We recently had a conversation with a prospect that has been using Gmail for their corporate Email. It’s a university that with all staff and student accounts has about 200,000 mailboxes.
As with every demo, we first showed our SOC and the live attacks against corporate SaaS (obviously not exposing the specific customer names), how that malware goes through their SaaS - in this case Gmail, and how it is detected and quarantined by Avanan’s policy and the security tools on the Avanan Cloud Security Platform.
The demo went maybe too well because as a result the customer is now evaluating a move to Office 365. I felt we did an injustice to Gmail, because they don’t do worse than Microsoft when it comes to securing their SaaS Email platforms. Measuring by shear number of attacks making it through those platforms, we honestly do not see a major difference. In fact, the widespread Cerber ransomeware attack on Office 365 we reported on recently was actually detected and blocked by Gmail. It’s true that Microsoft does offer their own Sandboxing technology for $2 per user per month, a technology Google doesn’t have, but Microsoft sandboxing provides questionable protection. It might be that it’s because the hackers get a chance to test what Microsoft can catch before they release it and it might be that it’s because they are just not a security company, but the end result is the same - attacks go through to Office 365 as well.
So, now we are a little more sensitive during our demos. Yes, we demonstrate the problem and solution on the customer’s platform - Gmail, Office 365, Box or any other. But we tell them the problem is not unique to this platform. It is somewhat inherent to SaaS services. Those companies are not security companies and as you moved those services from your datacenter to your SaaS, you should not forget your security stack behind. It might not have been obvious for people 2-3 years ago but as SaaS adoption picked so quickly in recent years, so has hacker attention shifted to directed attacks against SaaS services. Whether it's malware, data leakage or user access, unless you don’t care about your IT security, you need security to move with you to the cloud.
Here is a short video that demonstrates the gap in Gmail's security