Microsoft Opens Up Azure Cloud in Germany Even It Can't Access (windowsitpro.com) 98

Reader v3rgEz writes: International customers are becoming increasingly concerned about the U.S.'s data snooping practices, and it appears Microsoft has devised a solution to make them happy: Set up Azure cloud in a foreign region. Because it's under the technical ownership of a German company named Deutsche Telekom, even Microsoft doesn't have access to the data. The move is not surprising, but it could set a precedent that encourages others to move their corporate data away from U.S. shores to countries that take a friendlier view of encryption and data privacy. From the official blog post, "Microsoft has -- in this new model -- no rights at all to access customer data. Only for special purpose like a support call from a customer a temporary access will be granted by the Data Trustee to the Microsoft engineer, and only for the specified area. After that time (using a technology similar to what you might know as JIT) all access is revoked automatically. So to repeat: Access is granted to the Microsoft engineer only by the Data Trustee. Microsoft has no way to grant that access to itself."
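The trustee-gated, time-limited access described in the quoted blog post can be modelled as follows. This is an added example, not Microsoft's or Deutsche Telekom's implementation; the class names, the token format and the HMAC key shared only between the trustee and the storage-side guard are assumptions.

```python
import hashlib
import hmac
import json


def _tag(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class DataTrustee:
    """Hypothetical trustee: the only party that can issue grants."""

    def __init__(self, key: bytes):
        self._key = key

    def grant(self, engineer: str, scope: str, ttl_s: int, now: int) -> str:
        claims = {"sub": engineer, "scope": scope, "exp": now + ttl_s}
        body = json.dumps(claims, sort_keys=True)
        return body + "." + _tag(self._key, body)


class StorageGuard:
    """Hypothetical enforcement point in front of customer data."""

    def __init__(self, key: bytes):
        self._key = key

    def check(self, token: str, engineer: str, resource: str, now: int) -> str:
        body, _, tag = token.rpartition(".")
        # Verify the signature before trusting any claim in the body.
        if not hmac.compare_digest(_tag(self._key, body).encode(), tag.encode()):
            return "denied: bad signature"
        claims = json.loads(body)
        if claims["sub"] != engineer:
            return "denied: wrong subject"
        if now >= claims["exp"]:  # expiry is enforced here; nothing to revoke
            return "denied: expired"
        scope = claims["scope"].rstrip("/")
        # Match on path segments so "vm-7" does not also cover "vm-70".
        if resource != scope and not resource.startswith(scope + "/"):
            return "denied: out of scope"
        return "allowed"


def run_demo() -> dict:
    key = b"constructed-trustee-key"  # constructed sample value
    trustee, guard = DataTrustee(key), StorageGuard(key)
    t0 = 1_000_000
    token = trustee.grant("eng-42", "tenant-a/vm-7", ttl_s=3600, now=t0)
    res = {
        "in_scope": guard.check(token, "eng-42", "tenant-a/vm-7/disk0", t0 + 60),
        "other_tenant": guard.check(token, "eng-42", "tenant-b/vm-1", t0 + 60),
        "prefix_trick": guard.check(token, "eng-42", "tenant-a/vm-70", t0 + 60),
        "after_ttl": guard.check(token, "eng-42", "tenant-a/vm-7/disk0", t0 + 3600),
    }
    # The operator signs its own grant without the trustee's key.
    own = DataTrustee(b"operator-guess").grant("eng-42", "tenant-a", 10**9, t0)
    res["self_issued"] = guard.check(own, "eng-42", "tenant-a/vm-7", t0 + 60)
    # The engineer edits the expiry of a genuine grant and reuses its tag.
    body, _, tag = token.rpartition(".")
    claims = json.loads(body)
    claims["exp"] += 10**6
    edited = json.dumps(claims, sort_keys=True) + "." + tag
    res["extended"] = guard.check(edited, "eng-42", "tenant-a/vm-7/disk0", t0 + 7200)
    return res


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The guarantee holds only while the signing key and the guard stay outside the operator's control, which is the property the commenters below question.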

  • I'm freaked out right now. What's going on here?
    • It's not ripe yet.
      • What happens when Microsoft, operating under a secret NSA Security Letter, intentionally induces a fault in the Azure Cloud service of an individual of interest. And then of course the Data Trustee gives the Microsoft engineer access to the customer's data. If the NSA knows what they want, the access would not have to be for an extended period of time.
        No, this won't work for mass surveillance or even continuous surveillance of one individual. But it is not data security of the type implied by the announ

        • Re:NSA tango (Score:5, Interesting)

          by tnk1 ( 899206 ) on Tuesday March 15, 2016 @02:40PM (#51702595)

          Or they could just barter intelligence deals with German intelligence to have *them* hand over the information directly.

          These are government intelligence agencies here. The NSA certainly could social engineer themselves the information, or induce faults on a case by case basis, but why do that when you can just cut a deal or two? The NSA has so much juicy information that German intelligence would be happy to trade for.

          Sorry, what? German intelligence would never do that? Yes... sorry... I'm not laughing, that's just a lot of coughing. That's the ticket.

          • Re:NSA tango (Score:5, Informative)

            by Mister Transistor ( 259842 ) on Tuesday March 15, 2016 @02:55PM (#51702755) Journal

            Well, Deutsche Telekom is (or was) the German State telephone company, kind of like the Post Office in Britain, owned and operated by the government. They have many subsidiary companies, in the U.S. we know them as T-Mobile and T-Systems.

            So, they are one step closer to ease of mass surveillance than we are in the US, in that the "cloud" data or whatever is _already_ in the German Gov't.'s hands, basically.

            • and serve Microsoft in the same writ. I think this sort of hocus-pocus would only work in places where there is minimal infrastructure and no treaties with the US. like, say North Korea. places where you KNOW your data is being analyzed, mangled, and monetized.

              so the ultimate responsibility has to be the Congress formally recognizing the first amendment still applies to technology that didn't exist at the time they were sharpening their goose quills to write the document.

            • Re:NSA tango (Score:5, Informative)

              by PolygamousRanchKid ( 1290638 ) on Tuesday March 15, 2016 @03:42PM (#51703133)

              Well, Deutsche Telekom is (or was) the German State telephone company

              "Was". It was privatized a long time ago. So there is no direct control of the Deutsche Telekom by the German government.

              Of course, when the German government asks Deutsche Telekom for a "favor", they are not going to say no. Especially if there are some laws backing the government up. There's another set of secret squirrels in Germany called "Verfassungsschutz", which means something like "protection of the constitution". They have broad powers for snooping on folks that are deemed enemies of the state.

          • Re:NSA tango (Score:5, Interesting)

            by duckintheface ( 710137 ) on Tuesday March 15, 2016 @03:06PM (#51702853)

            tnk1, I'm inclined to think that the worm has turned in Germany. Exposure of spying by the US on the Chancellor and other high government officials has poisoned the well. It would be a political death sentence for any politician or government employee who was caught helping the US spy on Germans.

            • It would be a political death sentence for any politician or government employee who was caught helping the US spy on Germans.

              I totally agree wi....
              Oh!!!! Germany's next top model is on!
              Sorry, what were you saying?

          • Deutsche Telekom runs one of the biggest ISPs in Germany: T-Online. Part of their RADIUS platform is a component called "LI" . . . "Lawful Interception". The spooks can directly access this, without any assistance from the T-Online operator. And, in fact, LI even hides and obfuscates the taps that are in place. So if a drug cartel smuggled in a rogue T-Online operator, this person would not be able to tell the drug cartel that they were being spied on. The other ISPs in Germany probably do the same th

          • by Sique ( 173459 )
            That's not what this move is about. It's about information that can be legally introduced into a U.S. court. Now the U.S. state attorney has to jump through the loop and actually ask a German court to force Deutsche Telekom to release the information requested, which until now they tried to avoid as much as possible. Especially in cases where the U.S. sentencing laws are considered draconic in Germany, this request might be denied on legal grounds. If for instance a U.S. state attorney would put pressure
        • by lgw ( 121541 )

          The NSA doesn't need this, any more than they need a National Security Letter to access US data, as long as it's not encrypted well. When I worked at MS, we would half-jokingly blame (assumed) NSA taps on the low quality we'd see in WAN connections between DCs. It was a bit of a shock to discover from Snowden it was all true (MONKEY PUZZLE was the codename for those NSA taps, IIRC).

          It's different if the data is encrypted in such a way that MS only has access to the metadata (which should be enough for custo

        • I think the government can force them to help, and to keep their mouth shut about it, but not to lie.

          In this case, lying might even put the lying engineer at risk in the foreign country..

    • I'm freaked out right now. What's going on here?

      oh wait I get it lol... WAS red header, now green after I posted Yeah second post!!

    • by Archfeld ( 6757 )

      A story from the mysterious future ?

    • Comment removed based on user account deletion
      • Re:red header? (Score:5, Insightful)

        by MightyMartian ( 840721 ) on Tuesday March 15, 2016 @02:43PM (#51702627) Journal

        Until Germany does the same thing the US is doing.

        This may seem like a distinctly American problem, but it is global. Every government; from the direst dictatorships to the most liberal democracies, wants their own version of the "Snooper's Charter", and wants to crush anyone who dares question their unlimited right to spy on their own citizens 24/7. This is a theory of government that is unconstrained by any notion of civil liberty, responsible or constrained government power.

        The world is run by sociopathic monsters with a pack of braindead retarded legislators who gave up actually governing years ago.

        Welcome to Dystopia, and now there's an app for that!

        • I'd actually like for Microsoft to have the same onus in the USA. Don't touch stuff only and unless you get a secondary auth key from a trustee of the account's data, verified by both sets of credentials, and then only for the session or four hours, whichever is less. A reauth would be needed if they can't fix something within the four hours. The key has to be a healthy, domain curated hefty key. Then: goodbye.

  • a German company named Deutsche Telekom

    I think I've heard of them. They're a niche local exchange phone carrier, right?

  • by JoeyRox ( 2711699 ) on Tuesday March 15, 2016 @02:20PM (#51702361)
    Just a little Mom and Pop business in Germany with an $81 Billion USD market capitalization. :)
    • by WarJolt ( 990309 )

      Not sure if that's sarcasm. If you're a US telecom with less than a $100 billion market cap you're a mom and pop business.

      Verizon and at&t are greater than $200 billion and comcast is at $144.

      • The US has a population of 319 million people, Germany has 81 million. I'll take DT's over Verizon and AT&T.
  • Eh? (Score:4, Interesting)

    by OverlordQ ( 264228 ) on Tuesday March 15, 2016 @02:21PM (#51702377) Journal

    (using a technology similar to what you might know as JIT)

    I think most people would associate JIT with Just-In-Time compilers, but I fail to see how that translates to credentialing.

    • by WarJolt ( 990309 )

      They are talking about just in time activation of permissions. The permissions automatically expire after some period of time.

    • JIT is a common terminology for many things. Just In Time Access, Just In Time Manufacturing, Just in Time Production and numerous others. Just in computing the most common one is just in time compilers.
    • The term JIT predates compilers and goes back to automobile manufacturing practices where companies would minimise excess stock by optimizing manufacture workflow so that parts come online just as they are needed.

  • The only way they could not possibly access the data was if they did not develop the software and consequently could not use their update mechanisms, back doors and other established methods to gain access when so requested. So is the author trying to tell us Microsoft is no longer the software developing company behind Azure and Windows?

  • Laws matter (Score:4, Insightful)

    by Anonymous Coward on Tuesday March 15, 2016 @02:25PM (#51702419)

    Yet again, laws matter.

    If the US wants to keep data centers in the US, it needs to understand that making draconian laws is NOT the way to go about it.

    Simply put, right now, I would NOT be building a data center in the US if my primary customer base was outside of the US, period.

    • by rtb61 ( 674572 )

      Now of course if you own the box via its operating system, that sends data to the cloud and gets data from the cloud. What is to stop that box sending a copy elsewhere at the same time an unencrypted copy. M$ is screwed people that won't touch their OS won't touch their cloud either. Their prying ways with the backing of the US government has put them in a pickle, no one trusts them any more with anything. For games meh, who cares for real world secure applications, you'd need to have your head read.

    • by AmiMoJo ( 196126 )

      While I agree that it's best to keep data out of the US, it's hardly the only country on the list. What really matters though is keeping the data outside the jurisdiction that the company and customer are based in. Make sure that it requires an international effort to get the data, which is encrypted with a key in another jurisdiction anyway.

      The goal is to increase the cost in both time and money, to discourage fishing trips and laziness. If it's hard to do, law enforcement will only bother if it's really w

  • After betraying their customers for years by doing stupid shit like uploading their encryption keys to OneDrive by default, Microsoft wants to jump in on the fame and honor that Apple is getting for refusing to make malware in order to unlock a terrorist's iPhone. Hurray, off-shore data lodging! Ultimately though this'll mean nothing but a teeny bit more latency for PRISM, which Microsoft has oh-so-willingly cooperated with the NSA to power for years.
    • by EmperorArthur ( 1113223 ) on Tuesday March 15, 2016 @02:45PM (#51702643)

      After betraying their customers for years by doing stupid shit like uploading their encryption keys to OneDrive by default, Microsoft wants to jump in on the fame and honor that Apple is getting for refusing to make malware in order to unlock a terrorist's iPhone. Hurray, off-shore data lodging! Ultimately though this'll mean nothing but a teeny bit more latency for PRISM, which Microsoft has oh-so-willingly cooperated with the NSA to power for years.

      Not quite. This thing is a response to: https://en.wikipedia.org/wiki/... [wikipedia.org]

      Basically, Microsoft has been fighting this case for years now. If the US wins, then it can mandate that Microsoft must turn over data anywhere in the world with just a warrant. That doesn't pass muster with EU laws. So, if the US wins, then all of a sudden it becomes illegal for an EU business to use any Microsoft cloud service, or at least extremely risky for them to do so.

      This new service is something where they can tell the US government, "We physically can't do that." Just like how Apple will probably push out an IOS upgrade that prevents flashing new firmware to a phone while locked without wiping the device.

    • Oh, the Apple viral AD! Microsoft is trying to make something like it?
  • " Only for special purpose [sic] like a support call from a customer..."

    Or the NSA, FBI, CIA...

    • It doesn't have to be an American 3-letter agency - it's not as if the BND doesn't have a track record of violating German citizens' privacy.

  • by Howitzer86 ( 964585 ) on Tuesday March 15, 2016 @02:34PM (#51702525)

    US Government: "We will fine you until you comply with the order giving us access to the servers."
    Microsoft: "Those aren't our servers. We don't have access."
    Government: "Comply or be fined a million dollars a day."
    Microsoft files bankruptcy in AD 3276.

    Thus begins the first Year of Linux on the Desktop.

    • Re:Year of Linux (Score:5, Insightful)

      by MightyMartian ( 840721 ) on Tuesday March 15, 2016 @02:48PM (#51702679) Journal

      More like:

      US Government: "We will fine you until you comply with the order giving us access to the servers."
      Microsoft: "Those aren't our servers. We don't have access."
      US Government: "Fine have it your way."

      three weeks later

      German Government: "We will fine you until you comply with the order giving us access to the servers."
      Deutsche Telekom: "Fuck you, Microsoft, take your servers back."

      • by OhPlz ( 168413 )

        Store fragments of the data in different countries.

      • Re:Year of Linux (Score:5, Insightful)

        by bloodhawk ( 813939 ) on Tuesday March 15, 2016 @04:47PM (#51703697)
        MS and other companies have no objection to proper court orders in the appropriate country following due process. This move is due to the US government's unwillingness to follow due process and demand access to servers and data residing in foreign countries without going through the legal processes of that country. So going to German court and arguing the case for access they will be fine with, but of course that will be issued against Deutsche Telekom not MS.
      • German Government: "We will fine you until you comply with the order giving us access to the servers." Deutsche Telekom: "Fuck you, Microsoft, take your servers back."

        Sure, if a German court orders the data to be provided, Deutsche Telekom would comply. So? The problem Microsoft is trying to solve is solved.

      • Re:Year of Linux (Score:5, Interesting)

        by shutdown -p now ( 807394 ) on Tuesday March 15, 2016 @08:21PM (#51705091) Journal

        The point is to put the servers under the control of the government which is deemed more trustworthy by the customers. And it doesn't even have to be all or most customers - just a subset. Say, those in EU.

        Hopefully, there will be more similar centers opening in other countries in the future, so that customers can actually shop around, and pick the country with surveillance laws and/or track record that they're most comfortable with.

  • Untrustable (Score:2, Interesting)

    by Stan92057 ( 737634 )
    Comes down to can Microsoft be trusted and that answer we all know is a flat out No. Forcing people to download adware to get a security patch is flat out evil and all the tricks they have been using to get people to switch to Windows 10 is also evil. So Microsoft is a 100% untrustable and evil IMO based on those facts.
    • I would say the most annoying part about the Win 10 upgrade notifications is that I ran the compatibility test and failed but does that mean I stop getting the upgrade notifications and Win 10 ads... NO!

    • Trust, but verify.

      The Gipper was on to something. If Microsoft announced that the EFF had the unfettered ability to monitor and audit MS and DT, then I would say this is the change we've been hoping for.

  • Like most things, I'm guessing this comes down to money (not that that's always a bad thing).

    In many market segments (think government, healthcare) data residency requirements are built into any contracts. Having a European data center likely allows them to bid and win business in these markets.

  • Hmm,

    so DTAG announced this in November here [telekom.com] and MS did it here [microsoft.com] with availability of H2 2016.

    I wonder if there is any discount for ex employees of that small, unheard of 260000 (iirc in 2006) people employing obscure German company.
  • Could Microsoft open up an Azure cloud so that even it can't access it?

    Apparently, the answer is yes.

    (not that I'm buying in to this, whether US authorities will have access to the data, the German ones most certainly will, and they have been very co-operative with NSA et al.)

  • Microsoft Windows 10 monitors the user in my opinion more than any exploration of the world, I really understand those users who are concerned about their safety and privacy, I think this is only the beginning, many companies are engaged in the surveillance of Internet users it is only necessary to look deeper at the problem of personal data
  • Smart move for them (Score:4, Interesting)

    by ErichTheRed ( 39327 ) on Tuesday March 15, 2016 @03:16PM (#51702939)

    Microsoft's betting on Azure being the next IBM mainframe-style lock in device for IT. It seems to me like their goal is to get IT people thinking in Azure terms whenever they design anything, such that it becomes one of only a couple of ways to get anything deployed. Look at Windows Server 2016 and the upcoming Azure Stack -- Microsoft is basically telegraphing that the days of an on-site server not controlled by the Azure resource manager are on the way out. I'm betting Server 2016 is one of the last "monolithic" server releases, and the rest is going to be an Azure-y collection of services that you turn on and off either in the cloud or in your own datacenter.

    Given that, and given Germany's privacy laws, it makes perfect sense that they would essentially build a "Public Azure Stack" to work around that detail. Whether every single company decides they're not afraid of the public cloud or not is in question, but Microsoft's looking to control that conversation and slowly bring everyone into the ongoing monthly charges model. Makes sense too -- either collect one fee for Windows Server one time, or sell it over and over again in monthly installments forever -- the choice seems obvious!

  • by RogerWilco ( 99615 ) on Tuesday March 15, 2016 @03:18PM (#51702963) Homepage Journal

    They don't need access to your data in the Azure Cloud any more. They will just read all your data directly from within Windows 10, when you're using it in its unencrypted form.

    • If you don't trust Windows 10 on your VMs then either:

      A. Set up a firewall at the host level to stop it from talking to non-trusted servers.

      B. Use enterprise edition, which is trusted by people like Amazon (which owns AWS) not to snoop on private information

      C. As part of a major corporation negotiate rights to look at the source code for Windows.

      D. Install Linux on Azure (just make sure you use updated Hyper-V drivers in your distro).

  • They did a similar setup in China, but for a different reason. The Chinese government wanted one of their service providers to have access to everything. Same separation of ownership, completely different outcome.

  • Who really thinks that the Germans are more friendly about privacy and encryption? European laws might grant individuals some recourse about the use of data by corporations, but don't count on corresponding constraints on government. The difference between what ends up in German vs American government hands has more to do with how developed their snooping infrastructure is, not on whether the legal environment is more "friendly"

  • You may also know it by its international name "T-Mobile".

  • Stripe the data on the servers. Put two bits in Germany, two in Russia, two in China, and two in Taiwan.

    Nobody has access to all the data, and they're never going to cooperate to get the missing pieces.

  • Set up Azure cloud in a foreign region. Because it's under the technical ownership of a German company named Deutsche Telekom, even Microsoft doesn't have access to the data

    Deutsche Telekom is roughly the German equivalent of AT&T: a former government-sponsored monopoly. It is in bed with the German government; they are actually still 30% government owned. You can bet that if you put your data on that cloud, the German government, intelligence agencies, and police are going to get full access to it.

  • OK, I am an American admin heading over to Germany for a security audit, code update, bug tracking, etc. (at the airport 8 thugs in cheap suits hand me a security letter from the DOJ saying that if I don't comply I go to jail. If I tell anyone about the security letter, I go to jail. If I call a lawyer they haven't approved, I go to jail. But at the same time they tell me that they are trying to stop very very bad people and that it would improve my job prospects with future applications to various securit
