Google has published a paper directly challenging Microsoft over a series of security flaws in recent months, showing that businesses and public sector organizations need a more secure alternative.
The tech giant looks to take advantage of what has been a tough year for Microsoft from a security perspective, after the company suffered a litany of high-profile security flaws affecting its enterprise solutions.
The article criticizes Microsoft for the “inadequate security culture” identified in a study by the US Cyber Security Review Board (CSRB), aiming to present itself as the enterprise option with a culture that prioritizes security.
The CSRB report focused specifically on the Microsoft Exchange Online Breach in summer 2023, in which China-affiliated threat actors known as Storm-0558 were able to gain access to the email accounts of top US government officials.
The attack was carried out using a stolen signature key that allowed “Storm-0558 to gain full access to virtually any Exchange Online account anywhere in the world.”
US lawmakers described a “cascade of security failures” that led to the incident, which taken together “point to a failure of Microsoft’s organizational controls and governance, and of its corporate culture around security.”
Google also pointed to another cyber incident that occurred just a few months later, in which a Russia-linked threat group – Midnight Blizzard – compromised a range of Microsoft corporate email accounts, including those of senior leaders, as well as of its security and legal teams.
It highlighted the fact that Microsoft stated that the attack was still ongoing five months after the initial breach, citing the tech company’s own security update that gave no timeline for resolving the incident.
Google smells blood in the water
In terms of specific criticism of Microsoft’s actions, the CSRB report was particularly scathing about the company’s inability to provide details on how exactly the group was able to infiltrate its systems and gain access to this “master key.”
Google showed that it had no qualms about attacking Microsoft in a similar manner, asking how Microsoft could ensure that these types of incidents don’t happen again if it still doesn’t know how Storm-0558 obtained the MSA key from 2016.
It also raised the report’s two other major criticisms: Microsoft’s failure to prioritize security and risk management, which the report described as reflecting an ‘inadequate’ security culture, and its failure to correct inaccurate public statements.
Microsoft appeared to have made a “decision not to timely correct its inaccurate public statements about this incident,” only noting after repeated questions from the Board of Directors that the tech giant planned to make a correction.
Google contrasted this with its own response to a major cyber attack, Operation Aurora, carried out in 2009 by a state-affiliated threat actor, after which it was the only company to confirm that it had been the victim of a cyber attack and to disclose to the public that certain Gmail accounts had been hacked.
“While no organization is immune from being targeted by highly sophisticated adversaries, there is a clear pattern of evidence indicating that Microsoft is failing to keep their systems, and therefore their customers’ data, secure,” Google said.
Google says it should be the trusted security partner
Google argued that it has already learned lessons from this event, such as being more transparent around security incidents, as well as some basic do’s and don’ts regarding its security architecture.
The primary purpose of the article is to make a case for Google’s own business productivity suite, Workspace, which the company claims offers a fundamentally different and more secure approach than Microsoft’s.
“We believe Google Workspace is a more secure alternative, with a proven track record of technical excellence, deep investments in advanced defenses, and a transparent culture that views providing security for our customers as a profound responsibility,” the company said.
The tech giant launched its Secure Alternative Program on May 20, 2024 alongside this document, which will offer organizations that make the switch discounted rates on its Google Workspace Enterprise Plus package and on its Mandiant incident response service.
This appears to be a direct challenge to Microsoft’s Secure Future Initiative, which it initially unveiled in November 2023.
Microsoft outlined plans to overhaul its security practices in the wake of the email security breach.
ITPro has reached out to Microsoft for comment.