The thriving security market is a feature, not a bug.
Spend any time on industry forums or LinkedIn and you’ll hear some variation of the same complaints about today’s leading cloud office providers over and over again. Google builds its products with such a great security foundation, but it only builds the tools about 70% of the way and then just… stops.
But then at the other end of the spectrum, Microsoft’s enterprise security has so many dials and switches that you need a savant to configure them correctly, after you’ve spent a small fortune purchasing all of the various licenses and options… and even then, underlying foundational cracks in Microsoft security can put you at risk.
This isn’t a new observation, and it’s a persistent one. The reality underlying observations like this creates a real dilemma for organizations today. To set their security stack up exactly as needed for their operations, customers of both Google Workspace and Microsoft 365 often need to turn to third-party vendors (ahem).
The Google Workspace dilemma: a solid foundation without operational flexibility
Google’s underpinnings are undeniably robust, but the operational tooling for security teams leaves much to be desired–or built in-house. For many organizations, particularly those running lean security teams, that leaves significant gaps in day-to-day SecOps needs.
First, let’s give credit where it’s due. Google’s underlying infrastructure is one of the most secure on the planet. The scale, resilience, and baked-in protections are incredibly impressive. The problem organizations have with Google is never its fundamentals: it’s the tooling built on top of it–or lack thereof.
The native controls in Google Workspace lack the granularity and operational efficiency needed for day-to-day security.
- Data loss prevention (DLP) can be very blunt and noisy, making it difficult to tune policies that meaningfully protect sensitive data without disrupting business workflows.
- Alerting and investigation tools in Security Center are a start, but correlating events and tracking an attack path can be a frustrating, manual exercise that usually demands exporting logs to other systems.
- Remediation and response range from cumbersome to impossible. Manually clawing back a phishing email from hundreds of inboxes is far from the best use of an analyst’s time.
The platform provides the basic building blocks. And there is something to be said for the peace of mind that comes with the underlying soundness of the platform itself. But it demands your team do the heavy lifting of making them work as a cohesive security system.
Is the grass greener in Redmond?
The conventional wisdom for those organizations with more complex SecOps, then, is to turn to Microsoft 365. If Google’s approach is minimalist, Microsoft’s is maximalist. It offers a dizzying array of security products, settings, configurations, and an alphabet soup of acronyms all its own to go along with it.
Surely, the answer to even the most niche security need lies somewhere in the sprawl of E5, right? Not so fast.
- The most effective tools are typically bundled in the highest, most expensive license tiers like E5. Getting access to the full suite requires a massive financial commitment that many smaller and mid-size organizations simply can’t justify.
- And simply owning the license is only the beginning: effectively deploying, configuring, integrating, and maintaining the Microsoft security stack requires its own deep specialization and certifications. And the false sense of security that goes along with an unwittingly misconfigured tool can be worse than no tool at all.
- Even with every feature bought and paid for, expertly configured and maintained by an army of FTEs and consultants, fundamental gaps remain. Data discovery and protection can still be an issue, sophisticated attacks can still bypass its phishing protection, and account takeovers are still incredibly difficult to detect–not to mention the occasional security failings of the infrastructure itself.
Third party security is a feature, not a bug
The point of this post isn’t to criticize Google or Microsoft; it’s to offer a realistic appraisal of the state of both modern cybersecurity and the market that supports it.
No two organizations are the same. Of course, we all follow the same best practices, we all have the same basic needs, we’re all fighting against countless variations of the same threats. But we all have unique footprints, operations, goals, and obstacles–and our security programs need to account for all of that and much, much more.
Even with the resources available in Mountain View and Redmond, no single provider can be everything to everyone. It’s simply an impossible task. The sheer size and diversity of the cybersecurity market isn’t a sign that the platform players have failed: it’s a sign of a healthy, mature market serving a mind-rendingly complex ecosystem.
The existence of specialized third-party vendors, like Material, is a feature of this landscape. It allows for:
- Focus: a company dedicated to solving a single, difficult problem will almost always build a better solution than a company trying to solve a thousand problems at once.
- Flexibility: every organization has a unique threat model, risk appetite, and budget. A vibrant market provides a range of choices that allow each organization to address its exact needs without paying for a monolithic suite it doesn’t need.
- Innovation: specialized vendors are nimble. They can work more closely with customers and respond to emerging issues and threats far faster than a massive platform can change its roadmap. That’s not to minimize the innovation coming out of the big players, but smaller vendors can respond to the needs of their user base with much greater efficacy.
We built Material because we saw a persistent critical problem that was being ignored not just by the major platforms, but by the entire market: sensitive data in email and cloud office platforms was an incredible liability that was routinely exploited… and nobody was building tools to effectively solve that problem. So we did.
Building pragmatism and practicality into the security stack
The goal shouldn’t be to try to find one vendor that does it all. That search will only end in disappointment… and even if you can find one vendor that does most of what you need, that creates its own problems, tying your security program to their roadmap.
A more pragmatic approach is to identify the priorities of your organization and weigh the security, flexibility, customizability, and complexity of each cloud office provider. Pick the platform that most closely aligns with your business, leverage the core strengths of whichever platform you choose, and augment it with the specialized tools that address your most significant risks. Identify the gaps in the native offerings that represent the most real threat to your organization, and find the solutions that best fill them.
We won’t pretend this doesn’t come with its own tradeoffs. Identifying and evaluating vendors and ultimately implementing and maintaining their solutions certainly takes time and effort… which needs to be taken into account when evaluating vendors.
This isn’t a compromise: it’s a strategic decision to build a security stack that is more effective, efficient, cost-effective, and resilient than any single vendor could ever provide.
If you’d like to learn how Material extends and augments the native capabilities of both Google and Microsoft, talk to us today.