How Microsoft is luring European governments into the cloud


Edward Snowden’s revelations were almost eight years ago, but recently they returned to public awareness: at the end of May, several European media uncovered that the NSA had wiretapped European politicians, including Angela Merkel, with the help of the Danish secret service.

Such “spying on friends” explains why the federal government is skeptical of the cloud services of American providers. Its officials work and e-mail with Microsoft Office and Exchange – but the software runs in the federal data centers. Moving mails and documents to the servers of US companies, as has long been normal in business, has always been ruled out by Berlin, even if authorities occasionally use US services such as Cisco Webex.

Startled by Microsoft’s cloud strategy, Berlin proclaimed “digital sovereignty” as its goal two years ago and announced that it would test open source alternatives to Microsoft Office and Exchange. France likewise promoted its “souveraineté numérique”. The fear of becoming susceptible to blackmail also played a role: with its trade embargo against Huawei, the US government under Donald Trump and later also under Joe Biden had made it clear that it could cut off its opponents from US cloud services at any time by decree.

Meanwhile, however, Microsoft seems to have come up with a solution that Europeans like. At the end of May, the French government announced that it intends to use Microsoft’s cloud office suite Office 365 and the “Azure” platform with its more than 200 services in the future – but not from Microsoft data centers. Instead, the French companies Orange and Capgemini will operate the servers. Microsoft is content with the role of software supplier.

The new model ensures “immunity from all extraterritorial laws”, write Capgemini and Orange. What is meant is the Cloud Act, which obliges US corporations, if necessary, to hand over to the authorities in their home country customer data that is held by their subsidiaries around the world. Technically, too, the data centers would remain “strictly separated” from Microsoft’s global infrastructure, emphasize Capgemini and Orange. The French cybersecurity agency ANSSI has already given the project its blessing.

Employees at the T-Systems data center in Magdeburg: The Telekom subsidiary can imagine operating a “sovereign” Microsoft cloud for the federal government.

(Image: Telekom)

Microsoft has also proposed such a model to the federal government. “To ensure the applicability of German law, the ownership and operation of the sovereign cloud platform remain with an operating company”, says a confidential concept paper of the group, which is available to c’t. One or more German companies and the state itself could hold stakes in that company. Berlin could thus use Microsoft services, but control the servers itself.

There is a lot at stake in the negotiations between Microsoft and the federal government. The company’s cloud services could become the de facto public sector standard for decades. The number of users would be in the seven figures if federal, state and local authorities moved into the new cloud. For this, several redundantly designed data centers would have to be built from scratch. The costs would be in the three-digit millions.

On top of that, the decision would send a signal to other European countries. “Many are now looking to Germany and France. If solutions are found there, other countries could follow the example,” says Frederik Blachetta, partner at the strategy consultancy Strategy&, in an interview with c’t.

But how “sovereign” is the new Microsoft model really? What about data protection and independence in the event of diplomatic tension? The Federal Office for Information Security (BSI) is now supposed to examine this, and not just on paper, as its colleagues at the French ANSSI did. The federal government is also planning practical tests in a pilot data center.

Microsoft has agreed to enable such a “proof of concept” and wants to provide the necessary software and support free of charge. A possible financial risk would be “entirely with Microsoft,” writes the group in its paper.

What is certain is that Microsoft has taken another step towards the Europeans with its new model in terms of data protection. At the beginning of May the group had already announced a “data boundary” for its own data centers: data from EU customers is to be stored and processed in the EU as well. But if it comes to it, this does not protect the data against non-European laws such as the Cloud Act.

If Microsoft no longer operates the data centers itself, the level of protection is higher. US intelligence services would then have to get Microsoft to take part in the espionage, for example by installing back doors. The new concept therefore provides that the German operating company must authorize every Microsoft access. Updates are to be checked before they are installed. A source code inspection could also be useful, the BSI explained when asked.

Full control is likely to remain utopian, however, given the sheer number of updates and the volumes of data involved. But the federal government already has this problem today: after all, the Microsoft programs running in the federal data centers also receive updates.

In terms of availability, too, little would change compared to the status quo. Because Microsoft would not operate the servers itself, the company could not simply switch them off, but the US government could force it to stop supplying security updates. Depending on the threat situation, the cloud could then continue to run for a few days, weeks or months with acceptable risk, much as with the federal government’s own in-house Exchange servers currently in use.

With the new model, however, it also matters which German companies would be involved in the operating company. It is conceivable, for example, that the US government could exert pressure on their American subsidiaries.

The whole range of Microsoft cloud services for German authorities, hosted by a German operating company: that sounds like a perfect combination. The offer provides an opportunity to simplify the administration’s chaotic IT structures and to advance digitization. And the level of data protection would be similarly high – or low, depending on your point of view – as with the current infrastructure of proprietary Microsoft software in state-owned data centers. Because whether in-house or external, nobody can say for sure what is really in the software. Source code analyses do not change that much either.

However, the economic dependence on Microsoft would increase. The US group is not only moving its office services into the cloud, whose on-premises versions the administration already uses and for which there will be no practical alternative for the foreseeable future. On top of that comes the entire package of around 200 “Azure” services, from big data to container management and AI. If the authorities took this bundle with them, a later switch to the competition would be even more difficult. The MS cloud would be a highly integrated, comfortable, azure-blue cage.

Therefore, the Microsoft package should be kept as small as possible. The authorities should only book the Office 365 package – but work with open source alternatives for other applications and data storage.

The new cloud model should offer advantages in some aspects of IT security. At the moment, federal IT is fragmented: some authorities still operate their own data centers, and the move to state service providers such as the ITZ Bund is slow. The BSI therefore also sees opportunities in the cloud concept, such as “continuous, highly professional administration” and “centralized, highly automated patch management”. Vulnerabilities could potentially be remedied more quickly.

Compared to “Microsoft Cloud Germany” (MCD), the new approach is a further development. As part of the MCD, Microsoft has had its cloud services hosted by T-Systems for several years. However, telemetry data continues to flow to Redmond. In the new concept, according to the BSI, this data would remain in the national cloud.

Functionally, too, the new cloud would stand out from the MCD. The MCD was not well received by companies because Microsoft made new applications such as Teams available there late or not at all. Microsoft will therefore discontinue the offer in the fall. The envisaged “sovereign” cloud, on the other hand, is to remain functionally equal on a permanent basis – Microsoft promises an “evergreen” in its concept paper. Unlike the MCD, the new offer would probably not be available to companies.

In its paper, Microsoft is already confident that it will be able to meet all the requirements of the BSI. Should the security experts and the Federal Commissioner for Data Protection actually give the green light, it will ultimately be up to politicians to decide.

The pressure to accept Microsoft’s offer will be high because there is no equivalent alternative. The federal government speaks of a “multi-cloud strategy” and also wants to promote open source alternatives such as Dataport’s “Phoenix”. But even if it is seriously promoted, the open-source office and communication suite will only be ready for practical use in five to ten years.

And the pressure will continue to rise as Microsoft slowly but surely pushes its customers towards the cloud. Teams, for example, is only available as a cloud offering. On top of that, the coronavirus pandemic has shown how far the administration is lagging behind in digitization.

In any case, candidates for establishing a national operating company are already available. “Yes, we could imagine building and operating such a hyperscaler-based, sovereign cloud,” said Maximilian Ahrens, head of technology at T-Systems, in an interview with c’t. However, purely European solutions are just as important, he emphasized. The IT service provider Arvato Systems also confirmed a “fundamental interest” in building a potential “sovereign cloud” when asked.

In c’t 14/2021 we show you how you can surf without being bothered by cookies and trackers. c’t editor Mirko Dölle found out how Apple’s AirTags can be repurposed as a stalking kit. We have also upgraded the Raspi as a backup server, shed light on the technology and infrastructure behind card payments and explain what you should pay attention to now that UMTS has been switched off. You can find issue 14/2021 from June 18th in the Heise shop and at well-stocked newspaper kiosks.
