Office 365 Security Licensing and Pricing – 2019 Edition
In late 2017, I wrote a post, Office 365 Security Licensing Demystified, to help clarify the dizzying array of cloud security licensing options available from Microsoft, and how those options compare in both price and functionality to the Bitglass Next-Gen Cloud Access Security Broker. Both vendors have continued to develop their offerings, adding new features and functions, so this comprehensive update reflects those changes over the past year.
A couple of points on how to use these tables:
- The Overview table shows the addressable scope/use cases of the respective technologies – across both app support and enforcement capabilities (inline vs out-of-band). The Details table shows the details of available data protection capabilities that can be used within the addressable scope.
- For example, if a solution doesn’t support inline data protection, none of the data protection capabilities in the second table can be applied inline.
- The E3 and E5 options are base Office 365 enterprise license packages. Most organizations will opt for the E3 at least, since that is the first Office package that includes the traditional offline Office applications, so the table assumes E3 as the starting point. E5 includes all E3 functionality, as well as additional features.
- All of the packages marked as “add-on” are in addition to the E3 or E5 package, and they build upon one another. For example, the EMS E3 includes CAS and some additional functionality. Add-ons can be bought with either the E3 or the E5 Office license.
- All pricing is list pricing.
- Links to Microsoft’s description and pricing for each service have been included in the table for easy reference.
Takeaways from this update?
- The shift from a core group of major SaaS applications for most enterprises makes the Microsoft offering, which still only supports 7 applications, less and less relevant with each day that passes.
- Microsoft has not dropped prices on any of its offerings, continuing to provide limited functionality at a very high price.
- It remains as confusing as ever to purchase and deploy the Microsoft suite of products, with numerous packages available and many separate tools from which to configure and deploy their security offering.
Regardless, many enterprises will at least take a look at the Microsoft offerings, and hopefully this post can make that challenge at least a bit easier, though I would recommend skipping the whole exercise and heading straight for the Bitglass CASB:
| Overview | ||||||||
| Bitglass | E3 | E5 | CAS Add-on | EMS E3 Add-on | EMS E5 Add-on | |||
| Price ($$$ / user / month) | From $7 | $20 | $35 | $3.50 | $8.74 | $14.80i | ||
| App Support | ||||||||
| O365 Support | Yes | Yes | Yes | Yes | Yes | Yes | ||
| Major SaaS Support | Yes | No | No | Yesii | Yesii | Yesii | ||
| Other SaaS Support | Yes | No | No | No | No | No | ||
| IaaS Support | Yes | No | No | Limitediii | Limitediii | Limited | ||
| Custom App Support | Yes | No | No | No | No | No | ||
| Enforcement capabilities | ||||||||
| Inline Data Protection on unmanaged devices | Yes | No | No | Limitediv | Limitediv | Limitediv | ||
| Inline data protection on managed devices | Yes | No | No | No | No | No | ||
| API out-of-band data protection in the cloud | Yes | No | Yesv | Yes | Yes | Yes | ||
| Details | ||||||||
| Identity | Bitglass | E3 | E5 | CAS | EMS E3 | EMS E5 | ||
| Single sign-on | Yes | No | No | No | Yes | Yes | ||
| Native Multifactor Authentication | Yes | No | No | No | Yes | Yes | ||
| Integrates with 3rd Party MFA | Yes | No | No | No | No | No | ||
| Auto-redirect | Yes | No | No | No | No | No | ||
| Contextual step-up auth | Yes | No | No | No | Novi | Novi | ||
| Credential compromise detection | Yes | No | No | No | Novi | Yesvi | ||
| IDaaS Integration | Yes | No | Yes | Yesviii | Yesviii | Yesviii | ||
| Premises AD integration | Yes | Yes | Yes | Yes | Yes | Yes | ||
| Mobile data protection | ||||||||
| Data protection for managed devices | Yes | No | No | No | Yesix | Yesix | ||
| Agentless data protection for BYOD | Yes | No | No | No | No | No | ||
| Data protection | ||||||||
| Basic DLP (Keyword, Regex only) | Yes | Yes | Yes | Yes | Yes | Yes | ||
| Advanced DLP (exact match, prox, occur, image, ML, etc) | Yes | No | No | No | No | No | ||
| DLP Actions (WM, Redact, Encrypt, etc) | Yes | No | No | No | No | No | ||
| Apply & Read Data Classification Labels | Yes | Nox | Nox | No | Nox | Yesx | ||
| DRM | Yes | Yesx | Yesx | No | Yesx | Yesx | ||
| Access Control | ||||||||
| Managed vs Unmanaged Device Detection | Yes | No | No | No | Yesxi | Yesxi | ||
| Allow/block session conditional access | Yes | No | No | Yesxii | Yesxii | Yesxii | ||
| Restricted app access via real-time controls | Yes | No | No | Limitedxiii | Limitedxiii | Limitedxiii | ||
| IP address restrictions | Yes | No | No | No | Yes | Yes | ||
| Geo-fencing | Yes | No | No | No | No | No | ||
| Encryption | ||||||||
| In-cloud file encryption and data residency | Yes | No | No | No | No | No | ||
| Field encryption | Yes | No | No | No | No | No | ||
| BYOK key management | Yes | No | Limitedxiv | No | No | No | ||
| Threat Protection | ||||||||
| Known malware protection | Yes | Yes | Yesxv | No | No | Yes | ||
| Zero Day threat protection | Yes | No | Yes | No | No | No | ||
| Cloud Security Posture Management | ||||||||
| Admin Portal Access Control | Yes | No | No | Yes | Yes | Yes | ||
| Service visibility and remediation | Yes | No | No | No | No | No | ||
| Data-at-rest DLP scanning | Yes | No | No | No | No | No | ||
| Data-at-rest encryption | Yes | No | No | No | No | No | ||
| Custom app in IaaS CASB | Yes | No | No | No | No | No | ||
| Visibility | ||||||||
| Audit level transaction logging | Yes | No | No | No | No | No | ||
| UEBA | Yes | No | No | No | No | No | ||
| Manual Shadow IT discovery | No | No | Yes | Yes | Yes | Yes | ||
| Automated Shadow IT discovery | Yes | No | No | No | No | No | ||
| Breach discovery | Yes | No | No | No | No | No | ||
| Integration & Architecture | ||||||||
| Coexists w/Fwd Proxies (SWG) | Yes | Yes | Yes | Yes | Yes | Yes | ||
| ICAP w/prem DLP | Yes | No | No | No | No | No | ||
| SIEM integration | Yes | No | No | No | No | No | ||
Recent Articles By Author
*** This is a Security Bloggers Network syndicated blog from Bitglass Blog authored by Rich Campagna. Read the original post at: https://www.bitglass.com/blog/office-365-security-licensing-and-pricing-2019-edition
