Thursday, December 19, 2013
Most businesses these days rely on technology to get their work done. And anyone who’s responsible for that technology — or even anyone who just follows the news — knows that 2013 was a big year for internet security. Of course, security has been a top priority for Google for over a decade. Millions of businesses trust Google to keep their data safe every day -- a responsibility we take very seriously. We focus on protecting our customers’ data from all unauthorized access, whether from common phishing, sophisticated hacking, or state-sponsored intrusions.
Google employs hundreds of full-time world-class security engineers. We were the first to offer important security tools, like free two-step verification, encrypted connections between your browser and our servers, and a handful of other security innovations. As a company, Google uses the same products and services that we offer to our customers. We run on the same infrastructure, in the same data centers.
Before businesses slow down for the holidays, we wanted to highlight a few of the many investments we’ve made and features we’ve launched in 2013 to help keep our customers — and everyone on the web — safe. Of course, there’ll be much more to come next year.
Offering new security tools for Google Apps administrators:
In addition to protecting our customers, Google also makes it easier for customers to protect themselves. For domain administrators, having visibility into and control over how their users’ accounts are working is a big help.
- Suspicious login alerts: A new feature in the Google Apps Admin Console allows administrators to receive email alerts when our systems detect suspicious or unusual login activity in their users’ accounts. This helps admins stay informed of what’s happening in their domain — to a degree not possible with most email systems — and, when necessary, take swift corrective action.
- Android device management: Organizations can manage smartphones and tablets - including Android and iOS - right from the Google Apps Admin console. The Android device management features include the ability to selectively wipe Google Apps account data without wiping a user’s entire device and require the latest version of the Device Policy app to ensure security policies are enforced across all devices.
- Account recovery: A new account recovery process for super administrators helps keep their accounts more secure by allowing each super admin to specify their own recovery email address and telephone number. And the new mobile Admin app lets administrators quickly accomplish the most critical tasks (like suspending users or resetting passwords) wherever they are, using an Android phone or tablet.
Verifying our practices through third-party certifications and regulatory compliance:
When it comes to security and helping our customers comply with specific industry regulations, you don’t just need to take our word for it. Many of our security practices have been reviewed and verified by third-parties in the form of audits.
- FISMA: The Federal Information Systems Management Act includes a rigorous evaluation of the security processes and data protections, and is required by U.S. federal government customers. Google Apps was the first cloud productivity suite to receive FISMA back in 2010, and we renewed our certification again this year.
- ISO 27001: ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. After earning ISO 27001 for Google Apps in 2012, we renewed our certification again this year for Google Apps and received the certification for Google Cloud Platform.
- SOC2, SSAE 16 & ISAE 3402: Companies use the SOC2, SSAE 16 Type II audit, and its international counterpart ISAE 3402 Type II audit, to document and verify the data protections in place for their services. We’ve successfully completed these audits for Google Apps every year since 2008 (when the audits were known by their previous incarnation, SAS 70) and we did so again this year for Google Apps and Google Cloud Platform.
- HIPAA: This year, we started offering Business Associate Agreements (BAAs) to help our customers who need to comply with the Health Insurance Portability and Accountability Act (HIPAA) while using Google App.
Improving security for everyone on the web:
Our work doesn’t end with providing security for Google products or even Google customers. To keep ahead of the bad guys, we work with researchers and others in the broader security community to make sure the the web is safe for everyone.
- Updated SSL certificates: To keep users safe, we utilize encryption on almost all connections made to Google, but this encryption needs to be updated at times to make it even stronger. This year, we upgraded all of our SSL certificates to 2048-bit RSA, which will help the industry move away from weaker, 1024-bit keys next year.
- Vulnerability rewards: Since introducing our vulnerability rewards programs in 2010, we’ve rewarded (and fixed!) more than 2,000 security bug reports, paid out more than $2 million in rewards, and been recognized for setting leading standards for response time. And to convey our commitment to security and thank researchers for their important work, this year we increased the maximum award from $1000 to $5000.
- Easier recovery for hacked websites: As a site owner, discovering your site is hacked with spam or malware is stressful, and trying to clean it up under a time constraint can be very challenging. We’ve been working to make recovery even easier and streamline the cleaning process — we notify webmasters when the software they’re running on their site is out of date, and we’ve set up a dedicated help portal for hacked sites with detailed articles and videos explaining each step of the process to recovery. This year, we released additional security tools so webmasters can find information about security issues on their site in one place and pinpoint problems faster with detailed code snippets.
Whether it’s creating easy-to-use tools to help organizations manage their information or keeping customer data safe from prying eyes, we’re constantly investing to ensure that Google earns and keeps your trust. Here’s to a happy, healthy, and (most of all) safe 2014.