​Google goes public with security audits to ease corporate concerns

The tech titan makes available to the public for the first time two independent security audits, as it works to prove its commitment to customer data protection.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Seth Rosenblatt
2 min read

Google security audit awards. Google

Google is taking unprecedented steps to show its cloud, business, and education customers that data protection is its top priority.

To prove its commitment, Google is making the details of an independent security audit and of a security compliance certificate available to the public for the first time on its Google Enterprise security site. The SOC 3 Type II audit report and updated ISO 27001 certificate denote security approval for Google Apps for Business, Google Apps for Education, and Google Cloud Platform.

Security and data centers are both big business. Google currently employs more than 450 full-time security engineers, and a Gartner study projects that companies will spend nearly 8 percent more on security this year than they did last year.

The SOC 3 report and the ISO certificate that Google made public are widely accepted, internationally recognized security compliance standards. The SOC 3 is essentially a shorter report from the same audit as the longer SOC 2, while the ISO certification covers organizational and logical security.

By opening itself up to public scrutiny, Google is potentially making its practices easier to criticize. But Eran Feigenbaum, Google App's security director, told CNET that Google isn't worried.

"This is a big step forward in increasing our transparency," Feigenbaum said. The goal is to help Google's customers "understand who is protecting [their] data, how [we're] doing that," he said.

The move comes in the aftermath of the documents leaked by former National Security Agency contractor Edward Snowden showing that the US government conducts ongoing, in-depth spying operations against its citizens and Silicon Valley tech firms. Google, along with Yahoo, Facebook, Microsoft, and others, has become bolder about confronting the US government as reports of businesses fleeing US tech companies have circulated.

The SOC and ISO audits now include Google Hangouts and Google+, an expansion of previous coverage.

Such reports take about three months to complete and cover a full calendar year, Feigenbaum said. They must be re-certified annually, he said, and noted that they cover four main areas: security, availability, process integrity, and confidentiality. Those categories cover topics such as preventing unauthorized access to data, adhering to service-level agreements such as data center downtime, and ensuring that customer data is only used in approved ways.

"It's important [for enterprise customers] to see the scope that it covers, and see the assurance behind a data center," Feigenbaum said.

Publishing the audits may not be a silver bullet to beat back the legitimate fears of its business customer. But in conjunction with its annual multifaceted Transparency Report, this helps Google build a case that it is highly concerned with protecting customer data. Whether businesses buy that is another issue entirely.