Google has published a paper directly challenging Microsoft over a series of security vulnerabilities in recent months, suggesting that companies and public sector organizations need a more secure alternative.
The tech giant appears to be taking advantage of a difficult year for Microsoft on security grounds after the company suffered a slew of high-profile security failures in its enterprise solutions.
The paper criticizes Microsoft for the “inadequate security culture” found in an investigation by the US Cyber Security Review Board (CSRB) and aims to present Google as a corporate option with a culture that prioritizes security.
The CSRB report specifically focused on the Microsoft Exchange Online breach in the summer of 2023, in which China-linked threat actors known as Storm-0558 were able to access the email accounts of high-ranking US government officials.
The attack was carried out using a stolen signing key that “gave Storm-0558 full access to virtually any Exchange Online account anywhere in the world.”
US lawmakers described a “cascade of security deficiencies” that led to the incident, which together “point to a failure of Microsoft’s organizational controls and governance, as well as its culture around security.”
Google also pointed to another cyber incident that occurred just months later, in which a Russia-linked threat group – Midnight Blizzard – compromised a number of Microsoft corporate email accounts, including those of senior executives as well as its security and legal teams.
It highlighted the fact that Microsoft said the attack was still ongoing five months after the initial breach, citing the tech company’s own security update, which did not include a timeline for resolving the incident.
Google smells blood in the water
In terms of specific criticism of Microsoft’s actions, the CSRB paper was particularly damning about the company’s inability to provide details about exactly how the group managed to break into its systems and gain access to this “master key.”
Google showed no qualms about attacking Microsoft along similar lines, questioning whether Microsoft could ensure that an incident of this kind does not happen again if the company still does not know how Storm-0558 obtained the 2016 MSA key.
It ensured that the report’s other two main criticisms were also addressed: Microsoft’s failure to prioritize security and risk management, where the company’s security culture was described as “inadequate”, and its failure to correct inaccurate public statements.
It noted that Microsoft “made the decision not to correct its inaccurate public statements regarding this incident in a timely manner,” adding that the tech giant only planned to issue a correction after repeated questioning by its board.
Google compares this with its own response to Operation Aurora, a major cyberattack carried out by a state-linked threat actor in 2009, in which it was the only company to confirm being a victim of the cyberattack and to disclose to the public that certain Gmail accounts had been compromised.
“While no company is immune from being the target of sophisticated attackers, there is clear evidence that Microsoft is unable to protect its systems and therefore its customers’ data,” Google said.
Google says it should be the trusted security partner
Google argued that it had already learned lessons from this event, such as greater transparency around security incidents and some basic do’s and don’ts regarding security architecture.
The paper’s main goal is to make the case for Google’s own enterprise productivity suite, Workspace, which it argues represents a fundamentally different and more secure approach than Microsoft’s.
“We believe Google Workspace is a more secure alternative, with a proven track record of technical excellence, significant investment in cutting-edge defenses, and a transparent culture that views ensuring security for our customers as a profound responsibility,” the company said.
In parallel with this document, the tech giant launched its Secure Alternative Program on May 20, 2024, offering discounted rates on its Google Workspace Enterprise Plus package and Mandiant Incident Response service to organizations making the switch.
This appears to be a direct challenge to Microsoft’s Secure Future Initiative, which the company originally unveiled in November 2023.
Microsoft has outlined plans to overhaul its security practices following the email breach.
ITPro has asked Microsoft for comment.