Security continues to be a hot topic for public cloud vendors, as concerns around meeting regulatory demands and securing data against breaches remain a core consideration in deciding whether or not to move to the cloud.
As vendors such as Microsoft create more cloud-based services, they need to prove that those services are secure. Both Microsoft and Google have received boosts in this area by achieving certifications for security and privacy standards.
Microsoft, for starters, has revealed that its Azure ML service for predictive analytics with machine learning has achieved the standard ISO 27001 and the EU Model Clauses, as well as others.
Azure ML, which was launched a couple of years ago as a way of tapping into a growing interest in analysing large datasets, now meets the certification levels for security and privacy with the US HIPAA, ISO 27001, ISO 27018, and the EU Model Clauses, which relate to the transfer of personal data to countries outside Europe.
Google has achieved similar recognition of its security and privacy standards with the renewal of ISO 27001 for the fourth year in a row, while increasing its coverage from 34 to 60 products. Google Apps for Work and Google Cloud Platform have also been certified for ISO 27017 for cloud security and ISO 27018 for privacy.
The significance for both vendors is that it increases the enterprise appeal of the cloud products, potentially going some way to reducing business fears about data control and cloud adoption.
"Compliance certifications provide assurance to customers that the security of these services has been verified by independent auditors," said Krishna Anumalasetty, Microsoft’s principal programme manager for Azure.
The certifications apply to several different areas. ISO 27001 is an information security standard that specifies best practices for documentation, security, auditing and other areas. It also includes specifications for information security management systems that are designed to keep information secure.
ISO 27018 is an addition to ISO 27001 that represents a combined code of practice for protecting personal data in the cloud. ISO 27018 provides guidance to cloud service providers on how to assess the risks involved with processing personally identifiable information, while also providing a guideline on how to implement controls for protecting it.
For Google, ISO 27018 basically means that the company lets the user delete and export their data and that the company is transparent about where the data is stored.
This is particularly important for meeting the requirements set out in the EU General Data Protection Regulation, which specifies that users have the right to remove vendor access to their data.
All of this will appeal chiefly to businesses that work in highly regulated industries, large enterprise companies and government organisations.
For Google this is an important boost to its strategy of trying to appeal more to enterprise customers with its cloud offerings.
The company is lagging behind Amazon Web Services and Microsoft Azure when it comes to both enterprise adoption and overall market share. The certifications could help to break down the barriers to cloud adoption for both companies.
ISO 27017 is particularly significant because it basically certifies that Google’s virtual networks are as secure as its physical networks. This is something that cloud vendors have been saying for a while, that cloud is at least as secure as any on-premises deployment.
It should be noted that AWS already offers similar certifications and Microsoft has also been ahead of Google in achieving these. This may highlight that Google hadn’t previously been investing too much of its energy into going after the enterprise customer.
However, now that the company has changed its tune somewhat and admitted that it both wants to grow its cloud business and also go after enterprise customers, these certifications become vital to success.
Microsoft’s growing certifications play a similar role to that of Google’s, in that they make its cloud offerings more appealing to enterprise customers. For Microsoft, though, the latest certification means that its operations are more compliant with European laws.
This is a topic that has been rumbling on for many years and looks like it will continue to do so as the EU GDPR and Privacy Shield come into force. The problem for the likes of Google is that it is simply levelling the playing field a little bit. Unless it achieves certification standards that the two leading cloud players don’t have, it isn’t too much of a game changer.