Attitudes towards cloud security are gradually changing. What started as concern is slowly becoming confidence. “The reason for this shift,” says Google Enterprise director of security Eran Feigenbaum, “is that businesses are beginning to realize that companies like Google can invest in security at a scale that's difficult for many businesses to achieve on their own.”
But belief and confirmation are two different things. Chet Loveland, CISO and global compliance officer at MWV, is a believer. He “already knew, through due diligence about Google Apps - that the technology, process and infrastructure offers good security and protection for the data that I store in Google Apps.” But belief alone is not necessarily enough for highly regulated and security conscious organizations such as government and finance – confirmation is required.
Google has now provided that confirmation in the form of ISO 27001 certification for Google Apps for Business. ISO 27001 is confirmation that Google has a formal, recognized and auditable information security management system for Google Apps; and adds to the growing belief that cloud can add rather than detract from security. “I am thrilled that Google Apps, our core communications platform, is also now ISO certified with its recent ISO 27001 certification. This certification validates what I already knew,” says Loveland.
It is important to remember, however, that certification alone doesn’t guarantee complete security. ISO 27001 was designed for organizations where users and infrastructure belong to the same company. This doesn’t apply to the cloud: your users, their infrastructure. Ed Macnair, CEO of SaaSID, points out that “Within the ISO 27001 certification, under ‘Major Control Objectives and Control Activities Covered’ it includes the objective that ‘Organization and administration controls provide reasonable assurance that management provides the infrastructure and mechanisms to track and communicate initiatives, monitor compliance within the company and provide security training...” Google can only do that for Google; it cannot do it for its users.
Security in the cloud is therefore a partnership. Google has upheld its side of the bargain with ISO 27001, but users must also do their part. This remains a problem, for while users can ‘secure’ their own systems, their remains the ‘pipe’ between the customer and the provider. “The sharing enabled by cloud-based applications is still prone to data loss and IP theft by authorized users of the app,” comments Macnair, “because executives who are charged with maintaining compliance lose visibility when applications are accessed over the browser.” Full compliance, he adds, “requires much more granular control of browser-based applications.”