Google Claims Microsoft Is Putting Your Data at Risk

Microsoft HQ

Google has recently released a paper, "A More Secure Alternative," which directly challenges Microsoft's security practices. This follows recent discoveries of major weaknesses in Microsoft's products, sparking worries regarding the safety of user information.


Google seems to be taking advantage of what has been a tough year for Microsoft regarding cybersecurity, one in which the company was plagued by numerous high-profile security failures in its business products.


The paper condemns Microsoft for the "deficient security culture" identified in an investigation by the US Cyber Security Review Board (CSRB). Google aims to position itself as the enterprise option with a culture that prioritizes security.


Specifically, the CSRB report focused on the Summer 2023 Microsoft Exchange Online Breach, where China-linked hackers known as Storm-0558 were able to access the email accounts of top US Government officials.


The attack was carried out using a stolen signing key, granting the hackers unrestricted access to all Microsoft Exchange Online email accounts around the globe.


Exchange Online

Government officials characterized this security lapse as the culmination of a series of oversight failures within Microsoft’s organizational infrastructure and corporate culture with respect to cybersecurity.


Google also highlighted a subsequent cyberattack just months later, where Russian cybercriminals known as Midnight Blizzard infiltrated numerous Microsoft business email accounts, including those belonging to high-ranking executives as well as members of their security and legal departments.


Google pointed out that Microsoft stated the attack was still ongoing five months after the initial breach, citing the tech firm's own security update, which failed to give a timeline for the incident to be resolved.


The CSRB paper was particularly critical of Microsoft's inability to provide specifics on how the group infiltrated its systems and obtained the 'master key,' questioning whether Microsoft would be able to prevent this type of incident from recurring if it still does not understand how Storm-0558 got the 2016 MSA key.


Google made sure to also highlight the other two main criticisms from the report regarding Microsoft's failure to prioritize security and risk management, which described the company's security culture as 'inadequate,' and its failure to correct inaccurate public statements.


Microsoft was found to have made a "decision not to correct, in a timely manner, its inaccurate public statements about this incident," noting it was only after repeated questioning from the Board that the tech giant planned to issue a correction.


Google contrasted this with its own response to a major cyber attack, Operation Aurora, carried out by a state-linked cybercriminal group in 2009, in which it was the only company to confirm it was a victim of a cyber attack and disclosed to the public that certain Gmail accounts had been compromised.


"While no company is immune to being targeted by highly sophisticated adversaries, there is a clear pattern of evidence suggesting Microsoft is unable to keep their systems and therefore their customers' data safe," Google said.


Google contended that it has already learned important lessons from the email security incident, such as being more transparent about security issues and establishing fundamental best practices for security architecture.


Google Workspace

The main purpose of the paper is to advocate for Google's own enterprise productivity suite, Workspace, which Google argues takes a fundamentally different and more secure approach compared to Microsoft.


"We believe Google Workspace is a safer choice, with a proven history of engineering excellence, substantial investment in cutting-edge defenses, and a transparent culture that treats protecting our customers' security as an utmost responsibility," the company stated.


Alongside this paper, Google launched its Secure Alternative Program on May 20, 2024, which will provide discounts on its Google Workspace Enterprise Plus package and Mandiant incident response service to organizations that switch over.


This appears to be a direct response to Microsoft's Secure Future Initiative, which was initially announced in November 2023, with Microsoft outlining plans to overhaul its security practices following the email security breach.


This is a wake-up call for the entire tech industry. It underscores the need for robust security measures and continuous vigilance against cyber threats. As consumers, we should be aware of these vulnerabilities and take steps to protect ourselves.


While Google's paper might be a strategic move, it also sheds light on important security issues. By staying informed and employing good cyber security practices, we can all be better prepared to defend ourselves in the digital age.
