Microsoft floats Cloud for Sovereignty
More transparency or just the cost of doing business? For customers whose data must remain
Microsoft is previewing a cloud service in acknowledgement of customers' demands that at least some of their data crown jewels remain within the region in which they operate.
Sovereignty is a thorny area, and while the dream of the public cloud might initially have been a case of storing and processing data without regard for physical location, reality has bitten hard and the tech giants are facing the fact that both governments and citizens around the world want more control.
Microsoft already intends to implement an EU Data Boundary by the end of 2022, intended to allow customers to store and process all data within the EU as well increase EU customer support staff. Google is going in a similar direction, and the implementation is a requirement to continue doing business with EU institutions.
The Microsoft Cloud for Sovereignty is aimed at public-sector customers and meeting the obligations of governments around GDPR (General Data Protection Regulation) while still offering the services of Microsoft's cloud.
Microsoft has split its Cloud for Sovereignty into four distinct layers, starting with Data residency. It does, after all, have an awful lot of Azure regional data centers and more than 60 cloud regions. "Customers today can meet many regulatory requirements and implement policies to contain their data and applications within their preferred geographic boundary," the company said.
The word "many" is key here, and Microsoft does have more to do. However, the EU Data Boundary may smooth some ruffled lawmaker feathers.
Microsoft also has sovereign controls on tap to protect and encrypt sensitive data. "These capabilities span the entire Microsoft Cloud from cloud infrastructure, platform services and Software as a Service (SaaS) offerings like Microsoft 365, Dynamics 365 and Power Platform," it said. Microsoft added that data is secured at rest, in transit, and in use.
Then there is governance and transparency. While many an open-source project might snort, this is Microsoft's attempt to build trust via controlled access to its source code as well giving signed-up customers "confidential security information" and the rights to check out Azure's compliance processes after signing a non-disclosure agreement or two. Microsoft's Government Security Program (GSP) includes over 45 countries and more than 90 agencies of international organizations.
Finally there is expertise, which is where Microsoft sees its partners playing a role.
- Oracle planning sovereign cloud regions for the EU
- Moscow court fines Pinterest, Airbnb, Twitch, UPS for not storing data locally
- Spain, Austria not convinced location data is personal information
- Digital sovereignty gives European cloud a 'window of opportunity'
The company's critics have been less than impressed, with Nextcloud's CEO, Frank Karlitschek, describing the announcement as "false marketing."
"Microsoft is misusing the term sovereignty," he said. "Digital sovereignty means that people or organisations are in full control of their data, applications, privacy and digital life." He listed some requirements:
- It needs to be possible for everyone to run the Cloud Infrastructure where and how they want.
- The source code needs of the cloud application must be auditable to make sure there are no backdoors.
- It needs to be possible that security patches can be provided from different parties and not only the service provider.
- It needs to be possible to check and verify which patches are applied to to system.
"The Microsoft Cloud for 'Sovereignty' doesn't fulfill these requirements," he concluded.
Microsoft's take on sovereignty comes on the heels of concessions made in May by the software giant regarding its licensing policies following sueballs flung by the likes of OVHcloud and Nextcloud that called for a level playing field.
At the time, Microsoft president Brad Smith noted that "while not all of these claims are valid, some of them are."
Matthew Hodgson, boss at Element, told us that adding data to Microsoft's cloud means "putting all of your data and metadata in infrastructure controlled entirely by Microsoft, regardless of the country where the data might reside - and that data is not typically end-to-end encrypted.
"Physically putting your data in the 'right' country does not give you sovereignty if in practice the whole thing is operated outside of your country's control," he added. "Countries should instead avoid massive vendor lock-in by embracing open standards, and host their data with their preferred vendor in their preferred country - using vendor-independent end-to-end encryption to retain full control and actual sovereignty. Data is not typically end-to-end encrypted which puts user data at greater risk."
OVHcloud said retaining data in European storage locartion is "by no means a silver bullet" as US companies will "still be exposed to extra-territorial laws like the Cloud Act even if their data is physically stored in Europe."
"The implications of working with cloud providers outside of Europe pose both technical and legal challenges and it remains to be seen how these will be tackled as part of new offerings like this one," OVHcloud told The Register.
Microsoft has also recently come in for some criticism over data protection, with a Data Protection Impact Assessment issued by the Netherlands department of Justice and Security noting that Microsoft still had work to do ahead of the promised EU data boundary.
A report [PDF] published by the Capgemini Research Institute, drawn from executives in 1,000 organizations found that more than half were "planning on including sovereignty in their overall cloud strategy in the next 12 months." Some 71 per cent expected to adopt cloud sovereignty to ensure compliance with regulations. More than 80 per cent reckoned that cloud sovereignty would continue to "gain prominence."
Perhaps reassuring for the tech giants, the report went on to say: "Only 14 per cent [of organizations] define cloud sovereignty as the exclusive use of cloud providers based in the same legal jurisdiction and storing data within the borders of a country or region."
The Microsoft Cloud for Sovereignty is a private preview at this stage so there is a chance the concerns of interested parties might be addressed in the coming months, particularly in light of the promises made regarding EU data.
However, while heavy on residency and encryption, there is little regarding where data will actually be processed. Open-source solutions might turn out to be a better bet if customers are truly concerned about what is going in inside the black box. Even if it has a shiny "Cloud for Sovereignty" label pasted on the side. ®