Microsoft Office 365 Vs. Google Apps: Compliance Clash - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Cloud // Software as a Service
News
12/14/2011
06:48 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Office 365 Vs. Google Apps: Compliance Clash

Microsoft dials up the rhetoric and says take that, unidentified competitor whose name begins with the letters "Google."

Office 365 Vs. Google Apps: Top 10 Enterprise Concerns
Office 365 Vs. Google Apps: Top 10 Enterprise Concerns
(click image for larger view and forslideshow)
Microsoft on Wednesday declared that Office 365 is the "first and only major cloud productivity service to comply with leading EU and U.S. standards for data protection and security."

There are, of course, not many "major cloud productivity services." In fact, you'd be hard pressed to come up with "major" contenders beyond Microsoft and Google. There are certainly major companies like IBM and Cisco that offer cloud productivity options, but they aren't really challenging Microsoft Office head-on like Google Apps. Thus Microsoft's dismissal of browser-based apps can be read as a critique of Google, the company that would have you believe Microsoft's hybrid approach, with local and cloud apps, is archaic and inefficient.

"Developing cloud-based productivity tools that meet the needs of European businesses means more than simply building apps in a browser," said Jean-Philippe Courtois, president of Microsoft International, in a statement. "Microsoft has a more complete approach to European data protection and security laws than any other company, and we're proud of the work we've done to ensure the widest range of organizations can move to the cloud with confidence--or choose an equally functional on-premises option."

Microsoft's claim might be best boiled down to something like, "Office 365 is more compliant than Google Apps." There's some truth in that, but also some posturing.

Microsoft says that it will abide by not only European Union model clauses, rules that certify compliance with the European Commission's Data Protection Directive and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S., but also by local data regulations in the 27 EU member states.

[ Even small businesses can afford cloud-based tools. See 10 Essential Cloud Apps For SMBs. ]

Google hasn't fully embraced the model clauses, let alone all the unique member state rules. One reason might be that the model clauses require data processors to make their data processing facilities available to client or government auditors. Given how many clients Google has, the company might be wary of offering data center tours on demand for reasons of security and practicality.

Microsoft says that it's the first major cloud-based productivity service to be certified under ISO/IEC 27001, a data security management benchmark. Google Apps isn't ISO/IEC 27001 certified at the moment but it is certified under the Federal Information Security Management Act (FISMA)--despite Microsoft's claim to the contrary--and certain FISMA requirements can be mapped to ISO/IEC 27001 requirements. So by complying with FISMA, Google Apps is more or less in line with the expectations set forth in ISO/IEC 27001.

Microsoft also cites the online services it has developed for Office 365 that provide safeguards necessary for HIPAA compliance. Yet HIPAA regulates the use of information services in organizations rather than in the service providers themselves. So it's not as if Office 365 is HIPAA compliant and Google Apps isn't. Both companies provide resources to help their customers use their services under HIPAA.

Microsoft says it believes it’s the only cloud productivity service that includes a HIPAA Business Associate Agreement (BAA) to customers covered by HIPAA. The BAA establishes contractual requirements between the customer and Microsoft related to the customer’s HIPAA obligations.

Google points out that compliance isn't everything, an assertion affirmed by the number of companies that have complied with security rules and still suffered data breaches.

"Certifications help communicate certain assurances to customers, but they only tell part of the story," a Google spokesperson said in an email. "Most were not developed with cloud infrastructure in mind. Google Apps has secured several important certifications while developing our own security technology specific to cloud computing."

Indeed, compliance might not be everything, but it's significant enough that it can be used to attempt to thwart the competition.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
Commentary
If DevOps Is So Awesome, Why Is Your Initiative Failing?
Guest Commentary, Guest Commentary,  12/2/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
The Cloud Gets Ready for the 20's
This IT Trend Report explores how cloud computing is being shaped for the next phase in its maturation. It will help enterprise IT decision makers and business leaders understand some of the key trends reflected emerging cloud concepts and technologies, and in enterprise cloud usage patterns. Get it today!
Slideshows
Flash Poll