Last Updated on 2022-09-08 by Joop Beris
The public cloud is everywhere. Companies like Amazon, Google, Microsoft and dozens of others are eager to sign up new users and expand their services to existing customers. Many organisations moved their entire IT operations to Amazon Web Services or Microsoft Azure and more will follow. The Dutch government abstained, until very recently. Just last month, the state secretary for digitisation, Alexandra van Huffelen, announced that the Dutch government is allowed to use public cloud services.
Once upon a time, the Dutch government made plans to build their own cloud service infrastructure. However, this infrastructure never saw the light of day. According to van Huffelen, public cloud services changed and improved significantly over the past decade, with the Covid pandemic being an important driver for innovation. So much so that she feels it’s time to update the National Cloud Policy of 2011.
Poor arguments to use public cloud
The arguments she raises to green-light the use of public cloud also raised my eyebrows. They’re not particularly good or convincing arguments to allow the use of public cloud, in my opinion.
Public cloud services are popular
She argues that services have become more reliable and that lots of citizens and companies use them. While it is undoubtedly true that public cloud services are generally available, their perceived popularity is not an argument to use them! Just because something is popular, doesn’t mean it is good or trustworthy. Just have a look at popular TikTok challenges for a great example of why popular doesn’t equal good. An appeal to popularity is actually a logical fallacy.
The availability of a system is only one pillar of the CIA-triad of information security. The other two, confidentiality and integrity are just as important. With the Dutch government allowed to use public cloud, I’m not so concerned about availability. What I worry about most is confidentiality.
More patches doesn’t equal more security
The state secretary further argues that the public cloud offers more security options now and the large-scale deployment of updates and patches makes it easier to address faults in the software. While I agree with this in theory, someone still has to actually configure the security settings to address known risks. Having more buttons to push is no guarantee the right ones will be pushed.
Also, in theory the large-scale deployment of updates and patches could increase the security posture of an organisation. But frequent large scale deployment of patches isn’t a mark of quality. If I drive a car but every other week I have to go to the dealer to have nuts and bolts tightened or brake discs replaced, that doesn’t mean I have a reliable car!
A transparent solution?
Van Huffelen’s third argument is that the low initial cost and pay-per-use principle make the public cloud a transparent solution. Never mind the obvious observation that clouds aren’t transparent for now. Why is this a good argument to use the public cloud? Is it about cost reduction? Because things don’t get cheaper when you move from in-house IT to the cloud, they tend to get more expensive.
While it is possible to design a cost-efficient cloud architecture, the Dutch government’s track record with IT projects doesn’t make me more confident here. Initial costs may be low, but once you begin to use your infrastructure, store more data, eat more compute cycles, your costs will rise. Good asset and capacity management can keep the costs in check but again, I’m not confident. Sure, it may be transparent in terms of knowing what you pay for, but I don’t think this is a strong argument to move away from private clouds or in-house IT.
The risks are more manageable?
In a fourth and final argument, the state secretary says that the risks are now more manageable than before, due to large investments by public cloud providers in securing their services. This is much more than the government is willing or able to invest in information security itself. There are so many errors of thought in this one sentence that it makes my brain hurt.
First of all, how are the risks more manageable? I’d like to see the risk analysis that concluded this. What risks is she talking about? Sure, AWS and Microsoft Azure take away some of the hassle of patch management, asset management and hardening systems, but there’s still a lot you need to do yourself. The risks due to low user awareness, phishing, ransomware or human error don’t disappear when you move to the cloud. They may even increase.
A company like Microsoft is going to pump a lot of money into securing their Azure service. It’s their life blood, after all! They’re also running a global infrastructure with millions of customers and many thousands of petabytes of data. So yes, both in absolute numbers and in relative terms, Microsoft invests more in information security than the Dutch government can or should. The Dutch government doesn’t have to run a global infrastructure with millions of customers and many thousands of petabytes of data. They don’t need to spend so much, both in absolute and in relative terms. So why this comparison? It is comparing apples to oranges.
Some sensible precautions
Fortunately, the state secretary also lists some sensible precautions and some data types which are not allowed in the public cloud, no matter what.
- Basic registries are not allowed. So no database of all inhabitants of the Netherlands, no vehicle registry, etc. But what about a subset of data from basic registries?
- Special personal information, such as medical information, religious affiliation, etc.
- State secrets.
- The Ministry of Defence is not allowed to use public cloud.
The use of cloud services based in countries that have “an active cyber programme that is aimed against Dutch interests” is also prohibited. This seems a bit vague but I hope someone in the government will be keeping a list of which countries are meant.
Those seem pretty sensible as precautions go. So why don’t they make me feel better? Well, I have a number of reasons which I will outline below.
Potential issues with public cloud use
With the Dutch government allowed to use public cloud, I see more than just a few minor issues. There are some issues that could even be a threat to running our nation in the long run. These issues apply to businesses too, of course. But businesses have to make different considerations because they have different responsibilities. They’re not national governments. So let’s take a look at these issues.
Data sovereignty means one of two things:
- Data is subject to the laws of the nation in which it is collected or
- The self-determination of individuals and organizations with regard to the use of their data
With the use of public cloud services by the Dutch government, there are issues with both definitions. Using public cloud, you can never be sure where your data is stored, nor can Dutch citizens determine how their data is used. While European laws such as GDPR are supposed to protect the rights of the individual with regard to their data, these rights become much harder to enforce when data is stored outside of the national jurisdiction or with companies subject to foreign laws. This is what lawyer and activist Max Schrems has been warning about since 2011.
Dependent on the responsiveness of the vendor
When you have outsourced all or part of your IT to a cloud service, you are dependent on the responsiveness of the vendor when there are issues. Your vendor probably makes use of subcontractors or other third parties to deliver their service so you are dependent on them too, including the stipulations they have agreed on in their service contracts.
The Dutch government could conceivably put sufficient pressure on national or even European vendors when there are issues but when it comes to companies like Amazon or Microsoft, the Dutch government is a relatively small player.
Dependent on terms of service and quality of the vendor
Customers are dependent on the terms of service and quality of the vendor. When the vendor changes their terms of service, it is generally a choice between accepting the new terms or ceasing to use the service. But this is not so easy when your entire IT infrastructure lives in Amazon Web Services. You can’t just stop using the service because you have no alternative.
Similarly, should the service of your vendor decline to the point where it becomes unacceptable, it is not that easy to leave. In both cases, exit conditions in the contract are supposed to save you. Fortunately, van Huffelen indicates that such conditions should be part of the contract but you better hope that the Dutch government has better lawyers than cloud vendors.
Longevity of the service
Cloud services are a relatively new phenomenon and they exist in a dynamic and volatile international market. Who can guarantee that shiny new service or that promising startup where you decide to park your data will be around in another 5 years? Relative old-timers like Microsoft and Amazon most likely will be but maybe not all of their services will. It would be a shame if they decide to cancel certain services because they’re not that lucrative but the Dutch government depends on that service.
No control over who has physical access to the hardware
If your IT is in-house, you can control exactly who has access to the physical hardware. If you move to the cloud, you have no idea who touches your hardware. In fact, it’s not even your hardware any more. Reputable cloud services have strict requirements when it comes to data centre access. In fact, they’re probably better than what most organizations have in place. But you can’t control it, you can’t audit it and you can’t verify it in another way. You simply have to rely on what the contract says or the vendor says, so there is a risk there.
You can take appropriate countermeasures, like encrypting data in transit and encrypting data at rest. If you store any sensitive data in the cloud, you probably should. And hope nobody else has access to the encryption key.
Jurisdictional issues over access to data
Use of the public cloud usually means data is travelling through multiple countries and thus multiple jurisdictions. While this won’t be much of a problem when the data remains within the EU, this changes when it leaves the EU. Many nations don’t have strong laws protecting privacy or may simply not care about the privacy of Dutch citizens.
Even if the contract with the cloud service provider stipulates that data should not leave the EU, the CSP may have third parties they use or dev-ops in countries outside the EU who may gain access to the data remotely.
Issues in case of a conflict with the US
One of the lessons of the current war between Russia and Ukraine is how quick US cloud providers were to stop providing services to Russia. Within a few weeks after the start of the war, Russian companies were almost cut off. While we can applaud this sanction as a stance against Russian aggression, it does make you wonder: what if the US government and the Netherlands got into a conflict?
It’s conceivable that such a conflict could see cloud providers cease operation here too, especially under pressure from the White House. A shoot-from-the-hip president like Trump could cut off the Dutch government from access to its own data, making the task of governing the country challenging. Does the Dutch government really want to create such a dependency?
Cloud Act, Patriot Act and espionage
We know from the Snowden revelations that US cloud providers have close ties with US agencies such as the NSA and CIA. We also know that the US government doesn’t care much for the privacy of non-US citizens. Just two weeks before state secretary van Huffelen announced “Dutch government allowed to use public cloud”, the Dutch National Cyber Security Center released a memo on the US Cloud Act.
The conclusion of that memo is rather startling, though not unexpected: “EU Entities can be within the reach of the CLOUD Act, even if the EU Entities are located outside the U.S.” If it has sufficient contacts inside the US, it is reasonable for the US to claim jurisdiction over the EU entity. Basically, all US cloud providers have “sufficient contacts” inside the US because their headquarters is there. So while Microsoft Europe might technically be an EU entity, the data stored there is up for grabs to the US government.
“EU Entities can be within the reach of the CLOUD Act, even if the EU Entities are located outside the U.S.” (Cloud Act Memo, NCSC)
Another interesting passage in the memo is the answer to the following question: “Question 4: Please indicate whether the U.S. can obtain data from an EU Entity over whom it does not have jurisdiction by ordering a U.S. national who has access to data abroad to hand over data under the CLOUD Act or otherwise.”
The answer there is quite plain: “In theory the answer is NO, in practice it is most likely YES.”
Just two weeks after the Dutch NCSC basically tells the government that it’s virtually impossible to protect data stored with US cloud service providers from being accessed under the Cloud Act, van Huffelen says “Dutch government allowed to use public cloud”.
No matter if the Dutch government is allowed to use public cloud or not, there is still the matter of responsibility. They hold important and sensitive data on millions of Dutch citizens. As citizens we should expect our government to protect that data to the best of their ability. Moving to the public cloud doesn’t discharge them of that responsibility. If anything, it makes that responsibility all the more serious.
Information security goes beyond having a great firewall and fast patch management. These are the things the cloud providers can help with. But what they can’t help with, is managers taking information security seriously. They don’t help with soft skills like user awareness or processes like incident response, data classification and risk assessment. Those are always the responsibility of the cloud customer and that responsibility can’t be delegated away.
What I am concerned about is that this will be forgotten. Too often I have heard people assume the cloud service provider will handle security. Also, there’s always the potential for user error, which becomes magnified when data is in the cloud. What’s to prevent some civil servant from uploading a partial set of registry records or sharing them with the wrong people?
With the Dutch government allowed to use public cloud, we could see a more agile, informed and efficient government. However, it could just as easily be a data disaster waiting to happen. Time will tell.