I recently attended RSA in San Francisco and had the opportunity to speak with numerous commercial IT and cyber security leaders. Based on those conversations, one thing is clear: customers are now openly expressing genuine concerns about putting all of their eggs into a single basket with a single cloud hyperscaler like Microsoft or Google.
While both companies are amazing in their own right – offering industry-leading cloud infrastructure and collaboration services – neither one is anywhere close to perfect. Indeed, a spate of recent breaches at Microsoft is causing people to question the wisdom of relying on a single cloud provider for critical services.
Thus, the need for a “separation of trust” and a “diversified approach” to cloud collaboration has become increasingly apparent. By storing data in Microsoft and/or Google clouds, but also incorporating an additional layer of data-centric security offered by companies like Virtru, customers can embrace a multi-vendor strategy, minimize the risk of a single point of failure, and comfortably "separate trust" from the big tech players. This "separation of trust" involves customers encrypting their own data stored in public clouds, managing their own encryption keys so that they alone can decrypt the data, and defining and enforcing their own policies and access controls on sensitive data shared with others.
Customer concerns are particularly heightened with respect to Microsoft, where a spate of security breaches continue to plague Microsoft Azure Cloud and Microsoft 365. In April, CISA and the CSRB issued a scathing report detailing their review of the summer 2023 Microsoft Exchange Online intrusion. The CSRB found a "cascade of Microsoft's avoidable errors" contributed to an incident where hackers pilfered unclassified emails from 22 organizations and more than 500 victims, including high-profile government officials. The report states, "The board finds that this intrusion was preventable and should never have occurred. The board also concludes that Microsoft's security culture was inadequate and requires an overhaul, particularly in light of the company's centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations."
Furthermore, the situation with Google is also head-scratching.
On one hand, Google is finally getting aggressive and publicly posturing in an attempt to win some government cloud collaboration business away from Microsoft 365. How are they doing this? They publicly warn of "material risks to public-sector customers who blindly use the same vendor for operating systems, email, office software, and security tooling." Specifically, Google is calling on government customers to mitigate risks from a "Microsoft-centric monoculture" and offering special promotional pricing to persuade government customers to leave M365 and switch to Google Workspace. The core of Google’s sales pitch is that Workspace is a more secure, and less expensive, alternative to M365. For the record, it’s an argument that I very much agree with.
On the other hand, the Google Workspace product team is now opening up their client-side encryption (CSE) API so that customers can encrypt Docs, Sheets, Slides, and emails stored in Google Workspace – and then store their encryption keys in the Google Cloud. The irony here is thick because Google's actions are the very definition of promoting a "Google-centric monoculture." To be clear, the whole purpose of Google Workspace CSE is to give customers an added layer of privacy and security by ensuring that data is encrypted before it leaves the user's device, making it indecipherable to Google. However, by making it possible for customers to host their encryption keys in the Google Cloud instead of using a third-party key management service separate from Google, they are undermining the very principle of separating trust.
Microsoft and Google are both amazing companies offering best in class cloud compute and collaboration services. That said, both are very far from perfect. Thus, IT leaders and cyber security professionals are wisely evaluating ways to separate trust, diversify risks, and minimize reliance on a single cloud collaboration provider.
By leveraging data-centric security solutions like those offered by Virtru, customers can maintain control over their data, encryption keys, and access policies, while still benefiting from the scalability and flexibility of public cloud collaboration services. Whether it’s Microsoft or Google, or both – now is the time to break free from the limitations and risks associated with a monoculture approach and embrace a more resilient, secure, and trustworthy multi-vendor strategy for cloud collaboration.
