Oct 13, 2024

Securing Google Workspace After Migrating from Microsoft 365: How DoControl Can Help

Microsoft has traditionally been the leader in office application and productivity technology. A 2021 Omdia study pegged Microsoft’s market share at 85% for global office productivity offerings, and 60% for global email and calendaring offerings. Google lagged significantly behind on everything except file storage offerings.

But the times may be a-changin’, due to the major breaches Microsoft has experienced over the past year. 

Security concerns prompt transition from Microsoft 365 to Google Workspace

In June 2023, a China-linked group called Storm-0558 compromised email accounts on Microsoft’s Exchange Online hosted email service. Compromised accounts included those used by senior US State Department officials. The success of the attack was attributed to Microsoft’s insecure key rotation practices and laxity in other security controls. 

But that’s not all. 2024 saw ongoing attacks on Microsoft’s systems by hacker group Midnight Blizzard. The attacks were first detected in late 2023; Microsoft took months to clear the threat actors from its systems, and was still dealing with fallout to its customers in mid-2024.

For any party using or considering using Microsoft’s offerings, this is off-putting, to say the least. The UK Cabinet Office, for example, took a step back from its planned migration to Microsoft - although it may still intend to migrate.

Google has used the opening to convince the market that it should move over to the “more secure” Google offerings. And despite Microsoft’s recent efforts to harden its cybersecurity, it’s possible that the concern is just a little too strong for some customers to be swayed back to Microsoft.

Other reasons to switch away from Microsoft 365 to Google Workspace

Of course, reasons to migrate to Google Workspace have existed since long before last year’s Microsoft breaches. Common motivations for a switch include:

  • Google’s advantage when it comes to real-time collaboration tools - if it is important to your business workflow to have multiple people working on content (e.g. documents, spreadsheets, presentations) simultaneously, Google Workspace provides a smoother experience than Microsoft 365.
  • Mergers and acquisitions - there is a distinct advantage to having all branches of a company on the same office management software platform. So if a company that uses Google Workspace acquires a company that uses Microsoft 365, there is a good chance that the acquired company will be migrated off their old system.
  • Lowering operational costs - neither Microsoft 365 nor Google Workspace is hands-down less expensive. Costs vary according to users, plans, contract terms and special offers. But if a business’s circumstances and needs make one significantly less expensive than the other, that may be a reason to switch.

And security itself was a concern for Microsoft 365 corporate users, even before details on the breaches surfaced. In Gartner’s 2023 Microsoft 365 survey, 59% of respondents cited oversharing and data loss as among the three biggest risks to their organization’s M365 deployment. 

Whether or not your reasons for a migration to Google Workspace include security, however, you certainly don’t want it to be less secure than when you used Microsoft 365.

In order to avoid a decrease in security level, you need to be aware of the areas during and post-migration where things can go wrong and negatively impact security:

  • Permissions
  • Asset metadata
  • Identity management
  • Data protection regulations
  • Connected apps

Let’s take a closer look at all five of the areas, how to avoid a drop in security when migrating from Microsoft 365 to Google Workspace, and how to take advantage of the migration to make your systems even more secure. We’ll also show you how to leverage DoControl to boost your Google Workspace security beyond what you can get with Google Workspace’s built-in capabilities.

Permissions during and post-migration

Access permissions are the heart of your SaaS data security. In order to make sure your Microsoft 365 data access governance settings are migrated to Google Workspace intact, you need to first appreciate the difference in access levels. The difference is mainly in the terminology, as both Microsoft 365 and Google Workspace have three basic access levels (unlike Box, for example, which has seven).

Microsoft’s access levels are termed Owner, View and Edit. Google’s access levels are termed Manager, Viewer and Editor. 

Make sure you migrate all the root level and inner level sharing from Microsoft 365 to Google Workspace: on user accounts, files and folders. Also remember to migrate the sharing permissions for external third-party users.

A migration is an excellent time to weed through your permissions and check that they are still relevant (and, if not, remove them!). This is especially the case for third-party permissions, public sharing or organization-wide sharing.
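The post-migration permission check described above can be scripted. The following is an added example, not code from DoControl, Google or any migration tool: it reconciles source shares against migrated shares using the access-level names given in this article, then lists every share that reaches beyond named internal users. The tuple export format, the `domain:` prefix for organization-wide shares, the `anyone` principal and the sample data are all assumptions constructed for illustration.

```python
# Added example; records and export format are constructed, not a real tool's output.
LEVEL_MAP = {"Owner": "Manager", "Edit": "Editor", "View": "Viewer"}  # article's terms
RANK = {"Viewer": 1, "Editor": 2, "Manager": 3}
INTERNAL_DOMAIN = "example.com"  # assumption: your primary domain

def exposure(principal):
    """Classify how far a share reaches."""
    who = principal.lower()
    if who == "anyone":
        return "public"
    if who.startswith("domain:"):
        return "org-wide"
    return "internal" if who.endswith("@" + INTERNAL_DOMAIN) else "external"

def reconcile(source, dest):
    """Compare (path, principal, level) tuples from M365 with migrated ones."""
    expected = {(p, who): LEVEL_MAP[lvl] for p, who, lvl in source}
    actual = {(p, who): role for p, who, role in dest}
    findings = []
    for key, want in expected.items():
        got = actual.get(key)
        if got is None:
            findings.append(("missing", *key))        # share lost in migration
        elif RANK[got] > RANK[want]:
            findings.append(("escalated", *key))      # more access than before
        elif RANK[got] < RANK[want]:
            findings.append(("downgraded", *key))
    for key in actual.keys() - expected.keys():
        findings.append(("unexpected", *key))         # share that never existed
    return sorted(findings)

def review_queue(dest):
    """Public, org-wide and external shares that need a relevance check."""
    return sorted((exposure(who), p, who, role)
                  for p, who, role in dest if exposure(who) != "internal")

SOURCE = [  # constructed M365 export
    ("/finance/q3.xlsx", "alice@example.com", "Owner"),
    ("/finance/q3.xlsx", "bob@example.com", "View"),
    ("/contracts/msa.docx", "vendor@partner.test", "View"),
    ("/hr/handbook.pdf", "domain:example.com", "View"),
]
DEST = [  # constructed Workspace export after migration
    ("/finance/q3.xlsx", "alice@example.com", "Manager"),
    ("/finance/q3.xlsx", "bob@example.com", "Editor"),
    ("/contracts/msa.docx", "anyone", "Viewer"),
    ("/hr/handbook.pdf", "domain:example.com", "Viewer"),
]
```
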

DoControl can identify and automatically remediate different permutations of permission and asset characteristics:

  • Publicly-shared assets that contain PII? Remove the public sharing links.
  • Externally-shared assets that were shared over a year ago? Remove the shares with any external parties.
  • Assets shared with fourth parties by your third-party contractors? Send a message to the owner of the asset to confirm that these shares are authorized.
  • Assets shared organization-wide that contain sensitive financial figures? Restrict access to members of the financial department only.

These are just a few examples of potential workflows. DoControl enables granular workflows that integrate myriad asset characteristics, identity elements and surrounding business context. By implementing DoControl’s built-in or customized workflows, your organization can benefit from exponentially tighter access security.  

Asset metadata during and post-migration

Metadata is the data about your data. Asset metadata includes information like version history, in-line comments, timestamps, identities that made the changes, etc. for each individual file being migrated. 

Asset metadata is important for SaaS data security because it can be leveraged by SSPM (SaaS security posture management) solutions for rapid detection of potential data exposure issues. The ease of asset sharing on SaaS can move data out of your organization’s control very quickly. Your detection and remediation of exposure needs to move just as quickly, while not bogging down data flow or workflow. Asset metadata provides critical clues to data sensitivity, enabling data protection even before more lengthy DLP (data loss prevention) scans can complete. 

So when moving from Microsoft 365 to Google Workspace, make sure that your migration tool will preserve and move all existing asset metadata into the new environment. Simultaneously, check that you have an SSPM that can leverage the power of asset metadata to enhance your Google Workspace security. DoControl, for example, uses asset metadata to rapidly provide business context to asset shares, then contain potential issues before they can balloon into runaway security problems.

Identity management during and post-migration

User identities and credentials are the key to SaaS asset and application access. You can prove you have an identity with the right access permissions? Okay, you’re in. (Even if you somehow faked the ‘proof’.)

For this reason, user identity management is key to comprehensive SaaS security. If you are moving from Microsoft 365 to Google Workspace, user mapping is a critical part of the planning. Which new Workspace user corresponds to the old Microsoft user? Have all permissions and settings been transferred?

A migration is an excellent time to investigate and reduce identity sprawl in your SaaS ecosystem:

  • Weed through all identities that exist in your Microsoft 365 environment. 
  • Identify duplicate identities and consolidate. 
  • Identify risky identities and remediate. 
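The user-mapping questions and the identity clean-up steps above can be checked against the migration's own mapping file. This is an added example, not DoControl's or Google's code: the export field names, the mapping dictionary and the sample accounts are constructed, grouping duplicates by display name is a simplifying assumption, and "risky" is narrowed here to one case, an account that was disabled in Microsoft 365 but is active in Workspace.

```python
from collections import defaultdict

# Constructed sample exports; field names are hypothetical.
M365_USERS = [
    {"upn": "j.smith@corp.example", "name": "Jane Smith", "enabled": True},
    {"upn": "jsmith-admin@corp.example", "name": "Jane Smith", "enabled": True},
    {"upn": "t.jones@corp.example", "name": "Tom Jones", "enabled": False},
    {"upn": "a.lee@corp.example", "name": "Ana Lee", "enabled": True},
]
WORKSPACE_USERS = [
    {"email": "j.smith@corp.example", "suspended": False},
    {"email": "t.jones@corp.example", "suspended": False},
    {"email": "svc-import@corp.example", "suspended": False},
]
# Old Microsoft 365 UPN -> new Workspace address (constructed mapping file).
USER_MAP = {
    "j.smith@corp.example": "j.smith@corp.example",
    "jsmith-admin@corp.example": "j.smith@corp.example",
    "t.jones@corp.example": "t.jones@corp.example",
}

def audit_identities(m365, workspace, user_map):
    """Report mapping gaps, duplicate people and accounts revived by migration."""
    active = {u["email"].lower(): not u["suspended"] for u in workspace}
    by_name = defaultdict(list)
    report = {"unmapped": [], "reactivated": []}
    for user in m365:
        upn = user["upn"].lower()
        by_name[user["name"].strip().lower()].append(upn)
        target = user_map.get(upn)
        if target not in active:
            # No mapping entry, or it points at an account that does not exist.
            report["unmapped"].append(upn)
        elif not user["enabled"] and active[target]:
            # Disabled at the source but usable again at the destination.
            report["reactivated"].append(target)
    # Same person holding several source accounts: candidates to consolidate.
    report["duplicates"] = {n: sorted(v) for n, v in by_name.items() if len(v) > 1}
    # Destination accounts that no source identity maps to.
    report["unowned"] = sorted(set(active) - set(user_map.values()))
    return report
```
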

DoControl’s Identity Threat Detection and Response tools can be of help in this effort. DoControl creates a cross-SaaS identity posture for each user identity within your Google Workspace ecosystem. Each posture profile aggregates information from multiple sources, including applications, activity, and corporate and private identities, to create a continually updating identity profile with an associated risk score.

Data protection regulatory compliance during and post-migration

Many industries have strict data protection and privacy regulations, with financial and legal consequences for violation. When planning for a migration to Google Workspace, make sure that your migration service provider adheres to the data protection laws of your organization’s region and industry - both while your data is in transit, and when it is at rest.

When your data has been completely transferred into its new Google Workspace environment, you’ll need to ensure that your Google Workspace security configurations conform to industry requirements - and that they stay that way. (Configurations have a tendency to drift with updates, app installs, or other system changes.) 

DoControl’s SaaS misconfiguration management tool will compare your Google Workspace configurations to industry standards and best practices, such as CIS, and then offer guided remediation for any detected misconfigurations.

Connected apps during and post-migration

One of the major draws of SaaS environments is the availability of official and third-party apps that add functionality and efficiency to the built-in applications. If your organization has spent time using Microsoft 365, your users are likely used to certain functionalities and will want them to be present in the new Google Workspace environment. There is no shortage of available apps and add-ons in the Google Marketplace, but make sure you have a way of determining if the new apps are as secure as your old Microsoft apps.

You will also have to decide how much leeway you are going to give your users in adding Google Marketplace apps to Workspace. On the one hand, one-size-fits-all policies that only allow company-whitelisted apps can limit and frustrate users. On the other hand, permissiveness can let malicious or risky apps sneak in and wreak havoc. To get the most out of Workspace connected apps while maintaining security, you’re going to need a way to effectively identify and analyze all connected apps according to multiple security factors. 

With DoControl’s Shadow App Discovery and Remediation, one-size-fits-all app policies can be replaced with smart policies that use user input and business context (e.g. why this app is needed) and actual app usage data (e.g. permission scopes, activity, geolocation) to determine app risk and take steps, if needed, to remediate. 

Be careful about what mergers and acquisitions add to your SaaS ecosystem

A word to the wise: sometimes additions subtract. 

If you are adding a new company, with a new SaaS environment, to your own, a thorough security analysis of that environment should be a top priority. Fail to do so, and you run the risk of ending up like hotel giant Marriott, which inherited a lurking hacker when it acquired the Starwood chain back in 2016 - and didn’t become aware of it until 2018. Marriott found itself on the receiving end of a class-action suit and some steep fines for violating GDPR.

A migration is just the beginning

Like the immigrants who made their way from Europe to the New World, the trip to your new environment is just the start of your journey.

To maximize the benefit of your transition from Microsoft 365 to Google Workspace, ensure that your Microsoft access permissions and user identities have been transferred accurately to Google. Take advantage of the transition to weed out any unnecessary or risky permissions or identities. Make sure your asset metadata is preserved and that you know how to leverage it for security evaluations. Stay on top of your Google Workspace configurations and your third-party OAuth apps. 

Feeling secure? Good. If you’ve done all that, you probably are. 

And if you need some extra support to reach that level of security, that’s why DoControl exists.
