<img src="//pixel.quantserve.com/pixel/p-_JKXxuL8SR7wu.gif?labels=_fp.event.Default" style="display: none;" border="0" height="1" width="1" alt="Quantcast">
blog-banner.jpg

Next-Gen CASB Blog

Office 365 Security Licensing Demystified

By Rich Campagna | October 20, 2017 at 12:28 PM

Office_365_logo.pngMicrosoft offers many different upgrade and add-on options for adding "built-in" security to Office 365. So many, that it sometimes seems impossible to figure out what you're actually getting from each package, and how the functionality compares to a third party security solution like a Cloud Access Security Broker (CASB). 

Fortunately, we have done the hard work for you and have consolidated the various options into this quick reference. We've also included comparison to the Bitglass CASB as a reference point. If you want to see how this plays out in a real world example, check out this previous blog post.

A couple of points on how to use these tables:

  • The overview table shows the addressable scope/use cases of the respective technologies - across both app support and enforcement capabilities (inline vs out-of-band). The second table shows the details of available data protection capabilities that can be used within the addressable scope.
    • For example, if a solution doesn't support inline data protection, none of the data protection capabilities in the second table can be applied inline. 
  • The E3 and E5 options are base Office 365 enterprise license packages. Most organizations will opt for the E3 at least, since that is the first Office package that includes the traditional offline Office applications, so the table assumes E3 as the starting point. E5 includes all E3 functionality, as well as additional features.
  • All of the packages marked as "add-on" are in addition to the E3 or E5 package, and they build upon one another. For example, the EMS E3 includes CAS and some additional functionality. Add-ons can be bought with either the E3 or the E5 Office license.
  • All pricing is list pricing.
  • Links to Microsoft's description and pricing for each service have been included in the table for easy reference.

The obvious takeaway? You can get a lot more for a lot less by investigating a third party solution like a CASB. That said, I know you're being pressured to at least consider what Microsoft has to offer, and that's where the table below can help. 

Still too daunting? Schedule a free licensing consultation with one of our in-house experts:

Office 365 Security Licensing Consultation

 

Overview Bitglass E3 E5 ASM Add-on CAS Add-on EMS E3 Add-on EMS E5 Add-on
Price ($$$ / user / month) $7/$10 $20 $35 $3 $5 $8.74i $14.80i
               
App Support              
O365 Support Yes Yes Yes Yes Yes Yes Yes
Other SaaS Support Yes No No No Yes Yesii Yesii
IaaS Support Yes No No No No No No
Private Cloud App Support Yes No No No No No No
               
Enforcement capabilities              
Inline protection on unmanaged devices (upload/download) Yes No No No No No No
Inline protection on managed devices (upload/download) Yes No No No No No No
API out-of-band protection Yes No Yes Yes Yes Yesiii Yesiii

 

 Details Bitglass E3 E5 ASM Add-on CAS Add-on EMS E3 Add-on EMS E5 Add-on
Identity              
Single sign-on Yes Yes Yes No No Yes Yes
Auto-redirect Yes Yes Yes No No Yes No
Contextual step-up auth Yes No No No No Noiv Yesiv
Credential compromise detection Yes No Yes No No Yes Yesv
Premises AD integration Yes Yes Yes Yes Yes Yes Yes
               
Mobile data protection              
Data protection for managed devices Yes Yes Yes No No Yesvi Yesvi
Agentless data protection for BYOD Yes No No No No No No
               
Data protection              
Basic DLP (Keyword, Regex only) Yes Yes Yes Yes Yes Yes Yes
Advanced DLP (exact match, prox, etc) Yes No No No No No No
DLP Actions (WM, Redact, Encrypt, etc) Yes No No No No No No
DRM Yes Yes Yes No No Yes Yes
               
Access Control              
Managed vs Unmanaged Device Yes No No No No Partialvii Partialvii
Restrictions by app, access method Yes Yes Yes No Yes Partialviii Partialviii
IP address restrictions Yes Yes Yes No Yes Yes Yes
Geo-fencing Yes No No No No No No
               
Encryption              
File encryption and data residency Yes No No No No Yes Yes
Field encryption Yes No No No No No No
BYOK key management Yes No No No No No No
               
Threat Protection              
Known malware protection Yes Yes Yes No Yes Yes Yes
Zero Day threat protection Yes No Yes No No No No
               
Visibility              
Audit level transaction logging Yes No No No No No No
UEBA Yes No No No No No No
Shadow IT discovery Yes No No No Yes Yes Yes
Breach discovery Yes No No No No No No
               
Integration & Architecture              
Interoperable with SWG proxies Yes Yes Yes Yes Yes Yes Yes
ICAP w/prem DLP Yes No No No Yes No No
SIEM integration Yes No No No Yes No No
  1. EMS E3, E5 available with all O365 enterprise levels
  2. CAS, EMS E3, EMS E5 support 7 apps, including O365
  3. E5 incl. ASM, a CAS subset - O365 only, barebones feature set
  4. EMS E3, E5 include Azure AD Premium P2 identity protection
  5. EMS E3, E5 include Azure AD Premium P2 identity protection
  6. EMS E3, E5 include inTune MDM
  7. EMS E3, E5 detect domain joined Win or InTune MDM mgd devices only
  8. EMS E3, E5 restrict Activesync and all browser apps only
  9. E5 includes Advanced Threat Protection