I have a lot of conversations with organizations trying to evaluate not only the functional differences, but the cost and licensing differences between Office 365 and a Cloud Access Security Broker (CASB). In one such recent conversation, I was asked how much the organization in question could save by carving out the "built-in" add-on security from Microsoft and going with a CASB instead. The answer for the organization in question? $2,040,000. Let's break down the scenario and where that number comes from.
The organization in question is over 10,000 users, but let's use 10,000 for simplicity. This organization also needs the Microsoft Office standalone applications, which means their starting point is the Office 365 E3 license, at $20 per user per month, regardless of whether they do anything for security. Their stated security requirements include:
- Real-time DLP/quarantine and access control for Office 365 (i.e., via proxy rather than API only)
- Mobile data protection for BYOD and a highly mobile workforce accessing Office 365
- Single Sign-on, Contextual Step-up Auth and User Behavior Analytics
- Ability to protect their data and devices from known and unknown malware proliferation
- Support for AWS and a couple of additional custom applications
- Shadow IT and Breach Discovery
Let's run through a point-by-point comparison. First up, Microsoft:
- You can't get real-time data protection with any Microsoft product. If the customer is forced to drop this requirement, they can get out-of-band basic DLP with file quarantine by buying the Cloud App Security (CAS) add-on, at $5 per month.
- Microsoft only offers Intune, a traditional MDM, which is a horrible fit for BYOD, but let's shoehorn it in there. To get Intune, we need to step up from CAS to Enterprise Mobility Suite (EMS) E3. That ups the add-on cost from $5 to $8.75.
- Single Sign-on, Step-up Authentication and UEBA require Azure Active Directory Premium P2 and Microsoft Advanced Threat Analytics, which, luckily, can be had as a package if the customer steps up from EMS E3 to EMS E5, so we're now at $15 per user per month above the starting E3 license.
- Known malware detection, via a signature-based engine, comes with the E3 base license, but this organization doesn't want malware protection with 50% efficacy. They want to guard against the unknowns, and that means they need to add Advanced Threat Protection, which requires a step up to the top-of-the-line E5 license. That's another $15 per month over the E3, so we're at $50 per user per month total. Yowza!
- If we want to future-proof, Microsoft supports 6 apps beyond Office 365 (I refuse to count Okta as an "app"). No added cost for this one, just a gamble. There is no support for their custom apps, though, so they'll need to buy something else, cost unknown.
- CAS (and EMS E3 and EMS E5) include Shadow IT discovery. No answer for Breach Discovery (malware, anonymizers, etc.). Another gamble.
Total cost: $50/user/month * 10,000 users * 12 months = $6,000,000 per year
Now, let's look at the comparison point. For budgetary purposes, let's put the Bitglass Standard edition at $10/user/month, with anti-malware add-on at $3/user/month:
- Real-time data protection included in Standard edition.
- Agentless mobile data protection included.
- Full identity suite and UEBA included.
- Known and unknown malware protection (through partnership with Cylance) available as an add-on.
- Bitglass Standard Edition includes support for a broad catalog of SaaS, IaaS, and custom applications.
- Bitglass Breach Discovery includes both Shadow IT and several other threat intelligence datasets.
Total cost: ($20 for E3 license + $10 for CASB + $3 for anti-malware) * 10,000 users * 12 months = $3,960,000 per year
Savings? $2,040,000 per year! Plus a lot more functionality and a lot less confusion. CASB, FTW.