Google has announced that its Google Apps, App Engine, Postini and Google Storage for Developers products have passed the SSAE-16 Type II and ISAE 3402 Type II certifications. Sounds great, but what does it actually mean?
Well, the SSAE-16 is actually the “American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 16 (SSAE-16).” Got all that? If you go read the sites related to SSAE-16 and ISAE 3402 linked by Google, you’ll probably come away with a head full of jargon and no better idea of what Google has achieved than before.
According to the End Point blog, it basically means that Google is saying that its products are suitable for customers that need to comply with legal requirements like Sarbanes-Oxley and that its data centers are secure. It also means that individual customers don’t need to perform their own audits of Google’s services – they can use Google’s SSAE-16 report in their own reporting.
The SSAE-16 evolved from a previous standard called SAS 70. What’s the difference? According to Curt Finch of Journyx, SSAE-16 “prohibits the use of prior evidence,” which means that companies can’t roll previous audits into the current certification.
SSAE also differs in that the company’s management is required to attest to “the fair presentation and design of controls.” Previously it was just the auditors that reported on a company’s controls. By the way, one might wonder who performed the audit for Google – but Google declined to publicly disclose who their auditor is.
In short, the SSAE-16 is a good thing to have, but it’s important to understand what it is and isn’t. Essentially, Google sets a series of controls and control objectives, and an auditor verifies that Google meets those practices. The SSAE-16 does not appear to be an objective measure that means that every organization that is SSAE-16 compliant is following the same procedures. (Note that the consensus seems to be that Google should announce “compliance” and not “certification.”)
If you’re really interested in Google’s data center security, they’ve posted a video tour of a Google data center to highlight security and data protections in place, as well as a security white paper that goes into more detail.