ktsdesign - stock.adobe.com

UK government’s M365 use under scrutiny after Microsoft’s ‘no guarantee of sovereignty’ disclosure

Microsoft’s hold on government IT is under scrutiny, following a disclosure to a Scottish policing body that saw the software giant advise that it cannot guarantee data sovereignty in its cloud-based Microsoft 365 suite

This article can also be found in the Premium Editorial Download: Computer Weekly: How data drives decisions at BAE Systems

The dominant hold that Microsoft has on government IT is coming under close scrutiny, following the software giant’s disclosure it cannot guarantee the sovereignty of UK policing data hosted within its hyperscale cloud infrastructure.

As exclusively revealed by Computer Weekly on 19 June, Microsoft has advised Scottish policing bodies it cannot guarantee that data hosted in its Microsoft 365 (M365) and Azure platforms will remain in the UK.

The disclosure features in a series of freedom of information (FOI) responses from the Scottish Police Authority (SPA) to questions raised by independent security consultant Owen Sayers about the authority’s use of Microsoft’s cloud services.

One of the responses, seen by Computer Weekly, sees Sayers ask the SPA for a list of “any Microsoft cloud services identified as not operating fully within the UK” or that require the international transfer of customer data.

In its response, the SPA stated: “Microsoft have advised that they cannot guarantee data sovereignty for M365.”

Other information released as part of the FOI disclosure reveals that data hosted in Microsoft’s cloud infrastructure is regularly transferred and processed overseas, as well as acknowledgements from Microsoft that international data transfers are part and parcel of how its public cloud infrastructure works.

The significance of Microsoft’s disclosures is that the processing of personal data by law enforcement bodies is governed by the contents of Part 3 of the Data Protection Act (DPA) 2018, which limits the use of overseas cloud providers by law enforcement entities unless “appropriate safeguards” are in place. 

And while the DPA 2018 Part 3 only applies to law enforcement bodies, other public sector organisations operate under regulatory controls that expect or require data to be 100% resident in the UK too, said Sayers.

“Until June 2023, the government classification scheme specifically prohibited the offshoring of data, and questions should now be asked as to how HM government’s use of Microsoft cloud between 2014 and 2023 was allowed to grow as it did when it largely contravened that policy,” said Sayers.

Computer Weekly put this question to the Cabinet Office, but was told the department is limited on what it can say at this time due to the upcoming General Election. 

The significance of the time period proposed by Sayers is that 2014 was the year when the Cabinet Office sought to streamline the government’s seven-tier Business Impact Levels (BIL) data classification system, used by departments to assess the sensitivity of the data they handled.

The process resulted in the creation of the three-tier Government Classification Scheme (GCS) and the introduction of a new naming convention whereby government data is now classified as being either Official, Secret or Top Secret.

“The policy issued then and updated in 2018 didn’t just change the names, it also contained some specific provisions about using cloud,” said Sayers. “One of those provisions was that for data classified as being above the old BIL threshold of BIL 2xx, the cloud hosting it had to be accredited and located in the UK.”

In addition to this, Sayers said: “Many government and private sector organisations will have a risk statement in their corporate risk register or Data Protection Impact Assessment [DPIA] that reflects Microsoft’s use of UK datacentres [to] ensure personal data doesn’t leave the UK and, as such, is sovereign,” he said. 

“These clarifications from Microsoft show that this probably isn’t true for most processing use cases, and – as a result – those organisations need to look at how that changes both their risk profile and whether trust in Microsoft’s data residency guarantees has, in fact, been misplaced.”

Computer Weekly asked Microsoft if it could guarantee the sovereignty of other forms of public sector data hosted on its hyperscale cloud platform, but the company did not directly answer the question.

Revisions to the public cloud-first policy

According to Sayers, the Microsoft disclosures also call into question whether the UK government’s long-standing public cloud-first policy remains fit for purpose.

The policy, introduced in January 2017, mandates that all central government departments should take a public cloud-first approach to new technology procurements. The rest of the public sector is not mandated to follow this advice, but is strongly encouraged to do so.

Now it’s been confirmed that one of HM government’s biggest [public cloud] partners – Microsoft – is offshoring much of the UK’s data, the next government needs to consider if the current cloud-first strategy remains sound
Owen Sayers, independent security consultant

“Now it’s been confirmed that one of HM government’s biggest [public cloud] partners – Microsoft – is offshoring much of the UK’s data, the next government, whatever its make-up, needs to consider if the current cloud-first strategy remains sound,” said Sayers. 

The policy is credited with accelerating the pace of cloud adoption in central government, and is known to be kept under regular review by the Cabinet Office.

The policy’s emergence in 2017 was accompanied by guidance from the Government Digital Service (GDS) around the same time that stated public cloud is safe to use for the vast majority of public sector workloads.

Its publication came several months after Microsoft opened its first UK datacentre region in September 2016, with the former Microsoft corporate vice-president of Office 365, Ron Markezich, pitching the launch as the answer to the fact that “some customers need data located and stored in the UK”.

Nicky Stewart, former ICT chief at the Cabinet Office, told Computer Weekly many public sector IT buyers may have bought Microsoft services “on blind trust” and presumed that, because the company operates UK datacentres, their M365 data would have remained in-country.

“You’ve got Microsoft touting what they describe as sovereign cloud, but what do they mean by sovereign…because truly sovereign data would not be offshored under any circumstances – and certainly wouldn’t be subject to any third country jurisdiction, which is always going to be the case when something is hosted in Microsoft or another US-based cloud,” she said. “Is sovereignty just presumed because the data is being kept in the UK?”

It is not difficult to see why such a presumption might have been made by public sector IT buyers.

When the Microsoft UK datacentre development plan was first announced in November 2015, former UK government chief technology officer Liam Maxwell said the news would have “great implications for business, local government and for lots of people who have always found the issue of data sovereignty and data location to be troubling”, during a press Q&A Computer Weekly attended. 

In an interview with the BBC, Microsoft’s former cloud enterprise group chief, Scott Guthrie, said opening UK datacentres would address the data sovereignty concerns of privacy watchdogs and regulators.

“For some things – like healthcare, national defence and public sector workloads – there’s a variety of regulations that says the data has to stay in the UK,” he said. “Having these two local Azure regions means we can say this data will never leave the UK, and will be governed by all of the regulations and laws.”

The company also has protected documentation hosted on its website, dating back to 2018, aimed at users of the public sector G-Cloud procurement framework that assures them its services are hosted within UK datacentres for use by UK government customers.

A misinterpretation of guidance?

Despite these statements, Sayers said Microsoft has never given assurances that any data stored on its systems would always stay in the UK.

“People just chose to read it in that way,” he said. “All Microsoft has ever done is guarantee that data would be stored at rest in a specific geography, and even then that guarantee is limited to certain services.”

He continued: “In that regard, I have some limited sympathy for Microsoft, [because] users of its services perhaps haven’t read the terms of service properly or conducted much in the way of due diligence before signing up to use its services. If they had done so, all this would have come into the public domain much sooner.”
 
All the SPA did was ask Microsoft to confirm what the terms of service for its cloud products meant in practice, he continued. “Microsoft didn’t duck the question – and it looks very much like the Scottish Police Authority were just the first to ask it.”     

Computer Weekly asked Microsoft if any government departments had ever contacted it directly for assurances about the sovereignty of data stored and processed within M365, but the company did not respond to the question.

The UK government’s Cloud guide for the public sector document, which was jointly published in November 2023 by the Cabinet Office’s technology arm, the Central Digital and Data Office (CCDO) and the Government Commercial Function, states that it is down to departments to decide where their cloud data should be hosted and, in short, their responsibility to ensure suppliers meet their requirements.

“There is no government policy which directly prevents departments or services from storing cloud-based data in any specific country. However, you need to consider the implications of where you host your data,” the document stated.

“It is the responsibility of each government department to take risk-based decisions about their use of cloud providers for the storage of government data.” 

User-centred responsibility for sovereignty

Something that complicates the picture further is that while a department might assume their data is hosted in the UK, some parts of the public sector allow their cloud engineers to call the shots on where data is hosted for cost-cutting reasons, said Stewart. 

“In a setup like that, it’s feasible that a choice could be made to put data offshore based on economics without thinking about the regulatory implications of that or the implications of the contract, because a cloud engineer is effectively sitting miles away from the cloud contract – unless they’ve got a procurement professional hanging over their shoulders, which nine times out of 10 they won’t,” she said.

As an example of this, she pointed to the publicly referenceable NHS England Cloud Centre of Excellence financial operations (FinOps) guidance.

This states cloud purchasing decisions are made by the organisation’s engineers, who are responsible for provisioning services, which it describes as a “shift of responsibilities away from the traditional central procurement and approvals model”.

This suggests, she added: “Once your business has been deployed in the cloud, you’re at the mercy of cloud engineers because they’re the ones making the decisions about essentially where data is going to be hosted.”

Central government’s use of M365

The Microsoft data sovereignty disclosure also puts the government’s championing of M365 as the “standard for productivity” under scrutiny, given that nearly every department uses the suite.

The only exceptions to this are the Department for Culture, Media and Sport (DCMS), which relies on rival offering Google Workspace, and the Cabinet Office – although the latter is in the midst of a multiyear migration to M365.

Discussing the deployment at a TechUK Cabinet Office market engagement event on 21 April 2023, the department’s chief data and information officer, Mike Hill, said M365 is the “government standard for productivity” – as defined by the Central Digital and Data Office (CDDO).

“There are only two departments within government – ourselves [the Cabinet Office] and DCMS – who remain on Google,” he said. “So what we’re looking to do is align to the government standard, to make it easier to interoperate, to share information, and to be more productive as departments…[and] to be much more simplified by adopting the standard set by the CDDO.”

There is no formal mandate stating that government departments should use M365, but what there is – a government source told Computer Weekly – is a want within Whitehall for departments to use the same tools wherever possible.

“There is a drive to create a better connected, department-to-department, collaborative information-sharing and communication infrastructure,” the source said. On this point, Computer Weekly is aware that long-time Google Workspace user DCMS added Microsoft Teams to the range of communications tools it uses in 2023.

“Civil servants often switch between departments, and this increased connectivity should make the IT support for that process more manageable, as well as aid information sharing between departments,” the source added.

Having every department running the same productivity software sounds sensible from a collaboration and consistency perspective, said Rob Anderson, chief analyst and service director, covering the public sector, at IT market watcher GlobalData, but there could be financial drawbacks.

“Over the last two to three years, we’ve seen an increase in government spending with Microsoft [overall], with most of that spending going through third-party resellers. The amount of money spent directly with Microsoft does not seem that much, but when you take into account [the resellers], it is significant,” he said.

As an example, Anderson pointed to a contract that came to light in April 2023, which saw the Department for Work and Pensions (DWP) sign a five-year deal worth £250m with Microsoft via third-party reseller Softcat.

This is a follow-on to a three-year contract worth £70.8m between the pair, which ran until March 2023, meaning the amount of money DWP spends on Microsoft products each year has more than doubled.

“When you look at the number of employees DWP has, it works out at about £600 a year per user, which for a suite of productivity tools sounds ridiculous,” said Anderson.

In 2013, Anderson worked for a short time in the Cabinet Office as a Crown Representative, whose work involved tracking the amount spent on tech contracts, including Microsoft deployments.

“When I was working in that Crown Rep role 10 or 11 years ago, we were concerned if more than £100 per employee per year [was spent] on Microsoft,” he said.

Other notable deals include the three-year Microsoft Azure provisioning contract HM Revenue & Customs (HMRC) awarded to Softcat for £81.5m in June 2024, said Anderson.

“This is in addition to the five-year contract with another reseller called Bytes that was awarded last year for [M365] licensing worth £166.3m, which is equivalent to £500 per user per year,” he said. “In total, since April 2021, HMRC has committed to £265m of spend on Microsoft products and services.”

There has also been a noticeable uptick in the number of contract awards in the wider public sector mentioning Microsoft, he added.

“[It’s] increased dramatically over the last three years – totalling £1.44bn in 2023/24, rising from £1.26bn in 2022/23 and just £562m in 2021/22,” he said. “Just £169m across those three fiscal years was direct to Microsoft [rather than to its resellers] – 7% by value of the total spend over the last four years.”

It should be assumed now that all M365 data does travel internationally by default, which is politically bad for the UK government. This basically means we’ve offshored the whole of UK government IT
Owen Sayers, independent security consultant

Given the push to standardise on M365 within central government, Microsoft’s public sector dominance is poised to increase. “Without any true competition, and by steadily removing Google from the equation, the likelihood is Microsoft will hold all the cards.”

This could potentially mean more government data is exposed to the risk of being processed overseas, said Sayers. “It should be assumed now that all M365 data does travel internationally by default, which is politically bad for the UK government. This basically means we’ve offshored the whole of UK government IT.”

This comes at a time when rising geopolitical instability across the world is prompting governments in other countries to double down on sovereignty to ensure their citizens’ data remains in-country for privacy reasons, said Stewart.

“True data sovereignty is becoming a really big thing in other parts of the world, but we just happily push all our data into non-sovereign entities, believing what they say about [sovereignty], when in fact we don’t know what will happen to our data,” she told Computer Weekly. “Nobody appears to be owning or caring about this in the UK, not least of all our own government.”

Computer Weekly requested a statement from the UK Cabinet Office in response to Microsoft’s disclosures about being unable to guarantee the sovereignty of M365 data, but the department did not directly answer the question.

The department was also asked if it had ever sought assurances from Microsoft that any government data that resides in M365 will remain in the UK at all times, but – again – no direct response to this question was forthcoming.

Next steps for public sector IT buyers

With the Microsoft disclosures now out in the open, Sayers said public sector buyers need to be aware that the sovereignty claims and assurances made by other public cloud providers might also not be quite what they seem.

“The issues here relate to Microsoft – but the problem may not be limited only to them. Most users of hyperscaler public cloud services do not realise this, but all the major hyperscaler terms of service allow the cloud provider – at their sole discretion – to move your data anywhere within their global services without asking for specific permission,” he said.

“The extent to which they disclose to the customer where data is sent varies. Google is fairly transparent, whilst Amazon Web Services and Microsoft are somewhat more opaque, but they all have this common issue to some degree.”

Read more about data sovereignty

Read more on Software-as-a-Service (SaaS)

CIO
Security
Networking
Data Center
Data Management
Close