IT professionals have long wrestled with the trade-offs between using a best-of-breed, single point solution and one of a suite of offerings from a large, well-established vendor. Yet, the old catchphrase, “nobody ever got fired for choosing IBM,” seems increasingly out of place in the fast-changing and high-stakes world of cyber security, where safe can leave you sorry.
Microsoft is migrating customers from its licensed suite of office productivity software to Office 365 (O365), its cloud and mobile-first platform. In order to address the cloud’s unique security and compliance issues, and to generate additional revenue streams, Microsoft has developed product features and acquired businesses that compete with best-of-breed (BoB), independent providers. Some of the products in its Enterprise Mobility & Security E3 and E5 packages, and its BoB competitors, include:
Azure Active Directory. Identity and access management service, competing with Okta, Ping Identity, OneLogin and Centrify.
Defender Advanced Threat Protection. Service that detects, investigates and responds to advanced attacks. It competes with anti-virus software providers as well as endpoint detection and response providers such as Cylance, CrowdStrike, Bromium and Carbon Black.
Cloud App Security. Service that identifies and controls employee use of SaaS apps as a means of combating “shadow IT,” a phenomenon in which employees procure or access technology without first seeking IT’s consent. It competes with Netskope, Skyhigh Networks, Bitglass and CipherCloud, which started with shadow IT, but also have developed many other features and functions to achieve comprehensive control over data flowing to and from the cloud.
Let’s focus on Cloud App Security.
Microsoft’s cloud and mobile-first strategy has given the company newfound mojo. Their O365 product is a compelling, evolutionary step beyond their traditional, licensed Office suite. More than 70 million people currently use O365 commercial every single month. However, at this point, Microsoft’s journey to build security into O365 has left them far short of the capabilities offered by their best-of-breed alternatives. Not surprisingly, their Enterprise Mobility & Security E5 package (which includes Cloud App Security) is routinely offered at a heavy discount to its list price of $15 per user per month. Microsoft’s security offerings will continue to improve, but most customers have real problems they need to solve now, and a best-of-breed solution is the only way to go.
The cloud represents a generational transformation, requiring a whole new way of thinking about its intended and unintended consequences. The typical company today has more than a third of its data in the cloud, and many have no visibility into all the SaaS apps and cloud hosts used by their employees and contractors. There are more than 25,000 SaaS apps in circulation, of which fewer than 10% are enterprise-ready, so the cloud introduces considerable security and compliance issues to manage.
By 2012, about a dozen firms that Gartner calls cloud access security brokers (CASBs) had emerged to address these issues. CASBs are gateways that filter data flowing to and from the cloud. They provide an assessment of risk for each app, usually expressed on a scale of 1 to 100, so IT can quickly decide which apps should be sanctioned, permitted or unsanctioned.
CASBs can also extend a company’s data loss prevention (DLP) policies to the cloud, enabling IT to track employee behavior and even encrypt data at rest within sanctioned apps like O365, Salesforce, Workday, and many others. It’s virtually impossible to comply with data privacy regulations such as EU GDPR (where non-compliance penalties can cost a company up to 4% of global revenue), NYCRR, and many others without a best-of-breed CASB.
Today, Microsoft, as well as Cisco, Symantec and Forcepoint, offers CASB-like functionality as part of its broader offerings. Customers waiting for a seamless integration of all the elements of an integrated suite of products from these major vendors may have their patience tested. In February 2017, one CEO of a major vendor described his plans to integrate a CASB business that he had just acquired: “We’re breaking the bones and resetting the company to be really strong when we grow up.” That sounds like a pretty painful customer journey.
Netskope and Skyhigh Networks, among others, remain pure-play CASBs, and are best-of-breed in the category. Using Microsoft’s security products can lower enterprise risk, especially as a layer in a comprehensive strategy, and they’re certainly better than doing nothing. However, considering the stakes involved in cyber security, relying just on Microsoft is like bringing rocks to a gunfight. Here are some reasons why you would want to rely on a BoB CASB.
Architecture. Any major sanctioned app, such as O365, Salesforce or Box, offers its own, independent platform for security. BoBs promote a centralized approach that is applicable across all apps. The walled garden approach to security isn’t scalable in the cloud; not when the typical company has over 1,000 apps on their network. Only a comprehensive approach can detect anomalies, identify threats traversing apps, and monitor data that might exfiltrate to an app.
Bias. Will Microsoft devote enough attention to apps with which they compete? Will the security issues associated with Box get the attention paid to OneDrive? How about Salesforce/Dynamics CRM, Slack/Teams and Google/O365?
Persistence of Coverage. A CASB’s ability to inspect traffic is dependent on the form of its connection to the app. Microsoft only connects to an app via an application programming interface (API), so it cannot inspect traffic in real-time. A BoB CASB connects in-line, including forward and reverse proxies, providing visibility and control in real-time.
Size of App Directory. As a core competency, a BoB CASB maintains the most complete directory of apps, currently numbering over 25,000. Microsoft’s directory is far less complete.
Adaptive Access Control. Enforcing DLP policies in the cloud requires a granular understanding of device classification and permissible activity across apps. For example, a BoB CASB can block PHI data from being downloaded from Box to an unmanaged device if the user is not a member of a “medical professional” Active Directory group.
Use Case Coverage. Cloud security is all a BoB CASB has been thinking about for over seven years now. During that time, a BoB CASB has built its platform to accommodate all the conceivable use cases from hundreds of customer deployments. Focus brings expertise and agility that Microsoft simply cannot match.
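An added example, not from the original article or any CASB vendor: a minimal policy evaluator for the rule given under Adaptive Access Control above (block PHI downloads from Box to an unmanaged device unless the user is in the “medical professional” group). The `Request` and `Rule` types, the label and group strings, and the choice to treat unknown device posture as unmanaged are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset                # directory groups resolved for the user
    app: str
    activity: str
    labels: frozenset                # DLP classifications found in the content
    device_managed: Optional[bool]   # None: posture could not be determined

@dataclass(frozen=True)
class Rule:
    name: str
    app: str
    activity: str
    label: str
    unmanaged_only: bool
    exempt_group: Optional[str]
    action: str = "block"

def norm(s):
    return s.strip().casefold()

def matches(rule, req):
    if norm(rule.app) != norm(req.app) or norm(rule.activity) != norm(req.activity):
        return False
    if rule.label not in req.labels:
        return False
    # Fail closed (assumption): only a confirmed managed device escapes the rule.
    if rule.unmanaged_only and req.device_managed is True:
        return False
    if rule.exempt_group and norm(rule.exempt_group) in {norm(g) for g in req.groups}:
        return False
    return True

def decide(rules, req):
    """First matching rule wins; anything unmatched is allowed."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.name
    return "allow", "default"

# Constructed policy and requests (hypothetical names), mirroring the article's example.
POLICY = [Rule("phi-box-unmanaged", "Box", "download", "PHI", True, "medical professional")]

def demo():
    phi = dict(app="Box", activity="download", labels=frozenset({"PHI"}))
    cases = {
        "clerk_unmanaged": Request("clerk", frozenset({"Finance"}), device_managed=False, **phi),
        "clinician_unmanaged": Request("dr", frozenset({"Medical Professional"}), device_managed=False, **phi),
        "clerk_managed": Request("clerk", frozenset({"Finance"}), device_managed=True, **phi),
        "clerk_unknown_device": Request("clerk", frozenset({"Finance"}), device_managed=None, **phi),
    }
    return {name: decide(POLICY, req)[0] for name, req in cases.items()}
```

The unknown-posture case is the one worth checking in any real deployment: a rule that only fires on a confirmed unmanaged device silently allows traffic whenever device classification fails.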
IBM and Microsoft perfected the tactic of introducing FUD (fear, uncertainty and doubt) into the technology purchase decision. Today, the best-of-breeds are more likely to get you to question the safety of relying solely on the big guys, and for good reason.