Tuesday Take-Away: New Security Standards for Cloud Computing

Cloud computing vendors often promote their security credentials, and doing so gives prospective customers valuable information about the vendors’ security operations and capabilities.

If your vendor is still promoting their SAS 70 Type II certifications, however, they are a little bit out of date.

As of June 15, 2011, the American Institute of CPAs replaced SAS 70 with SSAE 16, a much more rigorous standard for service provider security audits and attestations.  SSAE 16 is also in line with a separate, international security audit and attestation standard, ISAE 3402.

If you use Google Apps, Google Postini Services, Google App Engine, and/or Google Apps Script, you are in good shape.  Google is one of the first cloud computing vendors to move to the new, more rigorous, standards.

Google has attained SSAE 16 Type II and ISAE 3402 Type II certifications for these services.  SAS 70 Type II certifications are still valid for audits conducted before June 15, 2011.

While third-party audits are part of the security and compliance benefits of Google Apps and Google App Engine, Google’s security efforts go well beyond audit requirements.  You can learn more about Google’s security by reviewing the current security white paper and watching this data center video tour.

Want to know more?  Contact us.  We would be happy to discuss your needs.

Friday Thought: 3 More Reasons Google Apps is Secure

In addition to SAS 70 Type II Certification, here are 3 more reasons Google Apps is secure.

  1. Custom Operating System. Google Apps runs on a custom version of the Linux operating system (OS).  Services and ports that are not needed, a common entry point for hackers, are not simply disabled; they have been removed.  As important, hackers cannot buy a copy of Google’s custom OS and use it to find vulnerabilities.
  2. Data is Unreadable, at least by humans.  When you save data in Google Apps, it is broken into little pieces that are each saved on different servers across multiple data centers.  Each piece is then obfuscated using encryption and other methods.  Even if somebody were able to break in, or a Google employee gained access to your data, they would first need to find all of the pieces and then figure out how to decrypt each piece. In comparison, your MS Exchange administrator can read every email in the system.
  3. Google is the second largest target for Hackers. Only the US Department of Defense has more attacks by hackers.  Google, therefore, has built an extremely robust defense against hackers.  With a security team of thousands on the job, led by some of the foremost security experts in the world, Google has built protection from hackers that greatly exceeds what most businesses can technically do, or even afford to do.
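To make point 2 concrete, here is an added illustration (not Google’s code, and not a description of Google’s actual storage design) of the general idea: a document is split into fixed-size pieces, each piece is encrypted under its own key, and the ciphertext pieces are scattered across several stores. The stores hold only ciphertext; the keys and the piece order live in a separate manifest, so an attacker or insider with one store, or even all stores but no manifest, has nothing readable. The cipher is a toy HMAC-SHA256 counter-mode keystream chosen only so the example runs with the standard library; the sample document, chunk size and store count are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample document (not real data).
SAMPLE_DOC = b"Quarterly report: revenue up 12%, headcount 48, new office opens in May."

CHUNK_SIZE = 16   # assumed piece size for the demo
N_STORES = 3      # assumed number of independent stores ("servers")
NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 over (nonce || counter).
    Stands in for a real AEAD such as AES-GCM purely to keep this
    example standard-library only; do not use it in production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def shard_and_encrypt(doc: bytes, n_stores: int = N_STORES, chunk_size: int = CHUNK_SIZE):
    """Split doc into pieces, encrypt each piece under its own random key,
    and distribute the ciphertext pieces round-robin over n_stores.
    Returns (stores, manifest): stores hold only nonce||ciphertext keyed by
    an opaque chunk id; the manifest records (store, chunk id, key) in order."""
    stores = [dict() for _ in range(n_stores)]
    manifest = []
    for piece_no, offset in enumerate(range(0, len(doc), chunk_size)):
        chunk = doc[offset:offset + chunk_size]
        key = secrets.token_bytes(32)        # one key per piece
        nonce = secrets.token_bytes(NONCE_LEN)
        chunk_id = secrets.token_hex(8)      # opaque name, reveals nothing about order
        store_no = piece_no % n_stores
        ciphertext = xor_bytes(chunk, keystream(key, nonce, len(chunk)))
        stores[store_no][chunk_id] = nonce + ciphertext
        manifest.append((store_no, chunk_id, key))
    return stores, manifest


def reassemble(stores, manifest) -> bytes:
    """Rebuild the document; needs every store referenced by the manifest.
    Raises KeyError if a referenced piece is missing from its store."""
    parts = []
    for store_no, chunk_id, key in manifest:
        blob = stores[store_no][chunk_id]
        nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
        parts.append(xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext))))
    return b"".join(parts)


def store_leaks_plaintext(store: dict, doc: bytes) -> bool:
    """Defender-side check: does any blob in one store contain a recognisable
    word (4+ bytes) from the original document?"""
    words = [w for w in doc.split() if len(w) >= 4]
    return any(w in blob for blob in store.values() for w in words)


if __name__ == "__main__":
    stores, manifest = shard_and_encrypt(SAMPLE_DOC)
    print("pieces:", len(manifest), "per store:", [len(s) for s in stores])
    print("any store leaks plaintext:", any(store_leaks_plaintext(s, SAMPLE_DOC) for s in stores))
    print("round trip ok:", reassemble(stores, manifest) == SAMPLE_DOC)
```

The design point is the separation of duties: whoever holds a store sees only opaque ciphertext pieces, and even the complete set of stores is useless without the manifest of keys and ordering. In a real deployment the toy keystream would be replaced by an authenticated cipher, and the manifest would itself be protected by a key-management system with its own access controls and audit trail.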

Does this mean your data is perfectly secure?  No!  Security can never be perfect.  It does mean that your chances of losing data in Google Apps are negligible when compared to most businesses’ network security and the actions of their employees (sharing passwords, stolen laptops, lost USB drives, and so on).

Friday Thought: What does SAS 70 really mean?

When talking about the security of cloud solutions, we often mention that Google Apps is SAS 70 Type II certified.  While it sounds impressive, what does it really mean?

SAS 70 is an accounting audit standard for operational policies and procedures.  To achieve certification, you …

  1. Must have best-practice policies and procedures in place
  2. Must be able to prove that you follow policies and procedures
  3. Must have an independent third party audit your operations on a regular basis to validate the policies and procedures and verify that they are followed.

SAS 70 Type II reflects a level of certification for data center and IT operations that includes:

  • Physical security of buildings and data centers
  • Logical security (network, systems, data, etc.)
  • Privacy
  • Incident management and availability
  • Change management
  • Organization (roles and responsibilities)
  • Administration (personnel, documentation, funding, etc.)

So while it sounds impressive, SAS 70 Type II certification really is impressive!

Most businesses cannot or choose not to incur the cost and effort to achieve SAS 70 Type II certification for their internal systems.  With the certification, Google is confirming the security and safety of your data continuously at a level that likely exceeds the security of your in-house networks and systems.

How Secure is YOUR Cloud?

The Microsoft Marketing Machine is in overdrive touting the security of Microsoft Business Productivity Online Suite (BPOS), Exchange Online, and their other online services.  Much of the hype is in response to Google’s recent announcement that Google Apps Premier Edition has received FISMA Certification along with both SAS 70 Type I and II certifications.

As of August 26, 2010, Microsoft’s own FAQs for their online services acknowledge the lack of security certifications:

The Standard version of the Business Productivity Online Standard Suite will be seeking a SAS 70 Type II audit attesting to the effectiveness of Microsoft’s internal controls. While our U.S. datacenters maintain a SAS 70 Type II for the physical controls of each facility, the Services (Live Meeting, EHS, Exchange Online, SharePoint Online and Office Communications Online) themselves do not. Live Meeting maintains both the CyberTrust Service Provider Certification and the CyberTrust Application Certification, which surpasses the control requirements for SOX. The Business Productivity Online Standard Suite Standard implementation is scheduled to undergo the CyberTrust certification within the next couple of months.