Certification: Could It Nail Cloud Security?

Peter Judge

Google is certifying its Apps to ISO27001. While that may sound boring, without certification, you might as well play Russian Roulette with a nailgun, says Peter Judge

Today, Google has bounded up to us, wagging its tail in enthusiasm, eager to inform this publication that its Google Apps cloud service has achieved ISO27001 certification.

We are normally skeptical about ISO certifications – we remember the scads of releases around the ISO 9000 “quality” mark, and the ISO27001 specification, brought out in 2005, looks like more of the same red tape – another set of hoops for a company to jump through, and another shiny certificate to put on the website.

Better than sticking nails in your head?

However, the news arrived in a blog post by Google Enterprise’s director of security, Eran Feigenbaum, a man who plays Russian Roulette with nailguns (pictured in a grainy still from a YouTube video of his stage act). If he is excited about ISO 27001, maybe we should look into it.

The blog post is actually chock-full of the kind of bureaucratic speak that sends us running. Google was assessed by Ernst & Young CertifyPoint, which is accredited in Holland, and the certificate will be recognised in every country that is a member of the International Accreditation Forum.

What does the certificate prove? That Google has a management structure (an Information Security Management System) in place, designed to ensure security, and that this structure will be regularly audited.

News, in other words, so dull that we nearly reached for our own nailgun.

But the big issue in IT security is trust. Since we’ve known him, Eran has been arguing that the public cloud is MORE secure than in-house IT, because it is looked after by specialists, and because it is built from the ground up for the real world – the one where mobile devices take data everywhere – not the firewalled boxes that your in-house specialists may still believe we inhabit.

Despite evidence to the contrary, people still believe that the cloud is not secure, and that they can keep it out of their organisation – two fallacies that need correcting.

“In fact, ISO 27001 is the most widely requested security certification,” Eran’s colleague Adam Swidler, product marketing manager for Google Apps for Business, told us on the phone. Particularly in Europe, businesses are crying out for certification, to justify and support a move to the cloud.

Other cloud providers also have ISO 27001, but Google has gone further, certifying its apps and its people, as well as its data centres, said Swidler.

So Google is on the right track in reaching for a security certification. However, I tend to think that ISO27001 is likely to be massively general, as it was created years before cloud computing was widely marketed.

Last week, I chaired a webinar on cloud security that tried to focus on the practical side of moving to the cloud. As it turned out, the discussion did focus on the procedure: getting contracts agreed, and making sure that your provider has the right structures in place to deliver a secure cloud service, avoiding issues like the “dirty disk” vulnerability, where one cloud customer can read back data from a previous user of his or her disk space.

It may even be possible – the people in this panel said – to charge more for a really secure cloud service. Now, that could be of interest to cloud providers. And it would justify significant expense in making a certification programme that works.

As well as ISO 27001, Google Apps is certified under SSAE-16 – a US government certificate roughly equivalent to ISO 27001, and to FISMA – a US-based certification in which vendors specify what will be audited. ISO 27001 is more objective, and a better fit for Europe, Swidler told me.

And the panel also heard of a security certificate specifically designed for cloud. The Cloud Security Alliance has published a framework, and hopes that its members will fill in the details, first self-certifying, and then eventually being certified and continuously audited by third parties.

Google is a member of the CSA, said Swidler, “and we have looked at the specification”. At this stage of development, users are not asking for it, but it could be very interesting in future.

In other words, we haven’t yet nailed cloud security, but certification may make it less of a game of Russian Roulette.
