Google App Engine now officially secure

Summary: With a new SSAE-16 cloud security certification, Google App Engine is opening its doors to more enterprise customers.

TOPICS: Cloud, Apps, Google

The announcement got lost in the pre-weekend shuffle, but Google has announced that both the Google Apps cloud productivity and collaboration suite and the Google App Engine application platform have received the SSAE-16 security certification. If you can get past the alphabet soup, this news could open a lot of doors for Google in the enterprise.

Let's be perfectly clear. SSAE-16 is an evolution of the SAS 70 Type II audit, which Google Apps has recertified for annually since 2008. That means that the certification is essentially old hat for Google Apps and its customers.

But this is the first time Google App Engine has received the stamp of approval from the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), the third party which handles these certifications for cloud hosting companies, credit processing centers, and the like.

And both Google Apps Script and Google Storage for Developers were also included in this auditing cycle, so both of those received SSAE-16 certification, too.

Google claims in the relevant blog entry to be one of the first companies of its kind to receive the updated SSAE-16 certification, which seems to have largely academic changes that bring it in line with the international ISAE 3402 cloud security standard. SSAE-16 only went into effect on June 15th, but due to lengthy testing cycles, several companies were compliant as early as July 1st, 2010.

The certification process covers everything from physical security at the data center, to making sure that only pre-cleared staff have access to customer data, to evaluating Google's redundancy and incident reporting.

Google took the opportunity to hype its "Security First" approach to the cloud in that same blog entry:

Third party audits are only part of the security and compliance benefits of Google Apps and Google App Engine products. We protect our Apps customers’ data by employing some of the foremost security experts, by executing rigorous safety processes, and by implementing cutting-edge technology.

And the bottom line to all this is that several enterprises require their cloud providers to be compliant with these standards - formerly SAS 70, and now SSAE-16. And this means that Google App Engine is open to a whole new customer base, with confidence bolstered by an authoritative second opinion.

  • If Google is secure, it's not because of SSAE 16

    At first, I thought it was a sarcastic title. Now, I realize people will laugh at this article, not with it. This post should be removed due to its gross inaccuracies, which include:

    1) Claiming completion of an SSAE 16 examination proves a company is secure. (ref. recent Gartner report on the error of these types of statements)

    2) All references to SSAE 16 as a certification (also ref. recent Gartner report on the error of these types of statements)

    3) Reference to Google having the ASB's stamp of approval which is completely false given that the ASB doesn't know and doesn't care about Google's SSAE 16 and SSAE 16 reports are issued by CPA firms, not the ASB.

    4) The "second opinion" referred to is actually the primary opinion and is the opinion of the CPA firm. It's not authoritative. It's merely the opinion of a CPA firm formed during the course of an SSAE 16 examination.

    5) ISAE 3402 is a cloud security standard??? You clearly know nothing about that standard. Also, see the AICPA website on SOC reporting which speaks to the fact that SOC 2 and not SOC 1 (aka SSAE 16) is the proper standard for cloud security topics.

    6) There is no such thing as SSAE 16 "compliance". If you read the standard, you will see that there are no prescribed requirements. Making these types of claims is misleading, at best.
  • 1

    @CPAbyTrade Thanks for the detailed analysis from an auditor's perspective. Self-funded audits where you specify your own criteria to be audited against are next to meaningless.

    As far as the technology itself, until App Engine has a meaningful SLA with remunerative penalties, enterprises will not widely adopt it for business critical systems.
    Your Non Advocate
  • RE: Google App Engine now officially secure

    SSAE 16 reports are not meaningless when used for their intended purposes. They are, in fact, the best method of auditor to auditor communication that exists in the financial audit world, which is the only place SSAE 16 reports are supposed to be utilized.

    The very first sentence of the standard states that it is to be applied when reporting on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting. It does not claim to be, and is not, an assessment of security. It's irresponsible articles like this one that lead people to believe it serves other purposes that give SSAE 16 / SOC 1 reporting a bad name.