We recently had a conversation with a prospect who has been using Gmail for their corporate email. It’s a university that, with all staff and student accounts, has about 200,000 mailboxes.
As with every demo, we first showed our SOC and the live attacks against corporate SaaS, how that malware goes through their SaaS (in this case, Gmail), and how it is detected and quarantined by the policy and security tools on the Avanan Cloud Security Platform.
The demo went maybe too well because the customer is now evaluating a move to Office 365. I felt we did an injustice to Gmail, because they don’t do worse than Microsoft when it comes to securing their SaaS email platforms. Based on the sheer number of attacks making it through those platforms, we honestly do not see a major difference. In fact, the widespread Cerber ransomware attack on Office 365 we reported on recently was actually detected and blocked by Gmail. It’s true that Microsoft does offer their own Sandboxing technology for $2 per user, per month, a technology Google doesn’t have, but Microsoft sandboxing provides questionable protection. It might be that it’s because the hackers get a chance to test what Microsoft can catch before they release it and it might be that it’s because they are just not a security company, but the end result is the same: attacks go through to Office 365 as well.
So, now we are a little more sensitive during our demos. Yes, we demonstrate the problem and solution on the customer’s platform (Gmail, Office 365, Box, or any other), but we tell them the problem is not unique to the platform. It is somewhat inherent to SaaS services. Those companies are not security companies; as you moved those services from your datacenter to your SaaS, you should not leave your security stack behind. It might not have been obvious for people 2-3 years ago, but as SaaS adoption rose so quickly in recent years, hacker attention has shifted to directed attacks against SaaS services. Whether it's malware, data leakage, or user access, unless you don’t care about your IT security, you need security to move with you to the cloud.
Here is a short video that demonstrates the gap in Gmail's security: