This is the 3rd of a 3-part series on Google Cloud Security. You can read the first part here, and the second part here

When I talk to customers, we get past the security conversation pretty quickly. 

When I explain to them how Google does things, they have lots of independent verification, your rate, you can test Google, they buy the security very quickly.  

The problem now is people worry more about what’s happening to their data. 

It quickly goes from a security conversation to, “No, no, I believe Google’s security is better than ours,” to a conversation more like, “I want to know what happens to my company’s data within Google’s hands.”  

What happens to your company data in Google?

Now, there’s a lot of misinformation about this.  

So, how does Google think about data protection? They think about it two ways. I always like to start this talk with security, because without security, you’re not going to have data protection.

The other component is privacy. If you don’t have a solid privacy policy and policy practices in place, you’re not going to have it either. 

The number one piece of misinformation is that people confuse Google’s consumer services (the ones that Google offers for free) with the services they offer to companies, businesses, schools, and nonprofits. 

They’re completely different offerings. Just to be clear, for that free Gmail account that you sign up for, yes, they’re using that data for advertising. Yes, there’s profiling. Yes, there’s scanning.  

But for all the products that they offer to businesses, schools, nonprofits, that’s not the case. In that case, in the original case, you guys own the data. Google is simply considered the data processor.  

Google can only use the data in the way in which you’ve instructed them. Let me go into a bit more detail here… This has three big components, like three legs in a stool, really.  

1. Transparency

What transparency means is that they’re going to tell you what they’re doing with your data. And it’s about being transparent before you’re a customer, without having to sign some sort of magical, special agreement.  

So, I mean sharing things like where their data center locations, Google’s security reports, their SOC 3 reports, their ISO reports. All of their contracts are public. Meaning their data processing and who their subprocessors are, all these components, all of their commitments on data deletion, information on what data can be used for… this is all publicly available. 

You can look it up now. It’s on the web.

And what it comes down to is what can Google use the data for?

We can use the data for absolutely nothing but what you instruct us to do.  -Google

So just to be clear, Google cannot use your data for advertising. They cannot mine your data for any purpose whatsoever, even to improve their own product; they’re simply not allowed to do so. And this is part of their business contract with companies.  

The intellectual property of the data is yours. You get the idea: Google literally has zero rights on your data. They own the rights to their service.  

So, as long as you don’t try to reverse-engineer Gmail, you’re going to be OK.

They’re also extremely portable. 

You could literally take your entire organization’s data and shift it into Google over the weekend. And you could change your mind next week, and move everything out Google. You can do that too.  

There’s no penalty. It comes out in usable file formats. It works so well, Google’s competitors have built tools around it to quickly expedite the movement of data in and out of their platform.  

2. Strong Contracts

All of Google’s contracts are written in a way that’s European-centric language. It’s not because they’re a European company. It’s just that the standards there are very, very specific when it comes to data.  

So there, you’re the data controller and the data owner. You give Google instructions, they’re the data processor. They can only do what you tell them. They have a global data privacy policy that applies to businesses, schools, and non-profits

It’s different from the one that if you look up “Google Privacy Policy,” it’s not that one. That’s for consumers.  

This one is publicly available and they update this all the time. Because they’re constantly getting feedback from data protection authorities in the US, in Europe, in Asia and our position is that they will only strengthen their commitments, not weaken them. So one of the more recent ones is they put an SLA on data deletion. Google made ongoing commitments to maintain compliance with their security audits and data privacy audits, which I’ll talk to you about here in a moment.

These sorts of things, this is all available, which is very useful for a business.  

So if you’re a parent, and you want to know what’s happening to your children’s data, you can just go and read it. There’s no advertising. There’s no scanning. It’s not some secret contract that each company has their own thing agreed upon.

They build on it. Google tells you what they’re going to do, they’re transparent. They legally commit.

But how do you really know what they’re doing? Google’s perspective is that you should trust them, but verify yourself.

3. Auditing

The problem in the past is that all of Google’s audits had been very, very focused on security. They start with security. Security’s strong. They have all the ones you’d expect– ISO 27001, SOC 2, SOC 3, SSAE in 16, ISAE 3402.  

These are all independent security audits. But again, we get past that security conversation pretty quickly and it goes into data usage. People don’t argue about security. They know what good security is.  

They argue about data usage, and how data should be protected.

Should it be transferred internationally? How does all that work?

So, what did Google do? They went and worked with their buddies over at ISO, their Swiss friends, Google’s standard-setting organization. And they worked with them to develop a new standard.

The new standard is called ISO 27018. This is about data privacy, the processing of personally identifiable information by public clouds, which is Google.

It’s exactly what Google’s looking for.

The next thing Google did is work with their auditor to be able to audit them against this new standard. So remember their infrastructure, everything I talked about being completely customized?  

Google can’t run an audit sending a college kid in with a clipboard saying, “Oh, there’s my blade server, and what’s my patch level?” 

It doesn’t work that way.  

At Google, everything is customized. They have to embed their auditors with their engineering teams. It takes a long time. It took over a year for the auditors to be trained on Google’s platform, and then be able to conduct an audit afterwards.

But the good news here is that they’ve adopted the standard, and they’ve had this since September.

Google announced it almost a year to the date after the standard had been released. Just so you understand how important this is, let me talk a little bit about how these standards work, if you’re not familiar with them.  

ISO 27001 is a family of standards.  

The first level is around security. There’s 114 security controls, which goes back to our story. You have to have security before you can have privacy. After you’ve gone through, and we talk about all these different controls that are in place for Google’s platform, you’ll learn that ISO 27018 is built on top of it.

You have to have security before you can have data protection and these are looking at different things. This is asking if Gmail is secure? Is it locked down? Are all those controls in place?  

And the next one is looking at the question: what’s that data being used for? Is it guaranteed that it’s not being used by other systems? What’s out there? How is this being protected? 

This is what’s important.  

So now, for the first time, you have independent, third-party, audited verification on what’s happening to your data.

This is something that you can take to your board. This is something you can tell your users about. But what makes it interesting, when we start talking about things like data privacy, is that it just doesn’t apply to services like security.  

So security on Gmail, Drive, and all of those products are covered. But, data is different; you can get to that from all kinds of different ways.

For Google’s privacy standard, yes, it had to cover the applications. But it had to cover every way that you could get to the data, so all the APIs, all the SDKs, or the software development kits, and tools that you might want to run on top of them.

So all these have been included as well.  

Another benefit of working with a company like Google who operates around the world is that they operate around the world. And that means that different countries and regions have different standards relating to data privacy.  

And for Google, they always have to take the strictest one.  

International Security Compliance

Sometimes it’s Europe, sometimes it’s Korea, and sometimes it’s the US. And these sorts of things, knowing that they have to meet all of these strict standards, you can have peace of mind that this is something that’s important to them, and that they’re going to be on the leading edge of what’s happening with data protection around security and data privacy.

Google has a very, very large team, both in DC, in Brussels, in Singapore, working with governments, who focus on working with data protection authorities because this is an evolving thing.

In Europe, there’s a lot of change happening right now. Google is compliant with everything that’s happening there now. They work very, very closely with them. But this is something that is constantly developing and because Google has such a vested interest in all these markets, it’s in their interest to be compliant and to be a leader.

And this is something that they’re really trying to bring home to the US. So when you talk about moving to the cloud, now, you can think about the abilities, but it does this increase the risk for what you’re doing on a day-to-day basis at your business?  

We think that you should look at it as a risk assessment. We talk about having extraordinarily strong, world-class, leading-edge security. That’s great, but it’s only part of the problem.  

You have to understand how that data is being used and know what systems there are.

Having all this information available, it’s fun to share with you guys extraordinarily detailed security audit reports to back all these claims up.

You can run your own penetration testing. Having strict, bulletproof contracts about what your data can and cannot be used for and having very, very strong enforcement mechanisms for them there. 

Don’t look at Google’s platform as being the same as you have on your personal accounts, or being equivalent. It’s 10 times better.