El Reg drills into Office 365: The science of compliance

Office 365 may well be the most impressive attempt at providing international information on legal compliance ever attempted. Microsoft has hired many of the world's foremost experts on the various layers of legal compliance that exist and has created a software solution that helps enterprises meet compliance levels that would …

COMMENTS

This topic is closed for new posts.
  1. oldcoder

    You really expect Microsoft to actually DO something?

    They are big on "yes we match all applicable laws", until they don't want to.

    And then it is "that law isn't applicable in this situation"...

    Which ends up making the entire thing swiss cheese and useless.

    1. Trevor_Pott Gold badge

      Re: You really expect Microsoft to actually DO something?

      They have "Azure on premises" for Server 2012 R2. Where the fnord is my "Office 365 on Azure on Premises?" I'll go back to Microsoft's productivity suite if they give me a hosted version I can host on my OWN cloud to my customers.

    2. Anonymous Coward

      "yes we match all applicable laws"

      Agree. I can't envisage a situation where mistakes or exceptions won't be made. 'Office 365 is untested legal water.'...That's the crux of it! ...'We will use reasonable efforts to notify the enterprise customer'... Enterprise? What about the little SME guy, will he get little notification? Nobody is testing the limits of this and that's key. I'd like to see the 'Anonymous' guys upload terrorist material, dodgy porn or somehow push the limits of this and do a trial run now before the average user comes along, as the devil is in the detail...

      Ultimately it comes down to sufficiently harsh penalties in place in order to concentrate corporate minds. I don't care if MS' hosting in Europe is supposedly Certified under EU law. Where are the real-world financial and criminal penalties acting as deterrents for non-compliance? Give me one real-world example where a company has been severely taken to task over everyday data leaks? There needs to be safeguards in place ahead of time to stop data leaking across borders and jurisdictions. If companies can't even protect user account and cc info today how can we trust them with future cloud security and privacy? The truth is, we can't! To think this will work as expected means making some serious assumptions, and assumption as we know is the mother of all f*ck-ups!

  2. Peter Jones 2

    I can't recommend it.

    Whilst I work almost exclusively in the MS stack, I don't recommend their stuff without good reason. And in this case, I just can't.

    The main problem is US law rather than any technical point. Bob Muglia shortly before his departure confirmed that a UK company, using Office 365 and/or Azure in the MS datacentre in Ireland, could potentially have their data transferred to a US datacentre for probing by the US government. The UK company would not notice (which is kind of a testament to the technical side, if true) and would not be told. The US government would not need a warrant to do this, but as MS is a US company, they would be compelled to assist.

    From a business point, I can see all cloud businesses using the low cost to draw people in, and then slowly escalating fees once you are there. You will be very aware of the shaft, but it will cost more to migrate out. So year after year, the price goes up beyond reasonable cost, and you just accept it.

    1. Another Justin

      Re: I can't recommend it.

      Microsoft recently announced that Office 365 is fully compliant with EU data protection standards, which means that what you are saying isn't true (or Microsoft are lying).

      1. alain williams Silver badge

        Re: I can't recommend it.

        Microsoft may well be doing the best that it can; however it is still subject to the USA Patriot Act.

        It would be interesting to have a MS customer (I am not) write them a letter explicitly addressing this issue. I can't complain about them having to obey it, but they should at least come clean.

        1. Trevor_Pott Gold badge

          Re: I can't recommend it.

          I am a Microsoft customer.

          I am a Microsoft partner.

          I am a Microsoft Certified Professional.

          I am a Microsoft blogger.

          I've written some pretty damned explicit things on the topic and asked some very direct questions. The response always goes like this:

          Me: [Concerns listed in the article]

          Microsoft: "We are constantly working to improve our compliance!"

          Me: "Your compliance doesn't change your legal obligations. I want the ability to run Office 365/Azure/etc as part of a push-button-simple on-premises solution, or the ability for hosted providers in my own nation (who do not have business ties with, employees in or use servers in the USA) to provide me Office 365/Azure/etc such that my data is never, ever legally exposed to the government of the USA."

          Microsoft: "We work hard to provide top notch technological solutions, but we cannot meet every edge case requirement."

          I call bollocks. They have a deployable "Hosted Azure" solution as part of Server 2012 R2. No hosted Office 365. No hosted SkyDrive. Just a user portal that backs onto System Center and Server to allow users to spin up some VMs. Huzzah! They've finally caught up to VMware vCloud Request Manager! Be awed by their might.

          This is no different than my circular arguments with Microsoft (or hardened Microsoft fanboys) regarding Windows 8.

          Me: [List of usability complaints we're all familiar with]

          Microsoft: "Microsoft has worked hard to incorporate touch as a first-class input mechanism and has enhanced productivity on all devices by providing a common interface regardless of where you use your computing device!"

          Me: "Touch is not a benefit. I use a keyboard and mouse for [long list of activities and reasons]. What I want is for you to make using the keyboard and mouse better than it was in the previous version, especially for those people (like me) who are mouse-driven, not keyboard shortcut mavens. For [list of reasons] I do things like use windowed remote desktop sessions that don't pass through ctrl-alt-esc/Windows key, so your 'just use Windows-key and start typing' marketing verbiage is simple malarkey.

          I also realise that with enough effort and additional third-party applications I can make Windows 8 as easy to use as previous versions, but what I want is for you to release a product that actually makes how I work better, less irritating and easier out of the box. Without having to buy additional hardware or third-party software beyond what I already have. I have a massive investment in my existing estate and if you want money out of me then I want to make that existing investment work more smoothly and efficiently for my real-world use. I don't want to have to piss around for hours on every new install I touch just to make things as usable as they were even one generation of your product ago."

          Microsoft: "We work hard to provide top notch technological solutions, but we cannot meet every edge case requirement."

          The really assholish ones are simply even funnier.

          Me: "Man, Windows 8 is ass-tastic".

          MS Fanboy: "It works for me, so it's not ass-tastic."

          Me: "It doesn't work for me without way too much third-party customization. Is choice too much to ask for?"

          MS Fanboy: "Well it works for me, so you're not the majority. The majority is all that matters. They shouldn't be giving you choice because you need to be dragged kicking and screaming into the future. You need to be like the majority. We know that this is what people want because Microsoft took metrics on that. It's science. Anyone who disagrees is an edge case who thinks they are a lot more important than they really are. There are only a handful of people who don't like Microsoft's design, because metrics tell us what the majority wants and we should all strive to be like the majority. Humanity can't afford to be held back by giving choice to the few. Microsoft did the right thing and you just need to learn to live with it."

          Me: "Fuck this, I'm using Linux."

          MS Fanboy: "See? You're a nobody nerd that is too full of ego, pride and hating the man to admit that Microsoft has designed a better way to work. You need to shave your neckbeard and just learn how to use things the way Microsoft designed things, you'd be happier then."

          Me: "I can't hear you over the sound of my keyboard as I'm actually getting shit done over here."

          Long story short: it doesn't matter if it is about privacy or user interfaces. Microsoft doesn't have a forum for the disenfranchised to voice their opinions and gives zero fucks about those who don't fit its very middle-of-the-bell-curve, American-centric view of the universe. They will design what they design and the rest of the world can go hang. Since the majority of multinationals are USian in nature, they have the planet by the business-document-format balls and that's all they need to keep on keeping on.

          Where there is no requirement to care, Microsoft doesn't. But everyone is on the edge of the bell curve at some point and the more narrowly you tailor to the centre of that curve the more people fall outside the design lines. Microsoft and Microsoft fanboys complain about the "religious hatred" that greets them at every turn. I submit that the head --> desk experiences of nearly every person on the planet who has at one point or another found themselves on the edge of the bell curve with Microsoft refusing to give any fucks might perhaps be an explanation.

          So I'll keep on being a refusenik until my needs are discovered by MS metrics to no longer colour outside the lines. What else can a body do?

          1. Anonymous Coward

            Dennis Miller

            I don't want to go off on a rant here but...

            I agree with you that they only bend to the big corporates - those that get onto the TAP program and influence the final product - until they get a response like they did on Win 8.

            1. Trevor_Pott Gold badge

              Re: Dennis Miller

              Um...Microsoft didn't bend on Win 8. The "compromises" they offered were an outright insult. None of the issues I raised were addressed at all. They made one grudging concession to the masses by putting in a button where the hotcorner was. That's it. Then they told the world how wonderful they are while secretly laughing and demanding we go twist.

              To hell with the clientOS team. They can each and every one of them [something truly horrible]. Bastards to the very last one of them.

          2. Squander Two

            Vice versa.

            Funnily enough, that is almost word-for-word the same as the argument I get into because I have the temerity to like Windows 8.

            "Man, Windows 8 is ass-tastic".

            "It works for me, so it's not ass-tastic."

            "Well it doesn't work for me, so you're not the majority. The majority is all that matters. They shouldn't be giving you a new OS. You need to be like the majority. We know that this is what people want because Microsoft's sales are doing so badly and developers are building custom Start Menu replacements. Anyone who disagrees is an edge case who thinks they are a lot more important than they really are. There are only a handful of people who like Microsoft's design, because sales figures tell us what the majority wants and we should all strive to be like the majority. Humanity can't afford to be held back by putting change ahead of familiarity. Microsoft did the wrong thing and you just need to learn to accept that fact."

            Uncanny.

            1. Trevor_Pott Gold badge

              Re: Vice versa.

              Oh, I admit that I'm an edge case. I do, however, believe that "edge case" here is defined as anything not 2 sigma from the centre. That leaves a lot of people kicked to the curb. A lot.

              I don't mind being "different." I do mind people taking something that was working and then breaking it. I loathe the arrogance of a company (and its fanboys) demanding that I explain why I don't want to buy a given product. It's my fucking money! The burden is on the vendor to convince me why I should spend my hard-earned.

              That's really what the whole thing boils down to for me. Microsoft - and Microsoft fanboys - have taken an attitude that constant upgrades, subscription fees and so forth are their due. They Deserve it on some moral level. Those who choose not to pay the fees (all of them, and they are many) every year, every upgrade cycle and then turn around and evangelize the product are suspect, questionable and above all guilty of something.

              There is a concerted push to berate, belittle, ostracize and condemn anyone who doesn't accept blindly the assertions, claims and propaganda shovelled at them. There is a well thought out strategy to put the customer on the defensive and make them repeatedly explain the choice not to upgrade.

              That's fucking asinine and I have nothing but contempt for those who practice such utter bullshit.

              If you want my money - either to keep your business running (Microsoft) or to prop up your personal ego by ensuring you feel like you've made the right choices with your money (Microsoft fanboys) then you will have to convince me that what's on the table makes my life and my workloads, use cases and extant estate run better.

              I'm the customer, damn it. Not a terrorism suspect captured at the border with a truck full of semtex and a USB key full of 56,000 American jobs in MP3 format. So don't get shocked and shaken if I get all ornery when you treat me like a US Customs and Border weasel with wide eyes at the prospect of finally having a chance to validate the existence of their job.

              There is no moral equivalence in the online debate. One side is selling something and wants money from the other side. There are valid reasons for customers to be skeptical and they have every moral right not to spend money. There are no valid reasons to attack the customers and no company has a moral right to a customer's money.

              Grok the gap?

              1. Squander Two

                Re: Vice versa.

                Couldn't agree more. What puzzles me, though, is the way that, when I say I like Windows 8, the Windows-8-haters insist that I justify Microsoft's decision to release it, rather than just my decision to like it.

                I'm perfectly happy to admit that Microsoft got it badly wrong with Windows 8, as evinced by users' reactions. Similarly, I'm perfectly happy to admit that iOS was a usability revolution despite the fact that I can't use an iPhone without wanting to stamp on the damn thing.

                1. Trevor_Pott Gold badge

                  Re: Vice versa.

                  Never ask anyone to explain why they like something. It doesn't help you improve a product and people like strange things. Some people juggle geese...

  3. Anonymous Coward

    Great article

    Found it well balanced and loved the insight you provided with your own experience in Canada. Still not sure many people will be sold on Microsoft being the answer to their security woes - and as you highlight, privacy is still a concern.

    Security and privacy will remain a concern for most organisations, and it will come down to a risk appetite vs cost of mitigation. For some, the cost of continually chasing their tails to patch security holes and keep software up to date will lead them to hosted services, and the potential risk of a privacy breach might not be enough to upset that course. For others, the risk of a privacy breach will prove too much, and the laws too challenging to untangle or take a punt on.

  4. Charles Calthrop

    >The US government would not need a warrant to do this,

    Really? Bloody hell what a world we live in.

  5. Anonymous Coward

    You think that's bad?

    You wanna try things where your data isn't just private, but privileged.

    If you're a lawyer, and the emails are between you and your client, then the government can't access your data even with a warrant. They need a court order specifically revoking legal professional privilege (E&W law) or attorney/client privilege (US law).

    I've had to stand in front of a police officer with a warrant and refuse him access to the building because there is privileged information and I need to ensure that he can't access it. I had a mobile in one hand and a lawyer on the other end, while the lawyer drove to the office to argue with the police, natch.

    You want to bet that Microsoft would do that with your data? They're not the ones who get sacked when lawyers get struck off for breaching privilege.

    1. Anonymous Coward

      Re: You think that's bad?

      "I've had to stand in front of a police officer..."

      You would be well advised not to try that if they, or Customs, arrive mob handed.

      1. Anonymous Coward

        Re: You think that's bad?

        It's a no-win situation; exposing privileged information is a criminal offence too, so you're literally in a position where you could go to prison either way if you get it wrong.

  6. Nick Ryan Silver badge

    Cloud (online data storage mainly) security, the real side of it, is a continual minefield.

    In the end, it's safest to work on the assumption that if the data is replicated out of the EU then it has gone to somewhere insecure that has no real concept of privacy, such as the US. The US safe harbor(sp) agreements are never enforced or checked and are usually so specific in use that your data will bypass the agreements and won't be covered by them... and the safe harbour agreements only dictate what the company may voluntarily do with your data in their possession; as noted here, it has nothing to do with legal, government or other processes.

    Where I work a small amount of our data is extremely confidential and sensitive as it relates to high profile events and court cases, a sizeable chunk is commercially sensitive such that the company involved would not like a competitor to access it, but most is trivial and of little interest to almost everyone. To be safe we work on the basis that it's all very confidential and as a result there's no way we can seriously consider cloud data or cloud application hosting, especially if the service provider mirrors the data outside of the EU, and we'd also be implicitly trusting all staff, contractors and other third parties that are involved with the hosting.

  7. Malagabay

    "IT security is becoming a problem"

    I stopped reading the advert at this point.

    IT security became a problem the moment Windows hit the corporate desktop a longgggggggggggggggggg longggggggggggggggggggg longggggggggggggggggggggggg time ago...

  8. Robert Helpmann??

    Ia! Ia! Shub-Niggurath!

    The US is the same, and the EU has created a Lovecraftian horror in the form of libraries upon libraries of complex interconnecting law textbooks.

    Upvote on the whole article for this single phrase.

  9. Anonymous Coward

    'Office 365 is untested legal water.'...

    I can't envisage a situation where mistakes or exceptions won't be made. 'Office 365 is untested legal water.'...That's the crux of it! ...'We will use reasonable efforts to notify the enterprise customer'... Enterprise? What about the little SME guy, will he get little notification? Nobody is testing the limits of this and that's key. I'd like to see the 'Anonymous' guys upload terrorist material, dodgy porn or somehow push the limits of this and do a trial run now before the average user comes along, as the devil is in the detail...

    Ultimately it comes down to sufficiently harsh penalties in place in order to concentrate corporate minds. I don't care if MS' hosting in Europe is supposedly Certified under EU law. Where are the real-world financial and criminal penalties acting as deterrents for non-compliance? Give me one real-world example where a company has been severely taken to task over everyday data leaks? There needs to be safeguards in place ahead of time to stop data leaking across borders and jurisdictions. If companies can't even protect user account and cc info today how can we trust them with future cloud security and privacy? The truth is, we can't! To think this will work as expected means making some serious assumptions, and assumption as we know is the mother of all f*ck-ups!

  10. asdf

    fake Trevor

    >Hands on with Trevor

    Bah there is only one real Trevor.

    http://www.youtube.com/watch?v=9NGrxZQ-7Ew

  11. Trevor_Pott Gold badge

    For those who feel I am too paranoid

    Please, read this.

  12. Fanagolo

    Why not encrypt your data to prevent MS passing it on?

    Why not address the risk of MS sharing your data with Uncle Sam (and anyone else!) by using an encryption gateway where you send MS encrypted data and you hold the keys?

    Richard
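The "encryption gateway where you hold the keys" suggested in the comment above, as an added illustration that is not the commenter's code and not anything Microsoft ships: a hypothetical on-premises gateway seals each object under a customer-held AES-256-GCM key before it leaves the building, binding the storage object name as associated data so a blob cannot be silently swapped between names. The provider stores only nonce, ciphertext and tag; without the key, a compelled disclosure yields opaque bytes. The sample message, object names and key generation here are constructed for the example (a real gateway would source the key from a local HSM or key store, never from the provider).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewCustomerKey generates a 256-bit key that stays on the customer's premises.
// Constructed for the example: a production gateway would load it from an HSM/key store.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the customer's key and binds objectName as
// associated data (authenticated but not encrypted). Output layout sent to the
// provider: nonce || ciphertext || GCM tag. A fresh random nonce is used per object.
func Seal(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to the nonce so the blob is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal on the customer side. It fails on a wrong key, a tampered
// blob, or a blob that was stored under a different object name.
func Open(key []byte, objectName string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// LeaksPlaintext is a crude check a defender can run on what the provider holds:
// the stored blob must never contain the plaintext bytes.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a privileged message destined for hosted mail storage.
	msg := []byte("privileged: client correspondence regarding case 1234")
	name := "mail/2013/0001.eml"

	blob, err := Seal(key, name, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d opaque bytes; plaintext visible: %v\n",
		len(blob), LeaksPlaintext(blob, msg))

	got, err := Open(key, name, blob)
	fmt.Printf("customer decrypts: %q (err=%v)\n", got, err)

	// A blob moved to a different object name is rejected by the AEAD check.
	_, err = Open(key, "mail/2013/0002.eml", blob)
	fmt.Printf("blob under wrong name: err=%v\n", err)
}
```

Two design choices worth noting: the object name as associated data stops a provider-side mix-up (or substitution) from going unnoticed, and because the key never leaves the customer, the gateway, not the provider, is the only party that can answer a request for readable content.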

