Google: Aussie cloud needs a compliance test

Google has cloud security "covered", according to a visiting US exec from the search giant, but now needs industry verticals to create compliance tests to give customers piece of mind about pushing applications to Google's cloud.

The search giant, which is investing heavily to become an enterprise software company, devoted one day of a five day Sydney developer conference this week to Google App Engine.

iTnews went along to canvas attitudes to cloud computing with developers [see video below] and also chatted with Google developer advocate Don Dodge.

There was strong interest in the Google Apps session, with a booked out room and 100 developers on the waiting list.

Most developers iTnews spoke to were relaxed about security issues, trusting that Google's army of engineers could do a better job of securing their application than they could.

But a developer for the Reserve Bank gave iTnews a perspective more typical of enterprise customers.

"The scalability and elasticity is a really big thing, but at the same time we worry about security," he said. "Everything we [developers] do, we are asked, is that going to be secure enough? If data is to be stored off-site, that's a major security issue. The bank is not going to adopt this technology for that particular reason."

Dodge, a developer advocate at Google, told iTnews that the Silicon Valley giant can allay most concerns organisations have about transferring their apps to the cloud.

An oft-cited impediment in Australia is our sheer isolation and the resulting network latency when connecting to cloud services hosted overseas. But Dodge brushed off these concerns.

"The web is global," Dodge said. "Google owns a significant amount of dark fibre, we can move around data better than anyone else on earth."

He was similarly relaxed about data sovereignty issues.

"Data sovereignty is an issue in some countries," he said. "We comply with any Government's laws where they require data to be stored in-country. But we also say that this is not the optimal way to do business.

"Data sovereignty gets to the central issue of security and compliance. And we feel we have security and compliance issues solved."

The real problem, he said, is that customers don't have third parties to rely on to audit security and compliance in the cloud.

"Regulatory agencies, accounting and consulting films, they don't yet have a standard set of tests or audits worked out to certify that a service is secure and compliant," he said.

Dodge highlighted efforts some American verticals have forged to offer such tests. The U.S.health industry, for example, has to abide by privacy and security standard set out in the Health Insurance Portability and Accountability Act or 'HIPPA', whilst the U.S. financial services industry must abide by measures introduced by the Financial Accounting Standards Board.

As reported in iTnews last month, the rules for Australian financial services organisations considering cloud computing are not so black and white.

"Once there are a standard set of compliance tests in any given industry, issues of where data resides goes away," Dodge said.  

"In the future we'll have compliance tests for each industry, and I hope it happens soon."

Gunning for the enterprise

Dodge also responded to concerns some iTnews readers have expressed about whether Google provides adequate support for apps hosted in the cloud.

"We need to make a distinction between consumer services and business services," Dodge said. "Consumer services are free, ad-supported and only feature help from the web. But business customers get 24 x 7 technical support by telephone and email.

"The larger the business, the more support you get - there are different levels of support to choose from.

"Google is primarily known as a consumer search company, but we are moving to be an enterprise software company. We have over 1000 people in Google Enterprise alone."