Companies in the public sector, as well as industries such as financial services and healthcare, have been hesitant to leverage the opportunities in the cloud. Their main concerns revolve around data security and compliance, but now Microsoft is introducing a solution that specifically addresses these concerns.
Cloud brings several advantages, such as innovation, agility, scalability, and lower costs. However, there are lingering questions regarding security and compliance. This has held back many European companies, especially in the public sector and highly regulated industries such as financial services and healthcare.
Microsoft has now introduced Microsoft Cloud for Sovereignty (MCfS), developed specifically to address these questions and ensure the secure use of Microsoft Azure cloud services.
There are three key issues that MCfS addresses:
1. Secure storage within EU borders
Data must generally be kept within the EU, and when transferred to other countries there are strict rules for use. This was one of the fundamental rationales for GDPR. However, in recent years, there have been over 100 official complaints where national authorities found that data had been transferred to American companies like Google and Facebook in violation of existing rules.
MCfS has established the “EU Data Boundary” with EU-based data centers and specific guidelines for when and how customer data may be transferred to entities outside the EU or EFTA. EU Data Boundary applies to Azure, Dynamics 365, Power Platform, and Microsoft 365.
2. Data can be transferred to third countries
The next concern has been the obligation of American cloud companies to surrender data to government agencies. The U.S. Cloud Act allows U.S. authorities to access national IT companies’ customer data, even when stored in the EU.
MCfS has therefore developed “Confidential Computing”, where EU companies’ data is encrypted on three levels using special hardware modules. This means that when encryption is enabled, no one other than the company itself can read this data, neither Microsoft operations personnel nor a third party authorised by law to access this data.
3. Customised national legislation
The third issue revolves around country-specific legislation that can challenge companies using the cloud. Microsoft has addressed this dilemma with “EU & Country Compliance Packs.” These are local management packages that adapt structure and policies to local legislation. If an EU country introduces new legislation, Microsoft can launch a local patch so that national companies continue to comply with the rules.
In practice, MCfS ensures compliance with these three issues through an extension to Microsoft’s Cloud Adoption Framework (CAF) in the form of an architecture reference for a Sovereign Landing Zone. It is a special version of the regular Azure Landing Zone with additional security measures and compliance policies.
In a Sovereign Landing Zone, it is not possible to build solutions that violate current rules, and dashboards and reports are included to prove the compliance of all solutions.
Explore the possibilities
It should also be emphasised that not all services are yet supported in a Sovereign Landing Zone. Currently, the main focus is on virtual machines and containers, as well as certain databases, but more services are on the way.
The scheme already addresses the most obvious concerns, but data protection in the EU is a highly complex matter. Ultimately, it depends on each company’s security conditions and risk appetite weighed against the benefits expected to be gained.
If you have sensitive data in the cloud or wish to do so, we recommend exploring the possibilities with MCfS. For many, it is expected to completely solve compliance problems or at least significantly improve compliance with the solutions they already have.
Devoteam, as a European consulting firm, is deeply involved in data security issues in the EU. We have in-depth knowledge of MCfS and have, among other things, met with Microsoft’s CEO Satya Nadella to discuss possibilities and perspectives.
We help you learn more about MCfS
If you want to know more about complete security in the cloud and the possibilities with MCfS, get in touch with us below:
