A new survey commissioned by Google Cloud brings pointed criticism against Microsoft over the security of its platforms for government workers — suggesting that the battle for customers in cybersecurity is heating up between the two cloud giants, security industry executives told VentureBeat.
This line of argument — that Microsoft is a fundamental part of the cybersecurity problem, rather than the solution — has been made in the past by Microsoft security rivals such as CrowdStrike. But the survey appears to be the most outspoken critique of this kind against Microsoft by Google Cloud so far.
The results of the survey were released Thursday in a blog post by Jeanette Manfra, senior director for global risk and compliance. The post’s headline — “Government workers say Microsoft tech makes them less secure: new survey” — makes it abundantly clear what Google Cloud is aiming to convey, industry executives said in comments via email on Thursday.
“The poll itself is a clear attempt to create a marketing message against Microsoft,” said John Bambenek, principal threat hunter at IT and security operations firm Netenrich. “While that means taking its conclusions with a grain of salt, it also means they’re taking an aggressive approach to displace Microsoft using methods more often seen in political campaigns.”
The language of the post seems tailored to a government audience, as it is “very much at home in Washington, D.C.,” Bambenek said.
‘More vulnerable’
The survey’s key finding related to Microsoft: 60% of government employees who responded said they believe that “the federal government’s reliance on services from Microsoft makes it more vulnerable to hacking or a cyberattack.” The poll was conducted by Public Opinion Strategies, and surveyed 338 workers employed by the federal, state or local government around the U.S.
Based on these findings, “it’s clear that there’s an overreliance on legacy solutions [in government], despite a track record of cybersecurity vulnerabilities and poor user perception,” Manfra said in the blog post.
With this survey, it’s fair to conclude that Google is “taking a direct shot at Microsoft,” said Amit Yoran, chairman and CEO of cybersecurity firm Tenable.
That’s clear given that Google, much like Microsoft, makes its moves very deliberately and precisely — particularly when it comes to its public comments, Yoran said.
Ultimately, this “doesn’t seem like a random survey, especially considering Google’s acquisition of Mandiant,” Yoran said, referring to Google’s agreement disclosed this month to acquire prominent cyber firm Mandiant for $5.4 billion. Earlier, Microsoft had reportedly looked at acquiring Mandiant, before the talks fell through and Google stepped in.
Casey Bisson, head of product and developer relations at code security solutions firm BluBracket, said he agreed that this survey is part of an attempt by Google to challenge Microsoft’s market position. Along with being a dominant provider of productivity applications and now a major security vendor in its own right, Microsoft Azure also ranks as the second-largest public cloud platform by market share (21%) — behind AWS (33%) but ahead of Google Cloud (10%), according to Synergy Research Group.
With this tactic, Google is taking on Microsoft in security by “leveraging their legacy against them,” Bisson said. “Google is following the same playbook Apple used against Microsoft in the consumer space twenty years ago.”
Microsoft’s response
In a statement, Frank Shaw, corporate vice president for communications at Microsoft, called the Google Cloud survey “disappointing but not surprising” — given a report today about a lobbying campaign funded in part by Google, which Shaw claims has been “misrepresenting small businesses.”
“It’s also unhelpful to create divisions in the security community at a time when we should all be working together on heightened alert,” Shaw said in the statement. “We’ll continue to collaborate across the industry to collectively defend our customers and government agencies, and we will continue to support the U.S. government with our best software and security services.”
Google Cloud declined to comment Thursday on Microsoft’s statement or the comments by cybersecurity industry executives.
The new survey — which polled a total of 2,600 American workers, including the 338 government employees — builds on a previous Google Cloud-commissioned survey that found 85% market share for Microsoft in the office productivity software space. The Google Workspace productivity suite competes with the Microsoft 365 suite of productivity apps.
Due to a number of factors, including the near-ubiquity of its platforms, Microsoft “will always be an easy target for rivals when it comes to security,” said Aaron Turner, vice president for SaaS posture at Vectra.
And while it’s true that Microsoft has suffered from “significant security problems lately due to the intensifying attacks on Azure Active Directory,” Turner said, Google Cloud has yet to prove itself as a comparable competitor in the security space.
Big security investments
Google appears to be working hard on it, though: Besides the planned Mandiant acquisition, the company made a flurry of other investments recently including the acquisition of SOAR (security orchestration, automation and response) firm Siemplify in January and a series of expansions to its Chronicle security platform.
In a recent interview with VentureBeat, Sunil Potti, vice president and general manager for Google Cloud’s security business, said the difference between Google Cloud and Microsoft’s approaches to security should be obvious.
“Microsoft has been very clear that they want to compete in security against all the partners, and everybody,” Potti said. Google, on the other hand, has chosen “just a few markets we believe a cloud provider alone should drive,” and is offering first-party products just in those areas, he said.
“But around each of those first-party products, we’ll create an ecosystem that leverages partners,” he said. That, again, is “unlike Microsoft, who wants to touch everything,” Potti said.
Industry analysts said that Google most definitely had Microsoft in its sights with the deal to acquire Mandiant. “Microsoft has been dominating the security industry for the past several years, and this string of acquisitions by Google shows its interest in playing a bigger role in the industry,” Forrester analyst Allie Mellen previously told VentureBeat.
Poor security practices to blame?
In the larger scheme of things, though, Google’s core argument about Microsoft doesn’t entirely hold up, said Phil Neray, vice president of cyber defense strategy at cyber firm CardinalOps.
“The reality is that most high-profile attacks are the result of poor security practices rather than vulnerabilities in office productivity suites,” Neray said.
He pointed to past incidents such as the federal Office of Personnel Management breach in 2015, attributed to having “insufficient security monitoring to detect unusual activity in the network after attackers stole credentials from a government contractor.”
Meanwhile, the Equifax breach in 2017 “was the result of poor web server patching practices. The SolarWinds breach occurred after attackers contaminated software updates for an IT tool that’s widely used in both government and civilian organizations. The DNC breach was the result of a phishing attack,” Neray said. “And in the case of the Colonial Pipeline ransomware incident, the attackers exploited the fact that the company had a high number of open remote access ports accessible from the internet.”