France reports that Microsoft's Office 365 offering on Azure does not meet the requirements of the state cloud doctrine. All the details
On September 15, 2021, Interministerial Director of Digital Nadi Bou Hanna issued a press release to ministries informing them that Microsoft's Office 365 offering on Azure Cloud did not meet the requirements of the state's French cloud doctrine (Cloud at the Center), and in particular its R9 rule.
It provides that the processing of sensitive data must be possible only by qualified hosting providers and also immune to any extraterritorial law (cloud Act, FISAA, etc.). Following this press release, French administrations should no longer use the Microsoft-hosted service.
In response to this press release, eight French players have come together to offer a group of alternative solutions to Office 3655. Atolia, Jalios, Jamespot, Netframe, Talkspirit, Twake, Whaller and WIMI which have 3 million users and a sovereign offering 100% hosted by European players. The collective mentions that all of these solutions are suitable for integration into SecNumCloud certified infrastructures.
The National Information Systems Agency (ANSSI) has been offering a security visa called SecNumCloud since 2016. This brand is intended for cloud service providers (IaaS, PaaS and SaaS) who wish to provide guarantees on the quality of the service provided and the level of trust that can be placed in them. It is also a strong marketing asset because the SecNumCloud brand is widely recognized in France and attests to a state-of-the-art security level certified by ANSSI. This mark is awarded to suppliers who meet all security requirements defined by ANSSI and have been subject to a compliance assessment by an approved organization. The SecNumCloud label therefore allows customers to be confident in the security implemented in the cloud offering to which they subscribe. At the 2021 cybersecurity conference, ANSSI released a new version of SecNumCloud. This new version provides immunity criteria against non-EU laws, especially American ones.
The ban on using Microsoft-hosted Office 365 in French administrations therefore questions the legitimacy of hosting health data from the Health Data Hub (HDH) in Microsoft infrastructures that are not SecNumCloud certified and subject to US law. The HDH, created in 2019, is a project to bring together the health data of over 67 million people and aims to promote the development of artificial intelligence in the health field by providing data to the different poles of medical research. Microsoft was selected to host this data, most notably with its “Health Data Hosts” (HDS) certification. This choice was strongly criticized because the United States has legislative instruments (FISAA, cloud Act) that could undermine the confidentiality of data hosted by cloud providers subject to US law, even if they are located in data centers on European territory. In order to regulate the transfers of personal data to the United States, in 2016 an agreement, called "Privacy Shield", was formalized with Europe.
The "Privacy Shield" has provided guarantees on the protection of the personal data of European citizens stored and processed by companies based in the United States. The "Privacy Shield" has therefore made it possible, in theory, to protect personal data stored in Microsoft Office 365 infrastructures, for example.
However, on July 16, 2020, the Court of Justice of the European Union invalidated the "Privacy Shield", deeming it to be non-compliant with the General Data Protection Regulation (GDPR) and thus making it illegal to transfer personal data to the United States in the absence of measures. additional. Following the invalidation of the “Privacy Shield” and for fear of transferring health data to the United States, associations and unions have appealed to the Council of State to request an emergency suspension of the HDH platform. On October 14, 2021, the Council of State indicated that no personal data hosted in Microsoft's data center could be transferred outside the European Union under the agreement with Microsoft. However, the judge showed that it was not excluded that the American authorities, as part of monitoring and intelligence programs, could ask Microsoft and its Irish subsidiary for access to certain data.
To address this issue in the short term, the State Council asked the CNIL to work with Microsoft to strengthen security measures related to HDH. However, he felt that the identified risk did not justify a short-term discontinuation of HDH. Regarding the future of HDH, the Minister of Health mentioned in November 2020 the desire to find a "new technical solution" to protect HH from "possible illegal disclosure to the American authorities (…) within as much time as possible. between 12 and 18 months and, in any case, not exceeding two years ". The aim is to give French and European actors time to be ready to host HDH.
Notably, the United States has two legislative weapons that allow federal authorities to access customer data of cloud service providers.
The first, the Cloud Act, allows US courts to solicit an individual's personal communications from service providers operating in the United States without the individual being informed, neither the authorities of his country of residence nor those of the country in which these data are archived. The Cloud Act also applies to foreign companies active on American soil.
The second, called FISAA (FISA Amendments Act), is an amendment to the Foreign Intelligence Surveillance Act of 1978 that describes physical and electronic surveillance procedures and allows for the collection of information on foreign powers. FISAA allows for bulk monitoring and extends to all data in the cloud. The goal, in particular of the NSA (National Security Agency), is to have the opportunity to intercept, decrypt, copy, analyze and archive all global communications that pass through by satellites, cables … It was in particular this law which authorized the use of surveillance tools used by the NSA and the FBI as part of the PRISM project revealed by Edward Snowden in 2013.
These two laws then allow federal authorities to force American cloud players to provide data on demand, even on servers located in Europe and without informing targeted individuals or organizations. Hence the Gaia-X project which is a German-French initiative launched in June 2020 which aims to offer a European response to the rise of GAM (Google, Amazon, Microsoft) and Alibaba cloud (Chinese cloud provider) through the sharing of technological and industrial data among its members. The idea is not to create a single company, but rather to rely on the principle of decentralization to create a 'European data infrastructure'. For example, for autonomous research activities, Gaia-X could provide a very high volume of data thanks to all its active members in this segment. However, the Gaia-X project was recently criticized when new members of Google, Microsoft, Amazon, Alibaba, Palantir, Huawei… appeared within the association. For advocates of digital sovereignty, the support of these members contradicts the project's initial goal and discredits the goals pursued.
For its part, Gaia-X replies that it was never about creating a sovereign and secure cloud and data ecosystem supported by 100% European players, but about inviting American and Chinese suppliers to the table to collaborate.
This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/microsoft-office-365-cloud/ on Tue, 23 Nov 2021 06:27:43 +0000.