A more secure alternative
In the wake of significant cybersecurity incidents with Microsoft, Google Workspace offers a safer choice.
Contents
Executive Summary
Microsoft’s pattern of security issues
  How did Microsoft get breached?
  Were these just accidents?
A different, safer path with Google Workspace
  A fundamentally different, more secure approach
  A strong, security-focused culture
  Deeply embedded zero trust controls for customers
It’s not just the technology; it’s also the research & investment mindset
Innovation that takes us to the future
Executive Summary
Microsoft’s ongoing security struggles recently came to a head with a series of high-profile incidents that put its customers at risk. One such incident in the summer of 2023 by the group known as Storm-0558 resulted in the compromise of senior U.S. and U.K. government official accounts, including 22 organizations, over 500 individuals, and tens of thousands of emails. This prompted the Department of Homeland Security’s Cyber Safety Review Board (CSRB) to issue a detailed report identifying the company’s “cascade of security failures”1 that led to the data breach. The details in this report speak to prolonged systemic issues and a “corporate culture that deprioritized both enterprise security investments and rigorous risk management.”2

On the heels of the Storm-0558 compromise, CISA issued Emergency Directive ED 24-04 in response to a separate Microsoft data breach that occurred just a few months later in November of 2023: “state-sponsored cyber actor known as Midnight Blizzard has exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft through a successful compromise of Microsoft corporate email accounts.”3

The repeated security challenges with Microsoft call for a better alternative for enterprises and public-sector organizations alike. We believe Google Workspace is a safer alternative, with a proven track record of engineering excellence, deep investment in cutting-edge defenses, and a transparent culture that treats providing security for our customers as a profound responsibility.

This belief is rooted in battle-tested experience. We know that no organization is immune from highly sophisticated adversaries. In fact, these same nation state actors attacked Google in 2009, and those attacks led us to make far-reaching security improvements that were recognized in the CSRB report: “Google also undertook a comprehensive overhaul of its infrastructure security.”4

In this whitepaper, we share some of the history of how our security strategy has evolved as well as more details about the controls and security benefits of using Google Workspace, including apps like Gmail, Google Drive, Slides, Docs, Meet, Chat and more.
Note: This white paper applies to Google Workspace products described at workspace.google.com. The content contained therein is current as of May 2024 and represents the status quo as of the time it was written. References to forthcoming features are annotated as such and do not constitute a commitment to a specific release schedule. Google's security policies and systems may change going forward, as we continually improve protection for our customers. The availability of the product features and capabilities described in this paper is subject to license availability of the various Google Workspace edition product offerings.
Microsoft’s pattern of security issues

How did Microsoft get breached?
In the summer of 2023, a state-sponsored adversary associated with the government of the People’s Republic of China, known as Storm-0558, compromised Microsoft’s environment and stole a signing key that “permitted Storm-0558 to gain full access to essentially any Exchange Online account anywhere in the world.”5 This breach resulted in unauthorized access to email accounts belonging to senior U.S. government officials working on matters of U.S. national security, including the State Department, Department of Commerce, House of Representatives, the U.S. Ambassador to the People's Republic of China, and 22 other organizations and 500 individuals across the world.

The signing keys that Storm-0558 obtained are “…used for secure authentication into remote systems, [and] are the cryptographic equivalent of crown jewels for any cloud service provider.”6 The keys are like those master keys that unlock all the rooms of a hotel. Once obtained, they can provide sweeping access. Because Microsoft allowed the same key to be trusted across different account types, it meant that a single compromise impacted consumer, enterprise, and government accounts alike. “As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key.”7

As the CSRB remarked: “The loss of a signing key is a serious problem, but the loss of a signing key through unknown means is far more significant because it means that the victim company does not know how its systems were infiltrated and whether the relevant vulnerabilities have been closed off.”8 This incident represents one of the most consequential data breaches of a prominent cloud services provider to date. The CSRB referred to the event as the “espionage equivalent of gold.”9

Just a few months later, in November 2023, another hacking group—a Russian state-sponsored adversary known as Midnight Blizzard—utilized a password spray attack to compromise Microsoft's corporate email accounts, including those of senior leaders, security, legal, and other teams.10 This group gained access to email correspondence with U.S. government officials. In March 2024, Microsoft stated that the Midnight Blizzard attack that started in November 2023 was still ongoing five months later, without a reported timeline for resolution: “In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems.”11
Were these just accidents?
The severity of such attacks cannot be overstated. Foreign adversaries with access to government communications and systems may have the ability to commit espionage or attack critical infrastructure in the event of geopolitical conflict, with potentially severe implications for governments and civilians.

Failure to prioritize security and risk management
In the case of the Storm-0558 compromise, the CSRB concluded that “this intrusion was preventable and should never have occurred”12 citing “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”13

Failure to correct inaccurate public statements
The CSRB also noted significant concerns with Microsoft's handling of the incident, including a “decision not to correct, in a timely manner, its inaccurate public statements about this incident”14 until “the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction.”15 As a result, “Microsoft’s customers did not have essential facts needed to make their own risk assessments about the security of Microsoft cloud environments in the wake of this intrusion.”16

Failure to verify the means of key loss
In fact, it’s uncertain whether Microsoft is able to prevent this type of incident from occurring again because the root cause has not been verified. “At the conclusion of the Board’s review, even in the context of Microsoft’s March 12 update, Microsoft has not identified a crash dump that contains the 2016 MSA key, or any other evidence of the key having been moved inappropriately.”17 Furthermore, “the Board assesses that Microsoft does not know how Storm-0558 obtained the 2016 MSA key.”18

While no organization is immune to being the target of highly sophisticated adversaries, there is a clear pattern of evidence that suggests Microsoft is unable to keep their systems and therefore their customers’ data safe.
A different, safer path with Google Workspace
A fundamentally different, more secure approach
Google Workspace is designed to support stringent privacy and security standards based on industry best practices:
● A cloud-first, browser-based approach that is constantly updated – no need for local devices, native apps, or email attachments.
● Built-in controls, encryption, and verification with a Zero Trust approach that enables employees to work from anywhere and eliminates the need for VPNs.
● Operating on a global scale to protect your organization’s information from phishing, malware, ransomware, and supply chain attacks – no add-ons required. Gmail blocks more than 99.9% of spam, phishing attempts, and malware from reaching your inbox. Gmail also detects two times more malware on average than third-party standard antivirus products alone.
● Making everyone safer with secure endpoints (company-provided or BYOD) that don’t require patching and strong account takeover protections — secure by design, secure by default.

As an example of Google’s differentiated approach to security, the CSRB report acknowledged the significant efforts we’ve taken over time to make our systems and products resilient to these types of attacks: “Google re-worked its identity system to rely as much as possible on stateful tokens, in which every credential is assigned a unique identifier at issuance and recorded in a database as irreversible proof that the credential Google receives is one that it had issued. Google also implemented fully automatic key rotation where possible and tightened the validation period for stateless tokens, reducing the window of time for threat actors to locate and obtain active keys. Google also undertook a comprehensive overhaul of its infrastructure security including implementing Zero Trust networks and hardware-backed, Fast IDentity Online (FIDO)-compliant two-factor authentication (2FA) to protect these identity systems.”19
As the CSRB noted, Google leverages stateful tokens as
much as possible. Expanding on this concept a bit
further:
● The Google identity service verifies the user sign-in
and then issues a user credential, such as a cookie
or an OAuth token to the user's device. This
credential is recorded in Google identity credential
storage and considered stateful. Every subsequent
request from the device to our infrastructure must
present that user credential.
● When a service receives a user credential, the
service passes the credential to the identity service
for verification against the list of issued and valid
credentials. If the user credential is verified, the
identity service returns a short-lived user-context
ticket that can be used for remote procedure calls
(RPCs) related to the user's request. From that point
on, for any cascading calls, the calling service can
send the user-context ticket to the callee as a part
of the RPC. Those tickets are only usable internally in
the Google production environment.
Google's secure-by-design stateful identity tokens
safeguard user accounts by preventing credential
forgery. Even if cryptographic keys are compromised,
they cannot be directly used by external attackers to
access user data. Instead, the tokens are verified through
a separate process that checks whether they were issued
by Google before granting access to any user
information.
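To make the distinction between stateful and stateless tokens concrete, the following is an added example; it is not code from this whitepaper or from Google's identity systems. It is a toy identity service in Python in which every credential gets a unique identifier at issuance and is recorded in a credential store, verification consults that record before a short-lived context ticket is issued, and a stateless signed token is implemented alongside for contrast. The HMAC-based signing, the record layout, the function names and the time-to-live values are all assumptions made for illustration. The `simulate_key_compromise` scenario shows the property the text describes: a party holding the signing key can mint a stateless token that verifies, but a correctly signed credential that was never issued is rejected by the stateful check, and a shorter validation period bounds how long a stateless token remains usable.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _sign(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 stands in for the identity service's signing key (assumption)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


# ---- Stateless token: the signature alone is the proof of issuance ----------
def issue_stateless_token(user: str, key: bytes, ttl_s: int, now: float) -> str:
    body = json.dumps({"sub": user, "exp": now + ttl_s}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body, key)


def verify_stateless_token(token: str, key: bytes, now: float) -> Optional[str]:
    """Return the subject if the signature is valid and the token is unexpired."""
    try:
        b64, sig = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(_sign(body, key), sig):
        return None
    claims = json.loads(body)
    return None if now > claims["exp"] else claims["sub"]


# ---- Stateful credential: issuance is recorded, verification consults it ----
class IdentityService:
    """Toy identity service: credential storage plus context-ticket issuance."""

    def __init__(self, signing_key: bytes, ticket_ttl_s: int = 300):
        self.key = signing_key
        self.ticket_ttl_s = ticket_ttl_s
        self.credential_store: dict = {}  # credential id -> issuance record
        self.tickets: dict = {}           # ticket id -> {"sub", "exp"}

    def sign_in(self, user: str, now: float) -> str:
        cred_id = secrets.token_hex(16)  # unique identifier assigned at issuance
        self.credential_store[cred_id] = {"sub": user, "issued_at": now, "revoked": False}
        return cred_id + "." + _sign(cred_id.encode(), self.key)

    def verify_credential(self, credential: str) -> Optional[str]:
        try:
            cred_id, sig = credential.rsplit(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(_sign(cred_id.encode(), self.key), sig):
            return None
        record = self.credential_store.get(cred_id)
        if record is None or record["revoked"]:
            return None  # correctly signed, but never issued (or since revoked)
        return record["sub"]

    def revoke(self, credential: str) -> None:
        cred_id = credential.rsplit(".", 1)[0]
        if cred_id in self.credential_store:
            self.credential_store[cred_id]["revoked"] = True

    def issue_context_ticket(self, credential: str, now: float) -> Optional[str]:
        """Short-lived ticket a frontend hands to backend services for one request."""
        user = self.verify_credential(credential)
        if user is None:
            return None
        ticket = secrets.token_hex(16)
        self.tickets[ticket] = {"sub": user, "exp": now + self.ticket_ttl_s}
        return ticket

    def check_ticket(self, ticket: str, now: float) -> Optional[str]:
        rec = self.tickets.get(ticket)
        if rec is None or now > rec["exp"]:
            return None
        return rec["sub"]


def simulate_key_compromise(now: float = 1_000_000.0) -> dict:
    """Constructed scenario: the signing key has leaked to an outside party."""
    key = secrets.token_bytes(32)
    svc = IdentityService(key)
    legit = svc.sign_in("alice", now)

    # Tokens minted with the leaked key, with no involvement of the identity service.
    forged_stateless = issue_stateless_token("victim", key, ttl_s=3600, now=now)
    forged_id = secrets.token_hex(16)
    forged_stateful = forged_id + "." + _sign(forged_id.encode(), key)

    return {
        "legit_stateful_accepted": svc.verify_credential(legit) == "alice",
        "stateless_forgery_accepted": verify_stateless_token(forged_stateless, key, now) == "victim",
        "stateful_forgery_accepted": svc.verify_credential(forged_stateful) is not None,
        # A tightened validation period bounds how long a stateless token stays usable.
        "stateless_after_ttl_accepted": verify_stateless_token(forged_stateless, key, now + 3601) is not None,
    }
```

The `revoke` path is the other benefit of recorded state: a single credential can be invalidated without rotating the key, which a stateless token cannot offer before it expires.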
Figure: Conceptual architectural flow of stateful tokens. The diagram shows the End-User (Username + Password + Security Key Assertion), the Workspace Frontend, the Google Identity Service with its Identity Credential Storage (Record End-User Credential Issued), the Identity Verification Service (Validate End-User Credential + Actor’s Context), the Workspace Backend Services, the Short-lived End-User Context Ticket (Stateful Token), Identity Based Access Controls, and Data Storage, with the flow numbered 1 through 8 from sign-in and credential issuance, through validation success and short-lived context ticket issuance, to data access.
The adoption of stateful tokens is not the only protection keeping our customers' data safe. Our Google infrastructure
security design whitepaper describes, in detail, the security considerations made at each layer of our stack, from hardware
to client, including physical security and employee controls. This includes BeyondProd, Google’s approach to implementing
zero trust principles in infrastructure—where trust depends on characteristics like code provenance, trusted hardware, and
service identity, rather than the location in the production network, such as IP address or hostname. With BeyondProd,
there is no inherent mutual trust between services, network edge protection isolates workloads from network attacks, and
policy enforcement is consistent across services. We further describe our evolution toward this infrastructure model in our
BeyondProd whitepaper.
A strong, security-focused culture
In 2009, Google was one of the targets of Operation Aurora, a China-backed series of cyberattacks that we link to the
same Storm-0558 group that compromised Microsoft in the summer of 2023: “Industry links Storm-0558 to the 2009
Operation Aurora campaign that targeted over two dozen companies, including Google.”20
The difference between the recent events impacting Microsoft and their customers and the compromise that impacted
Google over a decade ago is that, based on our responsibility for keeping billions of people safe, we fundamentally
changed how we think about cybersecurity.
“Operation Aurora was a series of cyberattacks from China that targeted U.S. private sector companies in 2010. The
threat actors conducted a phishing campaign that compromised the networks of Yahoo, Adobe, Dow Chemical,
Morgan Stanley, Google, and more than two dozen other companies to steal their trade secrets. Google was the only
company that confirmed it was a victim and disclosed to the public that the Gmail accounts of certain Chinese
human rights activists had been compromised. Google also publicly attributed the incident to China, something
companies were reluctant to do for fear of jeopardizing their access to the Chinese market. The incident is viewed as
a milestone in the recent history of cyber operations because it raised the profile of cyber operations as a tool for
industrial espionage. It led Google to cease its operations in China, though it continues to operate a localized version
of its search engine in Hong Kong. As a result of the Gmail compromise, Google began notifying users if it believed
their accounts had been targeted or compromised by a state-sponsored actor. This practice later spread to other
email providers.” 21
Operation Aurora - Council on Foreign Relations
In our blog Transparency in the shadowy world of cyber attacks, we shared our learnings that “Aurora not only taught us the need to embrace transparency, it also taught us a second, and even more important lesson: What works and what doesn’t when it comes to security architecture.”22

Specifically, in this case, we launched an internal initiative called BeyondCorp, which pioneered the concept of zero trust and defense in depth and allowed every employee to work from untrusted networks without the use of a VPN. Today, organizations around the world are taking this same approach, shifting access controls from the network perimeter to the individual and the data.

Our approach, which predates CSRB recommendations, enables customers, organizations, and governments to react promptly, reducing the window for exploitation by threat actors. This culture governs how we engage with customers, prioritize engineering decisions, and determine product investments.
Deeply embedded zero trust controls for customers
Taking the concepts of BeyondCorp a step further, Google Workspace enables customers to configure additional layers of data protection on top of the depth of controls implemented by Google. These protections were designed to closely align with the CISA Zero Trust Maturity Model and include:

Passkeys & security keys: Combating user credential compromise, passkeys are a passwordless sign-in method that can offer a convenient and secure authentication experience across websites and apps, allowing users to sign in with a fingerprint, face recognition, or other screen-lock mechanism across phones, laptops, or desktops. Security keys provide hardware-based, phishing-resistant, two-factor authentication (2FA) to help protect high-value users.

Context-Aware Access (CAA) & BeyondCorp Enterprise (Chrome Enterprise): Granular access control security policies for apps based on attributes, such as user identity, location, device security status, and IP address. With CAA, you control user access based on their context, such as whether their device complies with your IT policy.

Strong data controls: Customers can benefit from tools like DLP and data classification to uniquely identify confidential information for their organization. Once the risk profile of the data has been established, customers can apply the appropriate controls (prevent sharing, downloads) that are required for their workforce.

We partner closely with CISA on their Secure Cloud Business Applications (SCuBA) project, which offers baseline configuration guides. To learn more about Google Workspace zero trust controls, we encourage you to review our Zero trust best practices guide for U.S. public sector agencies and the Google Workspace security and trust webpage.
It’s not just the technology;
it’s also the research &
investment mindset
Security is deeply ingrained in the fabric of our operations. Our dedicated security teams include
some of the world's most prolific researchers in the areas of information and application security,
cryptography, network security, and threat modeling. In adherence with leading standards, and in
partnership with regulatory bodies and the scientific community, we develop internal processes that
govern all aspects of how we work.
We have an enterprise-wide approach toward defending our systems and keeping our customers' data safe and secure.
As an example, we leverage Chrome Enterprise controls and require all employees to use security keys for system access.
Google invests significantly in the advancement of security, including a commitment to invest $10 billion over the next 5
years to strengthen cybersecurity, expand zero-trust programs, help secure the software supply chain, and enhance
open-source security.
Our research: Google Research supports numerous projects on security, privacy, and abuse prevention. The research includes publications, such as Building Secure and Reliable Systems,23 Security by Design,24 and Developer Ecosystems for Software Safety.25 Security researchers at Google also run Project Zero, a program dedicated to the study of zero-day vulnerabilities in hardware and software systems. Google’s intelligence and security teams, including Google Cloud’s Office of the CISO, Google’s Threat Analysis Group, Mandiant, and various Google Cloud product teams, regularly publish their insights in Google’s Threat Horizons Report.

Community engagement: In addition to publishing our research for the collective benefit of the community, Google’s Security Engineering team runs the Bug Hunter program that engages the external community in testing for vulnerabilities in Google systems. This program includes monetary rewards to incentivise community engagement. Tsunami is an open-source, general-purpose, network-security scanner with an extensible plug-in system for detecting high-severity vulnerabilities with high confidence. Tsunami is one of Google’s many open-source security projects.
As we’ve noted, no organization is immune from being the
target of highly sophisticated and unrelenting adversaries. In
the more than 14 years since Project Aurora, we have
conducted an overhaul of the fundamental architecture of our
platforms, our defense-in-depth approach, and our culture
around core security principles in efforts to protect our
internal systems and customers from such compromises.
Innovation that takes us to the future
As noted above, several of CSRB’s recommendations are already a core part of Google’s approach to security. In addition, Google proactively addresses issues that the industry is facing at large and strives to provide industry-first solutions to the ever-evolving security challenges. Noted below are a couple of examples:

Device-bound session controls: To substantially reduce the impact of cookie theft, Google has announced a new open standard to cryptographically bind web sessions to device hardware. By binding authentication sessions to the device, device-bound session controls disrupt the cookie theft industry because exfiltrating these cookies will no longer have any value.

Innovations in AI: Today, Gmail’s advanced AI protections already block more than 99.9% of spam, phishing attempts, and malware from reaching your inbox. With the use of large language models, we’ve further reduced spam in Gmail by an additional 20% and can evaluate 1,000 times more user-reported spam in Gmail every day. Recently, we brought the power of large language models to classify documents through AI classification, which enables customers to use custom, privacy-preserving models to identify and protect sensitive data. We’ll continue to infuse new layers of AI defenses into our products, with cutting edge technologies to better protect our customers.
How Google Workspace can help
We continue to be laser focused on keeping our customers safe and providing safer alternatives for work. To discover
how you can provide your organization with a more secure way to work, please speak with your customer
representative or start here.
Appendix: Footnotes
Number Source
1 CSRB, Review of the Summer 2023 Microsoft Exchange Online Intrusion, ii, (CSRB, 2024).
2 Ibid., iv.
3 CISA, ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System, (CISA, 2024).
4 CSRB, Review of the Summer 2023 Microsoft Exchange Online Intrusion, 20, (CSRB, 2024).
5 Ibid., iii.
6 Ibid., iii.
7 Ibid., iii.
8 Ibid., 18.
9 Ibid., ii.
10 CISA, ED 24-02.
11 Microsoft Security Response Center, Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard, (Microsoft, 2024).
12 CSRB, Review of the Summer 2023 Microsoft Exchange Online Intrusion, iii, (CSRB, 2024).
13 Ibid., iii.
14 Ibid., iii.
15 Ibid., iii.
17 Ibid., 16.
18 Ibid., 5.
19 Ibid., 20.
20 Ibid., iii.
21 Council on Foreign Relations, Operation Aurora, (Council on Foreign Relations, 2010).
22 Kent Walker, Transparency in the shadowy world of cyberattacks, (Google, 2022).
23 Heather Adkins, Betsy Beyer, Paul Blankinship, Ana Oprea, Piotr Lewandowski, Adam Stubblefield, Building Secure and Reliable Systems, (O’Reilly Media, 2020).
24 Christoph Kern, Secure by Design at Google, (Google, 2024).
25 Christoph Kern, Developer Ecosystems for Software Safety, (Google, Feb. 2024).