because you need to do it. So you can start building in just-in-time access, I guess, potentially, to web, you know, websites and things like that, which is quite an interesting concept as well around that.

So, yes, so that's kind of, you know, web content filtering. Like I said, it can be done by domain URLs, or the domain names I should say, as well as the categories. And if anyone's had a look at this, or the web categories from Defender for Endpoint, which are device-based categories, I think it's fair to say there's quite a few categories, but they weren't very granular. They're very sort of, I think it's fair to say they're sort of high level there. With this one there is a lot more categories in there. You know, it's very, it is broken down a lot more. And as well this time you can also generate your, your URLs, your domain, sorry, your domains, to add as well, or to, to allow there. Yeah, so there's, there's things like, you know, some of the categories here, it's like dating and personal, criminal activity, and there's a few, few others there as well.

So that's generally, you know, Entra Internet Access, and again that's then running across the Microsoft backbone as well. And then if we come to Entra Private Access. So this is, this is very similar. So I don't know if anyone has used Microsoft Entra application proxy, where you can redirect your websites in effect from your browser down to your on premise environment. So again, yes, surface websites to your users and put MFA on it. This sort of is similar to that, but superly enhanced, I guess, as a word that doesn't really make sense. But this is in effect, there is an upgraded, in effect, application proxy. But what this allows you to do is, this allows you to in effect communicate with anything on your on premise network where there's an app proxy, or, I think they've called it private access connector now, I think they've just rebranded it all. And it's, it's any sort of service, but also any, any port, where previously we were limited to 80 and 443. Now it can be anything, it could be any service, so it could be RDP, it could be SMB file shares, anything like that. So when you create policies you can now specify a, you know, potentially have a policy for a service and specify all the, all the internal URLs you need to access and all the ports for those URLs, or for those services or servers. And then that service can then be attached to specific users. So even though, you know, the app proxy or the private access connector is, is sat on the, in your environment, and may have access to the various services for all users, it's only specified by conditional access who has access to what services. So that's bringing in that zero trust network access part.

So forcing MFA or different types of MFA depending on the different services. Maybe if you're RDPing, if maybe RDP, you know, a privileged access workstation, you know, we can force, you know, enforce FIDO2 keys, you know, phishing resistant MFA there to access it, to prove that your device is clean before you access it. You know, there may be some other things like that that you can do. Maybe it's access to a file share that you need to, which maybe you access all the time, previously to connect to a VPN. This is now all sort of seamless in the background to the user. So that's generally the private access side of things. It is, you know, is, you know, potentially removing the requirement to sign up to a VPN, do MFA, you know, once, in effect, against a single, you know, single connection. This is now potentially across all of, you know, all of those different types of connections you might be making. So there might be different requirements, you know, it might be a requirement that you can't access a file share when you're outside the UK, but you can access the RDP session. It can be that granular with it.

Sam Foot

Yeah, that specific scenario, I can imagine that's going to be very useful for data compliance, sovereignty, potentially. I do get that in some respects. If you're physically located in a different place, you know, are you really exfiltrating data to a different country or processing it in a different country? But I suppose if you do have those hard and fast requirements, being able to sort of be that granular is sort of another level of flexibility, right. Because this sits sort of at the application level, if that's fair to say, doesn't it? You know, it's not that one singular big, like, VPN pipe. It's every single connection that you make, I assume, is evaluated. Yeah. And prioritized for any other requirements that might need to go on top of it.

Alan Armstrong

Yeah, I mean, I've, from the MFA perspective, when I've been testing it, I don't, I haven't seen many MFA prompts, but that is because I'm using Windows Hello for Business. And when that's used, that acts, because it's using the TPM, it's acting as a second factor. So generally when I access 365 and that from my managed device, my MFA is performed that way, at a phishing resistant level, without knowing about it, which is amazing. It's only when I had to actually break, not break, but unenroll from Windows Hello and have to try and remember my password again for my account, to actually see the MFA prompt in effect. So even potentially with the user, it might be seamless to them if you're using Windows Hello for Business, because that's doing that MFA sort of factor. Providing you sign in with Windows Hello, then it's acting, it's proving that your token is valid in effect for that logon for that endpoint. Yeah.

Sam Foot

And again, another integration, another part of the ecosystem, right. You know, that is all the way from the device and integrated through, right. Just to, and dare I say about Microsoft, no offense Microsoft, but, you know, really improving that user experience, right. You know. Yeah.

Alan Armstrong

And probably another thing to sort of mention, because that all, in effect, the user traffic is all going up through the Entra Global Secure Access, in effect there's a lot more logging. So there's a lot more we can detect from what's happening in SharePoint and Entra. Not Entra, SharePoint, in Teams, and potentially Exchange as well. So there's more auditing there. And it can also detect applications that users are accessing as well, and maybe services. So it's kind of also, because we kind of mentioned CASB sort of previously, but I think this might be another way of collecting that user activity as well, maybe being more granular about what they're actually accessing. Because we know that we're with MDA, doing Microsoft Defender for Cloud Apps, sometimes that, the cloud discovery is right in what it's seeing. But sometimes I think we've seen with a couple of our customers, haven't we, Sam, that the services back onto AWS, CDNs and things like that, and we don't truly see what the actual application is. So I think this might help with that.

Sam Foot

Yeah, no, that seems, yeah, it seems really powerful. So Alan, how do you deploy it?

Alan Armstrong

Okay, so in effect for the endpoints there is a client. So for Windows, Mac, Android and iOS is going to be supported. I think some of them are in private preview, or what's the term for, is it flight test on Apple? TestFlight. Yeah, so we're in that sort of, that scenario at the moment. For, for Android you actually install the Defender for Endpoint, and then that is used to in effect tunnel the data through the Global Secure Access. For Windows and Mac, I think there's just a client that you install, and then you sign into it, and then that in effect, and what you do is you sign into that service. And I think you only sign into it once and then it knows that, you're in effect, your account on your device is then sort of matched alongside it, and then it starts building the policies and things like that, that you're assigned to, and generally sort of checks for policy updates as and when it needs to. So that kind of gives you the process for connecting at least to the service from the endpoints. You then, like I said before, do your configuration in the Entra portal. You have to sort of enable the service and a few things like that, and then build policies and apply them using conditional access to the users to actually be enforced.

And then for the access to on premise, or infrastructure as a service based services, I kind of mentioned it before, you do have to deploy the private access connectors, I think they're called, or in effect the upgraded app connector. And they are sort of outbound Internet traffic. So you don't have to tunnel into your network. They're looking at services, or waiting for service connections from Entra, from the Entra sort of backend. And you can group those depending on the services. So it might be that if you've got a data center, you may have a connection within there for a service, and then other connectors for different sort of other scenarios. So you can be quite granular with how you control access in your network environment. And there is probably a step there to talk about designing as, and, you know, where those connectors sit, what access they have, and kind of, you know, things like that. So it's sort of an architecture sort of design for that, which, you know, you would have for any sort of SSE sort of solution.

And then that's pretty much, I say, it's pretty much it really. A lot of the sort of deployment isn't necessarily deploying the, the agent or deploying the app proxy. It's more around the design of the, the architecture of the networking side of things, potentially, like I said, where you put those connectors, but also the policies. You know, how many policies you want to have, how do you layer them, what services you want to allow access to on, you know, on premise or in data centers, who needs access? All those sort of different combinations there. So that's where the sort of complexity, I guess, all the designing side of things, takes place. But generally, to get started, it's relatively easy, I guess, to get started.

Sam Foot

Yeah, it seems, yeah, really. Well, yes, it's a cloud service, isn't it? You know, it's almost, I don't know, a bit underwhelming in some respects. Yeah.

Alan Armstrong

I mean, if you're talking for like 40 minutes and I just said in five minutes, hey, at a very high level, you know, how easy it is to get started, that's probably quite true on how easy it is to get started. It's just then, like I said, okay, now how do I map out who needs what access, because it is all identity driven. So it's then working out all those scenarios and then mapping them out and then building the policies.

Sam Foot

Yeah, I suppose we've got to think about the inverse relationship of the features, you know, like the number of features and sort of value add versus the deployment and maintenance and upkeep time. Right. So if we just take money out of the equation a second, that is important obviously. But in terms of, like, for us technical folk, getting it implemented, using it, you know, just generally in the cloud, sometimes you don't have feature parity, I suppose is fair to say, but generally you have a vastly lower maintenance, onboarding, deployment and technical resource requirement. You're just effectively saying install a client, which, if you've got modern endpoint management, you can probably deploy relatively trivially, if not just one click, and then, you know, you do some configuration and things are set up. There are no appliances to configure, you know, there's nothing to physically do, if that makes sense, which, when it comes to networking, is just very different to the, quote, norm, isn't it?

Alan Armstrong

Yeah, I mean there may be like maybe a couple of minutes for, you know, the service in your tenant to spin up maybe, but that's probably about it at the moment anyway.

Sam Foot

Yeah, that's amazing. What about licensing and cost and where it is in terms of its product journey?

Alan Armstrong

Okay, so at the moment it's in public preview, and at the moment you only need an Entra Plan 1 licence, or any combination that has that, to partake in the public preview. So today you can try in effect everything out under public preview licensing, so in effect, go say, for free. But once it's in public preview you can access it, in effect. At the moment we don't know what the licensing is going to look like.

It's not currently public and it's still being, you know, finalised by Microsoft at the moment. So we don't know what the cost is going to be either. But sort of an idea of, you know, Microsoft hitting this market, because this is kind of the first product in the SSE, networking from an endpoint perspective, sort of solution: I would probably guess it's going to be quite competitive to some of the other competitors like Zscaler and things like that. So yeah, we just have to see. We don't have any idea yet when it's going to go generally available, GA, but it's definitely worth trying it out, seeing what some of that functionality is, even if you just trial it on a test machine just to get an idea of its capability. And then I guess it will then be a decision as to whether the cost is reasonable enough to help with the issues you might be having, or to replace the current solution you have and simplify things. That's the aim for it all. So we'll see.

Sam Foot

Yeah, no, definitely a very exciting, I'm going to call it an addition, because I do feel it's a completely new thing for Microsoft, isn't it, to have this fully managed solution. Because some of this you can build, SD-WAN, in, you know, Azure, can't you? All the individual components. I know this isn't the same thing, but you can effectively transit through Azure and move your networking topology up to there. Right? Yeah, but as a fully managed solution, except for requiring certain things like client applications or, um, other, you know, um, the...

Alan Armstrong

Yeah, the connectors into the on-premise environment. But that's kind of expected, I guess. Yeah.

Sam Foot

You know, you're going to need something. Something's got to be there in order to, yeah, proxy that traffic. Right. Um. So to have it so well integrated as well with Entra, because, you know, we are looking at this not just from a device, and I think you sort of called it out when you were talking about the web filtering that we've got with Defender. You know, this is all user based and it's all session based really as well, right, and application based. So it's multiple tiers up the hierarchy, if that makes sense. Right. So, you know, if you want that integration, I mean the commercials have to stack up and also, you know, people are going to have to skill into this area potentially. But, you know, I can assume that that tight integration could be very valuable for organisations.

Alan Armstrong

Yeah, yeah, definitely. There's just something else I just need to see, because again, this solution, there are some private preview parts to it there in the, what do you call it, the Customer Connection Program for Entra. And there are some interesting things there that are happening as well, on top of what, you know, I've already sort of announced that I can't talk about, which is also, you know, quite exciting in various ways. But I think there's a part that I can't... I thought it was public but it isn't, so I have to backtrack from that, unfortunately.

Sam Foot

That's a teaser for GA.

Alan Armstrong

I thought it was public, but I can't say anything about it, so I can't. I'd rather be safe than sorry with that.

Sam Foot

Well, on that note, yeah, thanks for taking us through GSA, Alan. It looks like a really positive product. Very interested to see it out in the world, that's for sure. Yeah.

Alan Armstrong

Okay. Yeah, no worries. Hopefully I did it justice. We managed to speak for 15 minutes with it. Okay, so what's the next episode then, Sam?

Sam Foot

Next episode is going to be April news. So every month, the first episode of the month is the news from the previous month. I sort of cover Azure infrastructure related updates; Alan generally tends to cover security related changes. Last month was a bumper month. I haven't looked at the list yet, so I can't comment. So, yeah, we should have... we pick out our top topics, yeah, the ones that sort of interest us. There's much more than what we just talk about, and yeah, we sort of wrap it into a single episode to keep you guys up to date.

Alan Armstrong

Cool. Yeah. I do wonder what's been released. I haven't looked either, from the Microsoft side, from the security XDR side of things anyway. Okay, so did you enjoy this episode? If so, please do consider leaving us a review on Apple or Spotify. This really helps us reach out to more people like yourselves. If you have any specific feedback or suggestions for our episodes, we have a link in our show notes to get in contact with us. Yeah.

Sam Foot

And if you've made it this far, thanks very much for listening, and we'll catch you on the next one. Yeah, thanks all. Bye.
