Microsoft admits that they can’t guarantee UK data sovereignty.


In revelations by Computer Weekly, Microsoft has admitted that it cannot guarantee the sovereignty of UK data hosted on its hyperscale public cloud infrastructure.  This worrying development was discovered via a Freedom of Information (FOI) request to the Scottish Police Authority (SPA).

SPA has discovered that data hosted in Microsoft’s hyperscale public cloud infrastructure is regularly transferred and processed overseas, a situation that is also likely to be true for all UK government users.

In a detailed article Computer Weekly explains the situation.  Part 3 of the Data Protection Act (DPA) 2018 says that law enforcement data must be kept within the UK, as must all public sector data under the G-Cloud 14 framework regulations. In the article it states that Microsoft has confirmed for the first time that a guarantee of sovereignty for ‘data at rest’ does NOT extend to ‘data being processed’, NOR does it cover the provision of support which may entail accessing data. Microsoft, in common with many multi-national suppliers, provides ‘follow-the-sun’ support, meaning that people providing support outside of UK office hours are not necessarily going to be UK-based.

Furthermore, in a separate FOI response from SPA, as recently as May 2024 Microsoft confirmed that it cannot guarantee data sovereignty for M365 (Microsoft 365 is a suite of productivity apps that includes Microsoft Teams, Word, Excel, PowerPoint, Outlook, and OneDrive). As many police forces, government departments and the wider public sector rely on M365 for day-to-day desktop operations, this raises the question of what is happening to classified data, and how it can be handled in accordance with UK law.

Certainly any information that needs higher assurance handling should not be discussed using M365, including the Teams video conferencing app, if data sovereignty cannot be guaranteed, which appears to be the case. This is quite apart from the other security issues we have highlighted before regarding the use of mass-adoption communications apps, which include their susceptibility to AI-generated deepfake and impersonation-based attacks.

So how can organisations that need to protect highly sensitive data ensure data sovereignty?

Award-winning Armour secure communications

The Armour® Secure Communications Platform (recent recipient of the SC Awards Best Communications Security Solution) provides an alternative to consumer grade applications. The platform brings together a quick-to-deploy, easy-to-use solution suitable for BYOD devices and desktops, with enterprise security features not provided by mass-adoption collaboration products or free-to-use consumer apps. It protects data throughout its lifecycle, providing all elements of mobile communications/collaboration including voice, instant messaging, and video conferencing, encrypting data both at-rest and over-the-air.

Suitable for higher assurance video conferencing

Security-conscious organisations such as government departments, the military, defence contractors and public sector bodies all need products designed with their specific requirements in mind. The Armour Secure Communications platform is built to give organisations control of where they deploy and where their data resides, with both secure hosted and on-premises options available. It addresses GDPR and industry-specific regulations, including DPA 2018 Part 3, which cloud-based providers often cannot satisfy where sovereignty is required, as this latest story demonstrates.

Armour Recall™ captures, retains and archives data to ensure organisations keep control of their data and can prove compliance.

Armour Unity™ delivers secure conferencing in an easy-to-use app for mobile use and is available in several configurations to ensure the level of security matches the sensitivity of the conversation.

Armour Connect™ provides voice and video interoperability with unified comms systems, and Armour Bridge™ delivers messaging interoperability with other messaging apps.

Strict security measures within Armour give the organisation total control over data: for example, constraining message retention, Message Burn (automatically deleting messages after a set time), controlling features such as forwarding and sharing of data, and erasing all data in the event of device (or user) compromise.

Users and call groups are centrally managed; people can only join and use the app by invitation. Identity-based authentication (using NCSC’s MIKEY-SAKKE protocol) means that users can be confident when using the platform that they are communicating with who they think they are. In this way Armour addresses the issue of identity spoofing and ghost callers, including AI-generated deepfakes.

Federated secure communications

The Armour Platform can provide a multi-domain, multi-organisation structure with strictly siloed security, making it suitable for federated secure communications between Armour communities. This means that different police forces, government departments or social services (for example) using Armour are able to communicate, once Admins have set up the appropriate links between the groups of users, while each organisation retains total control over its own users.

This type of robust secure collaboration is not available from mass-adoption communication tools such as MS Teams, Zoom, Google Meet and WebEx. They all claim end-to-end encryption; however, as we’ve mentioned on numerous occasions, there is a lot more to security than just encryption.

When looking for a secure communications solution there are multiple aspects to consider. Understanding the likely threats in this environment and addressing each one, combined with providing an application that is as easy to use as, say, a consumer application, is key to most organisations’ decision making. This is an important point made by the UK’s National Cyber Security Centre (NCSC) Seven Principles for Secure Communications, and Armour distinguishes itself by meeting all seven principles.

For more information on this topic, read our blog:  https://www.armourcomms.com/2021/04/21/replacing-whatsapp-advice-from-ncsc/

Also, for nine tips on keeping communications secure, read this blog: https://www.armourcomms.com/2024/02/05/nine-tips-for-keeping-communications-secure-within-the-supply-chain/?cat-slug=10

Armour® provides highly usable and engaging solutions, so your users will have no reason not to use them. Our Buyer’s Guide gives detailed advice on what you should be looking for: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/
