Google: 'We're Like a Bank for Your Data'


Eran Feigenbaum compares Google Apps to a bank in the days when a bank was a new idea.

Just as a bank stores money, Google Apps stores data, and the onus is on Google to convince you and your business that this data is properly protected. "It's very similar to the situation banks were in hundreds of years ago," says Feigenbaum, the director of security for Google's various enterprise products and services, including its Google Apps suite of online business applications. "They had to convince us to give them our money, to take the money out from under the mattress and put it in the bank."

As part of this ongoing effort to convince the world that its online services are as secure as traditional software installed on your own servers -- if not more so -- Feigenbaum and company have announced that Google Apps has been certified as compliant with the ISO 27001 standard, an internationally recognized standard for managing the security of information.

The standard is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and according to Google, Google Apps was certified by Ernst & Young CertifyPoint, an ISO certification operation backed by the International Accreditation Forum (IAF). This bowl of international alphabet soup doesn't mean much to the Average Joe, but it may go a long way toward convincing some businesses to adopt Google's suite of online services.

"Many of our own processes are ISO certified," Chet Loveland, CISO and global compliance officer of MWV, a global packaging company based in Virginia, said in a canned statement about Google's certification. "I think it's important, find it assuring and are very pleased that Google Apps will be audited and certified to this Information Security Management System ISO standard on an ongoing basis."

Last year, in a similar effort to prove the worth of its suite, Google announced that Google Apps had successfully undergone audits related to the SSAE 16 Type II and ISAE 3402 Type II security standards. And a year before that, the company announced that the suite had been certified as compliant with the Federal Information Security Management Act (FISMA), which covers software applications used by the US government.

In some cases, the certification process is a delicate business. In April 2011, as part of a court battle with Google, Microsoft accused the search giant of making "misleading security claims" in touting FISMA certification for its Google Apps for Government suite. What this boiled down to was that, after receiving certification, Google changed the name of its suite and restricted certain parts of the suite to data centers located in the U.S.

The situation has since been resolved, and as Feigenbaum indicates, this is just one of the hoops Google must jump through to validate its suite in the eyes of government agencies and businesses used to running their operations with installable software.

"It's always a balance between creating an environment that's secure yet still allows us to innovate rapidly and proving to auditors that we have a secure infrastructure," he says. "A lot of these certifications don't fit into the cloud model. They're thinking of traditional enterprise software that has release dates and release versions, and that's not what the cloud is about. We don't want to change [our model], but we think we can do it in a secure manner."

As it stands, Google says that more than 4 million businesses have adopted Google Apps, though it's difficult to tell how many of these are small businesses as opposed to large operations and government agencies.