Google Apps for Business has been awarded ISO 27001 certification, which the company hopes will reassure enterprises about security in its cloud.
After a six-month audit, the company was awarded the security certification for the systems, processes, datacentres and technology used to deliver the cloud-based apps, Google said in a blog post on Monday.
Google hopes that meeting the demands of the security standard will make it easier to sign up large, tightly overseen organisations, such as public sector bodies and financial institutions, to Docs, Gmail and other services.
The certification "really serves to validate some of the stuff we tell customers about how we secure data in Google Apps, but coming from a neutral third party," Adam Swidler, a senior manager for Google Apps for Business, told ZDNet UK, referring to the audit by Ernst & Young CertifyPoint. "This is going to reduce the amount of due diligence they have to do."
"It will help our penetration into some of the more-regulated industries, especially here in Europe where ISO is more looked-for," he added.
Security high jump
According to security consultant Alec Muffett, though, the certification is not a "seal of approval", as it permits a vendor to set its own benchmarks to be measured against. "In sporting metaphor, a vendor, in this case, Google, gets to design their own high-jump bar, document how tall it is and what it is made of, how they intend to jump over it and then they jump over it," Muffett told Computerworld UK.
Swidler responded by saying while he agreed there is no such thing as a 100 percent security guarantee, he took issue with the idea that Google laid out its own benchmarks for the ISO certification. "This notion of vendors specifying the controls they are having to look at is more applicable to the SSAE 16 / ISAE 3402 audit that we do," Swidler said. "That is a case where we, Google, say, 'Here are the security controls'."
"In the case of ISO 27001, it's a much more proscribed set of industry controls," he said, noting that the specified controls are public for anyone to see.
Swidler also pointed out that while some vendors gain certification only for their datacentres and perhaps their infrastructure, Google has gone through the process also for its software, code processes and personnel — "everything that's relative to customers has been looked at", he said.
While the certification is for Google Apps for Business only, there is some benefit to users of Gmail and the free standard edition of the cloud suite, according to Swidler. "There is a tremendous amount of overlap at the core technology layer, though there are some pieces of technology only available in Google Apps for Business," he said.