As governments today look at technology innovation, there is a need to address the rapidly evolving demands of their citizens while protecting the most sensitive data and delivering on promises of trust and security. Modernization of government services without compromising security, digitization of manual processes and improved user experiences for both citizens and government employees are all benefits of digital transformation, and the right technology platforms can create even better opportunities for social and economic growth.
The cloud can offer agility and flexibility, advanced cybersecurity features, and access to the latest innovations, including AI, to accelerate digital transformation and the delivery of essential public services. Many governments want to take advantage of the benefits of the public cloud while also managing their data in accordance with their local policies and regulatory requirements. They need solutions that ensure digital sovereignty, giving them control over their data in the cloud. In July of last year, we announced Microsoft Cloud for Sovereignty, a new solution that will enable governments to build and digitally transform workloads in the Microsoft cloud while helping to meet many of their specific compliance, security and policy requirements. Microsoft Cloud for Sovereignty creates software boundaries in the cloud to establish the extra protection that governments require, leveraging hardware-based confidentiality and encryption controls.
Since then, we have engaged with numerous government leaders, policymakers and public sector organizations in Europe and the rest of the world about why the cloud is the best solution for sovereignty needs. We have delivered two Microsoft Cloud for Sovereignty private preview releases that validated the power and scale of the cloud with adherence to government requirements and empowered government customers with the digital transformation they are striving for. It also helped identify three key obstacles impeding governments from meeting their digital transformation and innovation goals: Complying with legislative and regulatory requirements; protecting and securing sensitive data; and innovating without compromise.
Comply with legislative and regulatory requirements
Before taking advantage of the many benefits of the cloud, government policymakers want to have confidence in the security and privacy of their data and the ability to keep innovating while protecting that data. A key element of this is meeting their legislative or regulatory obligations. This is where Microsoft’s transparency commitments come in.
Many governments require transparency regarding how Microsoft responds to third-party data requests. At the core of our business, we adhere to the following policies across our services and commit this to our customers:
- Microsoft does not provide direct and unfettered access to our customers’ data. We do not share encryption keys or the ability to break our encryption with anyone, including any government.
- Governments must follow the applicable legal process to request customer data. They must serve us with a warrant for content or a court order or subpoena for subscriber information or other non-content data.
- All requests must target specific accounts and identifiers. Microsoft’s legal compliance team reviews all submissions to ensure they are valid and rejects those that are not. We use a variety of legal means to challenge data requests, provide data only when a request is valid and provide only the data specified in a legal order.
As all major cloud service providers operate globally, governments often wonder how legislation such as the U.S. CLOUD Act impacts cloud providers. This law does not change any of the legal and privacy protections. Microsoft adheres to the same principles and customer commitments for government demands for user data.
Microsoft’s semi-annual law enforcement request report, part of our transparency measures, reveals that the vast majority of our customers are never impacted by government requests for data. For example, in the first half of 2022, Microsoft received 41 legal demands from law enforcement in the United States for commercial, educational, and public sector customers who purchased more than 50 seats. Of those demands, there were no disclosures of content data related to a non-U.S. customer whose data was stored outside of the United States.
With Microsoft Cloud for Sovereignty, we provide additional sovereign guardrails that help ensure data is protected in transit and in storage by customer-owned keys not accessible to Microsoft and protected in use when using Azure confidential computing, delivering unmatched software and hardware protections such that only customers with the proper keys can access the data when unencrypted.
Ability to protect and secure sensitive data
With the rapid increases in volume, severity, and sophistication of cyberattacks, it is increasingly clear that the cloud is the best way to protect data. The cloud provides government customers with world-class protection and unmatched resources and scale to detect, respond and deter attacks early on.
Microsoft Cloud and Azure are trusted by millions of customers with their most sensitive and mission-critical workloads. We offer a wide variety of tools to monitor and respond to security threats, as well as specialized services to help governments keep their data safe. With more than 8,500 Microsoft security experts across 77 countries, we have helped provide a critical perspective on the security landscape and are continuously fine-tuning our security approaches as we learn from each cyberattack. With the addition of the Microsoft Cloud for Sovereignty, government customers can establish their own software boundary in the cloud while taking full advantage of Azure’s best-in-class security, resilience and scale capabilities. Microsoft Cloud for Sovereignty allows customers to leverage key Azure capabilities including:
- Microsoft’s Azure Key Vault Managed Hardware Security Module allows customers to maintain complete control of the cryptographic key, while still benefiting from the redundancy, resilience, cybersecurity and managed experience of the cloud.
- Azure confidential computing is a unique service that protects data in use and allows the data to be processed only after the cloud environment is verified to be a trusted execution environment. In this way, confidential computing helps protect data from being accessed by cloud operators, malicious admins, and even privileged software such as the hypervisor. It helps keep data protected throughout its lifecycle — in addition to existing solutions of protecting data at rest and in transit, data is now protected while in use. In Azure, the root of trust is with independent hardware, so even Microsoft operators cannot access the memory encryption keys. This independent hardware root trust is what helps government customers to independently cryptographically verify the identity and “known good state” of the cloud operating environment they are relying on.
With Microsoft, governments can take advantage of our view of the evolving threat landscape. With industry-leading AI, we synthesize 65 trillion security signals a day across all types of devices, apps, platforms and endpoints, which is an eight times increase from the 8 trillion daily signals captured just two years ago. And we apply the learnings from that signal intelligence, as well as from our world-class threat intelligence, into all the products and services we offer. Furthermore, we now have more than 15,000 partners working with us across our security ecosystem, helping to bring better solutions and more choices to the market. Our global threat intelligence perspective enables early detection and response to emerging threats across multi-cloud, hybrid, on-premises and heterogeneous platforms.
Innovation without compromise
Embracing digital innovation while ensuring digital sovereignty is a challenge for governments. Investing in a private, isolated on-premises datacenter might, at face value, seem to be the only way to achieve the level of control and security a government requires. But building on a private cloud requires maintaining on-premises datacenters, which are no longer viable due to their inability to scale and deliver the security and functionality that the cloud provides. Finally, we also hear from our customers that they are operating under increasingly restrained resources and shrinking budgets. The cloud offers governments the ability to operate on a lean budget, compared to on-premises. Migrating to the cloud can enable governments to take advantage of the agile benefits of the cloud and focus their spending on the latest innovations in the delivery of services.
As technologies advance, they are taken to the cloud first. Governments that adopt the cloud benefit from the latest innovations changing how governments operate, including AI, blockchain, digital identity and online services, while those that maintain or expand their private cloud investments may not benefit from the same growth and innovation.
Innovating while meeting digital sovereignty requirements is complex and can differ greatly between customers, industries and geographies. We believe a cloud solution designed to address sovereignty needs to have advanced capabilities built with the needs of government customers in mind and must be customizable and flexible to adhere to evolving local policies and regulatory requirements around the handling of data.
Now for the first time, governments are not forced to choose between digital innovation and data control; they can have both. With Microsoft Cloud for Sovereignty, we are investing further in guardrails such as Sovereign Landing Zones, local policy packs and increased transparency throughout Azure, creating a virtual sovereign cloud environment for customer workloads. This helps enable customers to take advantage of best practices and implement secure, consistent and compliant environments and adhere to evolving local regulations while taking full advantage of the cloud.
Ensuring compliance and driving digital transformation
The public sector will always need to protect and secure sensitive data, comply with legislative and regulatory requirements and innovate without compromise. At Microsoft, we strive to meet these needs by providing customers with transparency and unsurpassed data controls, investing in cybersecurity and collaborating with governments worldwide to meet their policy and regulatory needs.
It is no longer necessary for governments to choose between innovation and digital sovereignty. Governments can now harness the full power of the cloud, including broad platform capabilities, while having greater control over their data and increased transparency to the operational and governance processes of the cloud — allowing governments to ensure compliance while driving their digital transformation.
For more information, please visit microsoft.com/sovereignty.
This post originally appeared on The Official Microsoft Blog.