Friday Thought: What does SAS 70 really mean?

When talking about security of cloud solutions, we often mention that Google Apps is SAS 70 Type II certified.  While it sounds impressive, what does it really mean?

SAS 70 is an accounting audit standard for operational policies and procedures.  To achieve certification, you …

  1. Must have best-practice policies and procedures in place
  2. Must be able to prove that you follow policies and procedures
  3. Must have an independent 3rd party audit your operations on a regular basis to validate the policies and procedures and verify that they are followed.

SAS 70 Type II reflects a level of certification for data center and IT operations that includes:

  • Physical security of buildings and data centers
  • Logical security (network, systems, data, etc)
  • Privacy
  • Incident management and availability
  • Change management
  • Organization (roles and responsibilities)
  • Administration (personnel, documentation, funding, etc.)

So while it sounds impressive, SAS 70 Type II certification really is impressive!

Most businesses cannot or choose not to incur the cost and effort to achieve SAS 70 Type II certification for their internal systems.  With the certification, Google is confirming the security and safety of your data continuously at a level that likely exceeds the security of your in-house networks and systems.

How Secure is YOUR Cloud?

The Microsoft Marketing Machine is in overdrive touting the security of Microsoft Business Productivity Online Suite (BPOS), Exchange Online, and their other online services.  Much of the hype is in response to Google’s recent announcement that Google Apps Premier Edition has received FISMA Certification along with both SAS 70 Type I and II certifications.

As of August 26, 2010, Microsoft’s own FAQs for their online services acknowledge the lack of security certifications.

The Standard version of the Business Productivity Online Standard Suite will be seeking a SAS 70 Type II audit attesting to the effectiveness of Microsoft’s internal controls. While our U.S. datacenters maintain a SAS 70 Type II for the physical controls of each facility, the Services (Live Meeting, EHS, Exchange Online, SharePoint Online and Office Communications Online) themselves do not. Live Meeting maintains both the CyberTrust Service Provider Certification and the CyberTrust Application Certification, which surpasses the control requirements for SOX. The Business Productivity Online Standard Suite Standard implementation is scheduled to undergo the CyberTrust certification within the next couple of months.

Google Security: Enterprise Tools for Mobile Security

Google recently added new security features for managing mobile users.  Administrators can now:

  • Remotely wipe all data from lost or stolen mobile devices.
  • Lock idle devices after a period of inactivity.
  • Require a device password on each phone.
  • Set minimum lengths for more secure passwords.
  • Require passwords to include letters, numbers and punctuation.

These features are available for iPhone and most Nokia and Windows Mobile devices.

Want help implementing? Contact us.

New Google Apps Security Against an Idle Threat

While security breaches related to Google products make great headlines, they all have one thing in common.  The user’s identity was compromised.  In some cases, users had passwords that were easy to guess given publicly available information.  In other instances, users downloaded malware from infected web sites that let hackers read their usernames and passwords.

This week, Google provided Google Apps Premier and Education Edition admins a new tool against this threat.

Administrators can now reset sign-in cookies from the Control Panel.  So, even if users have the “Stay signed in” box checked, the next time they open Google Apps they will be forced to log in.  In doing this, Admins can reset the sign-in status of all users and cut off access by anyone holding a previously issued session.
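To show how a "reset all sign-in cookies" action works under the hood, here is an added example (not Google's code, and not a description of Google's actual implementation). It assumes a hypothetical server that signs each cookie with an HMAC and embeds a "generation" counter; an admin reset bumps the counter, so every cookie issued earlier fails validation on its next use, even ones marked persistent by "Stay signed in". The signing key and user names are constructed for the example.

```python
import hmac
import hashlib
import secrets


class SessionIssuer:
    """Issues and validates signed sign-in cookies (hypothetical server state).

    Every cookie carries the generation counter current at issue time.
    Resetting sign-in cookies bumps the counter, which invalidates all
    outstanding cookies at once without touching any per-user storage.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._generation = 0  # global here; a per-user counter works the same way

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, persistent: bool = False) -> str:
        """Create a cookie for `user`; `persistent` models the 'Stay signed in' box."""
        kind = "persistent" if persistent else "session"
        payload = f"{user}|{self._generation}|{kind}"
        return f"{payload}|{self._sign(payload)}"

    def validate(self, cookie: str):
        """Return the user name if the cookie is authentic and current, else None."""
        try:
            user, gen, kind, sig = cookie.split("|")
        except ValueError:
            return None  # malformed cookie
        payload = f"{user}|{gen}|{kind}"
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None  # forged or tampered (generation field included)
        if int(gen) != self._generation:
            return None  # issued before the last admin reset: force a fresh login
        return user

    def reset_sign_in_cookies(self) -> None:
        """Admin action: every existing cookie, persistent or not, stops working."""
        self._generation += 1


def demo() -> dict:
    """Walk through issue -> reset -> re-login and report each validation result."""
    issuer = SessionIssuer(secrets.token_bytes(32))  # constructed key for the example
    stolen = issuer.issue("alice", persistent=True)   # cookie an attacker might hold
    results = {"before_reset": issuer.validate(stolen)}
    issuer.reset_sign_in_cookies()
    results["after_reset"] = issuer.validate(stolen)
    fresh = issuer.issue("alice")                     # alice logs in again
    results["fresh_after_reset"] = issuer.validate(fresh)
    results["tampered"] = issuer.validate(fresh.replace("alice", "admin"))
    return results


if __name__ == "__main__":
    print(demo())
```

The generation check happens after the HMAC check, so an attacker cannot simply edit the counter in a stolen cookie: the counter is part of the signed payload. A per-user counter gives the same effect for a single compromised account without logging everyone out.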

Google Increments Security Settings

Back in January, Google announced that for Gmail, default access would shift to https (using SSL).   This change, impacting all versions of Google Apps, is a welcome move toward securing communication data in transit as well as at rest.

Our recommendation remains that all Google Apps Premier and Education Edition users force SSL use for ALL Google Apps services.  While this may complicate connecting older scanning devices, the additional security is worth the need for the occasional work-around.