Asked to flash its cloud security credentials at an industry forum, Google pointed to its SAS 70 certification, giving more support to that set of standards as a measure of how well cloud providers lock down customer data.
“We need to prove we are secure,” says Rajen Sheth, the product manager at Google who came up with Google Apps, speaking at a panel on cloud services at the Enterprise 2.0 conference in Boston yesterday.
It is important for service providers to get third-party validation of the efforts they make for security, policy enforcement and authentication in order to land business customers, Sheth says. SAS 70, which predates the popularity of cloud computing, has been pressed into action as validation in the absence of cloud-specific standards.
Statement on Auditing Standards (SAS) No. 70 is a set of auditing standards devised by the American Institute of Certified Public Accountants as a way to measure handling of sensitive data. “A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes,” says the sas70.com Web site.
At the Enterprise 2.0 forum, potential cloud services customers questioned Google, IBM and EMC about their cloud offerings as a way to find out how well the providers meet customer needs.
One of the customers on the panel – Doug Cornelius, chief compliance officer for Beacon Capital Partners – says he already believes that the providers serve up security that equals what his firm could put in place itself. “I’m past the security,” Cornelius says. “I assume you’re security has got to be as good as my security.”