Google Apps: Security First
Dedicated to keeping your data safe, secure and private
Built with security and reliability in mind
Google operates one of the most robust networks of distributed datacenters in the world. The protection of the data and intellectual property on these servers is our top priority, with extensive resources dedicated to maintaining data security. Protected around the clock and monitored by a dedicated security team, our facilities are held to extremely high standards of scrutiny every moment of the day.
● The controls, processes and policies that protect data in our systems have successfully completed a SAS 70 Type II audit.
● Google Apps offers a 99.9% Service Level Agreement*, so you can be confident that employees will have access whenever they need it.
● Google Apps is the first cloud-based messaging and collaboration suite to achieve FISMA (Federal Information Security Management Act) certification, indicating that the General Services Administration has reviewed and certified our security processes and documentation.
New! 2-step verification
2-step verification allows users to add an additional layer of protection to their Google Apps accounts. This feature is available for Google Apps for Business, for Education, and for Government versions and is coming soon to the free version of Google Apps.
Google Apps is designed to provide you with a secure and reliable platform for your data, bringing you the latest technologies and some of the best practices in the industry for datacenter management, network application security, and data integrity.
Google has created a secure, reliable cloud-based computing environment with collaboration technology that can’t be matched by other systems today.
– Jason Ruger, Director of IT Strategy, Motorola Mobile Devices
Three main components ensure the reliability of our security practices:
● People – Google employs a full-time information security team including some of the world’s foremost experts in information, application, and network security. This team is responsible for the company’s perimeter defense systems, security review processes, and customized security infrastructure, as well as for developing, documenting, and implementing Google’s security policies and standards.
● Process – Security is part of Google’s DNA, built into each application from day one. Google applications go through multiple security reviews as part of the Secure Code development process. The application development environment is closely restricted and carefully monitored to maximize security. External security audits are also regularly conducted to provide additional assurance.
● Technology – To reduce exploit risks, each Google server is custom-built with only the necessary software components, and the homogeneous server architecture enables rapid updates and configuration changes across the entire network when necessary. Data is replicated in multiple data centers for redundancy and consistent availability.
Who owns the data that organizations put into Google Apps?
To put it simply, Google does not own your data. We do not take a position on whether the data belongs to the institution signing up for Apps, or the individual user (that’s between the two of you), but we know it doesn’t belong to us!
The data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things.
2. We keep your data as long as you require us to keep it.
3. Finally, you should be able to take your data with you if you choose to use external services in conjunction with Google Apps or stop using our services altogether.
Where is my organization’s data stored?
Your data will be stored in Google’s network of data centers. Google maintains a number of geographically distributed data centers, the locations of which are kept discreet for security purposes. Google’s computing clusters are designed with resiliency and redundancy in mind, eliminating any single point of failure and minimizing the impact of common equipment failures and environmental risks.
Access to data centers is limited to select, authorized Google personnel.
Is my organization’s data safe from your other customers when it is running on the same servers?
Yes. Data is virtually protected as if it were on its own server. Unauthorized parties cannot access your data. Your competitors cannot access your data, and vice versa. In fact, all user accounts are protected via this virtual lock and key that ensures that one user cannot see another user’s data. This is similar to how customer data is segmented in other shared infrastructures such as online banking applications.
Google Apps has received a satisfactory SAS 70 Type II audit. This means that an independent auditor has examined the controls protecting the data in Google Apps (including logical security, privacy, data center security, etc.) and provided reasonable assurance that these controls are in place and operating effectively.
What does a Google Apps SAS 70 Type II audit mean to me?
An independent third-party auditor issued Google Apps an unqualified SAS 70 Type II certification. Google is proud to provide Google Apps administrators the peace of mind of knowing that their data is secure under the SAS 70 auditing industry standard.
The independent third party auditor verified that Google Apps has the following controls and protocols in place:
● Logical security: Controls provide reasonable assurance that logical access to Google Apps production systems and data is restricted to authorized individuals
● Privacy: Controls provide reasonable assurance that Google has implemented policies and procedures addressing the privacy of customer data related to Google Apps
● Data center physical security: Controls provide reasonable assurance that data centers that house Google Apps data and corporate offices are protected
● Incident management and availability: Controls provide reasonable assurance that Google Apps systems are redundant and incidents are properly reported, responded to, and recorded
● Change management: Controls provide reasonable assurance that development of and changes to Google Apps undergo testing and independent code review prior to release into production
● Organization and administration: Controls provide reasonable assurance that management provides the infrastructure and mechanisms to track and communicate initiatives within the company that impact Google Apps
Can my organization use our own authentication system to provide user access to Google Apps?
Google Apps integrates with standard web single sign-on systems using the SAML 2.0 standard. Organizations can do the integration themselves, or work with a Google partner to accomplish this.
What is FISMA?
The Federal Information Security Management Act of 2002, or “FISMA”, is a United States federal law pertaining to the information security of federal agencies’ information systems. FISMA applies to all information systems used or operated by U.S. federal agencies — or by contractors or other organizations on behalf of the government. If you want to learn more about FISMA, there is a very thorough entry on Wikipedia.
Visit our Help Center for more Security and Privacy FAQs.
* The 99.9% uptime SLA for Google Apps is offered to organizations using Google Apps for Business, as described in the Google Apps for Business Terms of Service.