It amuses us when we encounter the occasional prospect that brings up the old “Them vs. Google” when dealing with security. You may have fallen into that boat at one point too. You know the type. They usually say something along the lines of “We don’t want our important information at Google. It is safer on OUR servers, in our data center”. Granted, you have to give credit where credit is due, so if you’re a company like Microsoft, or Yahoo, Amazon, etc…. They may have a leg to stand on. The cost to truly ‘secure’ data is INSANE so you need to have the budget to do pull it off. But let’s be real for a second; the vast majority of companies are NOT those big guys. They are small and medium sized companies, like yours for example. So with that in mind, let me really break down the facts behind these statements and why, sadly, it does amuse us a bit.
First, it would be really easy for us, and we usually do, to simply point out that the requirements of many of Google’s customers are CERTAINLY more demanding than most companies. Consider the City of Los Angeles, or the Colorado state government. Can you imagine what their demands on data security must be? Ok, let’s pull out of the public sector for a minute and consider companies like Delta Hotels, Motorola Wireless or National Geographic. These are companies with budgets to meet the demands of data security. They are under regulations by the SEC to adhere to data security requirements. Companies such as these have already looked at the requirements and deemed that the ability to meet the high demands is as simple as putting their data with Google. As you can see, in many cases just pointing this out should be example enough; but interestingly enough, sometimes it isn’t and people still feel that their data is more important and can’t be trusted in Google data centers.
Very well, so let’s get down to the underlying points. Let’s start with an audit. In terms of data security, an audit is a way of verifying that specific security requirements are met. The security requirements are often outlined by various ‘authorities’ who aim to setup a standard for data security for a specific segment of businesses. Many people are familiar with HIPAA, which is the standard to which Medical Care industries must comply by law. Another well known standard is Sarbanes Oxley, which dictates how publicly traded companies in the United States must secure data (well, it is technically more about reporting the data, which in turn relates to data protection so that it can be assured that data is properly reported…. but that is for another article). But what many people aren’t aware of is that there are often underlying requirements that either roll-up into these well known standards and/or deal with specific industry niches within and around the well known requirements. One great example is an SSAE-16 Audit. Let me start by saying that I am NOT an expert in SSAE-16, but with any luck, you’ll get the gist of my message; to pass this audit is INSANELY cool and daunting.
For example, the essence of the SSAE-16 Audit (and in turn the underlying requirements of the security guidelines) is summarized by ssae16guide.com:
- “The primary reason for the SSAE 16 (SOC 1), SOC 2 and SOC 3 audits is to provide assurance to a third party and their auditors that a Company providing an outsourced service is doing so with proper controls in place to prevent financial misstatements and provide an appropriate level of security, availability, processing integrity, confidentiality, and/or privacy.”
In plain English: If you are a company that is going to secure data for someone else than passing an SSAE-16 Audit is proof that you can do it safely. These audits can only be executed by an independent CPA firm that is listed with the American Institute of Certified Public Accountants (AICPA). Look at just SOME of the hundreds of requirements to pass this audit:
- Evaluations of daily operations
- Management and supervisory activities
- Internal audit functions
- System checks and balances | Manual checks and balances
- Communication with third party entities
- Additional safeguards, controls, processes, procedures, and oversight activities that assist in monitoring a service organization’s system.
Did Google pass this very important Audit? Yes; as well as many others. Yes, I said many others. If this is just ONE audit that Google has passed, imagine the time, money, effort and more that Google has put in to instill confidence with their clients that their data is secured. Here is just a short list of some of the other audits that Google has passed (you can click each one for more details):
- SAS 70 type II
- ISAE 3402 Type II (This is an international audit)
- Safe Harbor
- FISMA
- ISO 27001
So let’s come back full circle. We still have a prospective client who, even after these two points (a: companies with more stringent requirements than yours, and b: independent audits) still feels that they can do a better job protecting their data simply because it is on premise. Explaining to the prospect what we have explained here is not the part that amuses us, it is the idea that on-site is better than off-site because…… Well, they don’t usually give us a good point, so we often provide them with one, such as “Because you can take the data home with you?” They often nod and confess that really, that is all that it amounts to.
The days of ‘replacing your tapes’, and ‘taking one home with you’ does in fact have SOME merit. If you’re running a legacy system, that you cannot get into the ‘cloud’, in truth; what options do you really have? But what about the data that you CAN move to the cloud? Email, documents, contacts, contracts…. Is it better to have your risk minimized to a hypothetical 20%, instead of holding on to processes that keep your risk at 80% (Yes, I’m using those numbers based on 21 year educated guess). The point is, security is really the exercise of minimizing risk. Minimize risk, your data is more secure.
So let’s wrap this up. If there is one thing that we at Futurity understand, it is the struggle of small business as it relates to Information Technology, especially when you’re an organization that is not in the Technology field. One of the easiest and most cost effective ways to minimize risk is to simply move your data to a company such as Google that can do a better job and allow YOU to do what you do best. If you can do it while simultaneously saving a lot of hard earned cash, all the better. Seriously, Google almost gives it away at $50.00 per year / per user! Enough said, Google wins..
Established in 2011, Futurity is an authorized Google Apps for Business reseller and solutions partner with Gaslamp Media.. Along with the sale of Google Apps for business licenses on behalf of Google, Inc. to an international client base, Futurity provides integration, change management, organizational readiness, training and cloud services consultation services to their client base throughout the Southwest United States