Google, Telstra get cloud security certification

Google has joined a growing host of cloud providers to receive an ISO 27001 security certification, for its Google Apps for Business product.

The search giant was issued the audit-focussed security certificate from Ernst & Young’s Dutch certification body, CertifyPoint. The Dutch body also certified Amazon Web Services Elastic Cloud Compute, Simple Storage Service and Virtual Private Cloud in 2010.

The certification sees Google Apps for Business join its other consumer web products and some application programming interfaces that boast the security clearance, in addition to audits already undertaken for SSAE 16 / ISAE 3402 and FISMA certifications Google undertakes for US government agencies.

The three-stage ISO 27001 certification requires compliant service companies to undergo annual audits of policy documentation, and security and management processes.

The standard is designed to ensure organisations continually examine and design controls to take account of evolving security threats or vulnerabilities, while having management processes in place to ensure those controls are used where necessary.

Telstra also recently gained complete ISO 27001 certification for its infrastructure-as-a-service platform, following an independent audit of its Sydney and Melbourne facilities for the process.

Mark Pratley, Telstra's general manager of cloud computing, said the data centres had received the certification for the first time, as a result of the audit.

While ISO 27001 is a widely recognised standard, security consultant Alec Muffett told Computerworld UK it was “not at all” a ‘seal of approval‘, but rather an independent verification of security standards set by the certificate applicant.

Those who receive ISO 27001 certification rarely publish what standards they set for themselves. 

Amazon said certificates issued by Ernst & Young's CertifyPoint are recognised in all country members of the International Accreditation Forum. 

Microsoft has relied on independent audits conducted by the British Standards Institute for the ISO 27001 certification applied to Windows Azure. It also received a separate certificate for its Global Foundation Services infrastructure hosting Bing, Hotmail, MSN, Office 365, Xbox Live and Windows Azure.

The company is undergoing the certification process for SQL Azure, Service Bus, Access Control, Caching, and its content delivery network.

Australian data centre operator Equinix, IT services outfit ASG and Telstra's cloud rival Optus all boast the ISO certificate for their respective data centres.

Additional reporting by James Hutchinson.