Microsoft has made Cloud for Sovereignty generally available. The new service is promising to allow governments to securely place their data in the cloud. Yet Microsoft personnel can access the data in specific scenarios. It’s part of the reason that the authenticity of this “sovereign cloud” seems dubious.
Going forward, all 60+ Azure regions support Cloud for Sovereignty. Microsoft emphasizes the usefulness the new service will have for governments. After all, these parties that have to face the most “complex and layered” regulatory landscape. The counterpart from AWS is European Sovereign Cloud, which, with only 32 regions, has a much less broadly deployable offering.
The interest from governments and highly regulated sectors can be easily explained. They may finally stand to benefit from the public cloud without the fear of losing control over their own data. At least, that’s the promise. Microsoft is boasting of policies that aim to help protect sensitive data entirely according to (inter)national regulations, including a new Sovereignty Policy Baseline. The Dutch Government Information Security Baseline (BIO) is also explicitly mentioned. It further suggests that every effort is being made to create a secure private environment in the Azure cloud.
CEO of email security provider Zivver Rick Goud already told us (on our Dutch language site) that the BIO regulation is “low-hanging fruit” when it comes to data privacy. However, he said there is a lack of practical application of how to ensure data privacy. More regulation will be needed to actually impose rigid rules. It seems some of Microsoft’s promises already fail to inspire much confidence. There’s also cause for concern elsewhere.
American authority over data can’t be swept away
Microsoft runs the Cloud for Sovereignty service itself, but would, according to Atea CEO Steinar Sonsteby, use a “technical mechanism” to lock down the data. No one outside the customer would actually be able to access it without approval. The Register pointed out back in the preview phase of the new cloud offering that such promises fail to overcome the clear fear that Microsoft can be compelled to provide access to the data for U.S. authorities. To make that concrete, we need some additional explanation.
We heard such an explanation recently from Guy Bartram, Director of Product Marketing, and Martin Hosken, Chief Technologist, Cloud, both working at VMware. That company (now owned by Broadcom) claims to hold a very narrow definition of data sovereignty. Bartram, for example, was unapologetic about the dilution of the “sovereign” terminology that Microsoft and AWS in particular have brought about. “The problem is that everyone has jumped on the terminology of sovereign cloud when there is no real definition. Now we have confusion in the market: hyperscalers claim to have sovereign services, so do their partners, and cloud vendors claim the same.”
Read more: VMware tells its competitors what a true sovereign cloud is
Indeed, the problem for parties like Microsoft and AWS is of a fundamental nature. The U.S. CLOUD Act requires them as U.S. entities to share data if such access is deemed necessary for national security. So despite all the promises that data-in-use is encrypted and policies are available to meet all compliance requirements, Microsoft can’t wiggle its way out of this problem. In other words, call it what you will, but a cloud service from an American company can never truly promise sovereignty in Europe.
Perhaps it can still let sensitive data communicate with the public cloud in a limited way. That, however, throws up old roadblocks that the new Cloud for Sovereignty was meant to avoid. France-based Atos, for example, made more concrete commitments about who had control over data when it launched Atos OneCloud Sovereign Shield in 2021. That still doesn’t negate the potential for sensitive data to fall under Microsoft’s control if you actually want to benefit from the public cloud fully.
Transparency logs
Notable in the Microsoft announcement of Cloud for Sovereignty is the passage about Transparency logs. In these, customers of the sovereign package can see when a Microsoft engineer has accessed their own environment. A common rationale for this would be a response to a support request, where an employee may need to take a look in person at the customer’s resources. However, nowhere is it explicitly stated that this needs to be the only reason for accessing the customer’s data, or that the Transparency logs must always report that resources have been accessed. Indeed, it only refers to “eligible customers,” which gives some wiggle room after the fact. What if a customer is under investigation by U.S. authorities? Does Microsoft then choose to make that customer ineligible for the Transparency log feature from now on? The tricky thing about this issue is that it has all yet to be subjected to a legal challenge. For now, doubts about data sovereignty remain.
We’re not lawyers, and neither is VMware’s Bartram. Still, he suggested a rule of thumb to provide a pre-emptive blow to Microsoft’s new offering. “The more you move toward public cloud, the less sovereign it is,” he said. Ultimately, Cloud for Sovereignty is simply an Azure product, spread across the same regions as the conventional public cloud.
1 day ago
