Google Apps Clears Key Security Hurdle

Google Apps for Business wins ISO 27001 certification, potentially opening the door to wider adoption in government and regulated industries.
Google said Monday it had received ISO 27001 certification for Google Apps for Business, a recognition of its information security practices that will make its cloud services more palatable for use in government and other regulated industries.

Back in 2007, when Google first introduced a version of Google Apps for Business--under the name "Google Apps Premiere Edition"--worries about security made many companies reluctant to migrate from on-premises IT to cloud computing.

Since then, Google has addressed those concerns, where warranted, through features like the integration of Postini's enterprise message services, support for two-factor authentication, and the launch of FISMA-certified Google Apps for Government.

Eran Feigenbaum, director of security for Google's enterprise group, says that security is now a reason that organizations are adopting Google Apps rather than avoiding it.

"The reason for this shift is that businesses are beginning to realize that companies like Google can invest in security at a scale that's difficult for many businesses to achieve on their own," he said in a blog post.


In the past five years, Google has managed to convince a number of high-profile businesses and government agencies to utilize its cloud services. It's been a long haul, but cloud computing is no longer exotic. With plenty of companies committed to cloud computing and Microsoft pitching Office 365, businesses considering a move to the cloud no longer have to play the role of pioneer. They can look to their peers for examples of the benefits and potential pitfalls.

Google's ISO 27001 certification, granted by Ernst & Young CertifyPoint, further cements the legitimacy of Google Apps as a business tool. The certification requires that management carefully examine organizational security risks, design and deploy reasonable security controls to address those risks, and adopt a management process to maintain organizational security controls.

"This certification validates what I already knew, through due diligence, about Google Apps--that the technology, process, and infrastructure offers good security and protection for the data that I store in Google Apps," said Chet Loveland, CISO and global compliance officer of MeadWestvaco, in a statement.

Google Apps for Government is FISMA certified and a number of Google services have passed SSAE 16 / ISAE 3402 / SAS 70 audits. These include: Gmail, Google Talk, Google Calendar, Google Docs (documents, spreadsheets, presentations), Google Sites, iGoogle, Control Panel (CPanel), Google App Engine, Google Apps Script, Google Storage for Developers, and Google Postini Services (Google Message Security and Google Message Discovery).

Geared specifically toward the federal government, its agencies, and third parties, FISMA is a set of requirements aimed at establishing a baseline level of computer and network security. In our FISMA Lifts All Compliance Boats report, we show that when you reach FISMA compliance, you'll likely be compliant with just about every security mandate out there.