Microsoft Opens Up Azure Cloud in Germany Even It Can't Access (windowsitpro.com) 98
Reader v3rgEz writes: International customers are becoming increasingly concerned about the U.S.'s data snooping practices, and it appears Microsoft has devised a solution to make them happy: Set up Azure cloud in a foreign region. Because it's under the technical ownership of a German company named Deutsche Telekom, even Microsoft doesn't have access to the data. The move is not surprising, but it could set a precedent that encourages others to move their corporate data away from U.S. shores to countries that take a friendlier view of encryption and data privacy. From the official blog post, "Microsoft has -- in this new model -- no rights at all to access customer data. Only for special purpose like a support call from a customer a temporary access will be granted by the Data Trustee to the Microsoft engineer, and only for the specified area. After that time (using a technology similar to what you might know as JIT) all access is revoked automatically. So to repeat: Access is granted to the Microsoft engineer only by the Data Trustee. Microsoft has no way to grant that access to itself."
red header? (Score:2)
Re: (Score:3)
NSA tango (Score:2)
What happens when Microsoft, operating under a secret NSA Security Letter, intentionally induces a fault in the Azure Cloud service of an individual of interest. And then of course the Data Trustee gives the Microsoft engineer access to the customer's data. If the NSA knows what they want, the access would not have to be for an extended period of time.
No, this won't work for mass surveillance or even continuous surveillance of one individual. But it is not data security of the type implied by the announ
Re:NSA tango (Score:5, Interesting)
Or they could just barter intelligence deals with German intelligence to have *them* hand over the information directly.
These are government intelligence agencies here. The NSA certainly could social engineer themselves the information, or induce faults on a case by case basis, but why do that when you can just cut a deal or two? The NSA has so much juicy information that German intelligence would be happy to trade for.
Sorry, what? German intelligence would never do that? Yes... sorry... I'm not laughing, that's just a lot of coughing. That's the ticket.
Re:NSA tango (Score:5, Informative)
Well, Deutche Telekom is (or was) the German State telephone company, kind of like the Post Office in Britain, owned and operated by the government. They have many subsidiary companies, in the U.S. we know them as T-Mobile and T-Systems.
So, they are one step closer to ease of mass surveillance than we are in the US, in that the "cloud" data or whatever is _already_ in the German Gov't.'s hands, basically.
they could serve DT through T-Mobile (Score:2)
and serve Microsoft in the same writ. I think this sort of hocus-pocus would only work in places where there is minimal infrastructure and no treaties with the US. like, say North Korea. places where you KNOW your data is being analyzed, mangled, and monetized.
so the ultimate responsibility has to be the Congress formally recognizing the first amendment still applies to technology that didn't exist at the time they were sharpening their goose quills to write the document.
Re:NSA tango (Score:5, Informative)
Well, Deutche Telekom is (or was) the German State telephone company
"Was". It was privatized a long time ago. So there is no direct control of the Deutsche Telekom by the German government.
Of, course, when the German government asks Deutsche Telekom for a "favor", they are not going to say no. Especially if there are some laws backing the government up. There's another set of secret squirrels in Germany called "Verfassungsschutz", which means something like "protection of the constitution". They have broad powers for snooping on folks that are deemed enemies of the state.
Re:NSA tango (Score:5, Interesting)
tnk1, I'm inclined to think that the worm has turned in Germany. Exposure of spying by the US on the Chancellor and other high government officials has poisoned the well. It would be a political death sentence for any politician or government employee who was caught helping the US spy on Germans.
Re: (Score:2)
I totally agree wi....
Oh!!!! Germany's next top model is on!
Sorry, what were you saying?
Re: (Score:2)
Deutsche Telekom runs one of the biggest ISPs in Germany: T-Online. Part of their RADIUS platform is a component called "LI" . . . "Lawful Interception". The spooks can directly access this, without any assistance from the T-Online operator. And, in fact, LI even hides and obfuscates the taps that are in place. So if a drug cartel smuggled in a rogue T-Online operator, this person would not be able to tell the drug cartel that they were being spied on. The other ISPs in Germany probably do the same th
Re: (Score:2)
Re: (Score:3)
The NSA doesn't need this, any more than they need a National Security Letter to access US data, as long as it's not encrypted well. When I worked at MS, we would half-joking blame (assumed) NSA taps on the low quality we'd see in WAN connections between DCs. It was a bit of a shock to discover from Snowden it was all true (MONKEY PUZZLE was the codename for those NSA taps, IIRC).
It's different if the data is encrypted in such a way that MS only has access to the metadata (which should be enough for custo
Re: (Score:2)
I think the government can force them to help, and to keep their mouth shut about it, but not to lie.
In this case, lying might even put the lying engineer at risk in the foreign country..
Re: (Score:1)
I'm freaked out right now. Whats going on here?
oh wait I get it lol... WAS red header, now green after I posted Yeah second post!!
Re: (Score:2)
A story from the mysterious future ?
Re: (Score:2)
Think about it - in one shot, Microsoft gains something to offer both commercial and (paying) consumer customers - the expectation that encrypted data will remain private -- while simultaneously leaving Apple twisting in the wind in this whole US Gubberment vs. Everyman BS that's playing itself out right now in our "Judicial" system.
Big bucks triumphs over Big Brother. The Ferengi are right - greed is eternal.
Re:red header? (Score:5, Insightful)
Until Germany does the same thing the US is doing.
This may seem like a distinctly American problem, but it is global. Every government; from the direst dictatorships to the most liberal democracies, wants their own version of the "Snooper's Charter", and wants to crush anyone who dares question their unlimited right to spy on their own citizens 24/7. This is a theory of government that is unconstrained by any notion of civil liberty, responsible or constrained government power.
The world is run by sociopathic monsters with a pack of braindead retarded legislators who gave up actually governing years ago.
Welcome to Dystopia, and now there's an app for that!
Re: (Score:2)
I'd actually like for Microsoft to have the same onus in the USA. Don't touch stuff only and unless you get a secondary auth key from a trustee of the account's data, verified by both sets of credentials, and then only for the session or four hours, which ever is less. A reauth would be needed if they can't fix something within the four hours. The key has to be a healthy, domain curated hefty key. Then: goodbye.
I think I've heard of them (Score:2)
a German company named Deutsche Telekom
I think I've heard of them. They're a niche local exchange phone carrier, right?
Re: (Score:2)
Re:I think I've heard of them (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It was a reference to this [wikipedia.org] place, which managed to screw up its name so horrifically that it's kind of funny.
Re: (Score:3)
It is actually a German comedy act - die Telekomiker. They also own the "T-" brand, as in T-Shirt, T-Rex and T-Bone Steak.
"Of a German company named Deutsche Telekom" (Score:4, Insightful)
Re: (Score:2)
Not sure if that's sarcasm. If you're a US telecom with less than a $100 billion market cap you're a mom and pop business.
Verizon and at&t are greater than $200 billion and comcast is at $144.
Re: (Score:2)
Eh? (Score:4, Interesting)
I think most people would associate JIT with Just-In-Time compilers, but I fail to see how that translates to credentialing.
Re: (Score:2)
They are talking about just in time activation of permissions. The permissions automatically expire after some period of time.
Re: (Score:2)
A few seconds is all that's required to install a persistent trojan to retain access later.
Re: (Score:2)
A few seconds and the correct rights, not to mention a complete lack of oversight.
Re: (Score:2)
Re: (Score:2)
The term JIT predates compilers and goes back to automobile manufacturing practices where companies would minimise excess stock by optimizing manufacture workflow so that parts come online just as they are needed.
So Microsoft no longer develops Azure and Windows? (Score:1)
The only way they could not possibly access the data was if they did not develop the software and consequently could not use their update mechanisms, back doors and other established methods to gain access when so requested. So is the author trying to tell us Microsoft is no longer the software developing company behind Azure and Windows?
Laws matter (Score:4, Insightful)
Yet again, laws matter.
If the US wants to keep data centers in the US, it needs to understand that making draconian laws is NOT the way to go about it.
Simply put, right now, I would NOT be building a data center in the US if my primary customer base was outside of the US, period.
Re: (Score:2)
Now of course if you own the box via it's operating system, that sends data to the cloud and gets data from the cloud. What is to stop that box sending a copy elsewhere at the same time an unencrypted copy. M$ is screwed people that wont touch their OS won't touch their cloud either. Their prying ways with the backing of the US government has put them in a pickle, no one trusts them any more with any thing. For games meh, who cares for real world secure applications, you'd need to have your head read.
Re: (Score:2)
While I agree that it's best to keep data out of the US, it's hardly the only country on the list. What really matters though is keeping the data outside the jurisdiction that the company and customer are based in. Make sure that it requires an international effort to get the data, which is encrypted with a key in another jurisdiction anyway.
The goal is to increase the cost in both time and money, to discourage fishing trips and laziness. If it's hard to do, law enforcement will only bother if it's really w
Microsoft's "me too!" (Score:2)
Re:Microsoft's "me too!" (Score:5, Informative)
After betraying their customers for years by doing stupid shit like uploading their encryption keys to OneDrive by default, Microsoft wants to jump in on the fame and honor that Apple is getting for refusing to make malware in order to unlock a terrorist's iPhone. Hurray, off-shore data lodging! Ultimately though this'll mean nothing but a teeny bit more latency for PRISM, which Microsoft has oh-so-willingly cooperated with the NSA to power for years.
Not quite. This thing is a response to: https://en.wikipedia.org/wiki/... [wikipedia.org]
Basically, Microsoft has been fighting this case for years now. If the US wins, then it can mandate that Microsoft must turn over data anywhere in the world with just a warrant. That doesn't pass muster with EU laws. So, if the US wins, then all of a sudden it becomes illegal for an EU business to use any Microsoft cloud service, or at least extremely risky for them to do so.
This new service is something where they can tell the US government, "We phisically can't do that." Just like how Apple will probably push out an IOS upgrade that prevents flashing new firmware to a phone while locked without wiping the device.
Re: (Score:1)
And I have a bridge to sell you... (Score:2)
" Only for special purpose [sic] like a support call from a customer..."
Or the NSA, FBI, CIA...
Re: (Score:3)
It doesn't have to be an American 3-letter agency - it's not as if the BND doesn't have a track record of violating German citizens' privacy.
Year of Linux (Score:5, Funny)
US Government: "We will fine you until you comply with the order giving us access to the servers."
Microsoft:"Those aren't our servers. We don't have access."
Government: "Comply or be fined a million dollars a day."
Microsoft files bankruptcy in AD 3276.
Thus begins the first Year of Linux on the Desktop.
Re:Year of Linux (Score:5, Insightful)
More like:
US Government: "We will fine you until you comply with the order giving us access to the servers."
Microsoft:"Those aren't our servers. We don't have access."
US Government: "Fine have it your way."
three weeks later
German Government: "We will fine you until you comply with the order giving us access to the servers."
Deutsche Telekom: "Fuck you, Microsoft, take your servers back."
Re: (Score:2)
Store fragments of the data in different countries.
Re:Year of Linux (Score:5, Insightful)
Re: (Score:2)
German Government: "We will fine you until you comply with the order giving us access to the servers." Deutsche Telekom: "Fuck you, Microsoft, take your servers back."
Sure, if a German court orders the data to be provided, Deutsche Telekom would comply. So? The problem Microsoft is trying to solve is solved.
Re:Year of Linux (Score:5, Interesting)
The point is to put the servers under the control of the government which is deemed more trustworthy by the customers. And it doesn't even have to be all or most customers - just a subset. Say, those in EU.
Hopefully, there will be more similar centers opening in other countries in the future, so that customers can actually shop around, and pick the country with surveillance laws and/or track record that they're most comfortable with.
Untrustable (Score:2, Interesting)
Re: (Score:2)
I would say the most annoying part about the Win 10 upgrade notifications is that I ran the compatibility test and failed but does that mean I stop getting the upgrade notifications and Win 10 ads... NO!
Re: (Score:2)
Trust, but verify.
The Gipper was on to something. If Microsoft announced that the EFF had the unfettered ability to monitor and audit MS and DT, then I would say this is the change we've been hoping for.
Follow the money (Score:2)
Like most things this I'm guessing this comes down to money (not that that's always a bad thing).
In many market segments (think government, healthcare) data residency requirements are build into any contracts. Having a European data center likely allows them to big and win business in these markets.
Re: (Score:2)
While your point is accurate, the Feds often don't want to do what the foreign agencies require in order to get the exchange. So it's not pointless. And there are legal liability issues, so again it's not pointless.
Now if what you mean is that the customer's data isn't being protected anyway, you're probably right. But that's not what you said.
Re: (Score:2)
No! They're so big and strong!
Oh, protect me from the Germans!
Time warp (Score:1)
so DTAG announced this in November here [telekom.com] and MS did it here [microsoft.com] with availability of H2 2016.
I wonder if there is any discount for ex employees of that small, unheard of 260000 (iirc in 2006) people employing obscure German company.
To paraphrase Homer Simpson (Score:2)
Could Microsoft open up an Azure cloud so that even it can't access it?
Apparently, the answer is yes.
(not that I'm buying in to this, whether US authorities will have access to the data, the German ones most certainly will, and they have been very co-operative with NSA et al.)
Microsoft Opens Up Azure Cloud in Germany (Score:1)
Re: (Score:2)
Smart move for them (Score:4, Interesting)
Microsoft's betting on Azure being the next IBM mainframe-style lock in device for IT. It seems to me like their goal is to get IT people thinking in Azure terms whenever they design anything, such that it becomes one of only a couple of ways to get anything deployed. Look at Windows Server 2016 and the upcoming Azure Stack -- Microsoft is basically telegraphing that the days of an on-site server not controlled by the Azure resource manager are on the way out. I'm betting Server 2016 is one of the last "monolithic" server releases, and the rest is going to be an Azure-y collection of services that you turn on and off either in the cloud or in your own datacenter.
Given that, and given Germany's privacy laws, it makes perfect sense that they would essentially build a "Public Azure Stack" to work around that detail. Whether every single company decides they're not afraid of the public cloud or not is in question, but Microsoft's looking to control that conversation and slowly bring everyone into the ongoing monthly charges model. Makes sense too -- either collect one fee for Windows Server one time, or sell it over and over again in monthly installments forever -- the choice seems obvious!
It's Windows 10 (Score:3)
They don't need access to your data in the Azure Cloud any more. They will just read all your data directly from within Windows 10, when you're using it in its unencrypted form.
Re: (Score:2)
If you don't trust Windows 10 on your VMs then either:
A. Set up a firewall at the host level to stop if from talking to non-trusted servers.
B. Use enterprise edition, which is trusted by people like Amazon (which owns AWS) not to snoop on private information
C. As part of a major corporation negotiate rights to look at the source code for Windows.
D. Install linux on Azure (just make sure you use updated hyper-v drivers in your distro).
Similar setup in China (Score:2)
They did a similar setup in China, but for a different reason. The Chinese government wanted one of their service providers to have access to everything. Same separation of ownership, completely different outcome.
Germany friendlier? (Score:2)
Who really thinks that the Germans are more friendly about privacy and encryption? European laws might grant individuals some recourse about the use of data by corporations, but don't count on corresponding constraints on government. The difference between what ends up in German vs American government hands has more to do with how developed their snooping infrastructure is, not on whether the legal environment is more "friendly"
Deutsche Telekom (Score:2)
You may also know it by it's international Name "T-Mobile".
Here's an idea (Score:2)
Stripe the data on the servers. Put two bits in Germany, two in Russia, two in China, and two in Taiwan.
Nobody has access to all the data, and they're never going to cooperate to get the missing pieces.
Needs to be a way to retrieve data (Score:1)
If anyone (*anyone*!) other than yourself has access for any amount of time to your unencrypted data, your storage provider is doing it wrong.
There needs to be a backup way to retrieve data. Otherwise you get cases like the system that needs seven people to do certain critical things, and one day one of them walks in front of a bus.
Deutsche Telekom and privacy (Score:2)
Deutsche Telekom is roughly the German equivalent of AT&T: a former government-sponsored monopoly. It is in bed with the German government; they are actually still 30% government owned. You can bet that if you put your data on that cloud, the German government, intelligence agencies, and police are going to get full access to it.
Not if there is a single American admin (Score:2)