Microsoft launches nebulous Cloud for Sovereignty

In a blog post published on May 18, 2022, Brad Smith, President of Microsoft, announced a series of measures to comply with legal constraints and demands from European cloud customers and providers.

In addition to the outstretched hand to European cloud providers, the Redmond firm had presented principles adapted to the demands of European companies and governments.

Two months and a day later, on July 19, the provider announced Cloud for Sovereignty, an offer supposedly in line with this speech.

What is Microsoft Cloud for Sovereignty?

This solution for public service worldwide should include Microsoft 365, Dynamics 365 and Azure services. The provider claims that it will rely on its existing infrastructure, the expertise of its local entities and partners, including Capgemini and Orange, as well as a set of security and privacy mechanisms.

To establish this so-called sovereign offer, Microsoft once again takes up the argument of data residency. “The foundation of Microsoft Cloud for Sovereignty will rest on our regional Azure data centers,” writes Corey Sanders, Microsoft corporate vice president for Industry and Global Expansion Team. Azure spans 60 data centers in 35 countries.

This residentiality will be combined with existing control methods and others under development.

For example, Microsoft presented the future Sovereign Landing Zone, derived from the Azure Landing Zone. These are architectural principles for defining compliance and security rules using Infrastructure as Code and Policy as Code.

For his part, Corey Sanders recalls the availability by the end of the year of the EU Data Boundary program. It must ensure that the data and related processing remain within the European Union, even for support purposes. This does not mean that maintenance operations will necessarily be carried out from the European Economic Area (EEA).

“We will rely on technologies such as VDI (Virtual Desktop Infrastructure)”, write the authors of a progress report on the implementation of EU Data Boundary, published on December 16, 2021.

“VDI eliminates the need to transfer or store physical data outside the EU border, allowing us to deploy the best support and engineering resources possible for our customers inside the EU at all times. the EU border.

This controlled access to corporate data is also at the heart of the “Customer Lockbox” offers for Microsoft 365, Azure, Power Platform and “and soon for Dynamics 365”. These lockboxes should ensure that Microsoft only accesses customer data for maintenance purposes with their explicit consent.

More encryption and confidential computing

Microsoft’s other key argument in favor of its Cloud for Sovereignty offer is that it is very popular among cloud providers. “We will provide customers with additional layers to protect and encrypt sensitive data,” promises Corey Sanders.

The manager mentions in particular the double key encryption system (DKE) attached to the Microsoft 365 E5 license. The service is designed to protect documents produced with the desktop versions of Word, Excel and PowerPoint. With DKE, one of the keys is administered by Microsoft, the other by the customer in the location of his choice. This should prevent the provider from decrypting the files, even once transferred to OneDrive or Sharepoint. For the most sensitive uses, the supplier still recommends opting for an HSM from Entrust or Thales, in a BYOK (Bring Your Own Key) mode.

Microsoft also relies on confidential computing. Here, it is no longer just a question of protecting data at rest and in transit, but in full processing. The publisher can apply this technique to virtual machines, containers and Azure SQL.

The manipulated data then resides in Trusted Execution Environments (TEEs), which are most often based on TPMs (Trusted Platform Modules), isolated areas within AMD and Intel processors.

“Customer-owned encryption keys are confidentially and securely released directly from a managed hardware security module (HSM) in the TEEs running the customer’s encrypted data,” explains Corey Sanders. ” [Cela] protects data and keys against many security and operator access risks”.

BYOK Debate

Managed HSMs, although managed by Microsoft, are said to be single-tenant. Even if they are owned and maintained by the cloud giant, an access management mechanism (RBAC) must allow a customer to have full control, Azure’s documentation promises. Again, BYOK is an option.

Administering your own keys and transferring them to the cloud is a practice promoted by some cloud providers, including Microsoft, and their HSM manufacturing partners or KMS publishers.

However, the subject is debated. In a blog post published on April 10, 2021, Barbara Vieira, Senior Security Engineer at AWS – then Principal Security Engineer at TomTom – insists that “BYOK is not a way to solve the problem of key control in regarding compliance requirements or the issue of key control in SaaS solutions”.

Barbara Vieira specifically mentions the use of KMS (Key Management System), which only offer software encryption. But in view of the recommendations of the European Data Protection Board (EDPB) after the invalidation of the Privacy Shield, “use an HSM, a KMS or BYOK delegating the storage, control or use of the key to the sub- processing outside the EEA is not a sufficient additional measure” to protect the data against their transfer to the United States, according to the analysis of the French publisher Seald.

Azure Arc, for the most sensitive uses

In this sense, to contain data processing to local environments, Microsoft recommends the use of Azure Arc. Arc lets you extend Azure management tools to on-premises, multicloud, and edge resources as long as they’re running on Windows, Linux, or Kubernetes. Customers can use certified Stacks systems manufactured by third-party OEMs.

Here, on-premises instances are connected to Azure through two modes: direct or indirect. Indirect connect mode should “send a minimal amount of data to Azure for inventory and billing purposes only,” according to Microsoft’s documentation.

A private link via Azure Private Link has recently become available to manage Windows and Linux servers “without sending network traffic over the public internet”. This would prevent data exfiltration. In this case, the local network of a data center is connected to an Azure virtual network via a site-to-site VPN or via ExpressRoute.

The vendor does mention a “never connected” mode for Arc in which “no data can be sent to or from Azure”, but it is not currently supported.

Transparency that is also confidential

As this article proves, the publisher maintains particularly extensive documentation. In fact, most components of Cloud for Sovereignty are already available. But doubts remain on certain aspects. This is why the editor plans to extend its Government Security Program (GSP).

This program was designed to provide qualified government personnel “with the confidential security information they need to trust Microsoft products and services”, recalls Corey Sanders, during a virtual session of the Inspire event. “We plan to expand this program to the critical elements of our cloud offerings, starting with key Azure infrastructure components.”

” [Le programme] will provide controlled access to source code, exchange of threat and vulnerability information, engagement on technical content of Microsoft products and services, and access to Transparency Centers for in-depth levels of inspection and source code analysis. Additionally, we will offer customers enhanced audit rights to review processes, evidence, and physical access to Microsoft data centers under NDA. [accord de non-divulgation N.D.L.R.] “.

Cloud for Sovereignty causes confusion

This desire for transparency does not eliminate certain questions among the participants of the Inspire 2022 event. The most important of them being: “how to differentiate Microsoft Cloud for Sovereignty from offers like Bleu in France? “.

“We and our partners believe this is the model with which we can deliver the most long-term value to our customers rather than building hundreds of sovereign clouds all over the world.”

Nathan JohnsonPrincipal Program Manager, Microsoft

“Government Clouds or Blue are essentially completely separate clouds where we deploy a new instance of Azure,” said Nathan Johnson, Principal Program Manager at Microsoft.

Cloud for Sovereignty is not a cloud environment per se, but a combination of security and privacy best practices recommended by Microsoft and its partners to be applied depending on the type of workload in Azure.

“By analyzing data based on sensitivity and classification, you’ll be able to select the best approach for each cloud or edge workload,” says Nathan Johnson.

“Ultimately, we and our partners believe this is the model with which we can deliver the most long-term value to our customers, rather than building hundreds of sovereign clouds all over the world,” adds- he.

Or Bleu was created to respond to an essential issue for players in the French public sector: immunity from non-European legislation. According to the Cloud in the center doctrine, with some exceptions, the French Administration can no longer use an offer such as Cloud for Sovereignty. And, unequivocally, the Azure cloud remains subject to US extraterritorial laws, including the CLOUD Act, the Patriot Act and the FISA Act.

Leave a Comment