Google Pitches Workspace as Microsoft Email Alternative, Citing CSRB Report – Source: www.darkreading.com

Source: monticello via Shutterstock

Google is using a recent report from the US Cyber Safety Review Board (CSRB) that was critical of Microsoft’s security practices to make a case for its own Google Workspace suite of cloud-hosted email and office productivity apps.

In two separate blogs — and without once referring to Microsoft by name — company executives cited the CSRB report as reason why enterprise organizations should consider moving away from Microsoft Exchange Online hosted email to Google Workspace.

The company has launched a new Secure Alternative Program with special pricing on its Google Workspace Enterprise Plus offering and on Mandiant’s incident response service for organizations that make the switch. Google will also offer migration and change management support for enterprises that need help transitioning from Exchange Online to Workspace.

The Risks of a Monoculture

“For years, security experts have warned of the risks of government overreliance on a single technology vendor,” Google Cloud senior director of global risk and compliance Jeanette Manfra and Charley Snyder, the company’s head of security policy, wrote this week. “The recent U.S. Cyber Safety Review Board (CSRB) report detailing significant security failures and systematic weaknesses in a longstanding vendor reaffirms these risks.”

The report that Google has brandished in its new campaign is based on the CSRB’s investigation of two incidents over the past year where two separate nation-state actors breached Microsoft’s Exchange Online environment. One of the intrusions happened last June and involved Chinese cyberespionage group Storm-0558 gaining access to email accounts belonging to some 25 entities. The victims included several senior US government officials managing US-China relations, prompting the CSRB to describe the attackers as striking the “espionage equivalent of gold.”

The second intrusion happened last November and involved Russia’s “Midnight Blizzard” gaining access to email accounts belonging to Microsoft executive leadership and also to some source code repositories and other internal systems. Microsoft disclosed the email breach in January and the source code leak two months later in March.

Cascade of Security Failures

The CSRB report blamed a “cascade of security failures” at Microsoft for the breaches, concluding that “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.” In response, Microsoft has promised to make sweeping organizational changes and hold senior leadership directly accountable for meeting cybersecurity goals.

A Microsoft spokesman pointed to that effort in response to a Dark Reading request for comment. “Microsoft is making security our top priority, above all else,” the spokesman said in an emailed comment. “Our Secure Future Initiative (SFI) brings together every part of Microsoft to advance cybersecurity protection across our platforms and products, benefiting customers around the world, including commercial and government enterprises, small businesses and individuals.”

Rik Turner, an analyst with Omdia, perceives Google’s new offering as a bid to try to wean customers away from Microsoft while memories of the CSRB report are still fresh. “This move by Google is an opportunistic one on the coattails of the CSRB’s report, and why not?” Turner asks. “While Google has some very good and often innovative technology, the fact is the company still is not the obvious choice for enterprise organizations on many fronts, and certainly not in office productivity,” he adds. “So why not grab some of the media attention on what the CSRB has said, and potentially even drive some more?”

An Opportunistic Move

Google’s pitch to customers with its new campaign is that Workspace offers a safer alternative to Microsoft’s email because it is cloud native and architected with modern threats in mind, and that organizations won’t have to deal with desktop clients and instances of on-premises software that they need to patch and maintain. “This means a smaller attack surface and less work for your IT teams,” Google vice president of product management Yulie Kwon Kim said. “The fully cloud hosted model also means organizations do not have to worry about securing emails and files stored on end user devices.”

Omdia’s Turner says the general market perception is that Google has garnered some success with its Google Workspace offering. But most of that success has largely been confined to the cloud-native start-up community rather than mainstream corporate America. Google will find that market harder to crack because of Microsoft’s near ubiquity in that segment and the fact that it has been there for decades.

There’s also the issue of Google having its own security problems, Turner says, pointing to a security vendor’s report last year on a design weakness in Workspace that Google denied was a weakness. “It’s too early, in my opinion, to gauge how effective the combination of the CSRB report and this Google initiative will be in prising major customers away from Microsoft, but I am somewhat skeptical,” he notes.

Guy Rosenthal, vice president of product at DoControl, says that Google’s arguments about the risks associated with using a single vendor for operating systems, email, office productivity tools, and security has merit. But that’s a risk organizations take when using many major technology vendors. “Take, for example, a company utilizing Google’s ecosystem,” Rosenthal says. “They might use Google Chrome to access all Google services, effectively creating a monoculture similar to Microsoft’s environment.”

At the same time, he says Google’s claim of a more secure-by-design offering, leveraging AI-based defenses and robust threat data analytics, is compelling. The reduced need for on-premises software indeed minimizes the attack surface, he admits, but adds, “However, it is essential to consider that no system is impervious. Both Google and Microsoft have experienced security incidents, and both invest heavily in securing their environments.”