There are, of course, not many "major cloud productivity services." In fact, you'd be hard pressed to come up with "major" contenders beyond Microsoft and Google. There are certainly major companies like IBM and Cisco that offer cloud productivity options, but they aren't really challenging Microsoft Office head-on like Google Apps. Thus Microsoft's dismissal of browser-based apps can be read as a critique of Google, the company that would have you believe Microsoft's hybrid approach, with local and cloud apps, is archaic and inefficient.
"Developing cloud-based productivity tools that meet the needs of European businesses means more than simply building apps in a browser," said Jean-Philippe Courtois, president of Microsoft International, in a statement. "Microsoft has a more complete approach to European data protection and security laws than any other company, and we're proud of the work we've done to ensure the widest range of organizations can move to the cloud with confidence--or choose an equally functional on-premises option."
Microsoft's claim might be best boiled down to something like, "Office 365 is more compliant than Google Apps." There's some truth in that, but also some posturing.
Microsoft says that it will abide by not only European Union model clauses, rules that certify compliance with the European Commission's Data Protection Directive and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S., but also by local data regulations in the 27 EU member states.
[ Even small businesses can afford cloud-based tools. See 10 Essential Cloud Apps For SMBs. ]
Google hasn't fully embraced the model clauses, let alone all the unique member state rules. One reason might be that the model clauses require data processors to make their data processing facilities available to client or government auditors. Given how many clients Google has, the company might be wary of offering data center tours on demand for reasons of security and practicality.
Microsoft says that it's the first major cloud-based productivity service to be certified under ISO/IEC 27001, a data security management benchmark. Google Apps isn't ISO/IEC 27001 certified at the moment but it is certified under the Federal Information Security Management Act (FISMA)--despite Microsoft's claim to the contrary--and certain FISMA requirements can be mapped to ISO/IEC 27001 requirements. So by complying with FISMA, Google Apps is more or less in line with the expectations set forth in ISO/IEC 27001.
Microsoft also cites the online services it has developed for Office 365 that provide safeguards necessary for HIPAA compliance. Yet HIPAA regulates the use of information services in organizations rather than in the service providers themselves. So it's not as if Office 365 is HIPAA compliant and Google Apps isn't. Both companies provide resources to help their customers use their services under HIPAA.
Microsoft says it believes it’s the only cloud productivity service that includes a HIPAA Business Associate Agreement (BAA) to customers covered by HIPAA. The BAA establishes contractual requirements between the customer and Microsoft related to the customer’s HIPAA obligations.
Google points out that compliance isn't everything, an assertion affirmed by the number of companies that have complied with security rules and still suffered data breaches.
"Certifications help communicate certain assurances to customers, but they only tell part of the story," a Google spokesperson said in an email. "Most were not developed with cloud infrastructure in mind. Google Apps has secured several important certifications while developing our own security technology specific to cloud computing."
In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).