Microsoft Office 365 Vs. Google Apps: Compliance Clash

Microsoft dials up the rhetoric and says take that, unidentified competitor whose name begins with the letters "Google."

Thomas Claburn, Editor at Large, Enterprise Mobility

December 14, 2011

4 Min Read

Office 365 Vs. Google Apps: Top 10 Enterprise Concerns

Office 365 Vs. Google Apps: Top 10 Enterprise Concerns

Office 365 Vs. Google Apps: Top 10 Enterprise Concerns (click image for larger view and forslideshow)

Microsoft on Wednesday declared that Office 365 is the "first and only major cloud productivity service to comply with leading EU and U.S. standards for data protection and security."

There are, of course, not many "major cloud productivity services." In fact, you'd be hard pressed to come up with "major" contenders beyond Microsoft and Google. There are certainly major companies like IBM and Cisco that offer cloud productivity options, but they aren't really challenging Microsoft Office head-on like Google Apps. Thus Microsoft's dismissal of browser-based apps can be read as a critique of Google, the company that would have you believe Microsoft's hybrid approach, with local and cloud apps, is archaic and inefficient.

"Developing cloud-based productivity tools that meet the needs of European businesses means more than simply building apps in a browser," said Jean-Philippe Courtois, president of Microsoft International, in a statement. "Microsoft has a more complete approach to European data protection and security laws than any other company, and we're proud of the work we've done to ensure the widest range of organizations can move to the cloud with confidence--or choose an equally functional on-premises option."

Microsoft's claim might be best boiled down to something like, "Office 365 is more compliant than Google Apps." There's some truth in that, but also some posturing.

Microsoft says that it will abide by not only European Union model clauses, rules that certify compliance with the European Commission's Data Protection Directive and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S., but also by local data regulations in the 27 EU member states.

[ Even small businesses can afford cloud-based tools. See 10 Essential Cloud Apps For SMBs. ]

Google hasn't fully embraced the model clauses, let alone all the unique member state rules. One reason might be that the model clauses require data processors to make their data processing facilities available to client or government auditors. Given how many clients Google has, the company might be wary of offering data center tours on demand for reasons of security and practicality.

Microsoft says that it's the first major cloud-based productivity service to be certified under ISO/IEC 27001, a data security management benchmark. Google Apps isn't ISO/IEC 27001 certified at the moment but it is certified under the Federal Information Security Management Act (FISMA)--despite Microsoft's claim to the contrary--and certain FISMA requirements can be mapped to ISO/IEC 27001 requirements. So by complying with FISMA, Google Apps is more or less in line with the expectations set forth in ISO/IEC 27001.

Microsoft also cites the online services it has developed for Office 365 that provide safeguards necessary for HIPAA compliance. Yet HIPAA regulates the use of information services in organizations rather than in the service providers themselves. So it's not as if Office 365 is HIPAA compliant and Google Apps isn't. Both companies provide resources to help their customers use their services under HIPAA.

Microsoft says it believes it’s the only cloud productivity service that includes a HIPAA Business Associate Agreement (BAA) to customers covered by HIPAA. The BAA establishes contractual requirements between the customer and Microsoft related to the customer’s HIPAA obligations.

Google points out that compliance isn't everything, an assertion affirmed by the number of companies that have complied with security rules and still suffered data breaches.

"Certifications help communicate certain assurances to customers, but they only tell part of the story," a Google spokesperson said in an email. "Most were not developed with cloud infrastructure in mind. Google Apps has secured several important certifications while developing our own security technology specific to cloud computing."

Indeed, compliance might not be everything, but it's significant enough that it can be used to attempt to thwart the competition.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights