Posts by Secon

Re: You could do a lot with that

>For that kind of money, the govt could build its own distributed bit barns complete with its own private “cloud”, whilst creating jobs for the locals too

Back in 2009/10 that was exactly the plan.

At that point AWS and Microsoft were just teeny little offerings and Cabinet Office mostly used Google (and loved them).

G-Cloud then was an actual programme to BUILD a UK Gov Cloud; we knew how to do it, had all the security and assurance stuff worked out and were pretty much good to go.

Then someone in OGC decided we should 'just let the market decide'.

So shortly after we downgraded all our data classifications (cos none of the cloud platforms could meet any of the required standards) and the future of UK Sovereign Cloud was writ.

Could we build it now?

Probably - this used to be 'Definitely,' but nowadays too many folks have sold their technical skills to Microsoft for us to be 100% confident of ever doing anything else.

Bit if we wanted to I daresay enough folks still have the skills, and lots appear to be willing to engage in such a project.

Gov however will never go for it - our politicians and public sector CxO's think the future has to be MS or AWS coloured.

Re: Maybe repetition helps?

No.

CLOUD Act and other laws relate to communication service providers so desktop OS services are excluded from that scope.

Unless you use Co-Pilot, Teams, etc.

Re: Really?

"This is m$ salesmen(and women) going into government offices and selling m$ products to people who would not know a mouse from a keyboard(maybe I'm being a bit harsh here, but you get the idea)"

I'm not sure that's true - but if it was the problem woul dbe a whole lot easier to fix.

Actually we have a cadre of digitial leaders who have been brought up on Microsoft since they began using a PC.

Many of them only know that technology - they've never used anything else, and they only want to buy what they know and understand.

It doesn't matter if the product is the right fit - there's no due diligence being done here and absolutely no comparison - because the answer is Microsoft (and to them it always has been).

Coupled to that, we have procurement policies and approaches that don't aim for best fit or engage any big picture thinking.

They don't consider things like lock-in except in the most peripheral manner.

They certainly don't consider the implications of all HMG using a single provider platform operated from outside of the UK and subject to the vagaries and whims of foreign Governments.

Nor do they consider for one second why they are now operating a skewed playing field - requiring domestic providers to continue to adhere to personnel vetting and physical security standards that simply don't apply to Microsoft and their cloud operations.

They still think Cloud = Datacentre, and if the Microsoft UK datacentres have the required badges, then the global Microsoft cloud itself must also be OK??

They whiolly ignore that even on the openly published lists of processors Microsoft admit that they send this data to over a dozen countries (and have always been open in their documentation to Gov that they do so), whilst the G-Cloud copntract specifically requires the processing to be done inside the UK only.

Actually BTW the number of countries used by Microsoft where data uploaded to their online services may be routinely remotelty accessed from is closer to 100 than the 17 they list on their sub-processor document - and each of those countries may have legislation or governmental interests that run contrary to the UK's.

In that list of 100 countries you'll also find China, along with the Hong Kong and Macau SAR's - whihc are probably bad destinations for UK Government data to go to...

So its not really about IT decision makers not understanding technology - its unfair to say that because they do; they just think 'technology' is spelled M-I-C-R-O-S-O-F-T.

They can't consider why you'd ever want to use anything else.

Re: I think it was news for some people

The contract terms on which G Cloud 14 was competed absolutely require all processing to be conducted inside the UK.

Microsoft (as well as others) sell services through that contract - but far from being UK only they actively support those services from 100 countries outside of the UK (according to Microsoft’s own listing of locations where administrators and persons with need to remotely access M365 or online services data are located.

Only about 64% of those countries have any UK or EU data adequacy.

EVERYONE must by now know that MSoft services have zero capability to support any form of sovereignty - and yet everyone keeps using them…

100% correct.

The EDPB made quite clear in their post Schrems II interim guidance that if data is decrypted IN the Cloud it cannot be considered an effective measure to protect that data FROM the Cloud provider.

Crypto gives significant benefits, but protection if your data from the cloud provider if you process or access the data in the cloud - even if they don’t hold the key - is not one of them.

>Government should have mandated the use of UKCloud only for UK data

They did.

The Government Security Classification Scheme specifically mandated that any data formerly above BIL 2-2-x must be resident in the UK on an approved, assured and accredited platform, right up till it was re-written in June of last year (to remove that requirement).

As a result - formal Ministerially signed HMG policy from 2014 to 2024 was specifically to use UK providers.

had that policy been applied UK Cloud (and probably other UK Sovereign prooviders) would have a solid footprint in the UK today and we wouldn't be exporting our critical data assets around the world.

However.... no-one adhered to that policy, and GDS/CCS/Cabinet Office/etc. all also pushed the 'use Public Cloud' model in favour of the Hyperscalers which was (perversely) NEVER part of the Cloud First policy when it was Ministerially created in 2013 - that was just policy by "blog and innuendo".

Re: "Problems with Azure were confined to one region"

>This really shouldn't be possible, and someone needs to fine Microsoft for it.

OR,

the folks using the Microsoft cloud platform for critical national and government services could read the MS terms of service; where they'll clearly see the restriction that Microsoft Azure and other MS Cloud services are not intended for high value processing, and specifically not for any use that could result in environmental damage, threats to safety or well-being of an individual or significant financial loss....

they might go on to read the guidance form Microsoft on DPIA's for M365 and see the caveat that M365 is not suitable for special category data under GDPR, and that if customers use it for such a prupose that is their responsibility and not Microsoft's.

Then they might wonder if Microsoft Azure and M365 is in fact the right platform for their services at all.

Re: Daft.

<Your data is safe wherever it is, if it is properly encrypted>

Only if your data is never decrypted inside the cloud...

That means you can't PROCESS your data in the cloud - encrypt --> upload to cloud --> download from cloud --> decrypt might = probably secure; but try and work on it INSIDE the cloud? Nope.

Not secured and thus accessible by bad actors, suppliers and foreign governments.

The only people who actually don't want Sovereign Cloud to happen are the Public Cloud providers (who are doing very nicely with the status quo thank you very much)...

True - but they'd also need to ask all those companies who have moved their OOS legacy IT in a 'lift and shift' model on to Azure to vacate the premises...

I think the bigger picture here is that Microsoft can't afford for a precedent to be created in Court where a Cloud Provider (either a Hyperscaler like Microsoft or someone sitting on the Hyperscaler and selling services like CrowdStrike) can be held liable for damages to a customer arising from a loss of service, which occurs for whatever reason.

If a court awards any level of damages to a customer because of losses arising from a Cloud outage, Microsoft lose the 'pseudo-protection' of their heavily caveated Terms of Service, which make the customer responsible for their internal IT not being able to support their business when Microsoft's Cloud goes down, AND for the p*** poor decision to use their shonky cloud platform in the first place.

As soon as a Cloud outage has been formally recognised by a Court as being the Cloud providers responsibility to compensate for Microsoft will face millions of claims every time their platform goes down.

Given the frequency of those outages of late, they can't afford a court making that decision - so they attack Delta hard 'pour encourager les autres'...

>>PS there was a UK cloud - it was actually called UK cloud - they went bankrupt failing to compete with AWS

Actually no that's not the case.

They went into liquidation principally as a result of Cabinet Office briefing HMG users not to use UK Cloud, but their issues had their root somewhat earlier.

Whilst the HMG data classification policy (the GSCS) placed strong restrictions on the use of Public Cloud and non-UK based Cloud Services for sensitive data (including sensitive personal data); the Government Digital Service (GDS) policy and blog postings increasingly pushed organisations to make more use of Public Cloud.

Crown Commercial Services (CCS) made significant investments in their relationships with both Microsoft and AWS who in turn heavily discounted their services in order to hoover up most HMG business.

(Recently Cabinet Office have been bemoaning the fact that now they have a huge footprint in those cloud providers they can no longer influence them and discounts are much harder to achieve - hardly a surprise...)

UK Cloud expected - realistically, because the Ministerially approved Classification Scheme said so - that some types of UK Public Sector bodies would always have a need for a UK based Cloud service.

After all, Azure was only ever formally approved to process data at Business Impact Level 2 (2-2-4 actually), which was at the old GPMS PROTECT level - so there was good basis for UK Cloud to beleive they qwere on firm ground.

Actually they were on shiting sands - because Cabinet Office removed the functions that would have ensured adherence to the GSCS Cloud requirements, and whole tranches of UK Publice Sector moved to Microsoft and AWS. Some have done so whilst also in breach of UK legislation - the problem is that serious.

So that's really what happened to UK Cloud - like an honest player at a crooked poker game they played by the rules in every expectation that they'd compete in a level playing field with some types of use virtually guaranteed by HMG Policy to come their way.

Turns out that HMG Policy favours the big players more than the little guy.

Re: So what did the taxpayer fund?

According to the Contract Finder award the Discovery Phase payment to Microsoft was capped at £1,868,224.

There will have been other costs under the Capgemini wider contract as well.

That contract has a total maximum value of just over £15m, with each phase paid in a series of Purchase Orders (PO's).

If the Discovery and Pilot Phase has a PO figure against it, its been redacted - so not clear what the charges for Capgemini delivery against the Discovery and Pilot were - though comments in the contract and associated documents suggest notional caps per sub-contractor phase of £1.8m also?

Re: Where's next?

Actually the NRS said it was published on purpose as part of their normal activity and as such is NOT a reportable breach; but they've taken the data down whilst they review their way of working...

Whilst the first part of that might appear to favour AWS:

"The government only wants bids from providers with "full and exclusive control" of the infrastructure that underpins their platforms"

The latter part rules out just about every hyper cloud player "which are capable of providing the services primarily from within the UK".

This is potentially just as well IF the UK want to retain any alignment with Europe (but perhaps not if they don't?

Re: What about Office Suites?

It is often assumed that because you seect a UK/EEA region in a cloud provider that your data stays there.

Sadly this is not the case, and even if it were the physical location of data is less important than you may assume.

The Microsoft Terms if Service very clearly state that they can move your data internationally including to countries that do not meet EU requirements for data protection; the systems are in part administrated from outside of EEA and some if the core services within the M365 stack are only available outside of EEA (and your data moves there for processing).

Finally the extra-territoriality of some US legislation means that even if none of the above were true your data is still exposed to disclosure to US authorities.

I’m sorry to say therefore that your assumptions around residency and data protection are quite wrong - though you are correct that for some sectors at least the rules of Data Protection shall change again in January, but sadly these shall become MORE complex, not less.