Microsoft and the CLOUD Act

Oct 15, 2020
Raphael Scherrer

We often hear statements such as “my data just isn’t secure in the Microsoft Cloud” or “Microsoft is subject to the CLOUD Act”. There’s good reason to wonder what’s behind statements like this.

But just what is this CLOUD Act, anyway?

By definition, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is an American law that allows American Internet companies and IT service providers or US authorities to legally access stored data even if it is not stored in the USA. This of course directly affects Microsoft Corporation as an American company. The same applies to the competing hyperscalers Amazon or Google. In any case, the CLOUD Act should be viewed objectively and not prove a hindrance to cloud projects in Microsoft Azure, for example. In addition, Microsoft Schweiz GmbH is 100 % subject to Swiss law.

Does the CLOUD Act discourage large cloud projects? No, in fact big Swiss companies are leading the way. Mobiliar, SwissRe, UBS, Helsana, Clarunis Spital, Children’s Hospital Zurich, Kantonsspital Baden and many ProCloud customers demonstrate great confidence in the hyperscaler Microsoft, despite the CLOUD Act. To make it clearer, here’s just a sample of some sensitive data that’s already in Microsoft’s Swiss data center:

  • AHV data
  • Pension and wage details of the compensation funds
  • Health data from insurance companies
  • Customer data from several Swiss banks

That seems to inspire confidence, but the discussions about the CLOUD Act are still ongoing. The subject is complex. A well-known Swiss lawyer, David Rosenthal from VISCHER AG, has written a wonderful article on precisely this topic that explains why the US CLOUD Act should not prevent cloud projects. So if you want to know exactly what’s going on, you shouldn’t miss this article. It’s enlightening in every respect and comes with an Excel template to quantify the risk.

See also our interview with Marc Holitscher, National Technology Officer Microsoft Switzerland, who comments on the subject of the CLOUD Act.

Is the CLOUD Act already being enforced?

Microsoft has published a “Digital Trust Report”. This provides, among other things, clear figures regarding the CLOUD Act and the extent to which it is enforced abroad: “In the first half of 2019, Microsoft received 4,860 legal demands for consumer data from law enforcement in the United States. Of those, 126 warrants sought content data which was stored outside of the United States. In the same time frame, Microsoft received 43 legal demands from law enforcement in the United States for commercial enterprise customers who purchased more than 50 seats. Of those demands, 1 warrant resulted in disclosure of content data related to a non-US enterprise customer whose data was stored outside of the United States.”

Microsoft cloud and cyber security

The current cyber security situation reveals the obviously greater risk. A legally justified request for data delivery is one thing (such requests, by the way, are also made without the CLOUD Act, even internationally); a data leak caused by cyber risks, with data ending up in the hands of cyber criminals, is quite another. Cyber attacks have increased enormously, which is reason enough for Microsoft to keep investing heavily in cyber security. The following facts and figures show Microsoft’s efforts to demonstrate excellence and stay at the forefront in this regard:

Marc Holitscher, National Technology Officer at Microsoft Switzerland, sums it up in our interview: “In the slipstream of Corona and the significant acceleration of cloud adoption, we have also seen an increase in cyber attacks. The fact is, however, that the cloud benefits precisely from the fact that it can access an almost infinite pool of signals worldwide, condense them and then make them available to all customers worldwide. As a result, the cloud platforms have mastered this baptism of fire of crises and changed threats extremely well. I would say that today we are clearly at the point at which companies decide in favor of the cloud, because they assume that data protection or data security is higher than if you implemented it in your own infrastructure.”

ProCloud offers

ProCloud AG positions itself as a multi-cloud provider with its own infrastructure in two data centers in Switzerland. As a purely Swiss company with our own infrastructure, we are a suitable choice for companies that are not yet completely comfortable with the CLOUD Act. We are also Microsoft Partner of the Year and a Microsoft Gold Partner, and we were the first to use Microsoft Datacenter Switzerland, even before the official opening. We are well informed about the data protection situation and would be happy to advise you. We also have extensive know-how in data encryption practices, for example in Azure or Microsoft 365, which makes it possible to process data such as patient data in the Microsoft Cloud. We are also ISO-27001 certified – feel free to review our certificate.

In cyber security, we offer a high-end solution with our Enterprise Cyber Defense Center. Thanks to our proactive 24/7 Security Operation Center (included), we recognize anomalies and escalate them at any time. We would be glad to advise you. Book your free online consultation now.