Microsoft: Look at our cloudy privacy award. Isn't it so ... meaningful?

Microsoft is in self-licking lollipop mode after its cloudy wares passed the privacy water mark set by the International Organisation for Standardisation, letting it paper over customers’ concerns. Data sovereignty is a major hurdle for global companies trying to sign up customers to the fluffy white stuff, particularly in …

  1. Anonymous Coward

    “If there is unauthorised access ... we’ll let you know about this,”

    Nice, but it's the authorised access that they can't tell you about that is the problem.

    I'm not knocking Microsoft in particular here. It is a fundamental flaw in the idea of a business or any person using cloud storage for their sensitive information in preference to their own controlled facilities.

    1. Paul Crawford Silver badge

      Re: “If there is unauthorised access ... we’ll let you know about this,”

      A much more useful measure of "cloud service" integrity would be some properly audited trail to show that YOU, the customer, set a private encryption key on your clients and that is never made available to the cloud provider.

      If the law wants your data then they have the proper course of action by getting a court order in YOUR COUNTRY to force disclosure.

      Anything less is just marketing whitewash.

    2. Trevor_Pott Gold badge

      Re: “If there is unauthorised access ... we’ll let you know about this,”

      Why is unauthorized access even possible? Everything should be encrypted in flight and at rest in a manner such that neither Microsoft nor its US government TLA partners can get access to it, even if they wanted to. Sorry, but if the US government can access my data, your cloud isn't secure, and fuck you very much I'll not use it.

      1. Chris Miller

        Re: “If there is unauthorised access ... we’ll let you know about this,”

        Sorry Trevor, but no-one is going to offer a commercial service that makes it impossible for them to get at your data if so requested by lawful authority. If you're that sensitive about it, you can always encrypt it prior to uploading, but a commercial operation will look dubiously upon such practices - how can they know it's not your stash of kiddieporn and they won't find the Feds (or local equivalent) beating their door down?

        1. The_Idiot

          Re: “If there is unauthorised access ... we’ll let you know about this,”

          Lord Chris

          "no-one is going to offer a commercial service that makes it impossible for them to get at your data if so requested by lawful authority"

          You may well be right. And whether what you suggest to be reasonable is the case or not (as a commercial business decision, and not as a judgement of its reasonable-ness), it is simply one more reason, for me, not to use such services and to advise anyone I work for or deal with not to use such services. At a pinch, if the service is wholly and entirely hosted in the organisation's jurisdiction of domicile, maybe. And even then, I'd prefer not.

          Of course - I'm an idiot (blush).

          1. Chris Miller

            Re: “If there is unauthorised access ... we’ll let you know about this,”

            Damn, I was trying to keep my peerage a secret :)

            You are, of course, free not to use cloud services if they transgress the boundaries of your personal privacy (though, increasingly, public services are moving to the cloud, even though that may not be obvious to their users). But, just as with mobile phone operators, hoping to see a commercial service that offers complete protection from lawful interception is wishing for the moon.

            1. Paul Crawford Silver badge

              Re: “If there is unauthorised access ... we’ll let you know about this,”

              Chris, this "protection from lawful interception" you speak of is complete bollocks. If the police want my data then they simply have to get a court order in my country and I will have to hand it over.

              We are not talking about some free/anonymous service here, this is all about businesses paying for storage/servers/etc so it's pretty clear who is responsible.

              1. Chris Miller

                @Paul

                If I'm talking bollocks (nice argument), you should easily be able to provide an example of such a service. I shan't be holding my breath.

                Better still, set one up for yourself, since you're so clued up. You could piggy back on Amazon or whatever, so it needn't cost very much. Do come back and tell us all how it went.

        2. Trevor_Pott Gold badge

          Fucking panopticon apologists

          @Chris Miller

          Sync.com is a Dropbox alternative that does exactly what I described. It's commercial. So right there you're flat out wrong. And I am working with a number of Canadian cloud providers to get to zero knowledge encryption for general workloads, and more!

          Sorry mate, just because you prefer to live in a world where the presumption of innocence has been abandoned doesn't mean the rest of us are stupid enough to pay money to usher in such a society. Just remember to always speak what you're told to speak, Mr. Miller. Lest you run face first into the new laws that equate political dissidence with "antisocial behavior", and "antisocial behavior" with "nonviolent extremism", and "nonviolent extremism" with terrorism.

          In the world you choose to pay for, be very careful what you say, and to whom. Be careful what you think, and where you write those thoughts down. Do you even know if they're illegal? Honestly? You know every single criminal law in every single jurisdiction that might have say or sway over your cloudy life?

          Are you certain of that?

          Me, I'll stick to commercial zero knowledge encryption offerings, thanks. And the presumption of innocence they entail.

        3. Anonymous Coward

          Re: “If there is unauthorised access ... we’ll let you know about this,”

          "Sorry Trevor, but no-one is going to offer a commercial service that makes it impossible for them to get at your data if so requested by lawful authority."

          Microsoft do. You can already manage your own keys, etc. in Azure - even to a degree in Office 365 where you can lock down keys to a region - certainly you can easily prevent say the US government being able to directly access your data that is in the EU. We do this already - we hold control of the keys to our data, not Microsoft, and all our traffic is IPSEC encrypted.

      2. This post has been deleted by its author

        1. Anonymous Coward

          Re: “If there is unauthorised access ... we’ll let you know about this,”

          "Everything should be encrypted in flight and at rest in a manner such that neither Microsoft nor its US government TLA partners can get access to it, even if they wanted to."

          See https://technet.microsoft.com/en-gb/library/dn440580.aspx

          "For example, instead of Microsoft managing your tenant key (the default), to comply with your company policies, you might have to manage your own tenant key, which is also known as bring your own key (BYOK).

          1. You generate your tenant key on your premises, in line with your IT policies.

          2. You securely transfer the tenant key from a Hardware Security Module (HSM) in your possession to HSMs that are owned and managed by Microsoft. Throughout this process, your tenant key never leaves the hardware protection boundary.

          3. When you transfer your tenant key to Microsoft, it stays protected by Thales HSMs. Microsoft has worked with Thales to ensure that your tenant key cannot be extracted from Microsoft’s HSMs.

          As an additional protection measure, Azure RMS uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East and Africa), and Asia. When you manage your own tenant key, it is tied to the security world of the region in which your RMS tenant is registered. For example, a tenant key from a European customer cannot be used in data centers in North America or Asia."

          See also: https://www.thales-esecurity.com/msrms/cloud

    3. Mark 85

      Re: “If there is unauthorised access ... we’ll let you know about this,”

      Therein is a major part of the problem. If I have a house, a storage shed, no matter... the law enforcement types have to hand me a warrant to enter and look around. Until that happens, no way will I use or recommend the use of the cloud.

      As for encryption, that works for me but in the US, there's movement afoot to "regulate" encryption. So again, no cloud.

      Given the nature of the hijackings lately of banks, insurance companies, etc., encryption would be the only proper way to store anything and that's only if (and a big if) the admins can keep their key secure.

    4. veti Silver badge

      Re: “If there is unauthorised access ... we’ll let you know about this,”

      Be fair: unauthorised access is an enormous problem that strikes dozens of major players every year. Promising to notify you about that - isn't everything, but it's not nothing either.

      No, they won't tell you about the KGB - sorry, I mean DHS - weaselling[1] about in your files. But nobody will. They will, however, tell you when Q Blackhat Scumsucker gets in there, and that's more than most companies will.

      [1] It's like ferreting, except that weasels are harder to spot.

  2. Anonymous Coward

    And so ..

    .. do we demonstrate the glaring gap between certifications and the Real World.

    1. Anonymous Coward

      Re: And so ..

      Well in my business - and we're accredited not certified - if you don't meet the standard (it is one of the ISO/IEC ones) you have no credibility.

      1. Anonymous Coward

        Re: And so ..

        Well in my business - and we're accredited not certified - if you don't meet the standard (it is one of the ISO/IEC ones) you have no credibility.

        .. but you still end up on the receiving end of all sorts of mayhem if you only went as far as ticking the accreditation boxes. I have had to dig companies like that out of deep holes often enough to know the difference. Typically, the company gets in a costly herd of consultants to make them standard compliant and then gets the accreditation. At that point, the budget runs out for doing anything more than routine maintenance - the intelligence walks out with the consultants - and that's when the real problems start.

        Don't get me wrong, I think an accreditation process is a good route to force especially larger companies to cut fewer corners, but it's not the be all and end all of delivering on the values that are behind the accreditation.
