Don't expect to peer into Google cloud services security

Third-party verification will have to do for practical as well as security reasons, Google says

Customers of Google cloud services who are concerned about security better get used to being unable to check out first-hand how well their data is being protected, a Google spokesman told a high-tech leadership council recently.

Many customers worry about how well cloud providers protect customer data, and there is no satisfactory way for customers themselves to evaluate it, says Adam Swidler, a product marketing manager at Google speaking at the Mass Technology Leadership Council Security Summit.

"We won't let you audit to the degree that you would audit your own infrastructure," Swidler says. "It's never going to be the same as auditing your own infrastructure. You'll have to extend some level of trust to third-party verification."

As a practical matter, cloud providers wouldn't have the time to let every customer check out data security, and providers also can't allow their security measures to become public, where attackers could figure out how to circumvent them, he says.

The best Google can do is let customers see the control objectives of Google's security, but only after signing a non-disclosure agreement, he says. "It lets you see some of what we do and look at it without violating Google security," he says.

He does say that Google uses proprietary measures that it believes are in the best interests of its customers. Industry-recognized audits such as SAS 70 and compliance with Federal Information Security Management Act (FISMA) requirements could give customers some assurance. But he also acknowledges they aren't ideally suited to evaluating cloud security.

"There really aren't a strong set of cloud security standards," Swidler says. But the guidance set by the Cloud Security Alliance does offer some criteria that customers might want to consider, he says.

During his keynote talk at the security summit, Swidler urged customers to grill cloud providers on how they can get their data out of the provider's network should they decide to switch providers. Knowing ahead of time that it can be done can prevent getting locked in to one provider, he says.

He says Google expects that most businesses won't trust all their data to the cloud, "but we will enable it for those who want to shift." The most reasonable expectation is that there will be a spectrum from users who do entrust all their applications to the cloud to those who trust none of them to the cloud. "Very few will be all in the cloud," he says.

Cost savings and collaboration benefits are the most compelling reasons businesses have for switching to cloud services, he says.

Swidler acknowledges that customer service for Google Apps has been a problem for customers. One attendee at the summit says he noted that the more a business relied on Google Apps, the more problems it ran into.

"We have some opportunity to improve the service we give, particularly to small and medium businesses," Swidler says. Those improvements will include better search tools for businesses seeking help and Google-supported user communities in which customers can help each other out with problems, he says.
