UK government’s M365 exhaust below scrutiny after Microsoft’s ‘no guarantee of sovereignty’ disclosure

The dominant assign that Microsoft has on government IT is coming below shut scrutiny, following the machine huge’s disclosure it will not be going to be sure the sovereignty of UK policing info hosted within its hyperscale cloud infrastructure.

As exclusively printed by Laptop Weekly on 19 June, Microsoft has told Scottish policing our bodies it will not be going to guarantee that info hosted in its Microsoft 365 (M365) and Azure platforms will stay within the UK.

The disclosure parts in a series of freedom of info (FOI) responses from the Scottish Police Authority (SPA) to questions raised by just security consultant Owen Sayers about the authority’s exhaust of Microsoft’s cloud products and services.

Regarded as one of many responses, considered by Laptop Weekly, sees Sayers build a query to the SPA for a list of “any Microsoft cloud products and services identified as now not working fully in some unspecified time in the future of the UK” or that require the arena transfer of buyer info.

In its response, the SPA acknowledged: “Microsoft occupy told that they are able to’t guarantee info sovereignty for M365.”

Different info launched as fragment of the FOI disclosure unearths that info hosted in Microsoft’s cloud infrastructure is continuously transferred and processed out of the country, as smartly as acknowledgements from Microsoft that world info transfers are fragment and parcel of how its public cloud infrastructure works.

The importance of Microsoft’s disclosures is that the processing of personal info by legislation enforcement our bodies is dominated by the contents of Part 3 of the Knowledge Protection Act (DPA) 2018, which limits the exhaust of out of the country cloud suppliers by legislation enforcement entities until “acceptable safeguards” are in convey. 

And whereas the DPA 2018 Part 3 only applies to legislation enforcement our bodies, other public sector organisations operate below regulatory controls that question or require info to be 100% resident within the UK too, said Sayers.

“Till June 2023, the federal government classification diagram specifically prohibited the offshoring of info, and questions must now be asked as to how HM government’s exhaust of Microsoft cloud between 2014 and 2023 became once allowed to develop as it did when it largely contravened that policy,” said Sayers.

Laptop Weekly build this query to the Cabinet Place of industrial, but became once told the department is limited on what it would possibly per chance per chance most likely most likely disclose as we mumble due to the the upcoming Long-established Election. 

The importance of the length of time proposed by Sayers is that 2014 became once the 300 and sixty five days when the Cabinet Place of industrial sought to streamline the federal government’s seven-tier Commerce Influence Ranges (BIL) info classification machine, feeble by departments to assess the sensitivity of the guidelines they handled.

The course of resulted within the introduction of the three-tier Government Classification Scheme (GCS) and the introduction of a fresh naming conference whereby government info is now categorized as being both Legit, Secret or High Secret.

“The policy issued then and up so far in 2018 didn’t factual replace the names, it also contained some stammer provisions about the exhaust of cloud,” said Sayers. “Regarded as any such provisions became once that for info categorized as being above the former BIL threshold of BIL 2xx, the cloud info superhighway hosting it needed to be licensed and located within the UK.”

As well to this, Sayers said: “Many government and non-public sector organisations can occupy a threat statement in their corporate threat register or Knowledge Protection Influence Evaluation [DPIA] that displays Microsoft’s exhaust of UK datacentres [to] be particular personal info doesn’t fade the UK and, as such, is sovereign,” he said. 

“These clarifications from Microsoft demonstrate that this potentially isn’t most life like most likely for a entire lot of processing exhaust cases, and – as a consequence – these organisations must seek for at how that adjustments every their threat profile and whether or now not belief in Microsoft’s info residency guarantees has, if truth be told, been misplaced.”

Laptop Weekly asked Microsoft if it would possibly per chance per chance most likely also guarantee the sovereignty of more than a few forms of public sector info hosted on its hyperscale cloud platform, but the company did indirectly solution the question.

Revisions to the public cloud-first policy

Per Sayers, the Microsoft disclosures also call into question whether or now not the UK government’s prolonged-standing public cloud-first policy remains match for operate.

The policy, launched in January 2017, mandates that every particular person central government departments must get a public cloud-first capability to fresh abilities procurements. The leisure of the public sector is now not mandated to practice this advice, but is strongly impressed to enact so.

Now it’s been confirmed that one in every of HM government’s greatest [public cloud] partners – Microsoft – is offshoring worthy of the UK’s info, the next government desires to judge if the present cloud-first formula remains sound
Owen Sayers, just security consultant

“Now it’s been confirmed that one in every of HM government’s greatest [public cloud] partners – Microsoft – is offshoring worthy of the UK’s info, the next government, whatever its invent-up, desires to judge if the present cloud-first formula remains sound,” said Sayers. 

The policy is credited with accelerating the crawl of cloud adoption in central government, and is identified to be kept below extraordinary review by the Cabinet Place of industrial.

The policy’s emergence in 2017 became once accompanied by guidance from the Government Digital Carrier (GDS) across the same time that acknowledged public cloud is safe to make exhaust of for the overwhelming majority of public sector workloads.

Its e-newsletter got right here several months after Microsoft opened its first UK datacentre convey in September 2016, with the former Microsoft corporate vice-president of Place of industrial 365, Ron Markezich, pitching the inaugurate because the acknowledge to the incontrovertible fact that “some customers need info located and kept within the UK”.

Nicky Stewart, former ICT chief at the Cabinet Place of industrial, told Laptop Weekly many public sector IT consumers would possibly per chance most likely occupy purchased Microsoft products and services “on blind belief” and presumed that, because the company operates UK datacentres, their M365 info would occupy remained in-nation.

“You’ve purchased Microsoft touting what they picture as sovereign cloud, but what enact they point out by sovereign…because if truth be told sovereign info would now not be offshored below any conditions – and indubitably wouldn’t be arena to any third nation jurisdiction, which is consistently going to be the case when one thing is hosted in Microsoft or one other US-primarily primarily based cloud,” she said. “Is sovereignty factual presumed because the guidelines is being kept within the UK?”

It’s far now not advanced to glance why any such presumption would possibly per chance most likely well need been made by public sector IT consumers.

When the Microsoft UK datacentre model notion became once first launched in November 2015, former UK government chief abilities officer Liam Maxwell said the guidelines would occupy “sizable implications for enterprise, local government and for a entire lot of of these that occupy consistently learned the arena of info sovereignty and info spot to be troubling”, in some unspecified time in the future of a press Q&A Laptop Weekly attended. 

In an interview with the BBC, Microsoft’s former cloud endeavor neighborhood chief, Scott Guthrie, said opening UK datacentres would take care of the guidelines sovereignty concerns of privacy watchdogs and regulators.

“For some things – admire healthcare, nationwide defence and public sector workloads – there’s a unfold of laws that claims the guidelines has to halt within the UK,” he said. “Having these two local Azure regions blueprint we are able to claim this info couldn’t ever fade the UK, and will be dominated by the overall laws and laws.”

The company also has safe documentation hosted on its online web grunt, dating abet to 2018, geared in direction of users of the public sector G-Cloud procurement framework that assures them its products and services are hosted within UK datacentres to be utilized by UK government customers.

A misinterpretation of guidance?

With out reference to those statements, Sayers said Microsoft has never given assurances that any info kept on its techniques would consistently halt within the UK.

“Folks factual selected to be taught it in that formula,” he said. “All Microsoft has ever done is guarantee that info would possibly per chance most likely well be kept at leisure in a particular geography, and even then that guarantee is limited to particular products and services.”

He continued: “In that regard, I occupy some restricted sympathy for Microsoft, [because] users of its products and services most likely haven’t be taught the phrases of service smartly or performed worthy within the blueprint of due diligence earlier than signing up to make exhaust of its products and services. If they’d done so, all this would occupy advance into the public domain worthy sooner.”


Your total SPA did became once build a query to Microsoft to substantiate what the phrases of service for its cloud merchandise supposed in practice, he continued. “Microsoft didn’t duck the question – and it appears to be like to be to be like very worthy admire the Scottish Police Authority had been factual the principle to construct a query to it.”     

Laptop Weekly asked Microsoft if any government departments had ever contacted it at once for assurances about the sovereignty of info kept and processed within M365, but the company did now not acknowledge to the question.

The UK government’s Cloud guide for the public sector document, which became once jointly published in November 2023 by the Cabinet Place of industrial’s abilities arm, the Central Digital and Knowledge Place of industrial (CCDO) and the Government Industrial Feature, states that it is down to departments to get where their cloud info desires to be hosted and, briefly, their duty to be particular suppliers meet their requirements.

“There’s now not any government policy which at once prevents departments or products and services from storing cloud-primarily primarily based info in any stammer nation. Then all once more, or now not it is well-known to judge the implications of where you host your info,” the document acknowledged.

“It’s the duty of every government department to get threat-primarily primarily based choices about their exhaust of cloud suppliers for the storage of government info.” 

User-centred duty for sovereignty

Something that complicates the image additional is that whereas a department would possibly per chance most likely well recall their info is hosted within the UK, some parts of the public sector allow their cloud engineers to call the shots on where info is hosted for price-reducing causes, said Stewart. 

“In a setup admire that, it’s feasible that a desire will be made to construct info offshore in conserving with economics without excited by the regulatory implications of that or the implications of the contract, because a cloud engineer is effectively sitting miles away from the cloud contract – until they’ve purchased a procurement real putting over their shoulders, which nine cases out of 10 they gained’t,” she said.

Shall we embrace of this, she pointed to the publicly referenceable NHS England Cloud Centre of Excellence monetary operations (FinOps) guidance.

This states cloud shopping choices are made by the organisation’s engineers, who are guilty for provisioning products and services, which it describes as a “shift of responsibilities away from the conventional central procurement and approvals model”.

This implies, she added: “Once your enterprise has been deployed within the cloud, you’re at the mercy of cloud engineers because they’re the ones making the selections about if truth be told where info is going to be hosted.”

Central government’s exhaust of M365

The Microsoft info sovereignty disclosure also puts the federal government’s championing of M365 because the “same old for productiveness” below scrutiny, given that on the subject of every department uses the suite.

The one exceptions to this are the Department for Tradition, Media and Sport (DCMS), which relies on rival offering Google Workspace, and the Cabinet Place of industrial – although the latter is within the midst of a multiyear migration to M365.

Discussing the deployment at a TechUK Cabinet Place of industrial market engagement event on 21 April 2023, the department’s chief info and info officer, Mike Hill, said M365 is the “government same old for productiveness” – as defined by the Central Digital and Knowledge Place of industrial (CDDO).

“There are only two departments within government – ourselves [the Cabinet Office] and DCMS – who stay on Google,” he said. “So what we’re having a glimpse to enact is align to the federal government same old, to invent it more uncomplicated to interoperate, to section info, and to be extra productive as departments…[and] to be worthy extra simplified by adopting the frequent convey by the CDDO.”

There’s now not any formal mandate mentioning that government departments must exhaust M365, but what there would possibly per chance be – a government source told Laptop Weekly – is a desire within Whitehall for departments to make exhaust of the same tools wherever most likely.

“There is a pressure to have an effect on a greater related, department-to-department, collaborative info-sharing and verbal replace infrastructure,” the source said. On this point, Laptop Weekly is aware that prolonged-time Google Workspace client DCMS added Microsoft Groups to the differ of communications tools it uses in 2023.

“Civil servants customarily swap between departments, and this elevated connectivity must invent the IT make stronger for that course of extra manageable, as smartly as reduction info sharing between departments,” the source added.

Having every department working the same productiveness machine sounds gleaming from a collaboration and consistency viewpoint, said Capture Anderson, chief analyst and service director, overlaying the public sector, at IT market watcher GlobalData, but there’ll be monetary drawbacks.

“Over the final two to three years, we’ve considered an lengthen in government spending with Microsoft [overall], with most of that spending going thru third-occasion resellers. The quantity of money spent at once with Microsoft does now not seem that worthy, but whereas you get into narrative [the resellers], it is well-known,” he said.

Shall we embrace, Anderson pointed to a contract that got right here to light in April 2023, which noticed the Department for Work and Pensions (DWP) signal a five-300 and sixty five days deal charge £250m with Microsoft thru third-occasion reseller Softcat.

Here’s a practice-on to a three-300 and sixty five days contract charge £70.8m between the pair, which ran till March 2023, which blueprint the sum of money DWP spends on Microsoft merchandise every 300 and sixty five days has greater than doubled.

“Need to you seek for at the need of staff DWP has, it works out at about £600 a 300 and sixty five days per client, which for a assortment of productiveness tools sounds ridiculous,” said Anderson.

In 2013, Anderson labored for a rapid time within the Cabinet Place of industrial as a Crown Representative, whose work alive to tracking the amount spent on tech contracts, including Microsoft deployments.

“When I became once working in that Crown Fetch role 10 or 11 years within the past, we had been concerned if greater than £100 per employee per 300 and sixty five days [was spent] on Microsoft,” he said.

Different principal offers encompass the three-300 and sixty five days Microsoft Azure provisioning contract HM Earnings & Customs (HMRC) awarded to Softcat for £81.5m in June 2024, said Anderson.

“Here is as smartly as to the five-300 and sixty five days contract with one other reseller called Bytes that became once awarded final 300 and sixty five days for [M365] licensing charge £166.3m, which is same to £500 per client per 300 and sixty five days,” he said. “In entire, since April 2021, HMRC has committed to £265m of exhaust on Microsoft merchandise and products and services.”

There has also been a noticeable uptick within the need of contract awards within the broader public sector mentioning Microsoft, he added.

“[It’s] elevated dramatically over the final three years – totalling £1.44bn in 2023/24, rising from £1.26bn in 2022/23 and factual £562m in 2021/22,” he said. “Honest correct £169m across these three fiscal years became once remark to Microsoft [rather than to its resellers] – 7% by price of the total exhaust over the final four years.”

It desires to be assumed now that every particular person M365 info does run internationally by default, which is politically deplorable for the UK government. This mainly blueprint we’ve offshored your total of UK government IT
Owen Sayers, just security consultant

Given the frenzy to standardise on M365 within central government, Microsoft’s public sector dominance is poised to lengthen. “With none most life like most likely competition, and by steadily eradicating Google from the equation, the probability is Microsoft will assign the total cards.”

This can also potentially point out extra government info is exposed to the threat of being processed out of the country, said Sayers. “It desires to be assumed now that every particular person M365 info does run internationally by default, which is politically deplorable for the UK government. This mainly blueprint we’ve offshored your total of UK government IT.”

This comes at a time when rising geopolitical instability across the arena is prompting governments in other international locations to double down on sovereignty to be particular their voters’ info remains in-nation for privacy causes, said Stewart.

“Correct info sovereignty is popping into a extremely sizable thing in other parts of the arena, but we factual fortunately push all our info into non-sovereign entities, believing what they are saying about [sovereignty], when if truth be told we don’t know what is going to occur to our info,” she told Laptop Weekly. “Nobody appears to be like to be to be proudly owning or caring about this within the UK, now not least of all our possess government.”

Laptop Weekly requested an announcement from the UK Cabinet Place of industrial in conserving with Microsoft’s disclosures about being unable to be sure the sovereignty of M365 info, but the department did indirectly solution the question.

The department became once also asked if it had ever sought assurances from Microsoft that any government info that resides in M365 will stay within the UK at all cases, but – all once more – no remark response to this query became once coming near near.

Next steps for public sector IT consumers

With the Microsoft disclosures now out within the inaugurate, Sayers said public sector consumers deserve to undergo in mind that the sovereignty claims and assurances made by other public cloud suppliers would possibly per chance most likely well also now not be moderately what they seem.

“The components right here stammer to Microsoft – but the arena would possibly per chance most likely now not be restricted only to them. Most users of hyperscaler public cloud products and services enact now not realise this, but the total main hyperscaler phrases of service allow the cloud supplier – at their sole discretion – to dart your info wherever within their world products and services without asking for stammer permission,” he said.

“The extent to which they present to the buyer where info is disbursed varies. Google is somewhat transparent, even as Amazon Internet Companies and products and Microsoft are considerably extra opaque, but all of them occupy this frequent arena to about a stage.”

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button