Wrong certification for Google App cloud security

By | May 29, 2012
What exactly does an ISO 27001 certification for Google Apps mean? In my opinion, not enough.

Cloud computing is an area in which you have to trust the cloud platform, infrastructure host, and app developer. So the certification means that the platform is probably okay, but that doesn't make apps based on it any less susceptible to attacks. You're still left to the uncertified whim of the app developers, and whatever they do with the data once it leaves the app engine from the other end. In other words, you can't say anything conclusive about the security of anything based on Google Apps as a result.

Further, an ISO certification is a purely technical certification. Cloud security has as much to do with policy as it does with technicalities. ISO won't protect you from government, or judicial, inquiries.

That makes for a rather useless certification, don't you say?

/via +Jon Mallin 

Google Apps receives ISO 27001 certification
In the early days of the cloud, security concerns were often at the top of business minds as they considered moving to Google Apps. More recently, though, security has become a major reason businesses…

7 thoughts on “Wrong certification for Google App cloud security”

  1. Sophie Wrobel

    +Kristian Köhntopp thanks for the background and the correction. Will correct the post later as I can't correct posts via mobile, only comments. (Who at Google thought up that logic?)

    +Ryo Cook I doubt there will ever be 100% security. But I do find it annoying that things are marketed as secure – in particular when dealing with an interplay of technology and procedure – when 'security' is so difficult to measure, and even if you do measure it, it is difficult to determine how meaningful the measurement is.

  2. Ryo Cook

    Are you looking for 100% security? That isn't happening. But it might be safer than your local hard drive if you don't use encrypted Linux Filesystems.

  3. Kristian Köhntopp

    For the public, only a very general statement has been prepared:


    The section "Major control objective and control activities covered" explains which control objectives of ISO 21k have been addressed, and that Google passed with flying colors, but does not go into detail.

    The contents of that section make it clear, though, that ISO 21k is about process and procedure, and not primarily about tech.

  4. Kristian Köhntopp

    ISO 27k is about the definition of an Information Security Management System (ISMS). That is not about technical security at all, but about process and procedure.

    Arguably, the certification still just certifies compliance and not a certain level of security, but defining actual metrics for security is very extremely hard, because you are trying to measure the absence of a thing (see the Thesis of Andreas Rauer).

    In order to better understand what actually has been certified, one would need to have a look at the scoping documents for this particular evaluation. Usually a certified party is willing to make these available to a customer that is purchasing services and has ISO 27k requirements that need to be met in order to authorize the service purchase.

