Google takes shots at Microsoft for shoddy security record with enterprise apps – Source: go.theregister.com

Updated Google has taken a victory lap in the wake of high-profile intrusions into Microsoft’s systems, and says businesses should ditch Exchange and OneDrive for Gmail and Google Drive.

Google’s arguments are laid out in a white paper [PDF] released today titled, “A more secure alternative,” which takes 14 pages to outline everything wrong with Microsoft’s approach to security according to the search giant.

It largely relies on the findings of the US government’s Cyber Safety Review Board (CSRB), which last month detailed Microsoft’s handling of the June 2023 attack on Exchange Online.

The CSRB was not impressed, criticizing the Windows titan’s lack of knowledge on how and when China’s Storm-0558 attackers were able to obtain a security key that allowed the crew to break into Redmond’s Exchange Online hosted email service and rifle through people’s inboxes, or why a key created in 2016 would still be valid seven years later.

Google also brings up Uncle Sam’s Cybersecurity and Infrastructure Security Agency’s (CISA) report on a separate attack committed in November by Midnight Blizzard.

In fact, for the most part the ad biz just let CSRB and CISA do the talking, quoting and citing the CSRB’s report on the June 2023 breach a total of 16 times. When it had comments of its own, Google, which itself accidentally deleted an Australian pension fund’s cloud subscription earlier this month, didn’t feel the need to pull its punches, speaking of “Microsoft’s ongoing security struggles,” and saying “Microsoft is unable to keep their systems and therefore their customers’ data safe.”

Aside from not knowing about how Storm-0558 obtained the key used in the attack, Google also criticizes Microsoft’s security priorities and inaccurate public statements, such as the theory that the key came from a hypothetical crash dump, which was later discounted by Microsoft itself in March.

One corporation’s breach is another’s advertising opportunity

Of course, Google isn’t kicking its rival while it’s down just for fun, and is taking the opportunity to boost its competing enterprise software. The second half of the paper details, in Google’s view, what makes Workspace better than Microsoft’s ecosystem.

Google highlighted the CSRB paper pointing out Google’s cybersecurity practices as an example of what Microsoft should have done in the first place. The CSRB praised how Google rotated its keys and shortened the length they were valid for, and of course the search giant dedicated a full page to this.

The whitepaper even takes advantage of the 2009 breach Google experienced as part of Operation Aurora, and uses it to illustrate how the tech giant used it as a change to fix security issues.

Accompanying the white paper is a pair of blog posts that were also published today. These blog posts mercifully don’t mention Microsoft by name, though there’s still plenty of talk about Workspace’s apparently superior security.

To try to snag some of Microsoft’s customers, which Google pointed out to The Register represented 85 percent of the US public sector in 2021, the Chrome giant is launching a new promotion. Agencies employing at least 500 workers can get their Workspace Enterprise Plus plan discounted and obtain an extra year for free if they sign up for a three year contract.

While this is all fine in the moment, Google’s bragging about its amazing security certainly does raise the stakes if it too falls victim to a successful cyber attack. ®

Updated to add

“Our Secure Future Initiative (SFI) brings together every part of Microsoft to advance cybersecurity protection across our platforms and products, benefiting customers around the world, including commercial and government enterprises, small businesses and individuals,” a Redmond spokesperson told us.

“In addition to the SFI milestones we recently announced, Microsoft continues working closely with stakeholders across the cybersecurity community, including signing CISA’s Secure by Design pledge and sharing threat intelligence with the security community on sophisticated nation state and cybercrime actors.”