Google has added security compliance standards to its cloud platform, a critical step toward greater inroads with...
the enterprise market.
Google last week added International Organization for Standardization (ISO) 27017 certification for cloud security and ISO 27018 certification for personally identifiable information stored in the cloud, in addition to its existing ISO 27001 certificate that's been renewed for the fourth year. The standards basically serve as an assurance to customers that Google has taken specific internal measures to secure its users' data.
The certifications already had been received by Amazon Web Services (AWS), Microsoft Azure and IBM SoftLayer, among others.
A few years ago, security was a primary concern for enterprises, but cloud adoption continued at a rapid pace, mostly around testing the platforms. That's changed, as enterprises are more comfortable with the idea of workloads in public clouds and the benefits of asset management on those platforms, said Adrian Sanabria, senior security analyst at 451 Research.
"It's being seen as a foregone conclusion," Sanabria said. "Everybody is using cloud, and the only question is, how much are they going to use it and what are they going to use it for?"
Still, enterprises need to see certain regulations and standards before they can put anything in the cloud. "You can't even talk with a business if they're required to have those certifications and you don't have them," Sanabria said.
ISO 27017, which first became available late last year, centers on Google cloud security roles and ensuring networking is in place so that unauthorized parties can't access customers' data. It also requires the vendor to provide customers with adequate monitoring tools.
ISO 27018 focuses on privacy practices for customer data and compliance. It prevents the vendor from using data for advertising and provides protection from third-party requests.
Third-party scrutiny and protection of data sets is a hot-button issue, and customers will need these kinds of assurances before adopting big data services, said Renee Murphy, principal analyst with Forrester Research. It's a positive step for Google, which is usually the last to comply with security certifications.
"If you want to get into the cloud space and want to do enterprise cloud, you should at least be able to prove you're compliant," Murphy said.
Typically, Google doesn't act until it reaches a critical mass of customer demand, she added. It's also far from being ready to take on deeper compliance structures, such as FedRAMP -- Google Cloud Platform is not FedRAMP-compliant, but Google App Engine is.
"They definitely let demand push them in that direction," Murphy said. "They don't go out there to create demand the way AWS does."
Google Cloud Platform services covered by these certifications include Cloud Dataflow, Cloud Bigtable, Container Engine, Cloud Dataproc and Container Registry. Compute Engine, App Engine, Cloud SQL, Cloud Storage, Cloud Datastore, BigQuery and Genomics, which were previously audited as part of ISO 27001 compliance, will be part of the additional certifications as well.
Though it's important to businesses, ISO standards can't truly be certified in the same way some others are, Sanabria pointed out. There is no certification body to assess against those standards, so it doesn't go beyond the third-party audit.
Trevor Jones is a news writer with TechTarget's data center and virtualization media group. Contact him at firstname.lastname@example.org.
Google updates Container Engine security features
The biggest Google cloud updates of 2015
Networking issue causes latest Google cloud outage
What you should know about Container Engine for orchestration