
Office 365 vs Google Apps: A Free Guide

Posted on Friday, July 15, 2016

A Look at Security, Privacy, and Compliance

Different organizations have a wide range of security, privacy, and compliance concerns, some of which are too specific to cover in this context. Here, we’ll address some of the most frequent concerns we’ve heard expressed regarding the protection offered by Google Apps vs. Office 365.

Security Features

Both platforms offer a similar set of security features, with some minor differences. Features included in both platforms are support for two-factor authentication and built-in mobile device security. Office 365 mobile device security is handled by Exchange ActiveSync (EAS), which is supported in varying degrees by most modern smartphones. Google Apps requires a separate mobile application to take full advantage of mobile device security features; however, this also allows for more consistent application of policies across devices.

Organizations that require end-to-end encryption of email for the purposes of sending credit card information or other sensitive data will require an add-on in either platform. Microsoft offers Office 365 message encryption for an additional fee, while Google Apps customers can choose from several third-party providers of email encryption to satisfy their requirements.

Microsoft provides customers with an option to store usernames and passwords solely in their own premises or data center. This is in some ways antithetical to Google’s “pure cloud” approach, and so Google Apps for Business does require that user credentials be stored on Google’s infrastructure, with an option to also synchronize to local on-premise infrastructure. This may be a concern for organizations with specific regulatory compliance concerns surrounding the location of their users’ credentials.

Privacy Policies

There are many misconceptions surrounding Google’s privacy policy as it relates to Google Apps. Thankfully, Google’s privacy policy is written in very clear, plain English.

Perhaps the largest misconception behind Google’s handling of customer data has to do with the automated scanning of email. One of the key differences between the free, consumer version of Gmail and the Gmail component of Google Apps for Business is that Google does not scan the contents of email for the purposes of displaying advertisements to business users. Both Google and Microsoft do scan customer data for the purposes of providing better service and security. The scanning in both cases is automated and employees of Google and Microsoft are not permitted to view customer data without consent.

For organizations concerned about US government inquiries, realize that both Google and Microsoft are under legal obligation to comply with federal law with regard to how they handle government requests for customer data. There doesn’t seem to be a significant difference in how either handles customer data in this regard.

Enterprise Considerations for Cloud Security

Even before Edward Snowden sent a Richter-scale-sized shockwave across our perception of privacy and visibility regarding personal and corporate data, protecting our intellectual property and corporate communications has been at the forefront of considering cloud technologies, or any third-party technology for that matter.

Consider a Wall Street Journal interview with Mary Galligan, Director with the Cyber Risk Services practice of Deloitte & Touche LLP, who previously served as special agent in charge of cyber and special operations in the Federal Bureau of Investigation’s New York office. She said there “are two areas that often surprise executives and boards when we talk about cyberthreats.” The first, which shows how much can be and already is being accessed: “At least 40% of all cyber security breaches are identified by a third party, such as a law enforcement agency, a financial institution or a telecom carrier.” Most executive boards are likely to assume breaches are internal discoveries that can be silenced before surfacing to the public.

Galligan’s second point was that executives are surprised by how quickly a breach from a cyberattack can evolve into a “business altering experience.” Law enforcement will request access to the infrastructure and then involve legal process. Bear in mind that while “working on these efforts, organizations have the ongoing tasks of complying with varying state data breaching laws and communicating with shareholders and the public, as well as operating the business.”

Notably, former SEC chair Mary Schapiro comments on the importance of, or rather the responsibility for, organizations buckling down and tightening security measures by saying, “we also know that technology has pitfalls. And when it doesn’t work quite right, the consequences can be severe. Just imagine what can happen if an automated traffic light flashes green rather than red, if a wing flap on a plane goes up rather than down, if a railroad track switches and sends the train right rather than left.”

More troubling (although more complicated for the general public to understand) was Heartbleed, an OpenSSL vulnerability that potentially allowed attackers to extract 64 kilobyte batches of memory at random. What was most alarming was the unknown. As Joe Siegrist, Internet security evangelist and CEO of LastPass (a highly successful one-password-for-all encryption program), said, “You don’t know what exactly was in the payload of those Heartbleed messages: It could be usernames and passwords. It could be financial data. It could be the SSL certificate, which is especially bad.”

It’s this type of unknown that is the reality of cyber security. Breaches are going to happen. A Kaspersky report highlights that “77% of web sites that contain malicious content are completely legitimate web sites that have been compromised by cybercriminals.” It’s the commitment to being preventative, encrypting and having a disaster recovery plan that gets overlooked. This is precisely why both Google and Microsoft are at the forefront here, providing enterprise-class security with expansive SLAs, two-factor authentication, and multi-tenant, distributed environments, as pointed out by Google in their Security Whitepaper. Hardened security, encrypted data, and disaster recovery are built into their systems to minimize service interruption and protect your data from such attacks. Consider all of the above as a significant, if not devastating, business cost, and as the reason why working with cloud giants such as Google and Microsoft becomes increasingly cost effective.
