What are People Saying About Microsoft Entra’s New SSE Products?
In July 2023, Microsoft announced it was entering the ‘Security Service Edge’ market, with two new products: Microsoft Entra Private Access and Microsoft Entra Internet Access. The former is a cloud-backed VPN connection to on-premises environments and the latter is a cloud-based endpoint proxy. I shared my initial thoughts about these products at the time. Microsoft’s announcement and my article received some feedback. In this article, I analyze that feedback and try to figure out how well the market accepts Microsoft’s SSE initiative.
Operating System Support
One comment made it clear: A VPN/proxy solution with only a Windows client is unacceptable. While the largest percentage of desktop clients are still Windows-based, there are many macOS and Linux devices out there. In my customer base, macOS is often used by management, marketing, and developers. While these devices are a small percentage of the Windows base, products to protect devices need to be supported on all devices. Not having a macOS client is a showstopper for a lot of my customers.
Microsoft already has a VPN client for mobile called ‘Microsoft Tunnel.’ Microsoft has not said if they intend to integrate Microsoft Tunnel into the Microsoft Entra stack, or if they will remain separate products (which is not desired. Two products for the same use case add unnecessary complexity and overhead).
The Microsoft 365 Kill Chain and Attack Path Management
An effective cybersecurity strategy requires a clear and comprehensive understanding of how attacks unfold. Read this whitepaper to get the expert insight you need to defend your organization!
Dependency on Existing Hardware
While the new SSE products cover a gap in Microsoft’s portfolio, other vendors have extensive experience with SSE products gathered over multiple years. This means that organizations have existing contracts with cloud vendors or have already purchased on-premises hardware that will be in place for multiple years.
To me, Microsoft is very aware of this situation. Building success for a new product line takes time – ‘Rome wasn’t built in a day’. You can compare it to the release of Microsoft 365 Defender. It is not like hundreds of companies migrated to Defender the minute it became available, most migrated because their current Exchange license was expiring, the on-premises hardware had to be renewed, or the alternative functionality is vastly superior. The same will be true for Microsoft’s SSE products. Microsoft makes a lot of noise in this market and wants people to be aware of their solution. If people know Microsoft as a contender, there is more chance that people will jump on these solutions when they renew contracts/hardware.
Unknown Cost
As with most products in public preview, there is no clear indication about what Microsoft will charge for the two products. Microsoft does not have a great track record in pricing new products, with the recent price of Microsoft 365 Copilot coming in at a whopping $30 per user per month. While there might be value for some users (as noted in Tony’s article), Microsoft has made no effort to showcase the ROI Copilot might bring, this makes it a tough sell as people don’t know what exact benefits they are getting. With the number of products Microsoft is putting outside a Microsoft 365 E5 bundle, people are getting hesitant to trust Microsoft from a licensing aspect, and this is the case here too. We have no idea whether Microsoft’s pricing will be in line with other products. If the price is not, Microsoft will have a difficult time hitting its sales objectives in terms of licenses.
Putting all Your Eggs in One Basket
When discussing Microsoft products with customers, some say to me ‘We don’t want to put all our eggs in one basket’, meaning they don’t want to trust Microsoft with everything. Some customers like to keep networking products with other vendors (such as VPN and proxy solutions, typically bundled in a firewall appliance). This can have a couple of advantages:
- If Microsoft experiences a network issue, it can potentially impact your entire organization (including remote access to on-premises solutions).
- Other vendors have other Threat Intelligence sources, meaning they might identify an IP address or URL which Microsoft might have missed. I have seen cases where an IP address is blocked by a product like zScaler, but not identified by Microsoft as malicious. In such cases, it is nice to have another source of threat intelligence as a second layer.
In my opinion, this hesitation is valid, and I hear the same discussion when talking about Microsoft 365 Defender. To me, it comes down to integration and ease of licensing. If an organization decides to be full-on with Microsoft, they have an easier time connecting the different products as it’s more likely that the products are designed to work together. Licensing will be simpler, as you have only one vendor to deal with and can negotiate on an exclusive basis.
Before people can get past their skepticism, Microsoft must prove that they have a strong, unified SSE product stack that is on par with competitors.
People are Skeptical
Most people I have talked to are skeptical about these two new products and I have to agree with them. It is clear that Microsoft’s current solution has many gaps and there is still a long road ahead before the SSE products are mature enough for a production roll-out. Combining this with an unknown cost, it is difficult to recommend that organizations ditch existing solutions to migrate to Microsoft’s SSE stack. My recommendation is to await further development. The current stack lacks features and there is no clear indication of what the licensing model will be.