Google’s Security Compliance Audit Report Is Now Public

Google today announced that its cloud platform has received a new ISO 27001 certificate and has completed its latest SOC 2 and SOC 3 Type II audits. Before you start yawning, it’s worth remembering that these reports certify Google’s compliance with standard security practices that are meant to keep the data on its Cloud Platform safe. That includes products like Cloud Platform, but also Google Apps for Business and Education.

The new reports and certificates now cover Google+ and Hangouts, which is nice, but the real news here is that Google is making both its ISO 27001 certificate and SOC 3 audit report easily available to anybody who wants to take a look. The SOC 3 report is about a 10-page document that summarizes the audit’s findings and lists the services that the auditors inspected. By default, this report is meant to be made public. The SOC 2 report is significantly more in-depth and runs a few hundred pages, but sadly Google isn’t making that one public.

As Google’s director of security for Google Apps Eran Feigenbaum told me, this is all about transparency and gaining trust. “Security, privacy and ultimately trust is one of the key points people still have with the cloud,” he said. “When you give your data to a vendor in the cloud, you want to understand what they do with it. A key point for gaining that trust is transparency.”

Until now, you could only get your hands on these reports after you went through a number of formalities and signed a non-disclosure agreement. Even with all of this bureaucracy, Google handed out “hundreds” of copies of its SOC 2 report every year — but only to its own customers.

Still, as Feigenbaum noted, that meant that if you were using App Engine for your product, you couldn’t give the report to any of your own customers because you were under NDA and your customers couldn’t get it because they didn’t work with Google directly.

It’s worth noting that Google isn’t the only company to make these documents public. Amazon publishes its SOC 3 report, for example, as does Microsoft (though I was only able to track down a copy from 2012).