We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 – August 3. Join AI and data leaders for insightful talks and exciting networking opportunities. Learn more about Transform 2022
A new survey commissioned by Google Cloud brings pointed criticism against Microsoft over the security of its platforms for government workers — suggesting that the battle for customers in cybersecurity is heating up between the two cloud giants, security industry executives told VentureBeat.
This line of argument — that Microsoft is a fundamental part of the cybersecurity problem, rather than the solution — has been made in the past by Microsoft security rivals such as CrowdStrike. But the survey appears to be the most outspoken critique of this kind against Microsoft by Google Cloud so far.
The results of the survey were released Thursday in a blog post by Jeanette Manfra, senior director for global risk and compliance. The post’s headline — “Government workers say Microsoft tech makes them less secure: new survey” — makes it abundantly clear what Google Cloud is aiming to convey, industry executives said in comments via email on Thursday.
“The poll itself is a transparent attempt to create a marketing message against Microsoft,” said John Bambenek, principal threat hunter at IT and security operations firm Netenrich. “While that means taking its conclusions with a grain of salt, it also means they are taking an aggressive approach to displace Microsoft using techniques more often seen in political campaigns.”
The language of the post seems tailored to a government audience, as it is “very much at home in Washington, D.C.,” Bambenek said.
The survey’s key finding related to Microsoft: 60% of government employees who responded said they believe that “the federal government’s reliance on products and services from Microsoft makes it more vulnerable to hacking or a cyberattack.” The poll was conducted by Public Opinion Strategies, and surveyed 338 workers employed by the federal, state or local government around the U.S.
Based on these findings, “it’s clear that there’s an overreliance on legacy solutions [in government], despite a track record of cybersecurity vulnerabilities and poor user perception,” Manfra said in the blog post.
With this survey, it’s fair to conclude that Google is “taking a direct shot at Microsoft,” said Amit Yoran, chairman and CEO of cybersecurity firm Tenable.
That’s clear given that Google, much like Microsoft, makes its moves very deliberately and precisely — particularly when it comes to its public comments, Yoran said.
Ultimately, this “doesn’t seem like a random survey, especially considering Google’s acquisition of Mandiant,” Yoran said, referring to Google’s agreement disclosed this month to acquire prominent cyber firm Mandiant for $5.4 billion. Earlier, Microsoft had reportedly looked at acquiring Mandiant, before the talks fell through and Google stepped in.
Casey Bisson, head of product and developer relations at code security solutions firm BluBracket, said he agreed that this survey is part of an attempt by Google to challenge Microsoft’s market position. Along with being a dominant provider of productivity applications and now a major security vendor in its own right, Microsoft Azure also ranks as the second-largest public cloud platform by market share (21%) — behind AWS (33%) but ahead of Google Cloud (10%), according to Synergy Research Group.
With this tactic, Google is taking on Microsoft in security by “leveraging their legacy against them,” Bisson said. “Google is following the same playbook Apple used against Microsoft in the consumer space two decades ago.”
In a statement, Frank Shaw, corporate vice president for communications at Microsoft, called the Google Cloud survey “disappointing but not surprising” — given a report today about a lobbying campaign funded in part by Google, which Shaw claims has been “misrepresenting small businesses.”
“It is also unhelpful to create divisions in the security community at a time when we should all be working together on heightened alert,” Shaw said in the statement. “We will continue to collaborate across the industry to jointly defend our customers and government agencies, and we will continue to support the U.S. government with our best software and security services.”
Google Cloud declined to comment Thursday on Microsoft’s statement or the comments by cybersecurity industry executives.
The new survey — which polled a total of 2,600 American workers, including the 338 government employees — builds on a previous Google Cloud-commissioned survey that found 85% market share for Microsoft in the office productivity software space. The Google Workspace productivity suite competes with the Microsoft 365 suite of productivity apps.
Due to a number of factors, including the near-ubiquity of its platforms, Microsoft “will always be an easy target for rivals when it comes to security,” said Aaron Turner, vice president for SaaS posture at Vectra.
And while it’s true that Microsoft has suffered from “significant security problems lately due to the intensifying attacks on Azure Active Directory,” Turner said, Google Cloud has yet to prove itself as a comparable competitor in the security space.
Big security investments
Google appears to be working hard on it, though: Besides the planned Mandiant acquisition, the company made a flurry of other investments recently including the acquisition of SOAR (security orchestration, automation and response) firm Siemplify in January and a series of expansions to its Chronicle security platform.
In a recent interview with VentureBeat, Sunil Potti, vice president and general manager for Google Cloud’s security business, said the contrast between Google Cloud and Microsoft’s approaches to security should be obvious.
“Microsoft has been very clear that they want to compete in security against all the partners, and everybody,” Potti said. Google, on the other hand, has chosen “a few markets we believe a cloud provider alone should drive,” and is offering first-party products just in those spaces, he said.
“But around each of those first-party products, we’ll create an ecosystem that leverages partners,” he said. That, again, is “unlike Microsoft, who wants to touch everything,” Potti said.
Industry analysts said that Google most definitely had Microsoft in its sights with the deal to acquire Mandiant. “Microsoft has been dominating the security industry for the past several years, and this string of acquisitions by Google shows its interest in playing a bigger role in the industry,” Forrester analyst Allie Mellen previously told VentureBeat.
Poor security practices to blame?
In the larger scheme of things, though, Google’s core argument about Microsoft doesn’t entirely hold up, said Phil Neray, vice president of cyber defense strategy at cyber firm CardinalOps.
“The reality is that most high-profile attacks are the result of poor security practices rather than vulnerabilities in office productivity suites,” Neray said.
He pointed to past incidents such as the federal Office of Personnel Management breach in 2015, attributed to having “insufficient security monitoring to detect unusual activity in the network after attackers stole credentials from a government contractor.”
Meanwhile, the Equifax breach in 2017 “was the result of poor web server patching practices. The SolarWinds breach occurred after attackers infected software updates for an IT application that’s widely used in both government and civilian organizations. The DNC breach was the result of a phishing attack,” Neray said. “And in the case of the Colonial Pipeline ransomware incident, the attackers exploited the fact that the company had a high number of open remote access ports accessible from the internet.”
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.