Google is using a recent report from the US Cyber Safety Review Board (CSRB) that was critical of Microsoft’s security practices to make a case for its own Google Workspace suite of cloud-hosted email and office productivity apps.
In two separate blogs — and without once referring to Microsoft by name — company executives cited the CSRB report as a reason why enterprise organizations should consider moving away from Microsoft Exchange Online hosted email to Google Workspace.
The company has launched a new Secure Alternative Program with special pricing on its Google Workspace Enterprise Plus offering and on Mandiant’s incident response service for organizations that make the switch. Google will also offer migration and change management support for enterprises that need help transitioning from Exchange Online to Workspace.
The Risks of a Monoculture
“For years, security experts have warned of the risks of government overreliance on a single technology vendor,” Google Cloud senior director of global risk and compliance Jeanette Manfra and Charley Snyder, the company’s head of security policy, wrote this week. “The recent U.S. Cyber Safety Review Board (CSRB) report detailing significant security failures and systematic weaknesses in a longstanding vendor reaffirms these risks.”
The report that Google has brandished in its new campaign is based on the CSRB’s investigation of two incidents over the past year where two separate nation-state actors breached Microsoft’s Exchange Online environment. One of the intrusions occurred last June and involved Chinese cyberespionage group Storm-0558 gaining access to email accounts belonging to some 25 entities. The victims included a number of senior US government officials managing US-China relations, prompting the CSRB to describe the attackers as striking the “espionage equivalent of gold.”
The second intrusion occurred last November and involved Russia’s “Midnight Blizzard” gaining access to email accounts belonging to Microsoft executive leadership, as well as to some source code repositories and other internal systems. Microsoft disclosed the email breach in January and the source code leak two months later in March.
Cascade of Security Failures
The CSRB report blamed a “cascade of security failures” at Microsoft for the breaches, concluding that “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.” In response, Microsoft has promised to make sweeping organizational changes and hold senior leadership directly accountable for meeting cybersecurity goals.
A Microsoft spokesman pointed to that effort in response to a Dark Reading request for comment. “Microsoft is making security our top priority, above all else,” the spokesman said in an emailed comment. “Our Secure Future Initiative (SFI) brings together every part of Microsoft to advance cybersecurity protection across our platforms and products, benefiting customers around the world, including commercial and government enterprises, small businesses and individuals.”
Rik Turner, an analyst with Omdia, perceives Google’s new offering as a bid to try to wean customers away from Microsoft while memories of the CSRB report are still fresh. “This move by Google is an opportunistic one on the coattails of the CSRB’s report, and why not?” Turner asks. “While Google has some superb and sometimes modern technology, the fact is the company still is not the obvious choice for enterprise organizations on many fronts, and certainly not in office productivity,” he adds. “So why not seize some of the media attention on what the CSRB has said, and potentially even drive some more?”
An Opportunistic Move
Google’s pitch to customers with its new campaign is that Workspace offers a safer alternative to Microsoft’s email because it is cloud native and architected with modern threats in mind, and that organizations will not have to deal with desktop clients and instances of on-premises software that they need to patch and maintain. “This means a smaller attack surface and less work for your IT teams,” Google vice president of product management Yulie Kwon Kim said. “The fully cloud hosted model also means organizations should not have to worry about securing emails and data stored on end user devices.”
Omdia’s Turner says the general market perception is that Google has garnered some success with its Google Workspace offering. But most of that success has largely been confined to the cloud-native start-up community rather than mainstream corporate America. Google will find that market harder to crack because of Microsoft’s near ubiquity in that segment and the fact that it has been there for decades.
There’s also the issue of Google having its own security problems, Turner says, pointing to a security vendor’s report last year on a design weakness in Workspace that Google denied was a weakness. “It’s too early, in my opinion, to gauge how effective the combination of the CSRB report and this Google initiative will be in prising major customers away from Microsoft, but I am somewhat skeptical,” he notes.
Guy Rosenthal, vice president of product at DoControl, says that Google’s arguments about the risks associated with using a single vendor for operating systems, email, office productivity tools, and security have merit. But that is a risk organizations take when using many major technology vendors. “Take, for example, a company utilizing Google’s ecosystem,” Rosenthal says. “They might use Google Chrome to access all Google services, effectively creating a monoculture similar to Microsoft’s environment.”
At the same time, he says Google’s claim of a more secure-by-design offering, leveraging AI-based defenses and robust threat data analytics, is compelling. The reduced need for on-premises software indeed minimizes the attack surface, he admits, but adds, “Nonetheless, it’s important to consider that no system is impervious. Both Google and Microsoft have experienced security incidents, and both invest heavily in securing their environments.”