Google Announces SSAE-16 Compliance

This post is part of our ReadWriteCloud channel, which is dedicated to covering virtualization and cloud computing. The channel is sponsored by Intel and VMware. Read the white paper about how Intel Xeon processors help organizations get unprecedented levels of performance.

Thumbnail image for Thumbnail image for 150x55google.gifGoogle has announced that its Google Apps, App Engine, Postini and Google Storage for Developers products have passed the SSAE-16 Type II and ISAE 3402 Type II certifications. Sounds great, but what does it actually mean?

Well, the SSAE-16 is actually the “American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 16 (SSAE-16).” Got all that? If you go read the sites related to SSAE-16 and ISAE 3402 linked by Google, you’ll probably come away with a head full of jargon and no better idea of what Google has achieved than before.

According to the End Point blog, it basically means that Google is saying that its products are suitable for customers that need to comply with legal requirements like Sarbanes-Oxley and that its data centers are secure. It also means that individual customers don’t need to perform their own audits of Google’s services – they can use Google’s SSAE-16 report in their own reporting.

The SSAE-16 evolved from a previous standard called SAS 70. What’s the difference? According to Curt Finch of Journyx, SSAE-16 “prohibits the use of prior evidence,” which means that companies can’t roll previous audits into the current certification.

SSAE also differs in that the company’s management is required to attest to “the fair presentation and design of controls.” Previously it was just the auditors that reported on a company’s controls. By the way, one might wonder who performed the audit for Google – but Google declined to publicly disclose who their auditor is.

In short, the SSAE-16 is a good thing to have, but it’s important to understand what it is and isn’t. Essentially, Google sets a series of controls and control objectives, and an auditor verifies that Google meets those practices. The SSAE-16 does not appear to be an objective measure that means that every organization that is SSAE-16 compliant is following the same procedures. (Note that the consensus seems to be that Google should announce “compliance” and not “certification.”)

If you’re really interested in Google’s data center security, they’ve posted a video tour of a Google data center to highlight security and data protections in place, as well as a security white paper that goes into more detail.

Posted in

and tagged with

Tell us about your road to the cloud and win a MacBook Air with an Intel® Core™ 2 Duo Processor. This month’s question:

What are important considerations when managing hundreds of virtual machines?

Google has announced that its Google Apps, App Engine, Postini and Google Storage for Developers products have passed the SSAE-16 Type II and ISAE 3402 Type II certifications. Sounds great, but what does it actually mean?nnWell, the SSAE-16 is actually the “American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 16 (SSAE-16).” Got all that? If you go read the sites related to SSAE-16 and ISAE 3402 linked by Google, you’ll probably come away with a head full of jargon and no better idea of what Google has achieved than before.
Please enable JavaScript to view the comments powered by Disqus.