Microsoft’s dominant position in government IT is under scrutiny, following the software giant’s admission that it cannot guarantee the sovereignty of UK policing data hosted on its hyperscale cloud infrastructure.
As revealed exclusively by Computer Weekly on 19 June, Microsoft informed Police Scotland that it cannot guarantee that data hosted on its Microsoft 365 (M365) and Azure platforms remains in the UK.
The disclosure comes from a series of Freedom of Information (FOI) responses from the Scottish Police Authority (SPA) to questions posed by independent security consultant Owen Sayers about the authority’s use of Microsoft cloud services.
In one of the responses, published by Computer Weekly, Sayers asks the SPA for a list of “all Microsoft clouds that are known not to work fully in the UK” or that require the overseas transfer of customer data.
In its response, the SPA said: “Microsoft has indicated that it cannot ensure data sovereignty for M365.”
Other material released as part of the FOI disclosure shows that data hosted on Microsoft’s cloud infrastructure is transferred and processed overseas, and records Microsoft’s acknowledgement that international data transfers are an integral part of how its public cloud infrastructure operates.
The significance of Microsoft’s disclosures is that the processing of personal data by law enforcement agencies is governed by Part 3 of the Data Protection Act (DPA) 2018, which restricts the use of overseas cloud services by law enforcement agencies unless “appropriate safeguards” are in place.
And while Part 3 of the DPA 2018 applies only to law enforcement agencies, other public sector organisations operate under regulatory controls that expect or require data to reside entirely in the UK, Sayers said.
“Until June 2023, the government’s classification policy expressly prohibited the offshoring of data, and it is now worth asking how Her Majesty’s Government’s use of the Microsoft cloud between 2014 and 2023 was allowed to grow as it did when it was in clear contravention of that policy,” said Sayers.
Computer Weekly put this question to the Cabinet Office, but it said the department was limited in what it could say at this time because of the upcoming general election.
The significance of the period cited by Sayers is that 2014 was the year the Cabinet Office moved to simplify the government’s seven-tier Business Impact Levels (BILs) classification scheme, which departments used to assess the sensitivity of the data they process.
That process resulted in the three-tier Government Security Classifications (GSC) scheme and a new naming convention under which government data is classified as Official, Secret or Top Secret.
“The policy published at the time, and updated in 2018, not only replaced the names, but also contained express provisions on the use of the cloud,” Sayers said. “One such provision was that for data classified above the old BIL threshold of BIL 2xx, the cloud hosting had to be accredited and located in the UK.”
On top of this, Sayers said: “Many government and wider public sector organisations will have a risk on their enterprise risk register or in their data protection impact assessment [DPIA] that relies on Microsoft’s use of UK datacentres [to] ensure that their data does not leave the UK and, as such, is sovereign.
“These clarifications from Microsoft show that this is likely not true for most processing use cases, and therefore those organisations need to know how this changes their risk profile and whether reliance on Microsoft’s data residency safeguards has, in fact, been misplaced.”
Computer Weekly asked Microsoft if it could guarantee the sovereignty of other public sector organisations’ data hosted on its hyperscale cloud platform, but the company did not respond directly.
According to Sayers, Microsoft’s revelations also call into question the relevance of the UK government’s long-standing public cloud-first policy.
The policy, introduced in January 2017, requires all central government departments to adopt a public cloud-first approach to new technology procurement. The rest of the public sector is not required to follow this guidance, but is strongly encouraged to do so.
“Now that one of the UK government’s largest [public cloud] partners, Microsoft, has been shown to be offshoring much of the UK’s data, the next government, regardless of its composition, will have to ask itself whether the existing cloud-first strategy remains valid,” Sayers said.
This policy is credited with accelerating the pace of cloud adoption in central government and is understood to be under review by the Cabinet Office.
The introduction of the policy in 2017 was accompanied, around the same time, by guidance from the Government Digital Service (GDS) stating that public cloud could be used securely for the vast majority of public sector workloads.
It came several months after Microsoft opened its first UK datacentre region in September 2016. Ron Markezich, Microsoft’s then vice-president of Office 365, pitched the launch as a response to the fact that “some customers want data stored locally” in the UK.
Nicky Stewart, a former head of ICT at the Cabinet Office, told Computer Weekly that many public sector IT buyers may have bought Microsoft “with blind faith”, assuming that because the company operates datacentres in the UK, their data in M365 would be kept in the country.
“Microsoft touts what it describes as a sovereign cloud, but what do they mean by sovereign... Because, in fact, sovereign data would not be offshored in any way, and would not be subject to the jurisdiction of a third country, which will be the case when something is hosted on Microsoft or any other cloud founded in the United States,” she said. “Is sovereignty presumed simply because data is kept in the UK?”
It is not difficult to see why public sector IT buyers might have made such a presumption.
When the plan to expand Microsoft’s datacentre presence in the UK was first announced in November 2015, the then UK government chief technology officer, Liam Maxwell, said the news would have “big implications for businesses, local governments and for many other people who have found the issue of data sovereignty and data location to be a concern”, during a press Q&A session in which Computer Weekly participated.
In an interview with the BBC, Scott Guthrie, former head of Microsoft’s cloud business group, said that opening datacentres in the UK would address the data sovereignty concerns of regulators and privacy watchdogs.
“For some areas, such as healthcare, national defence and public sector workloads, there are regulations that state that data has to stay in the UK,” he said. “Having those two Azure regions locally means we can say that this data will never leave the UK and will be governed by all UK regulations and laws.”
The company also has documentation on its website, dating back to 2018, for users of the G-Cloud public sector procurement framework, assuring them that its services are hosted in UK datacentres for use by UK government customers.
Despite those statements, Sayers said Microsoft has never actually given assurances that data stored in its systems would remain in the UK.
“People just chose to read it that way,” he said. “All Microsoft has done is make sure that data is stored at rest in a specific geography, and even then that guarantee is limited to certain services.”
He continued: “In this regard, I have some sympathy for Microsoft, [because] its users might not have read the terms of service well or done much due diligence before signing up to use its services. If they had, all of this would have come into the public domain much sooner.” All the SPA did was ask Microsoft to confirm what the terms of service for its cloud products meant in practice, he continued. “Microsoft didn’t dodge the question, and it turns out that Police Scotland was just the first to ask it.”
Computer Weekly asked Microsoft if any government departments had ever approached it for assurances about the sovereignty of data stored and processed in M365, but the company did not respond to the question.
The UK government’s public sector cloud guidance, jointly published in November 2023 by the Cabinet Office’s technology arm, the Central Digital and Data Office (CDDO), and the Government Commercial Function, states that it is up to government departments to decide where their cloud data should be hosted, and that ultimately it is their responsibility to ensure providers meet their requirements.
“There is no government policy that directly prevents departments from storing cloud-based data in a specific country. However, you need to consider the implications of where you host your data,” the document says.
“It is the responsibility of departments to make risk-based decisions about the use of cloud providers for the storage of government data.”
To complicate matters further, while a department might assume its data is hosted in the UK, some parts of the public sector allow their cloud engineers to choose where data is hosted for cost-cutting reasons, Stewart said.
“In a setup like that, it’s conceivable that a decision is made to place data overseas based on economic considerations without thinking about the regulatory implications of that or the contractual implications, because a cloud engineer is really miles away from that, unless they have a procurement professional on their shoulder, which doesn’t happen nine times out of ten,” she said.
As an example, she cited NHS England’s Cloud Centre of Excellence financial operations (FinOps) guidelines, which are publicly available.
These state that cloud purchasing decisions are made by the organisation’s engineers, who are responsible for delivering the services, which the document describes as a “shift away from the traditional model of centralised procurement and approvals”.
This suggests, she added, that “once your business has been deployed in the cloud, you’re at the mercy of cloud engineers, because they’re the ones who make the decisions about where the data will necessarily be hosted”.
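The risk Stewart describes, an engineer placing resources in a cheaper overseas region without anyone checking the regulatory or contractual position, is one that a department can at least constrain technically at the subscription level. The Azure Policy definition below is an added example written for this page, not from the article, from NHS England or from Microsoft; it denies creation of any Azure resource outside the UK South and UK West regions. The display name, description and parameter name are my own choices, and the set of allowed regions is an assumption a department would set to match its own requirements.

```json
{
  "properties": {
    "displayName": "Restrict resource locations to UK regions (added example)",
    "mode": "Indexed",
    "description": "Added example for this page, not Microsoft's or NHS England's own policy. Denies deployment of resources outside the allowed UK regions; 'global' resources are exempt because they have no single region.",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Azure regions in which resources may be created (assumed set: UK South and UK West)",
          "strongType": "location"
        },
        "defaultValue": ["uksouth", "ukwest"]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "location", "notIn": "[parameters('allowedLocations')]" },
          { "field": "location", "notEquals": "global" },
          { "field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Two caveats a practitioner should keep in mind. First, the definition does nothing until it is assigned at a management group or subscription scope, and it governs only where Azure Resource Manager resources are created; resource groups need the separate built-in “Allowed locations for resource groups” policy, and existing resources deployed before the assignment are reported as non-compliant rather than moved. A quick inventory of what is already outside the UK can be pulled with Azure Resource Graph, for example `az graph query -q "Resources | where location !in~ ('uksouth','ukwest','global') | project name, type, location"`. Second, and this is the point the article is making, a location policy says nothing about what a service does with data internally (support access, telemetry, cross-region replication of global services) and nothing at all about M365, which is a SaaS tenant rather than a set of subscription resources; those residency questions can only be answered from the provider’s terms of service, exactly as the SPA did.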
Microsoft’s data sovereignty disclosure also puts under scrutiny the government’s promotion of M365 as a “productivity standard”, given that nearly every department uses the suite.
The only exceptions are the Department for Culture, Media and Sport (DCMS), which relies on the competing Google Workspace offering, and the Cabinet Office, which is in the midst of a multi-year migration to M365.
Discussing the migration at a TechUK Cabinet Office market engagement event on 21 April 2023, the department’s head of data and information, Mike Hill, said that M365 is the “productivity standard” set out by the Central Digital and Data Office (CDDO).
“There are only two government departments, ourselves [the Cabinet Office] and DCMS, that remain on Google,” he said. “So what we must do is align ourselves with the government standard, facilitate interoperability, share information and be more productive as departments... [and] be much more agile by adopting the standard set by CDDO.”
There is no formal mandate for departments to use M365, but what does exist, a government source told Computer Weekly, is a preference within Whitehall for departments to use the same tools wherever possible.
“There is a push to create a better-connected interdepartmental communication and data sharing infrastructure,” the source said. On this point, Computer Weekly understands that DCMS, a long-time Google Workspace user, added Microsoft Teams to the range of communication tools it uses in 2023.
“Officials move from one department to another, and this increased connectivity should make the IT support for this process more manageable, in addition to facilitating the sharing of data between departments,” the source added.
According to Rob Anderson, principal analyst and head of public sector coverage at IT market watcher GlobalData, having all departments use the same productivity software makes sense from a collaboration and consistency standpoint, but it can have financial drawbacks.
“In the last two or three years, we’ve seen an increase in government spending with Microsoft [in general], and most of that spending goes through third-party resellers. The amount of money spent directly with Microsoft doesn’t seem like much, but when you factor in [resellers], it’s significant,” he said.
As an example, Anderson cited a deal disclosed in April 2023, in which the Department for Work and Pensions (DWP) signed a five-year, £250m deal with Microsoft reseller Softcat.
It followed a three-year, £70.8m deal between the two parties, which ran until March 2023, meaning the amount DWP spends on Microsoft products each year has more than doubled.
“When you look at the number of DWP employees, that equates to around £600 per user per year, which is ridiculous for a suite of productivity tools,” Anderson said.
In 2013, Anderson worked briefly in the Cabinet Office as a Crown Representative, whose role was to track the amount spent on technology contracts, including Microsoft’s.
“When I held this Crown Representative position 10 or 11 years ago, we were concerned if more than £100 per user per year [was spent] with Microsoft,” he said.
Other notable deals include a three-year Microsoft Azure deal with HM Revenue & Customs (HMRC).
“This is in addition to the five-year deal with another reseller, Bytes, which last year granted an [M365] licence valued at £166.3m, which equates to £500 per user per year,” he said. In total, since April 2021, HMRC has committed to spending £265m on Microsoft products and services.
There has also been a notable increase in the number of contracts awarded across the wider public sector that mention Microsoft, he added.
“[It’s] grown significantly over the last three years: totalling £1.44bn in 2023/24, up from £1.26bn in 2022/23 and just £562m in 2021/22,” he said. “Only £169m in those three fiscal years went to Microsoft directly [rather than its resellers], or 7% of total spending over that period.”
Given the push to standardise on M365 in central government, Microsoft’s dominance in the public sector is poised to grow. “In the absence of genuine competition, and with Google phased out of the equation, Microsoft will most likely hold all the cards.”
This could mean that more government data is at risk of being processed overseas, Sayers said. “Now we have to assume that all M365 data travels around the world by default, which is politically [...] for the UK government. This effectively means that we have offshored all of UK government IT.”
This comes at a time when growing geopolitical instability around the world is prompting the governments of other countries to redouble their sovereignty efforts, to ensure their citizens’ data remains in-country for privacy reasons, Stewart said.
“True data sovereignty is a very important thing in other parts of the world, yet we happily hand all our data over to non-sovereign entities, believing what they say about [sovereignty], when in fact we don’t know what’s going to happen. Nobody cares about this in the UK, least of all our own government.”
Computer Weekly asked the Cabinet Office for its reaction to Microsoft’s revelations that it cannot guarantee M365 data sovereignty, but the department did not directly respond to the question.
The department was also asked if it had ever sought assurances from Microsoft that all government data held in M365 would remain in the UK at all times, but did not give a direct response to this query either.
As Microsoft’s revelations become public, Sayers said public sector buyers need to be aware that the sovereignty claims and guarantees made by other public cloud providers may not be what they seem either.
“The issues here are with Microsoft, but the problem is probably not limited to them. Most hyperscale public cloud users don’t realise this, but all of the hyperscalers’ core terms of service allow the cloud provider, at its sole discretion, to move your data anywhere within its global estate without asking for express permission,” he said.
“The degree to which they disclose to the customer where the data is sent varies. Google is pretty transparent, while Amazon Web Services and Microsoft are a bit more opaque, but they all have this common issue to some extent.”