In a recent blog post on security in the cloud, Attorney Seaton Daly discusses the different approaches that Microsoft and Google are using to gain security credibility for their cloud offerings. As more data breaches make headlines, cloud providers want to assure customers that their services are secure. Microsoft is looking for legitimacy in the US Federal government and is pursuing the ISO 27001 information security standard. Google is pursuing the Federal Information Security Management Act (FISMA) standards for much the same reason; Microsoft is also pursuing FISMA. There is no agreed-upon standard for cloud security, but the ISO 27001 standard remains one of the best security benchmarks available.
Pursuing an ISO certification makes more sense than pursuing a US-only standard, since ISO standards are widely recognized and accepted internationally. If Google and others want to give their customers a sense of security about their data, this seems logical. As with all technology, the products come before the standards. Companies like to be first out of the gate so they can claim they do it better than their competitors and so they can influence the coming standards. Hopefully a cloud security certification is coming soon.
As go Google and Microsoft, so goes the industry, but customers will ultimately decide. Salesforce.com already has ISO 27001 certification, so maybe they are the leader here. I think the important thing is that cloud providers adhere to security standards to make us all feel better about using their services. It is interesting that there isn’t a common on-premises security standard either.