MICROSOFT 365. To keep sensitive data managed by government departments out of the reach of any attempt at foreign interference, the Government prohibits its employees from using Microsoft’s cloud solution.
The management of data (personal or economic) is a sensitive matter that cannot be entrusted to just anyone. This is in essence the message sent on September 15 to the secretaries general of the ministries by the interministerial director of digital (Dinum), Nadi Bou Hanna. In practice, according to this document posted on the Public Actors website, this means that the State has decided to prohibit its administrations (and therefore its employees) from using the Office 365 offer, offered by Microsoft on its own cloud infrastructures (Azure), replacing office solutions and messaging (MS Exchange in particular) deployed on its servers. Clearly, state employees will still be able to use Microsoft’s Office suite, but not in its cloud version, that is to say hosted remotely.
The problem? It is that of data protection and confidentiality and in this case what certain foreign laws authorize, starting with those of the United States. Indeed, according to the Cloud Act, the United States arrogates to itself the right to consult all data stored in Europe by American companies, regardless of where this data is hosted. A practice that applies to both professional and personal, public and private activities. For a long time apathetic on this subject, the French authorities no longer hear it that way. In May 2021, the Government presented its new doctrine. Baptized “Cloud in the center“, this now obliges ministries and administrations to use only clouds that are secure and immune to extra-community regulations (outside the EU).
Objective: digital sovereignty
The state ban concerns the Microsoft 365 cloud offer (formerly Office 365). However, this decision suffers from a few (temporary) exceptions and suggests prospects for solutions for users who really do not want to do without Microsoft 365. First of all, this ban does not apply to migration projects that were already “very advanced” to July 5, 2021 (date of publication of the circular n ° 6282-SG, text to which the note of September 15 refers). In this case, a request for exemption may be addressed to the minister of the administration concerned. However, this request can only relate to “only messaging and personal drive services”. These functions are in fact not yet integrated into the interministerial offer. Snap (the public official’s digital backpack). A digital work environment built around French and open-source solutions, compliant with the “Cloud at the center” doctrine, and which already includes documentary, collaborative, instant messaging, audio-conferencing, videoconferencing and other services. webinar. Then for users “addicts” at Microsoft 365, it is recommended to wait for the deployment of the cloud from the Blue consortium.
If it is built on Microsoft cloud technologies (Azure and Office 365), Bleu is a project created, managed and operated by Orange and Capgemini which aims to comply with the doctrine “Cloud in the center” and obtain the valuable certification SecNumCloud. This so-called certification “trusted cloud” is issued by theANSSI (the National Information Systems Security Agency). Today, only three companies (Oodrive, OVHcloud and 3DS Outscale) hold this label. Otherwise, Microsoft 365 users, forced to abandon their preferred software suite, will be able (will have to) fall back on an internal state cloud solution. If they may seem complex, these regulatory convolutions have the merit of highlighting the strategic issues, and therefore very important, linked to what is commonly called “digital sovereignty”.
This concept, more and more claimed in Europe and in France, designates the application of the principles of sovereignty to the field of information and communication technologies. Thus, in a context similar to the ban which now targets Microsoft 365, the Government has notified in November 2020 its intention to disengage from the Health Data Hub (a sensitive data hub that is health data) hosted by … Microsoft. Despite everything, reading the note released on September 15 and centered on Microsoft, it is possible to be surprised at the absence of other services which, like Google Workspace, Salesforce, Zoom or Box, do not shine either. more by their compliance with the doctrine “Cloud in the center” established by the French Government …