The announcement got lost in the pre-weekend shuffle, but Google has announced that both the Google Apps cloud productivity and collaboration suite and the Google App Engine application platform have received the SSAE-16 security certification. If you can get past the alphabet soup, this news could open a lot of doors for Google in the enterprise.
Let's be perfectly clear. SSAE-16 is an evolution of the SAS 70 Type II audit, which Google Apps has recertified for annually since 2008. That means that the certification is essentially old hat for Google Apps and its customers.
But this is the first time Google App Engine has received the stamp of approval from the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), the third party which handles these certifications for cloud hosting companies, credit processing centers, and the like.
And both Google Apps Script and Google Storage for Developers were also included in this auditing cycle, so both of those received SSAE-16 certification, too.
Google claims in the relevant blog entry to be one of the first companies of its kind to receive the updated SSAE-16 certification, which seems to have largely academic changes that bring it in line with the international ISAE 3402 cloud security standard. SSAE-16 only went into effect on June 15th, but due to lengthy testing cycles, several companies were compliant as early as July 1st, 2010.
The certification process, which covers everything from physical security at the data center to making sure that only pre-cleared staff have access to customer data, to evaluating Google's redundancy and incident reporting.
Google took the opportunity to hype its "Security First" approach to the cloud in that same blog entry:
Third party audits are only part of the security and compliance benefits of Google Apps and Google App Engine products. We protect our Apps customers’ data by employing some of the foremost security experts, by executing rigorous safety processes, and by implementing cutting-edge technology.
And the bottom line to all this is that several enterprises require their cloud providers to be compliant with these standards - formerly SAS 70, and now SSAE-16. And this means that Google App Engine is open to a whole new customer base, with confidences bolstered by an authoritative second opinion.