Google Apps security director discusses compliance within the cloud

In this exclusive video from RSA Conference 2011, Google Apps Security Director, Eran Feigenbaum discusses compliance within the cloud, including his thoughts on emerging cloud security standards.

Be sure to also watch this Eran Feigenbaum video:

Eran Feigenbaum on data security within the cloud

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.

Marcia Savage: This is Marcia Savage, with
We are here today with Eran Feigenbaum, he is the Director of Security
at Google Apps. Thank you for joining us today, Eran.

Eran Feigenbaum: Thank you for having me.

Marcia Savage: Compliance is obviously a major concern for enterprises.
How can enterprises prove regulatory compliance when they work with a
cloud service provider?

Eran Feigenbaum: Compliance means different things to different organizations,
depending on what industry you are in, where you are located, and what regulatory
requirements you have to deal with. I do not think any provider can tell a
customer what regulatory requirements they have. It is really incumbent
upon a customer to understand their regulations and bring those as
requirements to their provider, to a company like Google. We can be
transparent about which controls we meet and which controls we cannot meet.
We cannot let somebody come and audit us, so if that is an absolute requirement,
it is probably not a good fit for our environment. If they need to ensure that passwords
are stored in a certain manner, maybe we can meet that. A great way for that is the
SAS 70, for example, which is providing our customers and their auditors a copy of an
independent assessment result of that. Indeed, we do have many customers in
highly regulated industries, companies like Genentech, for example, or financial
services or government entities, that all have to meet various regulatory requirements
using our services.

Marcia Savage: There are a lot of cloud security standard efforts going on,
such as those by the Cloud Security Alliance. Any thoughts on those?

Eran Feigenbaum: As a cloud provider, nothing would make me happier
than to have a single cloud security standard that would come and do an
assessment, audit, provide an accreditation or certification, and be done
with it. To get some kind of score, being able to rank and compare different
cloud providers, one to the other, and when a customer had security questions,
you just gave that certificate. The reality is that we are not there yet, as an
industry. Maybe in a couple of years we will be there. We have worked with
several of those cloud bodies, including CSA, ENISA in Europe, the Federal
Government and the FedRAMP project. I think for now, it is really tough for
a cloud provider to determine which one is going to win and to put all of their
eggs behind a specific certification. I think that is why they are sticking to
some of the more open, non-cloud certifications that have been around
a little bit longer, such as the SAS 70, FISMA, such as ISO, and waiting for
that to shape up a little bit more.

Marcia Savage: Can you describe the information security culture at Google
and perhaps talk about some of the employee security-awareness programs
that you have?

Eran Feigenbaum: Information security is really part of our culture at
Google, both in the security group and outside, in all of our engineering
culture. We really understand that, both in the consumer space and in the
enterprise space, people are trusting us with one of their most critical assets,
their data. We wake up every morning trying to earn that trust and re-earn
that trust, making sure that their data stays secure and private. Looking at
it from a people, process and technology perspective, looking at: Do we
have the right people in the places that we need to? Do we have the best
experts that we can have to do those tasks? How do we engineer processes
to make it easier for people to do the right thing, that is, the secure thing,
than it is to do the wrong thing? And testing those processes.

From a technology perspective: do we have the technology to support those
processes? For example, one of the benefits that Google has is we have a very
homogeneous environment. All of our machines look basically the same, which
allows you to respond to an incident or to a patch in a much more rapid manner
when there is a vulnerability out there, as opposed to most organizations today
that have a heterogeneous environment with different flavors of different
operating systems, different applications running on them, and they have to
start running around and figuring out what is going to break. It is that concept
of people, process and technology built into our culture. We understand that we have
a very critical asset, and we need to protect that.

Marcia Savage: Thank you for joining us today, Eran.

Eran Feigenbaum: Thank you for having me.

Marcia Savage: For information on this topic and others, please visit
