Security professionals should not worry where their data is located in cloud computing models, according to Google.
Chief security officer for Google Apps, Eran Feigenbaum, told SC Magazine Australia that popular concerns over data sovereignty in outsourced environments were unwarranted.
“It is an old way of thinking”, Feigenbaum said. “Professionals should worry about security and privacy of data, rather than where it is stored.”
He cited a meeting in Europe where he had tracked an email sent within an office as it bounced through five countries. In this circumstance, Feigenbaum said, security trumps data sovereignty.
It is a point buoyed by Michael Cloppert, a security intelligence analyst with a US Defence contractor. "I'm not convinced that the data location issue is a problem - after all, packets are routinely routed around the world irrespective of the export status of their content," he wrote in a blog.
But the comments would likely grate with security professionals spooked about global cloud models where, for example, under US laws their corporate data could be seized by law enforcement.
Gartner analyst Andrew Walls told a Sydney conference last year that customers have little control over what happens to outsourced data.
"Google are not going to give you a physical inspection of their data centres," he said. "The only thing you have is a contract. But if you look at the standard contracts, they have plenty of get out of jail cards in there."
Google's endorsement of cloud computing isn't unexpected: Its empire is built on a hosted model, and it has campaigned hard to sell its corporate Apps service.
It is also keen to spruik its attention to security.
A key selling point is its SAS 70 audits, which it supplies to customers under non-disclosure agreements.
Analyst firm Gartner has previously criticised SAS 70 audits, saying such an audit is no proof of security and that it "should be a matter of suspicion when a vendor insists that it is".
Feigenbaum also moved to allay customer fears of inappropriate access to client data.
He said customer data can only be accessed on a need-to-know basis, and less than two per cent of Google staff had entered its top secret data centres.
Customer data is split into chunks, with each piece duplicated in redundant data centres around the world, making it difficult to be seen by prying eyes, Feigenbaum said.
Google also stamped each hard drive with unique barcodes that allowed the company to track the lifecycle of data stored on each disk.
But it did not encrypt data at rest, and had no immediate plans to introduce the protection. Feigenbaum said this is because of the vulnerabilities in key management.
"It is a false sense of security. Crypto people do a good job at cryptography, but a really bad job at key management."
He said that Google had built its own servers from scratch, and removed non-essential functions such as serial ports and video cards to reduce the potential avenues of attack.
He downplayed security concerns that arose from a series of high-profile attacks on Google, and said the types of attacks are "nothing new". He pointed to its two-factor authentication mechanism which can be used on mobile devices.
"Web mail accounts are acceptable to the same vector of attack, and two factor authentication makes that harder."
Cloud computing vendors should be rated according to security credentials, according to a document released today by a group of 280 companies which hold the most financial muscle in the cloud computing market.