Microsoft Expands Entra Into Secure Service Edge


In response to an expanding threat landscape, on July 11 Microsoft released a new set of products that grows its Entra identity and access management (IAM) line into the secure service edge (SSE).

“Within the last 12 months, we have observed the average of more than 4,000 passwords attacked every second, which, compared to a year ago, was up from 1,287. So that is almost 2.5 [times] increase,” Joy Chik, president of identity at Microsoft, says. “It’s shocking, but it also means it’s more critical than ever [to] protect in terms of that secure access.”

The most significant part of today’s product announcement is Entra Internet Access and Entra Private Access, now in public preview. The former is an identity-centric zero-trust network access (ZTNA) service that protects Internet traffic and integrates with the company’s Conditional Access intelligent policy engine. The latter controls access to business assets and applications based on network conditions and situational needs. Together they represent Microsoft’s entry into the SSE product category.

Entra Private Access enables secure access from any network to private apps and resources. “A user can be anywhere — you can be at home, you can be at a cafe — and still be able to access those applications and those private data in a secure way,” Chik says.

If something about a user access attempt raises suspicion, Entra Internet Access can throw up a 2FA prompt, limit access to resources, or simply block the user. Chik says it integrates with Microsoft 365 apps and extends Conditional Access policies to network conditions.

In short, Entra Private Access allows users to securely access company resources through a secure Web gateway, and Entra Internet Access ensures that the network access itself is secure. Chik says, “We don’t need to create a VPN type of a perimeter, but we can make sure you can still access both Internet or private resources in a secure way.”

Other New Entra Products

Last year Microsoft debuted the Entra product line with Azure Active Directory (Azure AD), Entra Permissions Management, and Entra Verified ID. Microsoft later added Entra ID Governance and Entra Workload ID to the mix.

Today Entra ID Governance became generally available and introduced more features, such as a lifecycle management workflow and entitlement management. Another tool in general availability, Entra Verified ID, allows users to add confirmed information to a digital wallet so that they can prove employment on LinkedIn or present career certifications to their employer.

Entra Workload ID verifies identity and controls access for non-human users, aka machine identities, so that access privileges for programs and bots can be centrally controlled. “There’s way more workload identities than human identities in all the products and services we all use, and they tend to be overpermissioned,” Chik says. “How can we have a product to identify all the permissions … and also how do we remediate or reduce all those permissions? It’s super important that we don’t just try to only focus on the human aspect, but then neglect the workload aspect of identity.”

Entra External Identity, which is now in public preview, extends Entra secure identity access from employees and workload identities to external users such as customers, guests and business partners. It brings B2B customer identity and access management (CIAM) capabilities to the Entra platform.

The last announcement is simply that Azure AD has been given a new name: Entra ID.

Bringing in AI Features

This being 2023, Microsoft is incorporating AI/ML in a couple of different ways. Entra ID (formerly known as Azure AD) leverages the extra data Entra Internet Access and Entra Private Access collect to learn about typical user behavior and flag suspicious variation from the pattern. When an anomaly is detected, Entra ID can either raise an alarm to the customer or just block user access, Chik says.

Another category that uses AI/ML is workflow automation. “We’re thinking about when an employee comes and leaves — they join, they leave, they change their jobs — and how do we make all that auditable? How do we make sure they only have the right access to the right resources at the right time?” Chik says. A typical access pattern can create a standard set of permissions for new employees, and also produce security compliance reports.

“You can do everything from the security product — detect, monitor, remediate,” Chik says. “I think more critical than ever is how to protect your secure access to begin with.”
