Cloud // Software as a Service
News
12/14/2011
06:48 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Microsoft Office 365 Vs. Google Apps: Compliance Clash

Microsoft dials up the rhetoric and says take that, unidentified competitor whose name begins with the letters "Google."

Office 365 Vs. Google Apps: Top 10 Enterprise Concerns
Office 365 Vs. Google Apps: Top 10 Enterprise Concerns
(click image for larger view and forslideshow)
Microsoft on Wednesday declared that Office 365 is the "first and only major cloud productivity service to comply with leading EU and U.S. standards for data protection and security."

There are, of course, not many "major cloud productivity services." In fact, you'd be hard pressed to come up with "major" contenders beyond Microsoft and Google. There are certainly major companies like IBM and Cisco that offer cloud productivity options, but they aren't really challenging Microsoft Office head-on like Google Apps. Thus Microsoft's dismissal of browser-based apps can be read as a critique of Google, the company that would have you believe Microsoft's hybrid approach, with local and cloud apps, is archaic and inefficient.

"Developing cloud-based productivity tools that meet the needs of European businesses means more than simply building apps in a browser," said Jean-Philippe Courtois, president of Microsoft International, in a statement. "Microsoft has a more complete approach to European data protection and security laws than any other company, and we're proud of the work we've done to ensure the widest range of organizations can move to the cloud with confidence--or choose an equally functional on-premises option."

Microsoft's claim might be best boiled down to something like, "Office 365 is more compliant than Google Apps." There's some truth in that, but also some posturing.

Microsoft says that it will abide by not only European Union model clauses, rules that certify compliance with the European Commission's Data Protection Directive and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S., but also by local data regulations in the 27 EU member states.

[ Even small businesses can afford cloud-based tools. See 10 Essential Cloud Apps For SMBs. ]

Google hasn't fully embraced the model clauses, let alone all the unique member state rules. One reason might be that the model clauses require data processors to make their data processing facilities available to client or government auditors. Given how many clients Google has, the company might be wary of offering data center tours on demand for reasons of security and practicality.

Microsoft says that it's the first major cloud-based productivity service to be certified under ISO/IEC 27001, a data security management benchmark. Google Apps isn't ISO/IEC 27001 certified at the moment but it is certified under the Federal Information Security Management Act (FISMA)--despite Microsoft's claim to the contrary--and certain FISMA requirements can be mapped to ISO/IEC 27001 requirements. So by complying with FISMA, Google Apps is more or less in line with the expectations set forth in ISO/IEC 27001.

Microsoft also cites the online services it has developed for Office 365 that provide safeguards necessary for HIPAA compliance. Yet HIPAA regulates the use of information services in organizations rather than in the service providers themselves. So it's not as if Office 365 is HIPAA compliant and Google Apps isn't. Both companies provide resources to help their customers use their services under HIPAA.

Microsoft says it believes it’s the only cloud productivity service that includes a HIPAA Business Associate Agreement (BAA) to customers covered by HIPAA. The BAA establishes contractual requirements between the customer and Microsoft related to the customer’s HIPAA obligations.

Google points out that compliance isn't everything, an assertion affirmed by the number of companies that have complied with security rules and still suffered data breaches.

"Certifications help communicate certain assurances to customers, but they only tell part of the story," a Google spokesperson said in an email. "Most were not developed with cloud infrastructure in mind. Google Apps has secured several important certifications while developing our own security technology specific to cloud computing."

Indeed, compliance might not be everything, but it's significant enough that it can be used to attempt to thwart the competition.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
8 Steps to Modern Service Management
8 Steps to Modern Service Management
ITSM as we know it is dead. SaaS helped kill it, and CIOs should be thankful. Here’s what comes next.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July10, 2014
When selecting servers to support analytics, consider data center capacity, storage, and computational intensity.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join InformationWeek’s Lorna Garey and Mike Healey, president of Yeoman Technology Group, an engineering and research firm focused on maximizing technology investments, to discuss the right way to go digital.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.