Get our free report covering Zscaler, Microsoft, Palo Alto Networks, and other competitors of Netskope CASB. Updated: January 2022.
565,304 professionals have used our research since 2012.

Read reviews of Netskope CASB alternatives and competitors

Cloud Security & Governance at a financial services firm with 10,001+ employees
Real User
Integrates well and helps us in protecting sensitive information, but takes time to scan and apply the policies and cannot detect everything we need
Pros and Cons
  • "The feature that helps us in detecting the sensitive information being shared has been very useful. In addition, the feature that allows MCAS to apply policies with SharePoint, Teams, and OneDrive is being used predominantly."
  • "It takes some time to scan and apply the policies when there is some sensitive information. After it applies the policies, it works, but there is a delay. This is something for which we are working with Microsoft."

What is our primary use case?

MCAS was onboarded for the purpose of detecting shadow IT. As the organization moved towards more SaaS solutions, we wanted to make sure that there is a way to monitor and govern the IT services coming up as shadow IT. We are a very big organization where a lot of services get onboarded, and some of the things may go unnoticed. We wanted to detect the shadow IT software being installed or shadow IT happening within a department or business unit.

We also wanted to make sure that the cloud access security broker provides a DLP kind of solution for Office 365. For example, if I am uploading a document with PI data, MCAS should scan and make sure that the right classification is applied. When the right classification is applied, the document gets encrypted, and relevant information protection is applied. If the right classification is not applied, the users are alerted to make sure that they go and remediate the document, task, file, etc.

This is how we started with this solution the last year. Going forward, as a strategic solution, we are also looking at using MCAS to govern the Office environment. We have started onboarding solutions like Microsoft Teams, SharePoint Online, OneDrive, and Exchange Online. 

Our setup is a mixture of on-premises and cloud solutions. At this point in time, the major cloud providers are AWS and Azure, and we also have on-premises products such as Symantec DLP, Doc Scan, etc.

How has it helped my organization?

There are certain regulatory requirements in our bank for personal data and confidential information that need to be monitored from a security standpoint. It is a regulatory and standard requirement to have such a solution in place. 

MCAS is a dedicated solution for Office 365 and other productivity-related solutions, and it really helps to automate some of the processes. It would have been difficult for us to find a similar product. It gels well with some of the solutions or technologies that we have, especially with Microsoft Azure and Office 365.

From a security monitoring perspective, there is a productivity improvement and fewer human errors.

In terms of user experience, if users mistakenly put PI information or some kind of data, it can detect and alert them. From that aspect, it is doing the job, but we are using it from a security standpoint. I'm more from a regulatory environment, and there are security requirements that are enforced by regulators. So, we cannot provide some of the end-user experience features, and there should always be a balance between the end-user experience and the security standpoint. MCAS is more of a backend security posture product. I won't position it as enhancing the user experience.

What is most valuable?

The feature that helps us in detecting the sensitive information being shared has been very useful. In addition, the feature that allows MCAS to apply policies with SharePoint, Teams, and OneDrive is being used predominantly.

It is a kind of unified solution. As compared to other solutions such as Netskope, Symantec, or McAfee, it provides a more unified reporting structure.

It also integrates with other technologies. We have Azure Information Protection, and it goes well with the solutions that we are already using.

What needs improvement?

It takes some time to scan and apply the policies when there is some sensitive information. After it applies the policies, it works, but there is a delay. This is something for which we are working with Microsoft.

It cannot detect all the things that are required as per our bank's standards. We are working with Microsoft to see how they are going to help us resolve this, and based on NDA, which new features are coming in because we require a unified solution. We have other security solutions that are working on top of it, but we don't want to use multiple solutions and then end up with a human error. From a security perspective, the weakest link is human error. If certain features are monitored by MCAS, certain features are handled by Zscaler, and certain features are handled by Symantec DLP, it becomes difficult to synchronize from an operational standpoint. This is the situation we are in currently, but these issues come with new products or new cloud solutions. We have to slowly orchestrate and see how to unify the solutions. So, at present, it doesn't solve all the problems. There are many problems, but at least, we have other solutions that are currently providing some mitigation.

It doesn't provide any way to scan Microsoft Teams when an external exchange of images is happening. You can always do the filtering on the documents during the chat, but if there is an image, then some kind of OCR capability is required to detect it. At present, there is no way MCAS can go and detect those kinds of images and alert us. They can maybe integrate it with an existing OCR-capable product. This is something that we are absolutely looking into. There should also be a feature to immediately increase the time to detect some PI information being exchanged via chat.

Its reporting capabilities can be better. Currently, to generate reports, you need to have Power Automate in place. If such capabilities are built into the product, it would be easier because when we bring in Power Automate, we need to make sure that Power Automate also gets monitored from the DLP and governance standpoints. MCAS doesn't have many reporting capabilities, and it's really an operational nightmare to get all these things done at this point in time by using MCAS. These are some of the operational capabilities that our engineers require from this solution from the reporting perspective. Symantec and other solutions are more mature in this area. It could be because MCAS is still an upcoming product.

For how long have I used the solution?

We onboarded Office 365 and cloud services less than two years ago. MCAS was one of the strategic and DLP kind of solutions for Office 365 and other productivity products. Because the onboarding of the cloud services is in phases and not everything can be onboarded at the same time and it requires the involvement of different security and project departments, MCAS was onboarded last year.

What do I think about the scalability of the solution?

From an enterprise perspective, it meets most of the interoperability requirements. So, scalability is there. I don't see an issue from the scalability perspective. Only features are missing here and there.

Currently, it is almost serving the entire bank. In terms of the SaaS products that MCAS is monitoring and the number of users it is serving, we have onboarded around 40,000 users for Office 365 and other SaaS products. Eventually, it will be serving the entire bank, but at this point in time, it is only serving all Office 365 and SaaS product users. 

It is more of a cybersecurity solution for the bank to comply with all the security requirements and meet the security quotient. The end users don't see MCAS as a direct solution, but MCAS is providing security services for the bank behind all the services.

How are customer service and technical support?

We have proper help desk support. For example, if someone uploads a document that has PI data and there is an issue, it is highlighted to the user asking them to remediate it. The manager is also copied. The help desk takes care of such things. 

Once the solution is implemented, it is almost auto-run. From the support perspective, it is mostly about why did I get this alert, what was wrong with this document, etc. Such things are usually taken care of by the user because users are responsible for what content they are allowed to load on a particular website, SharePoint site, or software. A robust change management process and help desk are already in place, and I don't see a big concern on this aspect.

Which solution did I use previously and why did I switch?

Previously, we didn't have any cloud product. We only had on-premise products. Our organization joined the cloud around one and a half years ago mainly because of this pandemic situation.

How was the initial setup?

It depends on the requirements. Certain requirements are really complex. The deployment itself is quite fast because MCAS is on the cloud, but there are a lot of requirements from the regulations and the bank's standards perspective.

It took us one week for the architecture and to decide things like whether we need a reverse proxy. To have all the requirements and get all the things done in an enterprise environment, typically, a simple product like MCAS can take three to six months. That's because there are a lot of governance requirements, and we need to make sure there is no PI data, and the keys are encrypted somewhere in the user ID part. 

In terms of the implementation strategy, at the high level, for Office 365 and SaaS solutions, we wanted a unified product to replace our existing one. From the strategy perspective, we wanted to go to the cloud. MCAS was able to integrate with most of our Office productivity tools. We procured the licenses and then went through the strategy of the bank and how the product can meet the needs. This was at a very high level. Of course, when we go into operations, we get operational challenges. That's why we need to have a longer time period to make a product coexist with the existing products.

What about the implementation team?

We have our own department, and they are trained in it. We also engage all sorts of vendors to provide us the results. At least for the interiors, we do not engage a third-party reseller or contractor.  

It was more of an in-house implementation, but Microsoft helped us in coming up with a service design for Azure-related products including Office 365. Based on our requirements and infrastructure, they provided high-level architecture and design documents and told us about the things to be included or considered. We took that service design document and built our operations based on that and got it to work. So, the service design came from Microsoft, but hands-on was by our bank.

In terms of maintenance, this is actually managed by security folks and cybersecurity services. Currently, it is being managed by three people. There are only three operators. Of course, when there are new things to be implemented and new policies to be created, it goes to engineering. For changes, we need one more person on average. So, there are a total of four people.

What was our ROI?

I can't give a specific number. One of the returns on investment is that we will soon be getting rid of our on-premise infrastructure and maintenance. The CapEx costs and repeated hardware refresh cycle are gone. From that perspective, there are savings. All we need is the skill set to maintain and manage a particular cloud access security broker. Today, we have four people, and tomorrow, it could be eight people because of the increase in the number of applications. The bottom line is that we will get rid of all operational issues in terms of patching and fixing different systems. We don't have to patch the Windows systems, Linux systems, etc. All these are taken care of and are maintained in the cloud.

What's my experience with pricing, setup cost, and licensing?

I'm not totally involved in the pricing part, but I think its pricing is quite aggressive, and its price is quite similar to Netskope. 

Netskope has separate licensing fees or additional charges if you want to monitor certain SaaS services, whereas, with MCAS, you get 5,000 applications with their Office 365. It is all bundled, and there's no cost for using that. You only have the operational costs. In the country I am in, it is a bit difficult to get people with the required skill sets.

Which other solutions did I evaluate?

I have been here for just around one year.  When I came, they were already using MCAS. In my previous organization, I made the decision to use MCAS for Office 365. For the entire cloud, I decided to use a dedicated cloud access broker like Cisco. It really depends on the organizational requirement and how they want to size their IT department. 

There are pros and cons. If you are totally on Microsoft products, MCAS has an integration. Otherwise, there are other products that may work better. Of course, you may still be dependent on some APIs from the cloud providers. It really depends on the organization's strategy.

What other advice do I have?

My advice would be that an organization should assess where they are today and then map out what they want from a cloud access security broker product. After that, they should decide whether MCAS or another product meets their requirements. This is important because you may have all the things in terms of interoperability and a solution may be the best fit from an operational perspective, but if all of the requirements are not met, you may end up using multiple products. Therefore, an organization must assess its current IT infrastructure, where they want to go, and what the key requirements are from a regulatory and IT governance standpoint. They also have to make sure they have the right skillset in the market. For example, in Singapore, if I want to implement Google Cloud, the skillset is much less available than the skillset for AWS.

From a vendor perspective, you should assess the reputability of the vendor and what kind of capability the vendor provides. For example, it's very obvious that Microsoft is very good at integrating its own products. They have now also started to integrate with others. These are some of the aspects you should consider before making a decision between product A or B. There is no magic silver bullet.

From a security standpoint, overall, it has satisfied 80% of our requirements in terms of regulatory and bank standards. For 20% of our requirements, we still need additional products or features. They are currently not really there, and we are trying to find the solution for those gaps. In general, MCAS has a long way to go. It is definitely a good product that integrates with Office 365 Suite very well, but from a capability perspective, other products such as SkyHigh, McAfee, or Symantec have more features. It has the potential. A lot of features are lined up in MCAS, and eventually, they'll be there. These features are mentioned on Microsoft's website, and they are in development. I am looking forward to those.

In terms of data governance, we have a very good tool, and we just need to focus on how to govern the data, DLP policies, etc. We don't have to bother about the physical data center, physical network, or physical host. The entire layer below the server is gone, and we just have to focus on the identity and security aspects. We just need to focus on what kind of security we need to put and which policies we need to implement. We get better visibility by focusing on the key client endpoints by using MCAS. The team is now really focused. Previously, every day, teams used to come up with issues like, "Network has this problem. Data has this problem, and Host has this problem." Now the focus is, "Hey, this MCAS DLP isn't doing the job." The focus is more on the product's capability.

I would rate Microsoft Cloud App Security a seven out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
David Overton
Sr. Director of Information Security & Enterprise Architecture at Childrens Home Society of Florida
Real User
Top 20
Gives us another layer of protection when it comes to end users; an extra set of eyes and ears
Pros and Cons
  • "The biggest thing that I like about this product is that it's easy to use and teach. When we have somebody new starting to work with the product, it's easy to teach them. It's also easy to use the product as it does so much."
  • "Integration into different multi-factor authentication tools. On their page, they tout Duo, but I don't use Duo. I use another vendor. Not that they don't interact, but it takes a little bit more doing. Any amount of efficiencies here would help."

What is our primary use case?

There are several use cases that we use it for:

  • DLP purposes. 
  • Multi-factor, step-up authentication. 
  • In conjunction with Okta. We have a lot of sensitive data that goes back and forth into the cloud. Also, to some cloud offerings where our mail is, with Office 365 being one of them. Bitglass helps us secure that traffic. It allows us to see where our data is going, who's accessing our data, and what people are trying to access our data.

How has it helped my organization?

It will alert us of somebody trying to knock on the front door (perimeter) and one of my end users' accounts is compromised. We are in the Orlando area and also across the state of Florida. However, if I know this person is in Orlando, then 10 minutes later, they're trying to log in from Tampa, that can't be done. I have tried. I have tried to drive as fast as I could to get from Orlando to near Tampa. It just didn't work out.

Logging in from Orlando and shifting to Tampa, that's a very real scenario where we had a staff member who was compromised. We were able to stop that based on the multi-factor, step-up authentication because the solution noticed the geographic locations were so disparate.

It gives us that extra set of eyes and ears, especially now with the pandemic. We don't have the amount of staff that other organizations have, since we're a nonprofit. The bad guys count on that. This solution gives us another layer of protection when it comes to end users, who are the people already behind the perimeter. It greatly helps us. 

In the cloud stuff, we set up all the rules and policies on one page based on the applications and things that we have rolled out. In this past year, we have been able to move from an on-premise Exchange Microsoft environment to Office 365. This is by its very nature what people use Office 365 for. Bitglass was able to help us secure this as a communication tool and also add the governance piece and enforce it.

What is most valuable?

The biggest thing that I like about this product is that it's easy to use and teach. When we have somebody new starting to work with the product, it's easy to teach them. It's also easy to use the product as it does so much.

I'm into looking at the DLP rules and finding out where our data is going and who is accessing it, especially now that our organization has gone remote. When typically only one section of our organization has been remote (our caseworkers), now everybody is remote. Therefore, we need to know for everyone else:

  • How is data governance being performed? 
  • Where can we increase our security posture by ensuring policies, procedures, and compliance are being taken care of? 

Bitglass is a big part of where our data is going. Then, the fact that I can make it unusable if it goes to places that we don't think that it should, by using digital rights management (DRM).

What needs improvement?

Integration into different multi-factor authentication tools. On their page, they tout Duo, but I don't use Duo. I use another vendor. Not that they don't interact, but it takes a little bit more doing. Any amount of efficiencies here would help.

The one area of improvement that I would suggest: Integrating to some on-prem things, like Active Directory. That would be helpful, but then I would need to have a third-party piece to do things automatically, not manually. 

For how long have I used the solution?

This is the second organization that I've implemented Bitglass. So, we're talking three years.

What do I think about the stability of the solution?

I've not had any problems with Bitglass going down. I've not had any issues with the AJAX-VM agentless protections at all. This is good tech.

I'm not seeing any latency with the traffic flow at all. Some of the biggest bottlenecks would be when folks are in the field and what wireless network that they connect to, e.g., are they using free WiFi? That is what prompted the need for a CASB. It was based on the data sets that we use. When our people go out, then they stop at a Starbucks or McDonald's because they have deadlines and things that they have to do. So, if they don't have a wireless access point or a MiFi, then they jump on these free WiFi things and we need to be able to secure their data. Bitglass allows us to do that.

We're at 99.99 percent uptime. The only outage had to do with when AWS had an outage and that lasted a short amount of time.

What do I think about the scalability of the solution?

I don't think there has been a problem with the scalability. I can scale what I need. Of course, there's a licensing fee involved, but I think they can handle whatever I throw at them. We're not a very large organization, but some of the organizations that I've met along the way that are a lot bigger than me don't seem to have a problem.

Right now, we have 1,800 employees working from home, so now I have 1,800 offices. Anything that is going out of our environment or perimeter, wherever that perimeter may be, we need to know:

  • How are they using our data? 
  • How has it changed? 

People are more confident in their own confines. In their house, they're very confident because that's their domain. So, they may not be following our data governance or best practices. Bitglass alerts look at:

  • How the data is being pushed.
  • How the data is being accessed.
  • Who's accessing it. 
  • Where it's being accessed from. 
  • Who are they sharing it with. 

We see all of that. It's all based on whatever rules we can think of.

Previously, we had 25,000 full-time staff and faculty, and more than 220,000 students going through Bitglass.

How are customer service and technical support?

If I do have an issue or a support need, the organization is responsive. I'm on the East Coast, and they're on the West Coast. You really couldn't tell, because they're right on it and been there. They've been what I call a strategic business partner in both instances that we put this on.

I had an issue at the previous company that I worked at. We are on the East Coast, and they are on the West Coast; they're in California, and we're in Florida. So, we had an issue at seven o'clock in the morning. It turned out that we had a certificate expire in ADFS. We called over there because we had no idea what was going on, as the initial troubleshooting was going to the Bitglass portal and blocking people from logging in there. So, we're getting people on the phone just so we could come to a conclusion to get a root cause. Not only did my account rep call me back and get somebody on the phone, the support engineer was called and was working with the team before I talked to our account rep. Then, we had a senior VP and the CEO call me within an hour. I also had some other folks call me within an hour to make sure that we were okay. That is the type of business that Bitglass is.

Which solution did I use previously and why did I switch?

Before, when I first got to the organization, things happened. People were compromised. Outlook accounts were indicators of compromise. To this date, I'm not finding those as often when I'm being alerted.

How was the initial setup?

The initial setup was pretty much straightforward. We did some integrations to get it all done and implemented, then you're off and running. 

The biggest drawback to the implementation was the organization. It took a little bit of time to buy because this is a different type of technology that the organization has not used, so going through the multiple meetings to give the benefits and what this provides us. That's a drawback in running the implementation.

The application only took a night to deploy. I'm talking about a few hours, but that was once everything was approved to go through.

We started with the critical data in the cloud. These types of datasets include the regulated data, such as HIPAA or PCI.

What about the implementation team?

We used our deployment managers. We took the training, then we used them. We didn't use any outside people.

There are two and a half people on my infrastructure team, including a consultant (who is not full-time). I am managing a lot of this solution myself by going in, cleaning up, and deactivating users. Users who leave the organization free up their places.

What was our ROI?

We are not a large IT shop. Anytime we can gain efficiencies and don't have to track down any false positives or false alerts, then we see ROI. With a small team, there's always that alert burnout where there can be so many alerts happening that it's just easier to do nothing. We don't find that. We find that we're able to get in and do a lot more of the infrastructure and things because the product works the way we expect it to.

What's my experience with pricing, setup cost, and licensing?

There is training involved. If you're going to add more people to it, such as cross-training more of your group, there's a cost. Other than that, that's it. We have paid exactly what the invoices have said. We signed a three-year contract and have not gone above it.

Understand what it is you're paying for with a CASB. Do your homework and understand what your use cases will be, because you will pay based on use case. Always be wary of someone who comes in and just wants to cut prices: someone who is going to lose to a competitor and just whacks their price in half just to get the business. If it didn't match your needs based on what the product does in the beginning, you're going to be sorry. Know your use cases and purchase towards your use case. Make sure that you get a strategic business partner when it comes to your vendors.

Which other solutions did I evaluate?

I did do an exhaustive search when it came to selecting a CASB. We looked at other major players: Netskope, Symantec, and Skyhigh. We looked at a lot of them before we saw Bitglass.

At the time, Bitglass had more out-of-the-box features and integrated more closely with our platforms. We're talking about Active Directory, where I can get that integrated. It's not a data dump or a nightly upload of our LDAP or directory solutions into the product. We were able to do or add the scanning via Cylance. That came standard with these, while with the other companies, it was an add-on piece or they reverse engineered the solution to try and make it work. I've been doing IT for 20 plus years. Anytime a company tries to reverse engineer something after they first purchase it, it's never a good experience for the end user because for support, it is always, "Oh, you've got to go over here," or "I've got to transfer you over here". Well, okay. "Now I've got to transfer you over here." That is not anything that I can hang my hat on. Therefore, you're looking at the amount of features and functionality from the Bitglass side, as opposed to some of their competitors. 

We didn't take one of their competitors because it was a large deployment with multiple servers in different areas. I was trying to reduce space, not increase my infrastructure footprint.

What other advice do I have?

The biggest thing is know your use cases. If you're not sure what your use cases are, have them help define them. When you understand your use cases, you understand how you're going to use the product. It doesn't mean that you don't learn the other bits and functionality of it, but your core duty to your organization is to protect that critical data. Understand what those data sets are and how critical are they:

  • Are they regulated via the state or at the federal level? 
  • What is it that you're trying to protect? 

If you can understand these questions, then you can tailor a lot of the training and a lot of what you have for what you need. I talk to my team all the time when we do things, and it has to be sustainable, maintainable and also adaptable. It has to be adaptable to the client because technology is the one thing that we have in business that will change. We know it will change. So, if you're rigid with whatever you're doing and not adapting, then you are already behind.

I really like what this product does and what it stands for. We are a nonprofit, and until our use cases change, we are not using the product to its fullest potential.

I do not use SASE yet. That is more for budgetary purposes. With the pandemic, our budget allocation has been a bit steep.

Biggest lesson learnt: The different ways people can use data. Where they access and share it, then send it, do things, and respond. I understand now the need, more than ever, to evangelize. In the security industry, there's a saying, "Your weakest link is your end user." I tend to disagree now. The weakest link happens to be our security awareness training. How well are we doing there? Because if you train and teach, then things go a bit smoother. 

With everything that I know about Bitglass and working with the organization as a whole, such as, meeting the CEO on down through new folks, I would rate them a 10 out of 10. They have a fantastic culture and ethic when it comes to the customer first. If I need something, they're there. Just this past week, we went to do an integration of the fifth application, but something happened, and we had to postpone it. Our deployment manager says, "No problem. I'm there." He didn't even wait for me to say what we were going to postpone it to. He just said, "Okay, I'm there." That puts me at ease. They have my back and are there to help.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Data Centric Security Expert, Strategic DCAP Business Enabler at a tech services company with 10,001+ employees
Real User
Good support, and the strategy works well to protect our data
Pros and Cons
  • "The support is excellent."

What is our primary use case?

We use this product for enterprise cloud security. My role is in strategy and security.

What is most valuable?

We were using MVISION for data protection.

The most valuable feature is the support. It's the best.

MVISION has a really good strategy and the CASB solution is excellent.

For how long have I used the solution?

We used McAfee MVISION Cloud for two years, but have recently stopped using it.

What do I think about the stability of the solution?

This is a stable product.

What do I think about the scalability of the solution?

It is definitely scalable.

How are customer service and technical support?

The support is excellent.

Which solution did I use previously and why did I switch?

Prior to MVISION, we used dedicated security tools like endpoint protection, virus scan, and so forth.

What's my experience with pricing, setup cost, and licensing?

This is an expensive product, but you have to compare that with other solutions that are on the market. We have a good relationship with McAfee and have a lot of their products, so we do not pay the same price that an end-user would.

Which other solutions did I evaluate?

We are currently evaluating another product and will not be using MVISION in the future. One of the products that we are looking at is MVISION for the cloud.

We evaluated Netskope, but we were offered a better price for MVISION.

What other advice do I have?

Personally, I have always found that McAfee has good products. This is a product that I recommend. My advice is to compare this product against other solutions to ensure that you receive the features that you want.

I would rate this solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.