Google slams Microsoft for sloppy security record on enterprise apps

Has been updated Google has scored a victory after a major breach of Microsoft’s systems, arguing that businesses should ditch Exchange and OneDrive in favor of Gmail and Google Drive.

Google’s argument can be summarized as follows: white paper [PDF] In the article, released today and titled “A Safer Alternative,” the search giant says it spends 14 pages explaining everything that’s wrong with Microsoft’s approach to security.

It relies primarily on the findings of the U.S. government’s Cyber ​​Security Review Board (CSRB). be familiar with Microsoft’s response to the June 2023 Exchange Online attack.

CSRB was not impressed, but Criticize How and when were Chinese Storm-0558 attackers able to obtain the security keys that allowed them to break into email services hosted by Redmond’s Exchange Online and attack people’s inboxes? The Windows giant lacked knowledge as to why keys created in 2016 were still usable. It becomes effective after 7 years.

Google also picks up Uncle Sam’s Cybersecurity and Infrastructure Security Agency (CISA) report on another attack Involved By Midnight Blizzard in November.

In fact, for the most part, the advertising industry has let the CSRB and CISA do the talking, continuing to cite the CSRB report on the June 2023 data breach a total of 16 times. When Google had its own comments, Google itself I accidentally deleted my Australian Pension Fund cloud subscription Earlier this month, he said he didn’t see the need to take a hard line, talking about “Microsoft’s ongoing security battles” and saying “Microsoft is unable to protect its own systems and therefore cannot protect its customers’ data.” “We cannot keep it safe.”

Aside from the fact that it’s unclear how Storm-0558 obtained the keys used in the attack, Google cited Microsoft’s security priorities and that the keys were obtained from a hypothetical crash dump. It also criticizes inaccurate public statements, such as theories, but the keys were later ignored by Microsoft itself. march.

One company’s infringement is another company’s promotional opportunity.

Of course, Google isn’t just kicking a struggling rival for fun; it’s also using this opportunity to beef up competing enterprise software. In the second part of the paper, we will discuss in detail the advantages of Workspace over the Microsoft ecosystem from Google’s perspective.

Google highlighted a CSRB document that pointed to Google’s cybersecurity practices as an example of what Microsoft should have done first. The CSRB praised how Google rotated keys and shortened key lifetimes, and of course the search giant devoted an entire page to this.

The whitepaper also draws on the breach that Google experienced in 2009 as part of Operation Aurora, and explains how the tech giant used it as a change to fix the security issue.

The white paper comes with: blog Post It was also released today. While these blog posts thankfully don’t mention Microsoft by name, there’s still a lot of talk about Workspace’s apparently superior security.

Google pointed this out to try to capture some of Microsoft’s customers. register represented 85% of US public sector In 2021, the Chrome giant is launching a new promotion. Agencies that employ at least his 500 employees receive a discount on the Workspace Enterprise Plus plan when they sign up for a 3-year agreement, plus he can add an extra year for free.

This is fine for now, but since Google prides itself on its excellent security, the risk will definitely increase if Google also falls victim to a cyberattack. ®

Added and updated

“Our Secure Future Initiative (SFI) brings together all parts of Microsoft to advance cybersecurity protections across our platforms and products, including commercial enterprises, government agencies, small businesses, and individuals,” a Redmond spokesperson said in a statement. We are benefiting customers around the world.”

“In addition to the recently announced SFI milestone, Microsoft is committed to engaging the entire cybersecurity community, including signing CISA’s Secure by Design pledge and sharing threat intelligence about advanced nation states and cybercriminal actors with the security community. We continue to work closely with them.”