How Google Secures Its Cloud

Cloud-based software and infrastructure have emerged this year as a viable solution for CIOs tasked with helping their organizations drive innovation while simultaneously cutting costs. But the aura of cloud has been punctured lately by a series of high-profile security problems, raising questions about whether CIOs can entrust corporate email and documents to cloud providers like Google, Microsoft’s biggest competitor in this space.

In order to allay some of these fears, Google, which says about 5 million businesses use Google Apps and 425 million people use Gmail, detailed its security practices to CIO Journal.

According to Eran Feigenbaum, director of security for Google Apps, Google’s 300-member cybersecurity team regularly practices drills in response to simulated security incidents. To illustrate how unusual this practice is, Feigenbaum told CIO Journal he regularly asks prospective corporate customers the last time they practiced a drill and the response, he says, “is like deer in the headlights.”

Other security practices include notifying customers when their accounts come under suspected attack from state-sponsored hackers. Google also allows customers to opt into a two-step authentication system, which involves entering a random code Google sends them via text or voice message upon signing in. Two-factor authentication is not new in and of itself, but Feigenbaum says, “the innovation here is making this free and available and easy to turn on… If you make it easy for users to do the right thing, they tend to do it.”

Google also solicits help from its huge user base. The Google Vulnerability Reward Program pays rewards to anyone who successfully identifies security flaws in Google’s system and reports them privately to the company. So far Google has paid out more than $460,000 in rewards to 200 people. In April, Google upped the top award to $20,000 for vulnerabilities that will allow malware to execute on its production systems.

Finally, the company adheres to a slew of security standards. Browser sessions for Apps users are automatically encrypted using secure sockets layer (SSL) encryption. On May 28, Google Apps for Business earned ISO 27001 certification – an internationally recognized independent security standard – for its systems, technology, processes and data centers, after an audit by Ernst & Young CertifyPoint. Google Apps has also been certified compliant with the Federal Information Security Management Act (FISMA), which defines security requirements for all federal government information systems. The company also meets the SSAE 16 Type II auditing standard, by which a third-party auditor evaluates the controls in place for physical and logical security, privacy, and incident response, Google says.
