Friday, November 22, 2024

Google Takes the Gloves Off, Calls Out Microsoft’s Security

Must read

Google is taking off the gloves, calling out Microsoft’s security and touting itself as a more secure alternative.

Microsoft has taken significant heat for its security lapses, with the lawmakers, CEOs, and a government review board saying the company’s security was inexcusably lax, putting individuals, corporations, and government agencies in danger. In response, Microsoft has re-committed to putting security first, even tying executive’s bonuses to the company’s efforts.

Read More: Security Firm CEO Blasts Microsoft’s ‘Grossly Irresponsible’ Azure Security

Google is adding to Microsoft’s troubles, releasing a white paper calling the company out for its lapses and positioning itself as the more secure alternative. Entitled A More Secure Alternative, Google opens by highlighting Microsoft’s recent troubles:

Microsoft’s ongoing security struggles recently came to a head with a series of high-profile incidents that put its customers at risk. One such incident in the summer of 2023 by the group known as Storm-0558 resulted in the compromise of senior U.S. and U.K. government official accounts, including 22 organizations, over 500 individuals, and tens of thousands of emails. This prompted the Department of Homeland Security’s Cyber Safety Review Boards (CSRB) to issue a detailed report identifying the company’s “cascade of security failures” that led to the data breach. The details in this report speak to prolonged system issues and a “corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

On the heels of the Storm-0558 compromise, CISA issued emergency Directive ED 24-04 in response to a separate Microsoft data breach that occurred just a few months later in November 2023: “state-sponsored cyber actor known as Midnight Blizzard has exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft through a successful compromise of Microsoft corporate email accounts.”

See Also: Sen. Wyden: ‘Hold Microsoft Responsible for Its Negligent Cybersecurity Practices’

Google then contrasts its own security and history, noting that it began experiencing nation-state attacks in 2009, prompting it to make “far-reaching security improvements,” improvements that were acknowledged by the CSRB and that continue to benefit customers to this day.

As an example of Google’s differentiated approach to security, the CSRB report acknowledged the significant efforts we’ve taken over time to make our systems and products resilient to these types of attacks: “Google re-worked its identity system to rely as much as possible on stateful tokens, in which every credential is assigned a unique identifier at issuance and recorded in a database as irreversible proof that the credential Google receives is one that it had issued. Google also implemented fully automatic key rotation where possible and tightened the validation period for stateless tokens, reducing the window of time for threat actors to locate and obtain active keys. Google undertook a comprehensive overhaul of its infrastructure security including implementing Zero Trust networks and hardware-backed, Fast IDentity Online (FIDO)-compliant two-factor authentication (2FA) to protect these identity systems.”

Google then goes on describe some of the technical aspects of its security measures, as well as its security-focused corporate culture. The company outlines how its cloud-first approach is designed to provide industry-leading security, while simultaneously offering the benefits of being constantly updated and improved.

Conclusion

As we stated in our coverage of Microsoft’s security issues, the company suffers from a number of issues, including the fact that it started out in the desktop space before transitioning to cloud-based services. In contrast, Google and AWS have the benefit of their products and services being cloud-first, with the necessary security built-in from the ground up.

Microsoft also suffers from “missed-out syndrome” after missing out on several significant trends in the tech industry, potentially causing it to rush into businesses without being properly prepared.

Google clearly believes it can take advantage of Microsoft’s mistakes and, to be fair, the company may be better poised now than ever before to take advantage of Microsoft’s missteps. In years past, the choice between Microsoft and Google came down to a choice between local and cloud-based computing.

Recently, however, Microsoft has been blurring the line between desktop and the cloud, especially with Microsoft 365 and its efforts to integrate AI into Windows. As a result, the choice is no longer as distinct as it once was, increasingly giving Google an advantage among users how may have initially been reluctant to rely on cloud-based options.

One thing is clear: Microsoft needs to deliver on its promise to revamp its security or it will continue to lose business to its more secure rivals.

Latest article