Google Apps, App Engine Tighten Cloud Services Security With SSAE-16 Compliance

August 10, 2011 By Hoofer
Grazed from CRN.  Author: Andrew R. Hickey.

A host of Google (NSDQ:GOOG) cloud services have been deemed secure for enterprise use and have passed the SSAE-16 Type II audit, a security compliance check that examines whether offerings comply with legal requirements like Sarbanes-Oxley…

 

While the security certification may seem relatively mundane, passing the audit creates more opportunities for Google and its cloud computing offerings in the enterprise as cloud security concerns remain a major hindrance to enterprise cloud adoption.

Google this week said its cloud services like Google Apps, Google App Engine, Postini and Google Storage for Developers passed the SSAE-16 Type II and ISAE 3402 Type II certifications. Google boasted that it is among the first major cloud service providers to be certified for compliance under the new cloud security audit standards.

"Over the past few weeks, Google has successfully completed the audit process for the SSAE-16 and ISAE-3402 standards for Google Apps and Postini services," wrote Eran Feigenbaum, Google Enterprise director of security, in a blog post highlighting Google’s new security certifications. "In addition, we expanded the audits to include Google App Engine, Google Apps Script, and Google Storage for Developers. Together with the SAS 70 Type II (covering dates prior to June 15th, 2011), these third-party audits provide additional assurance to customers that their data is well protected."

SSAE-16 evolved out of the SAS 70 Type II standard that assessed the contracted internal controls of a service organization like a hosted data center, insurance claims processor or credit processing company, or a company that provides outsourcing services that can affect the operation of the contracting enterprise. ISAE-3402 Type II is SSAE-16’s international counterpart. The SSAE-16 certification process examines several components of Google’s cloud infrastructure, including physical security at data centers, which Google employees have clearance to access customer data, Google’s redundancy plan and Google’s incident reporting strategy.

While many Google cloud services had been certified and re-certified under SAS 70 since 2008, the recent SSAE-16 certification marks the first time that the Google App Engine cloud development platform has received security approval from the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), the third-party organization that handles security certifications for cloud hosting companies and others, including credit processing companies.

Passing the SSAE-16 audit not only shows that Google’s cloud services comply with the appropriate legal requirements and that its data centers are secure, but also means Google’s customers aren’t required to perform their own security audits on Google cloud services.

Feigenbaum was quick to point out, however, that third-party audits are just one component of cloud security and compliance for Google Apps and Google App Engine and that the company will continue to add protections to ensure its cloud offerings are locked down. Along with SSAE-16, there are many other security standards to which cloud providers should adhere.

"We protect our Apps customers’ data by employing some of the foremost security experts, by executing rigorous safety processes, and by implementing cutting-edge technology …," Feigenbaum wrote. "We take extensive measures to protect our users’ data and we are constantly innovating to develop new features and capabilities in these areas."