Google Meets Security Best-Practices; Most Cloud Providers Fail

Recently, the Electronic Frontier Foundation (EFF) released a survey of how well common cloud providers meet the EFF’s 5 security best practices.

Google Apps and Dropbox are the only two vendors to meet all five standards.  Microsoft, most notably, fails to meet or confirm four of the five standards, as follows.

Encrypt Websites with HTTPS

Both Microsoft and Google support the use of HTTPS to encrypt data between the user’s computer and the web site/service.  As a best practice, Cumulus Global forces HTTPS for all Google services.

Enable HTTP Strict Transport Security (HSTS)

HSTS instructs a browser to connect to a site only over HTTPS, which prevents downgrade attacks in which a network attacker pretends that the site has asked to communicate insecurely.  Google enables HSTS; Microsoft does not.

Encrypt Data Center Links

This practice encrypts data as it travels between a company’s own cloud servers and between its data centers, so that somebody with physical access to those links cannot read or tamper with it.  Google follows this practice; Microsoft does not.

Implement STARTTLS for Email Transfer

STARTTLS encrypts communications between email servers when both servers support it.  Google uses STARTTLS and also gives users the ability to utilize policy-based TLS.  Microsoft’s Outlook.com service is non-compliant with this best practice.

Use Forward Secrecy for Encryption Keys

This best practice ensures that should a hacker gain access to a provider’s secret key, they cannot read previously encrypted communications.  Google follows this best practice; EFF was unable to confirm that Microsoft is compliant.
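As an added illustration that is not part of the original post, the Python below checks a server’s HTTP response headers and negotiated TLS cipher suite against two of the criteria described above, HSTS and forward secrecy. The sample headers and the one-year max-age threshold are constructed assumptions, not values from the EFF survey.

```python
"""Offline checks for two EFF criteria: an HSTS policy header and a
forward-secret key exchange. All inputs here are constructed samples."""
import re

ONE_YEAR = 365 * 24 * 3600  # assumed minimum policy lifetime for a "strong" verdict


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into its directives.
    Returns None when the header is absent or lacks a numeric max-age."""
    if header_value is None:
        return None
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def hsts_verdict(headers):
    """Classify a response's HSTS posture as 'none', 'weak' or 'strong'."""
    lookup = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    policy = parse_hsts(lookup.get("strict-transport-security"))
    if policy is None or policy["max_age"] == 0:
        return "none"  # max-age=0 tells browsers to forget any stored policy
    if policy["max_age"] < ONE_YEAR or not policy["include_subdomains"]:
        return "weak"
    return "strong"


def has_forward_secrecy(cipher_suite):
    """True when the key exchange is ephemeral (EC)DH, so a later compromise
    of the server's long-term key cannot decrypt previously recorded traffic.
    Accepts OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names
    (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)."""
    name = cipher_suite.upper()
    if name.startswith("TLS_"):
        if "_WITH_" not in name:
            return True  # TLS 1.3 suite names omit key exchange; it is always ephemeral
        kx = name[4:name.index("_WITH_")]  # IANA: key exchange sits before _WITH_
    else:
        kx = name.split("-")[0]  # OpenSSL: key exchange is the first token
    return kx.startswith(("ECDHE", "DHE"))


# Constructed sample responses used for the checks above.
SAMPLE_STRONG = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
SAMPLE_WEAK = {"strict-transport-security": "max-age=300"}
SAMPLE_NONE = {"Content-Type": "text/html"}
```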

For more information, see the full Gizmodo article here.