
SaaS DLP for Google Drive: Metomic vs. Bettercloud

by The Nightfall Team, October 11, 2024

Data is the new gold, likely as or more valuable than any of your other corporate assets. If you're here, you probably have a wide range of data sitting in Google Drive, ranging from credit card numbers to unstructured corporate IP. It's not hard to believe your docs, spreadsheets, and slides may as well be the Wild West for bad actors who are looking to escalate their privileges—or worse, hold your data for ransom.

Protecting your Google Cloud from potential breaches may seem like a herculean feat for SMBs and enterprises alike. This is especially true if you’re working with legacy SaaS data loss prevention solutions (aka SaaS DLP solutions) which often leave gaps for bad actors to sneak through your spotty cloud security.

The cloud security landscape is full of vendors like Google Cloud DLP, Forcepoint Data Loss Prevention, Material Security, Fortra's Digital Guardian, Palo Alto Enterprise DLP, and more—all of which address different aspects of cloud security.

But here, we want to home in on two competing SaaS security platforms: Metomic and Bettercloud. Both of these platforms offer distinct approaches to SaaS DLP. While this may seem like a jarring comparison at first, the truth is that the way a software company sees itself is often less important than how its clients use its products. In this comprehensive guide, we're focusing on evaluating how effective each security platform is for organizations looking to secure sensitive PII, PCI, PHI, secrets, IP, and more in Google Drive.

What are the key threats to your data in Google Drive?

When you think about securing a digital asset, the first thing to consider is the value of the data it contains, as well as specific potential threats to that data. From there, you can reverse engineer which features will be most important to you in building an ironclad SaaS security posture. Here are just a few key threats to consider during that process:

  • User error: This is the most common way to lose, corrupt, or expose data in cloud workspaces. According to Verizon's Data Breach Investigation Report, just under three quarters of data breaches involve the "human element." To illustrate, this "human element" could take the form of an employee sharing sensitive documents and accidentally granting access privileges to "anyone with the link."
  • Misconfigurations: Once again, human error is front and center. Cloud environments, like Google Cloud, can be quite complex. Without proper visibility into sharing settings and permissions, it can be difficult to know when employees grant access privileges to someone who shouldn't have them.
  • Insider threats: While most insider threats tend to be earnest employees who accidentally violate policy rules, they can also be malicious employees who purposefully violate policy rules to exfiltrate sensitive documents, abscond with IP, or reap some form of financial benefits. In any case, insider threats can leave gaps in your cloud security that can open the door to potential breaches.
  • Third parties and contractors: Third parties and contractors are often given access privileges for Google Cloud along with a wide range of business-critical apps across your cloud platforms. While they may need this access to do their jobs, this also opens them up as potential attack vectors.
  • Vulnerabilities: Resourceful attackers can exploit architectural problems in software to gain unauthorized access to sensitive data, or generally to cause mayhem. Not too long ago, researchers uncovered a security flaw in Google Drive's free version that, due to its lack of forensic capabilities, allowed threat actors to enter, exfiltrate data, and leave Google Drive without leaving a single trace. (In the end, this "free" version was actually quite costly.)
  • Phishing and social engineering attacks: These well-known—and highly effective—attacks are most likely to result in credential theft when Google Drive is the target. 
  • Malware: This hostile software can help hackers gain unauthorized access to a device, steal data, and wreak havoc on regulatory compliance. For instance, ransomware prohibits access to data until a ransom is paid. Worse, though: Malware can be just a small part of a more layered attack that establishes a backdoor for ongoing data exfiltration.
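
The user-error, misconfiguration, and third-party items above all show up in a file's sharing permissions. The following is an added example, not code from any vendor discussed here: it audits file metadata shaped like Google Drive API v3 `files.list` results and flags "anyone with the link" and external sharing. The file names, addresses, `COMPANY_DOMAIN`, and the severity labels are constructed assumptions.

```python
# Added example: flag risky sharing in Google Drive file metadata.
# Input mirrors Drive API v3 files.list output requested with
# fields="files(id,name,permissions(type,role,emailAddress,domain,allowFileDiscovery))".
# Every file, address and domain below is constructed sample data.

COMPANY_DOMAIN = "example.com"  # assumption: the organization's own domain

SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 payroll.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ]},
    {"id": "f2", "name": "Roadmap.gslides", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"},
    ]},
    {"id": "f3", "name": "Vendor contract.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "carol@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "pat@contractor.test"},
    ]},
    {"id": "f4", "name": "Press kit.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dave@example.com"},
        {"type": "anyone", "role": "writer", "allowFileDiscovery": True},
    ]},
]

WRITE_ROLES = {"writer", "fileOrganizer", "organizer", "owner"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}  # labels are this example's own


def classify_permission(perm, company_domain=COMPANY_DOMAIN):
    """Return (severity, reason) for a risky permission, or None if internal."""
    ptype, role = perm.get("type"), perm.get("role")
    can_write = role in WRITE_ROLES
    if ptype == "anyone":
        # allowFileDiscovery=True means the file is findable via search,
        # not just reachable by someone holding the link.
        if perm.get("allowFileDiscovery"):
            return ("critical", "public on the web (discoverable)")
        return ("critical" if can_write else "high", "anyone with the link")
    if ptype == "domain":
        domain = perm.get("domain", "").lower()
        if domain != company_domain:
            return ("high", f"shared with external domain {domain}")
        return None
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        # A missing address (e.g. a deleted account) is treated as external.
        if not email.endswith("@" + company_domain):
            return ("high" if can_write else "medium", f"external {ptype} {email}")
    return None


def audit(files, company_domain=COMPANY_DOMAIN):
    """Return findings for all files, most severe first."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            verdict = classify_permission(perm, company_domain)
            if verdict:
                findings.append({"file": f["name"], "role": perm.get("role"),
                                 "severity": verdict[0], "reason": verdict[1]})
    return sorted(findings, key=lambda x: SEVERITY_ORDER[x["severity"]])


if __name__ == "__main__":
    for row in audit(SAMPLE_FILES):
        print(f'{row["severity"]:8} {row["file"]:22} {row["role"]:7} {row["reason"]}')
```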

How does SaaS data loss prevention help with cloud security?

In short, SaaS DLP is a cloud security solution that's built to keep data from walking out the door. Effective SaaS DLP is focused on securing data everywhere it lives across your cloud platforms, whether it's at rest or in motion. Solutions range from more preventative (e.g. securing data before it becomes a problem) to more responsive (e.g. blocking data mishandling, like data exfiltration).

Even at the most basic level, SaaS DLP must have a few essential capabilities, including:

  • Accurate discovery of both real-time and historical data in cloud apps.
  • Up-to-date data classification technology to help security teams adhere to compliance standards.
  • Customizable policy rules (e.g. redaction rules) for determining how to action sensitive data once it's detected.

Sounds simple enough, right? But often, legacy SaaS DLP solutions suffer from noisy detection, outdated machine learning (ML) technology, and complex policy engines. Especially in medium-sized and enterprise businesses, this may lead to heavy security workloads, noncompliance with regulations, and poor cloud security.

Why is cloud security so difficult?

Collaboration-oriented SaaS apps like Slack or Teams may feel deceptively private—so much so that employees might not think twice before sharing credit card numbers or sensitive documents. As a result? Data sprawl runs rampant across cloud platforms big and small.

While pasting sensitive data into a DM, post, or prompt may feel necessary in order to accomplish tasks, this is exactly how companies who have experienced major breaches (like Uber, Okta, and Disney) keep finding themselves bested by threat actors despite having robust cybersecurity programs.

The missing link? Better SaaS security for cloud workspaces like Google Cloud. By implementing SaaS DLP and developing a stronger SaaS security posture management program, it's possible to stop data sprawl, prevent privilege escalation attacks-turned-breaches, and maintain continuous compliance with regulations.

Challenges with controlling access privileges

In today's distributed environments, where people are working from locations all over the globe, and networks are incredibly complex, centralizing app protection has proven difficult even for the brightest minds in cybersecurity. Controlling access initially promised to "keep attackers out", and while it's a necessary fundamental, the truth is that access control is not reliable on its own as a means of prevention.

There are just too many ways for people to mistakenly mishandle data, even when SaaS security practices are taught, reiterated, and required. Further, cloud access security brokers (CASB) and secure access service edge (SASE) have emerged over the past decade in an attempt to address the tremendous risk to data in SaaS applications. However, as any CISO writing the checks for these solutions will tell you, they are very, very expensive and come with their own set of challenges.

Challenges with finding the right SaaS DLP solutions

SaaS DLP solutions tend to fall into two categories: legacy and next-gen. The former focuses on manual processes, and the latter incorporates "smart" features and automation. The reason next-gen SaaS DLP was developed, simply put, was because legacy solutions leave too many gaps. Every time an employee logs in and performs work, changes are being made to corporate data. Telling employees to do their jobs well while following company security policies to the letter, with 100% accuracy, and 100% consistency is unrealistic.

Of course, you could monitor every move they make, correcting any rule violations on the spot, but who wants to babysit remote teams all day? Plus, at what cost to company culture would you be implementing such a solution? 56% of employees who are actively, digitally monitored report additional stress or tension at work.

Challenges with compliance standards

Technology leaders and security professionals alike are concerned with more than just preventing data breaches. The truth is, risk management involves meeting industry and legal compliance standards – most of which have been created to protect against personal, customer, and sensitive data exposure.

Regulatory compliance violations are not only significant risks to any business due to the hefty financial costs associated with fines, but also because they distract organizations from their main purpose. The impact of compliance violations to operations, customer trust, and brand can be quite significant.

SaaS DLP showdown: Metomic vs. Bettercloud

Metomic cloud DLP for SaaS apps

Metomic at a glance

Automated data discovery and classification

Metomic can identify and classify sensitive data across a range of SaaS apps, including Google Drive, Slack, and Notion. By discovering staples like PII, PCI, and other data, Metomic grants security teams visibility into cloud environments to help improve their SaaS security posture management overall.

Alerts and remediation

While Metomic doesn't offer automated remediation options like automated encryption, Metomic does offer alerts regarding compliance violations found within scanned files. In this way, it can improve security teams' abilities to get a better idea of what digital assets are stored and shared across the cloud.

Metomic pros and cons

Pros:

  • Automated discovery and classification: These two processes are essential to pinpointing and preventing possible data leaks before they happen.
  • Customizable classification and rules: Security teams can create custom policy rules (e.g. redaction rules) to maintain compliance with regulations.
  • Cryptographic hashing and redaction: Within Google Drive, this form of remediation helps to prevent unauthorized access to sensitive data.

Cons:

  • Too many false positives: Users report being overwhelmed by false positive alerts. As businesses scale, they increase the quantity of data that needs to be scanned—and without a high enough true positive rate, false positive alerts can become unsustainable to monitor and respond to.
  • Real alerts get lost: With an extremely noisy alerting system, real alerts can get lost in the mix. As any SOC analyst will tell you, alerts are only useful when they are consistently accurate and actionable.
  • Hidden costs: Metomic's noise level also changes what may be perceived as cost efficiency, because staff is having to do more work manually than they should to maintain their security tool—and security specialists' time is not cheap.
  • Immature AI: Metomic needs a greater period of time on the market to tune its rudimentary ML detection. Small and midsize businesses, as well as enterprises, may prefer a more mature model to get more accurate alerts, save on time and costs, and ultimately, create a more agile, responsive cybersecurity program.

Bettercloud cloud DLP for SaaS apps

Bettercloud at a glance

SaaS DLP management

Bettercloud is designed to view all SaaS apps in use in a single place, enhancing visibility into SaaS spending. This aspect makes it less of a security tool and more of a holistic software inventory management solution. That said, it also has a robust set of security features that can make a huge difference in managing risks.

For example, Bettercloud helps by automating data protection, such as by assisting with employee onboarding and off-boarding, policy management, threat prevention, centralized data protection, and even auto-logouts when users are implementing risky apps (which are inevitable due to employees' use of shadow IT).

Data visibility and compliance monitoring

Bettercloud offers historical file scans, identifies security and compliance policy violations, and creates an audit trail in the process. This discovery capability can be very helpful, but it doesn't include live scanning, discovery, classification, and remediation within many of the most commonly used SaaS apps.

Policy enforcement

Bettercloud can enforce acceptable use for what actions a user takes in SaaS apps. This is very helpful for tech leaders who carry a lot of stress about whether or not users will remember to follow security and compliance policies after their onboarding and annual trainings.

Bettercloud pros and cons

Pros:

  • SaaS inventory management beyond Google Drive: Identity management can be quite challenging, especially now that SaaS apps are easy to access for any user within an organization. By centralizing SaaS discovery in one tool, security teams can prevent permissions sprawl and shadow IT, mitigating insider risk and bolstering cloud security in the process.
  • Collaboration rule settings: Bettercloud's ability to manage collaboration settings within SaaS apps can help prevent instances of data sharing violations during the course of daily work.
  • Continuous monitoring: While Bettercloud does not meet stringent enough requirements to be a comprehensive continuous monitoring solution, it does provide a way to monitor SaaS apps for specific violations in an ongoing way.

Cons:

  • Limited data security: Knowing what SaaS apps your teams are using is not the same as securing data being used within them.
  • No automated remediation: Alerting is not the same as remediation. The burden of responding still rests on security teams who are already overwhelmed with alerts from numerous security platforms.
  • Limited data scanning: Sensitive data doesn't just live in Google Drive. As a legacy SaaS DLP solution, Bettercloud doesn't scan live locations, and may therefore be limited in preventing data sprawl via certain channels like messages and emails.
  • Lack of customization: Customers say that Bettercloud lacks the granular customizability needed for a holistic SaaS app management tool at the mid-market and enterprise levels.
  • Burdensome user interface: Some customers report that it takes time to learn how to navigate the Bettercloud platform. Given the ongoing cybersecurity workforce gap, with 3.5 million unfilled roles year over year, time is not a luxury most security teams can afford.

Looking for something better? Try Nightfall instead.

Nightfall AI is the security tool of choice for securing corporate data in Google Drive. The Nightfall platform provides smart, accurate, and automated data protection for PII, PCI, PHI, secrets, and IP in Google Cloud and beyond. Whether you're looking to prevent data sprawl, stop data exfiltration, or just generally strengthen your SaaS security posture, Nightfall consolidates all your tasks into a single pane of glass.

Nightfall cloud DLP for SaaS apps

Nightfall at a glance

Protect sensitive information from a single platform

  • Scan for sensitive data: Nightfall's generative AI-powered engine is 2x more accurate, and has 4x fewer false positives, while scanning apps like Google Drive for sensitive data. This leads to 4x lighter workloads for security teams—and that's before we factor in additional time savings from automation.  
  • Get real-time visibility: Nightfall provides hi-res visibility into Google Drive, Gmail, Slack, Teams, and other business-critical SaaS apps. This empowers security teams to track sensitive data sharing, download activity, and more.
  • Apply automated actions: Nightfall can automatically quarantine, delete, and redact sensitive data. It can also apply automated actions based on your established Google Drive labels. 
  • Support compliance: Nightfall enforces compliance with industry standards like PCI-DSS, GDPR, HIPAA, and CCPA, just to name a few.
  • Create a culture of security: Educate employees with custom notifications to let them know how they violated company policy rules. But that's not all; you can also encourage them to remediate their own violations with Nightfall's "Human Firewall" feature. The best part? It's all in real time.

SaaS DLP Showdown: Final thoughts

Who mitigates risk the most effectively?

In addition to staples in your security program (think access controls, business continuity, disaster recovery, and incident response), the best approach to protecting sensitive assets is to either 1) remove them or 2) make them unusable to bad actors.

Nightfall built its platform on the philosophy of keeping sensitive data in places where it's unusable to threat actors. We do this by redacting sensitive data, encrypting it, or using cryptographic hashing. After all, if there isn't any data floating around in Google Drive, data theft becomes a moot point. As it turns out, this risk mitigation strategy is extremely effective if you're using a mature, AI-native detection engine that can pinpoint sensitive data both historically and in real time.

While Metomic has followed Nightfall's lead into next-gen SaaS DLP, it still has some work to do on its AI model, and may be better suited for organizations with plenty of time to handle false positives—like an enterprise with dozens of security analysts who might have the time to manually sift through logs.

Bettercloud, on the other hand, is designed more as a SaaS inventory management and compliance tool that also happens to have security features. This approach is best suited for organizations that have already invested in robust next-gen SaaS DLP capabilities, have an in-house SOC, and don't need to automate response actions.

Who's the best for responding rapidly to threats?

As attack types, data types, and data usage methods continue to evolve, it's important to have a SaaS DLP tool that can learn and grow with your business. This sets both Nightfall and Metomic apart for their ability to support custom policies and rules.

Bettercloud falls short in its ability to respond to new threats, but to be fair, that's not really what it was designed to do. It's limited in its ability to perform asset discovery because it doesn't give customers the opportunity to self-define the data they want to protect (unlike Nightfall and Metomic).

Who's the best for enforcing compliance with regulations?

When it comes to meeting complex and ever-changing compliance requirements, you're going to want the most powerful, customizable, AI-powered SaaS DLP engine on the market. For that, we rank these competitors as follows: Nightfall first, Metomic second, then Bettercloud third.

Who has a better UI?

Nightfall AI scores highest for UX, but Metomic's customer reviews are certainly above average in the user interface department. Bettercloud did not score well with users on overall navigability and user experience. However, if admins are willing to put in the time to learn the tool inside and out, they may find it much easier to use.

Who has the most customizable policies?

Nightfall AI and Metomic set themselves apart with customizability for policy rules, data types, and more. As established, this is fundamental to future-proofing your DLP investments.

Nightfall has one key advantage though: Top-notch customer support. Nightfall considers each customer a partner in developing our product further, whether it means adding new integrations, detectors, or data types. This kind of support and functionality will ensure you meet regulatory requirements – regardless of data format.

Bettercloud has different product goals than customizability, making it better suited for organizations who are likely always going to be concerned with unchanging datasets and critical assets.

Who integrates seamlessly with existing cloud environments and security platforms?

Once you secure your Google Drive, you may find that other applications emerge in the future where you need a point solution. It's always good to use a single tool for multiple functions where you can in order to reduce tech sprawl.

With 70+ integrations, Bettercloud is definitely designed for comprehensive management over SaaS DLP. This robust list of integrations probably appeals greatly to technology leaders who are overwhelmed with vendor management and tool management tasks.

Metomic and Nightfall AI have both taken the approach of focusing integrations on applications where organizations experience the greatest gaps in SaaS DLP, each of which is listed below.

Nightfall SaaS integrations:

Metomic SaaS integrations:

  • Box
  • ChatGPT
  • Confluence
  • Dropbox
  • GitHub
  • Google Drive
  • Jira
  • Linear
  • Notion
  • Salesforce
  • Trello
  • ZenDesk

Pricing at a glance

According to analysts at Vendr, Metomic comes in slightly lower than Nightfall, with a 16% difference in price. Given the time and investment each organization has put into its AI model, however, it feels appropriate that Metomic is slightly cheaper.

Bettercloud comes in at the lowest cost of the three. If you're not concerned with protecting sensitive data in Google, have dozens of other SaaS apps to manage, and only want to apply policies to prevent a handful of risky user activities, this is a great option for you. Of course, it won't help you remediate sensitive data living openly in places it shouldn't be, but we're going to assume that Bettercloud users already have a next-gen SaaS DLP solution for Google Drive and aren't buying it for that purpose.

Which SaaS DLP solution has the best value and ROI?

When it comes to deriving value from security tools, it's good to consider your motivators:

If you're using Google Drive as a corporate workspace, you're probably a forward-thinking company that's priming itself to scale. Chances are high that you're a startup reaching for the mid-market or small enterprise growth stage. (In other words, you still care about saving money.)

If you're primarily concerned about saving money and are less worried about time spent on alerts, reliable SaaS DLP, or costs associated with a breach, Metomic's cost benefits will be appealing for your use case. Plus, it's not like your investment will yield nothing. You're sure to discover and remediate some sensitive data along the way.

If you're looking to build a solid SaaS security strategy using a solution you can truly "set and forget" without losing a wink of sleep, Nightfall is a great fit for your cloud security infrastructure use case. You can rest assured knowing that:

  1. Your data is safe, because Nightfall is going to do what you need it to do across your SaaS attack surface. Period.
  2. When you're ready to add DLP for other SaaS apps after Google Drive, you can. This allows for pain-free scalability across all your business-critical SaaS apps.
  3. You can use the Nightfall console as a centralized place to manage DLP across your SaaS apps, email, endpoints, and more. (Let's make portal fatigue a thing of the past, shall we?) Nightfall also integrates seamlessly with Slack, Teams, Jira, Gmail, and your SIEM of choice for easy, actionable alerting.
  4. You want a reliable provider you can be confident will still be growing and adding features year over year with a robust product roadmap, top-tier engineering, and amazing customer support.

Who has the best technical support?

In this category, you are going to have a pretty even tie. Bettercloud, Metomic, and Nightfall AI all have stellar reviews for their technical and customer support programs.

Who has the best documentation and resources?

Bettercloud offers a Developer Portal with a robust set of documentation around integrations, which is incredibly convenient and speaks to the main goal of the platform: self-managing massive quantities of SaaS data across your Google Cloud environment.

Metomic offers important and helpful technical documentation for its users and some guides. This is important, though they may be leaning more heavily on customer support managers while building up their documentation repository.

Nightfall AI offers a developer test environment, dozens of how-to videos, written guides, walk-throughs, and more. If this is the one thing that might tip the scale for you between two very similar products, Nightfall AI is the better choice. You can know that your tool admins will have everything they need from day one.

FAQs

What is cloud DLP, and how is it different from SaaS DLP?

Cloud DLP protects data your organization is storing or sharing in cloud environments. SaaS DLP protects sensitive data within cloud-based applications. The tools reviewed in this article are SaaS DLP-related.

Which SaaS DLP solution is best for combined security tool efficacy and cost efficiency?

We're a little biased, but we believe Nightfall is the best choice of SaaS DLP solution for getting security ROI on your investment.

What's the best way to secure customer email addresses using SaaS DLP?

The last thing you need this year is to find out you accidentally leaked your company or customer data. Naturally, you will need SaaS security measures to prevent potential data breaches in your CRM. Additionally, you will want AI-driven SaaS DLP to discover and remediate instances of customer data being added to or used in places where it shouldn't be. If you don't have time to watch every employee work every minute of every day, our money is on Nightfall.
