In late 2017, I wrote a post, Office 365 Security Licensing Demystified, to help clarify the dizzying array of cloud security licensing options available from Microsoft, and how those options compare in both price and functionality to the Bitglass Next-Gen Cloud Access Security Broker. Both vendors have continued to develop their offerings, adding new features and functions, so this comprehensive update reflects those changes over the past year.
A couple of points on how to use these tables:
- The Overview table shows the addressable scope/use cases of the respective technologies, across both app support and enforcement capabilities (inline vs. out-of-band). The Details table shows the data protection capabilities available within that addressable scope. For example, if a solution doesn't support inline data protection, none of the data protection capabilities in the second table can be applied inline.
- The E3 and E5 options are base Office 365 enterprise license packages. Most organizations will opt for the E3 at least, since that is the first Office package that includes the traditional offline Office applications, so the table assumes E3 as the starting point. E5 includes all E3 functionality, as well as additional features.
- All of the packages marked as "add-on" are in addition to the E3 or E5 package, and they build upon one another. For example, the EMS E3 includes CAS and some additional functionality. Add-ons can be bought with either the E3 or the E5 Office license.
- All pricing is list pricing.
- Links to Microsoft's description and pricing for each service have been included in the table for easy reference.
Takeaways from this update?
- Most enterprises have shifted away from relying on a core group of major SaaS applications, which makes the Microsoft offering, still limited to 7 supported applications, less relevant with each day that passes.
- Microsoft has not dropped prices on any of its offerings, continuing to provide limited functionality at a very high price.
- It remains as confusing as ever to purchase and deploy the Microsoft suite of products, with numerous packages available and many separate tools from which to configure and deploy their security offering.
Regardless, many enterprises will at least take a look at the Microsoft offerings, and hopefully this post can make that challenge at least a bit easier, though I would recommend skipping the whole exercise and heading straight for the Bitglass CASB:
Overview

| | Bitglass | E3 | E5 | CAS Add-on | EMS E3 Add-on | EMS E5 Add-on |
|---|---|---|---|---|---|---|
| Price (USD / user / month) | From $7 | $20 | $35 | $3.50 | $8.74 | $14.80 (i) |
| Major SaaS Support | Yes | No | No | Yes (ii) | Yes (ii) | Yes (ii) |
| Other SaaS Support | Yes | No | No | No | No | No |
| Custom App Support | Yes | No | No | No | No | No |
| Inline Data Protection on unmanaged devices | Yes | No | No | Limited (iv) | Limited (iv) | Limited (iv) |
| Inline Data Protection on managed devices | Yes | No | No | No | No | No |
| API out-of-band data protection in the cloud | Yes | No | Yes (v) | Yes | Yes | Yes |

Details

| | Bitglass | E3 | E5 | CAS | EMS E3 | EMS E5 |
|---|---|---|---|---|---|---|
| **Identity** | | | | | | |
| Native Multifactor Authentication | Yes | No | No | No | Yes | Yes |
| Integrates with 3rd Party MFA | Yes | No | No | No | No | No |
| Contextual step-up auth | Yes | No | No | No | No (vi) | No (vi) |
| Credential compromise detection | Yes | No | No | No | No (vi) | Yes (vi) |
| Premises AD integration | Yes | Yes | Yes | Yes | Yes | Yes |
| **Mobile data protection** | | | | | | |
| Data protection for managed devices | Yes | No | No | No | Yes (ix) | Yes (ix) |
| Agentless data protection for BYOD | Yes | No | No | No | No | No |
| Basic DLP (keyword, regex only) | Yes | Yes | Yes | Yes | Yes | Yes |
| Advanced DLP (exact match, proximity, occurrence, image, ML, etc.) | Yes | No | No | No | No | No |
| DLP Actions (WM, Redact, Encrypt, etc.) | Yes | No | No | No | No | No |
| Apply & Read Data Classification Labels | Yes | No (x) | No (x) | No | No (x) | Yes (x) |
| Managed vs. Unmanaged Device Detection | Yes | No | No | No | Yes (xi) | Yes (xi) |
| Allow/block session conditional access | Yes | No | No | Yes (xii) | Yes (xii) | Yes (xii) |
| Restricted app access via real-time controls | Yes | No | No | Limited (xiii) | Limited (xiii) | Limited (xiii) |
| IP address restrictions | Yes | No | No | No | Yes | Yes |
| In-cloud file encryption and data residency | Yes | No | No | No | No | No |
| BYOK key management | Yes | No | Limited (xiv) | No | No | No |
| Known malware protection | Yes | Yes | Yes (xv) | No | No | Yes |
| Zero Day threat protection | Yes | No | Yes | No | No | No |
| **Cloud Security Posture Management** | | | | | | |
| Admin Portal Access Control | Yes | No | No | Yes | Yes | Yes |
| Service visibility and remediation | Yes | No | No | No | No | No |
| Data-at-rest DLP scanning | Yes | No | No | No | No | No |
| Custom app in IaaS CASB | Yes | No | No | No | No | No |
| Audit level transaction logging | Yes | No | No | No | No | No |
| Manual Shadow IT discovery | No | No | Yes | Yes | Yes | Yes |
| Automated Shadow IT discovery | Yes | No | No | No | No | No |
| **Integration & Architecture** | | | | | | |
| Coexists with Forward Proxies (SWG) | Yes | Yes | Yes | Yes | Yes | Yes |
| ICAP with on-premises DLP | Yes | No | No | No | No | No |

Notes:

- (i) EMS E3 and E5 are available with all O365 enterprise levels.
- (ii) CAS, EMS E3 and EMS E5 support 17 apps, including O365.
- (iii) CAS and EMS offer admin portal conditional access only; no CSPM or CASB functionality.
- (iv) CAS and EMS offer a browser reverse proxy only; no Office 365 support.
- (v) E5 includes a CAS subset: O365 only, barebones feature set.
- (vi) EMS E3 and E5 include Azure AD Premium P2 identity protection.
- (viii) CAS/EMS includes Azure AD and Okta connectors only.
- (ix) EMS E3 and E5 include Intune MDM.
- (x) Azure Information Protection differs for O365 vs. P1/P2 in the EMS suites.
- (xi) EMS E3 and E5 detect domain-joined Windows devices, Intune MDM-managed devices, or certificates; requires use of Azure AD.
- (xii) CAS and EMS restrict ActiveSync and browser apps only.
- (xiii) CAS/EMS: browser only, limited apps, DOES NOT SUPPORT Office 365.
- (xiv) E5 Customer Key is available for O365 only.
- (xv) E5 and EMS E5 include Advanced Threat Protection.