Readit News
skrebbel · a year ago
To all the people saying that this is nothing new: to me the key point here is that the author of this article, Bert Hubert, isn't your average activist / purist linux hacker. He's at least somewhat influential in government circles, in that he has held various government IT consulting positions and is listened to by lots of government IT workers. He's one of the few people I know of who deeply understands how tech works, and also deeply understands how government works (at least the Dutch government). He's also a frequent guest in radio and TV shows and the likes.

I'm hoping that this article acts as a catalyst for the Dutch government, and other EU governments, to move everything away from American clouds.

fasbiner · a year ago
I certainly don't blame the activists for governments refusing to listen, but this threat was clear at least 15 years ago and I would expect someone as knowledgeable as Bert Hubert to have perceived it at the time.

Is the idea that they're more ready to listen and take action because of recent executive changes in the US, even though the cost of doing so has gone up by 100-1000x and the possibility of a joint retaliation from US tech giants and the government working in concert is now much higher?

I hope you're right, but one of the rough dislocations of the present moment is the disconnect between how Europeans conceive of their sovereignty and the reality of their economic, military, and cultural fragility in their relationship with the US and US companies.

No amount of grandstanding rhetoric and appeals to "courage" changes that if there are any serious economic consequences (caused by US/corporate coercion or otherwise), the government would likely fall and be replaced by someone more amenable to the status quo. What feels like a small price to pay for someone focused on security long-term may be an unacceptable price for someone focused on short-term outcomes in their political fortunes.

skrebbel · a year ago
> Is the idea that they're more ready to listen and take action because of recent executive changes in the US, even though the cost of doing so has gone up by 100-1000x and the possibility of a joint retaliation from US tech giants and the government working in concert is now much higher?

I believe so, yes. I don't think Americans realize how profoundly the last few weeks have affected European political thought. It'll take a while before you see concrete changes. Europe is like a mammoth tanker, slow to change direction, but practically unstoppable. I believe that it's more likely now than ever before for European governments and businesses to sever their dependency on American technology. Lots of comments in this thread explain how hard this is, how big the feature gap between, say, AWS and OVH is, but as a European entrepreneur I gotta say, this looks a lot more like an opportunity than a problem to me.

Recurecur · a year ago
The concerns expressed seem a bit silly, unless the various Euro systems didn't take the very basic approach of using open standards and avoiding lock-in. Oh, and they should be backing up their data somewhere besides "in the cloud".

If those very basic precautions had been taken, migrating to a Euro cloud, or a private environment (open cloud stack) would be trivial.

If not, a lot of people should be fired...but granted, there are a lot of stupid people out there...

All that said, I'd say the concerns around this are vastly overblown.

jononor · a year ago
Why do you say that the cost of throwing out American tech giants has gone up by 100-1000x compared to 15 years ago? I mean before everything became cloud/SaaS, American software companies were still essential to most European business and governmental operations. It was just on more traditional server/desktop systems?
Mossy9 · a year ago
I hope so too, but move where? Does Scaleway or UpCloud or any other EU cloud provider have comparable offerings? Sure, if everything you have is running on containers or VMs, the stuff is easy to port to Hetzner et al., but what to do with the cloud specific apps (Azure functions etc.)? Rebuilding those for other platforms is probably a no-go unless the Union pours billions into supporting this.

Though I've cursed it for years, I'm increasingly glad our org's cloud migration has been so slow that we've only now rolled out the first apps. Pretty much everything we've built can be run anywhere we want, so if it's time to drop the ball and go back to onprem, we've not wasted anything but time on setting up the base.

stego-tech · a year ago
> but what to do with the cloud specific apps

Coming from IT land, the answer is simple: you don't use them in the first place, and you grit-and-bear the replacement cost if and when the time comes. This is a negative on my research notes, slide decks, and papers when it comes to evaluating various cloud platforms for our workloads, and yet it's also the number one reason we're forced into a specific provider (some leader loves their proprietary tooling, and forces us to use it).

Look, I'm not saying these proprietary tools are bad, per se, just that they have a steeper cost than initially presented to the consumer in terms of architecture complexity and inevitable migration. The very first question you should be asking before consuming niche or proprietary products from vendors is, "Can I do this in a standard way that's more portable?" For stuff like Azure Functions, the answer is emphatically yes - but it comes at the cost of managing additional infrastructure, which is often the main reason companies want to use those tools in the first place (a misguided notion about throwing out infrastructure to save money).

As for the solved problem of compute (VMs and Containers), well, literally any cloud provider should have that ready to go. The question is whether or not your org is willing to retain the talent needed to build and support your clouds internally, or if they'd rather pay higher outsourcing costs with vendor lock-in instead.

0xbadcafebee · a year ago
> but move where?

For hosting their government's own specific computing needs, and assuming a respectable GDP, they can build their own datacenters (pretty trivial) and hire contractors to build cloud computing environments (more challenging).

Open source cloud isn't too hard. There's OSS for about 80% of software needed for a cloud computing service provider, and you fill in the rest with proprietary and custom stuff. There's already several providers (one in the US, several in the EU/other countries) that offer "public cloud" using OpenStack. They literally give you, the customer, your own OpenStack cluster, and bill you for what you use. It's insanely easy and powerful. Yet everybody still uses the more popular providers (DO, Hetzner, Scaleway, etc), despite the fact that they all have proprietary interfaces, without anything close to feature parity with OpenStack. I guess people really like vendor lock-in and lack of features.

The hardware is more challenging to source; the chips all come from Taiwan or China, and the US and China make most of the good hardware.

For private business in their country, they might offer grants and tax incentives to EU companies to build out more local cloud hosting services. But since it's the EU I'm sure it's massively more complicated than that.

buildfocus · a year ago
Scaleway at least is genuinely not a bad alternative for this kind of thing already today - they do have plenty of managed services like serverless functions, object storage, queues, etc, in addition to the simple VMs and container hosting.
kefirlife · a year ago
OpenFaaS is one option for your functions. Knative is pretty good as well for the bulk of your applications without exposing developers to kubernetes directly. Between that and Crossplane I think you have all the pieces needed to move away to a self hosted solution where you are managing either metal or VMs through a hosting provider.

I’m not sure what this looks like outside of the US, but colocation providers offer racks of machines, or to host your machines, while providing access to cheap bandwidth and peering capabilities. It’s absolutely possible to move away from the major cloud providers. However, it will require a degree of investment within your organization to support these deployments no matter which you choose, which could be a new investment compared to using AWS, GCP or Azure.

anon84873628 · a year ago
Isn't Google doing some thing where they give the software stack to a local operating partner?

I guess you can say the code is still backdoored / untestable but it seems that could be audited.

riehwvfbk · a year ago
> but what to do with the cloud specific apps (Azure functions etc.)?

Don't build them. Vendor lock-in is a real problem: even if there are no political issues, it's a business risk because they can charge you whatever they want.

Also, the cost of migrating off these things is usually overestimated. It's an HTTP request, for crying out loud.

1over137 · a year ago
>I hope so too, but move where?

On premises.

sreekanth850 · a year ago
People who build vendor-locked applications are making a short-sighted decision. Call me old-school, but vendor lock-in benefits developers more than businesses. Agree that they can learn new shiny things. A well-built application should run seamlessly on any Linux-based system without unnecessary dependencies on proprietary ecosystems.
_carbyau_ · a year ago
I find that often people conflate "move to cloud" with "take crusty thick client application and webify it".

Replace (most, not all) crusty apps with a web version - sounds good to me. Put it in the cloud - that's optional.

Deleted Comment

Tarq0n · a year ago
The real moat is Azure AD and Exchange. The government IT teams I know can operate a fleet of VMs just fine, but they need email and identity management handled for them.
wahnfrieden · a year ago
Canada
portaouflop · a year ago
OVH? Hetzner?
6510 · a year ago
If it costs billions then that is what it costs.
NomDePlum · a year ago
The concern isn't new. I've been involved in several UK government projects that considered moving to AWS.

Each time the discussion on moving to a US based provider was a big consideration, particularly the use of managed services that involve data was a hot topic. Part of the risk assessment was considering what the consequences might be if the US government became a bad actor. It was seen as high impact but extremely low probability. Starting to look like we got that part of the assessment wrong.

I think it will take time for the impetus to move to US cloud providers to slow and reverse but I'm not sure I'd be surprised if it does happen now.

int_19h · a year ago
> if the US government became a bad actor. It was seen as high impact but extremely low probability.

Was that before or after 2016?

svilen_dobrev · a year ago
heh.

by the course of looking for programming job, i have scanned hundreds of job-ads, incl. governmental. everybody-and-his-dog requires AWS/Azure/GCP knowledge as if it matters thaaaat much. These cloud-y things have become a mandatory buzzword, and i am not talking about sysadmin/devops.

In my last gig the system was kept cloud-agnostic, so moving between providers or on-prem be possible at any time. And i as CTO kept that good thing, although had to resist some pushes. But seems such cases are few - most places now dream of hyper mega-giga-scale and Lambdas and Big-queries.. while doodling few thousands of requests.

Let's see if there's any wind change.. vendor-lock is a real thing, with much deeper (architectural or life-cycle) consequences than usually perceived.

tempodox · a year ago
Here's to hoping that decision makers will listen to him.
raxxorraxor · a year ago
The dependence was established sooner by using external infrastructure. The premise that this infrastructure is not under your control is exactly what he now derides.

Someone knowledgeable should have seen this before, this is a core issue when setting up a strategy for digital systems. And this isn't an issue between "purists" and the rest, that is a false dichotomy. The decision was simply to outsource infrastructure to systems you have significantly less control over.

Might work for 15+ years or it might not. I doubt anything will be done now, investments are probably too high. But it is an issue with lacking foresight.

Between countries and the main task for intelligence agencies is industrial espionage. The Dutch government, like many others, decided that exposing themselves is no issue.

I disagree that it has become a problem only now, this is due to his narrow view on politics and a bit naive in my opinion.

speleding · a year ago
I understand the sentiment, but as a Dutch person: The only thing I am more worried about than the government moving all our data to US clouds, is the government trying to do anything IT related themselves. They do not have the skill and have proven that over and over again in a long list of bungled projects.

I'd rather have my data end up with Google/Amazon/CIA than it ending up everywhere on the internet due to poorly configured DIY servers (and at twice the cost probably).

jononor · a year ago
If there really are no organizations competent to run government applications in the Netherlands, then that is an even bigger reason to start doing more of that in the country. I mean, computers are not going away! The competence and infrastructure do not magically appear. It requires consistent investment over time. Not being able to maintain computer-based infrastructure is like not being able to maintain the water supply of a country. Completely unacceptable. Heck, these days maintaining water supply at city scale is difficult without computers and networking...
28304283409234 · a year ago
That is because you only hear about the failures.
jasonvorhe · a year ago
I've been interviewing candidates using questions targeted at getting them to talk about experience instead of skill. Like asking about their involvement during production incidents, then drill down to see if there's anything interesting to focus on. Can probably also be gamed by AI but people are usually surprised about my approach and they often provide good feedback after the call, even if I have to decline their application so I guess it works somewhat well for both since it doesn't force anyone to just recite the same phrases.
cavisne · a year ago
The thing that gets me is the disingenuous parallel construction. Just say the truth.

Europe wants to improve its economy by growing their consumer tech industry. Some of these products like Google Analytics (the example he is upset about) are really hard to replicate (writing to a database on every visit to your website is an expensive thing to do, significantly more expensive than hosting the website!). So they've been slowly increasing the tariffs (disguised as privacy regulations) on US tech firms. It's gone poorly, even EU governments (let alone EU businesses) still use products like Google Analytics, and US tech firms have been able to engineer their way around the regulations, again doing a better job than EU governments who have been busted countless times for breaking GDPR with their own systems.

No one cares about any "data sharing agreement" or a "Privacy and Civil Liberties Oversight Board" no one has ever heard of that has never done anything. It's a tariff with various ways to pick winners and losers.

The only thing that's changed is there is a higher chance these privacy regulations will be recognized as tariffs by the US.

pm3003 · a year ago
What you describe is true, and it can also be counterproductive because to be competitive you need the best and cheapest services, and raising the prices doesn't often result in a healthier tech ecosystem. Typical Eurocrat thinking.

But EU citizens genuinely care about privacy, in part because of decades of totalitarian and near-totalitarian regimes.

There is another risk underpinning this, I'm not familiar with this so it's mostly hearsay on my part, but foreign firms in the US routinely get completely screwed in US courts, and fear the seizing of their data in discovery processes or other ways. The data sharing agreement was made to provide some degree of clarity or assurances in this regard.

I've met managers who are convinced that if they're not careful, their IP and business data will get stolen by their US competitors through various legal or less-legal means. EU executives have been detained for days at the border on suspicions of terrorism to coerce them into selling US assets. I can't judge if this is paranoia, and maybe those companies could make use of better protection against Chinese hackers but there's certainly some truth to that.

grandempire · a year ago
By that do you mean influential with the Obama/Biden administration?
skrebbel · a year ago
I said the word "Dutch" multiple times. The article itself says it a million times. So, no, not the "Obama/Biden administration".
pclmulqdq · a year ago
It was never safe for any government to move any secrets to any cloud. The fact that the US government is okay with doing this with its own secrets surprises me to this day. You have no secrets from the person who owns your hardware.
jandrewrogers · a year ago
It isn't uniform by any means but the US runs on a physically independent cloud, often in their own facilities, designed by the big cloud companies. When using the public cloud for unclassified work (e.g. working with outside vendors), the data is only allowed to reside in specific data centers that have been vetted by the government, not all US regions have the same authorization. For example, government data in an S3 bucket in the public cloud may only be accessed and processed within the same region, which can be annoying if your infrastructure is elsewhere.

The US is far ahead of most countries when it comes to government use of the cloud. Other developed countries often learn how to do it from the US but are less comfortable with the technical requirements, which slows down adoption.

vimbtw · a year ago
This is a great point. For example, near where I live there’s a massive Google cloud warehouse out in the middle of a field next to the highway. Inside of that warehouse there’s a separate section for servers belonging to the US government that can benefit from all the electricity contracts Google has negotiated, the physical security and fences that Google has set up, and the fiber optic cables they’ve laid.

It’s the best of both worlds, they get the decades of research Google has put into systems engineering and fault tolerance while retaining the security of having their own servers.

KennyBlanken · a year ago
Other developed countries are less comfortable because all the major cloud providers are US-owned companies and the NSA has a very, very long history of using US companies as information security weapons.

Not that they're the only ones. Israel has been busy stuffing investment cash into the pockets of Unit 8200 members so they can found security software and service startups *cough*Snyk*cough*

dataflow · a year ago
Physical isolation is kind of irrelevant for the concerns being voiced here no? It's not like Europe's main worry is random people walking in and yanking hard disks out of servers in datacenters.
radicalbyte · a year ago
It's not the technology, it's the US Cloud Act which has slowed a lot of it down.

Very few actually qualified and capable techies here trust any of the US-based cloud providers.

tremon · a year ago
Same for the German cloud, it's Azure Stack but operated by a subsidiary of Deutsche Telekom IIRC.
rapatel0 · a year ago
The US Gov't has their own GOV Cloud Datacenter Regions. It's run by Azure and AWS but there are restrictions on who is allowed to use it. It's not really public.

https://aws.amazon.com/govcloud-us/?whats-new.sort-by=item.a...

https://learn.microsoft.com/en-us/azure/azure-government/doc...

locusofself · a year ago
The 4 major cloud vendors (Azure, AWS, GCP and Oracle) all have Air-gapped regions in addition to their "GovCloud" regions.
ocdtrekkie · a year ago
The point is Amazon and Microsoft surely have vested interests in government data they are not supposed to be privy to.

Deleted Comment

Deleted Comment

ivanmontillam · a year ago
Yes, I agree.

I make the parallel with "gold." Whoever has your gold, got you by the hanging spheres.

Given the importance of data today, I am baffled common citizens are not familiar with the "Data at rest" principle.

zhengiszen · a year ago
Nice comparison
cscurmudgeon · a year ago
So the US is within its rights to ban TikTok?
closeparen · a year ago
The US government’s secrets are routinely held and processed by contractors. The prototypical government secret is something like the plans of an airplane designed and manufactured by Lockheed Martin.
zombiwoof · a year ago
Elon Musk will have access to all data.

That should scare everyone given his propaganda machinery aimed at elections he does or doesn’t like

dcrazy · a year ago
“Secrets” is a broad term that covers everything from payroll information to the history of CIA clandestine operations. Only some kinds of these are stored in the cloud.
rcpt · a year ago
Security isn't a "safe" vs. "not safe" bool
dmantis · a year ago
The world literally has hard proofs of mass espionage by the NSA and CIA after Snowden and Wikileaks Vault 7. Moving your government secrets to the US cloud has been madness for at least 12 years.
dijit · a year ago
Correct, it's more like a bitmask.

Except if any of the bits are flipped you're f-d; especially so if your adversary is a nation.

cogman10 · a year ago
This does raise a valid question of what secrets can or should the government have.

I think it's obvious that some secrets should be kept. It makes little sense to expose our nuclear secrets, counter espionage, or ongoing investigation efforts. But how far does or should that extend? Should everything the NSA/CIA/FBI/IRS does be secret? Should they stay secret for years or decades or forever?

IMO, the US goes too far in its secrets. Stuff gets classified that just makes the government look bad and that's dangerous.

And that's where I'm somewhat less concerned about putting US secrets into the cloud. Sure there's highly sensitive stuff that shouldn't go there, but there's also a lot of stuff that shouldn't have been a secret in the first place.

Andrex · a year ago
FOIA makes the US gov't one of the more transparent democracies, as a counterpoint. So much so it started getting copied by them.

https://reason.com/2024/12/26/foia-for-all/

thelamest · a year ago
“Transparency” as leaks from abuse is very, very different from transparency as a policy of easy access – and neither makes you necessarily better informed. In short, a biased selection of information can leave you worse off than having no information.
dangus · a year ago
Isn't this just kind of willfully ignorant to the way the government cloud works?

GovCloud claims that it's used to "manage sensitive data and controlled unclassified information (CUI)."

I don't think the US government is dumping classified info onto corporate cloud environments judging by this description from GovCloud. But there's plenty of info that's sensitive but unclassified and the government does need to function in a lot of ways that don't involve state secrets.

https://aws.amazon.com/govcloud-us/ for more of a description of what GovCloud actually is.

thesuperbigfrog · a year ago
>> I don't think the US government is dumping classified info onto corporate cloud environments judging by this description from GovCloud.

There are cloud environments specifically for classified info:

https://aws.amazon.com/federal/secret-cloud/

https://techcommunity.microsoft.com/blog/coreinfrastructurea...

jiveturkey · a year ago
There are secrets and then there are secrets.

For the former, confidential compute is far enough along that this data can in fact be secret from the hardware owner. This is vital even for on-prem hardware -- IT folks and techs with physical access shouldn't have access simply due to proximity.

For the latter, sure, but this is very expensive. It goes well beyond owning the hardware.

jjav · a year ago
> The fact that the US government is okay with doing this with its own secrets surprises me to this day.

This fact conveys information. Namely, how tightly bound these supposedly independent services like AWS GovCloud are with the government itself.

Which also tells us how much direct access the government has to all the AWS (and all other providers) infrastructure.

Deleted Comment

jviotti · a year ago
I think this is the key. It is cheaper and more convenient than ever to deploy and manage data critical services yourself, in a self hosted manner that is protected by whatever jurisdiction you are in. What matters is not who builds it, but who has access to the data, and ideally, that's only you!
aiono · a year ago
The US government is okay basically because people who own cloud platforms are part of the government.
GeoAtreides · a year ago
pretty sure my remote encrypted backups[1] can keep a secret or two from the cloud storage provider

[1] https://rclone.org/crypt/

rsync · a year ago
I disagree.

Why would encrypted data, which the provider holds no keys to, be a dangerous way for a government to hold a secret?

breadwinner · a year ago
> You have no secrets from the person who owns your hardware.

What if the hardware is physically located in your own country, and employees of cloud vendor are virtually "accompanied", and watched, any time they login to the hardware? That's called sovereign cloud and all cloud vendors have it.

tpm · a year ago
But the long hand of US law reaches even there if it is owned by an US company.
riffic · a year ago
That's not necessarily true if you use the appropriate tools and controls to safeguard data. Further, "any cloud" is a sweeping generalization and not all clouds are created equal. You raise valid concerns about trusting third-party hardware BUT.. come on, ease up on the alarmism.

To elaborate: robust encryption, dedicated hardware security modules (HSMs), and sophisticated key management safeguard data even if it resides on someone else's hardware.

If you design your system properly, even if the cloud provider manages the underlying hardware, your secrets remain secure because the keys and sensitive data are protected in a controlled, isolated environment.

im_down_w_otp · a year ago
I guess so, but based on current events, it doesn't seem like the US Govt. has any secrets that it places any value on. Between a bunch of glorified interns being given access to anything & everything and a bunch of known compromised department heads being appointed... it doesn't strike me that the US Govt. takes its national security very seriously at all.

The US Govt. seems empirically much more vested in what goes on in public restrooms than it does in what goes on in global affairs and military conflicts.

DaSHacka · a year ago
The sheer number of flagged replies to this comment is telling.

Dead Comment

danaris · a year ago
[flagged]

whimsicalism · a year ago
you can obviously have secrets from someone who holds your ssd, that is the whole point of encryption.
ncallaway · a year ago
I feel like you've narrowed the original statement ("You have no secrets from the person who owns your hardware") when you scope it to just data storage at rest. I take hardware to mean significantly more than just at rest data storage in the context that it was used.

If your unencrypted data flows through any AWS memory or compute, or if your encryption key flows through any AWS memory or compute, then AWS *can* access that data.

TechDebtDevin · a year ago
That's not foolproof whatsoever.
pedropaulovc · a year ago
This is nothing new, Microsoft signed an agreement with the French government to build a sovereign cloud called Bleu [1] operated by Orange and Capgemini using Azure and Microsoft 365 technology. The German government did something similar and launched Delos Cloud, operated by SAP and Arvato Systems.

[1] https://www.globenewswire.com/en/news-release/2021/05/27/223...

[2] https://www.bertelsmann.com/news-and-media/news/first-sovere...

layer8 · a year ago
> called Bleu operated by Orange and […] using Azure

This is somehow funny.

zekrioca · a year ago
Not sure how the person doesn’t realize the contradiction.
pm3003 · a year ago
The pun is intended.
maelito · a year ago
Awful strategists did that, if they weren't simply corrupted.
pm3003 · a year ago
The reasoning is that, with sufficient security, on premise (more or less) cloud technology is not much different in terms of sovereignty from sourcing your hardware from China.
BiteCode_dev · a year ago
That was such a low blow, given we have stellar companies like OVH that have demonstrated their skills and willingness to bring great hosting, and are fully local.
nektro · a year ago
> using Azure and Microsoft 365 technology

then they didn't do what the article is suggesting

red-iron-pine · a year ago
> The German government did something similar and launched Delos Cloud, operated by SAP and Arvato Systems.

this will be an overpriced nightmare

stego-tech · a year ago
Good to see this attitude becoming increasingly prevalent. I'm used to being a Cassandra in IT world, and while I'd have greatly preferred being wrong in my 2019 research concerns about data sovereignty, cloud-repatriation, vendor lock-in, and a shifting geopolitical landscape, welp, here we are anyway. I cut my teeth in data center operations and defense contracting, and knew immediately the real cost of public cloud would be the forfeiture of sovereignty to whichever country (and companies) controlled the major providers - surprise surprise, I was right. The solution was never to outsource core government infrastructure to a third party, but to build it in house and recruit the talent needed to keep it running, something easily done on most developed governments' budgets; by outsourcing to public cloud service providers, they traded national sovereignty for empty promises.

Bookmark this comment, because my read is that in five years' time the question won't be whether or not public cloud providers can be trusted, but how to engineer infrastructure on cloud providers you cannot trust. How do you encrypt storage on a cloud platform when you can't trust the vendor's tooling to secure your keys? How do you orchestrate K8s clusters in a provider who knowingly gives a hostile foreign government access to your etcd or network layer? How do you handle data boundaries within your own org when multiple countries with competing standards demand residency of data and infrastructure? I worry it'll be the "Chinese Firewall" problem but on a global scale, as different regions carve out their own digital kingdoms and demand fealty or expulsion.

JFingleton · a year ago
Perhaps Homomorphic encryption can provide part of the solution in running services on untrusted Cloud platforms?

Although with Microsoft's recent breakthrough in their quantum processor, I'm not sure whether quantum will be a help or a hindrance.

1over137 · a year ago
Canadian government IT is mostly all Microsoft. The government can't even send themselves email without it going through Microsoft, a company based in a country (USA) that wants to take over Canada. Insanity.
sam_lowry_ · a year ago
That's true for most EU governments as well. We lost the ability to host our own email infrastructure long before we moved to US clouds.
red-iron-pine · a year ago
big tech has been pushing for cloud for a decade.

same companies that also happen to have advertising and data mining as primary functions. is there any surprise they made this call?

gmuslera · a year ago
Since now? It was safe before, as in what is happening now was totally impossible before, and somehow it happens anyway? Did they start to care about making backups after they lost data?

Risk is not about "something happened, so it may happen again", but whether something bad can happen, whether it is possible, and maybe weighing it as probable or not. Black swans exist, and if you bet everything on them not existing, you may lose everything.

And the process of moving government and societies to some cloud controlled by a foreign power takes time to get in, and to get out. And you can't tell that something bad was being done while showing a smiling face.

It is not something coming out of the blue. There were strong signals of intervention back to the start of the internet, and a more or less official confirmation of what was happening in the shadows with Snowden's revelations. But somehow it is now that this is perceived as a risk.

SecretDreams · a year ago
The only clear difference between now and even not that long ago is the fair perception that the US has flipped from (probably) "lawful neutral" to "chaotic evil".

Secrets in US cloud were probably never fully safe.. but at least the US wasn't previously on a path to inflict pain on the rest of the world.

red-iron-pine · a year ago
the US government was invading and bombing people for decades and the EU did nothing. "chaotic evil" my ass, the only reason they're moving now is because MAGA is threatening them directly via Greenland, or indirectly, by pulling out of NATO and backing Russia.

wongarsu · a year ago
It has always been unsafe, it is very questionable under the GDPR (though governments are obviously excluded from the GDPR itself), and lots of governments and companies have been using or working on alternatives. But the temptation of US clouds has been strong, and now is a good time to remind everyone who previously thought the benefits outweighed the risks.
cuuupid · a year ago
One oft-forgotten thing is that the US government clouds rated for IL5/6 are secluded on SIPRnet and JWICS. These are totally separate networks with CDSs being the only way to go from one net to the other.

In practice this means the US Government remains in control of the network backing their cloud. ITAR regulations make it treasonous to have foreign eyes on these clouds. Foreign governments are not afforded any of those protections when sitting on US clouds.

Even among FVEY, there are designations for data relative to member states and information is not as free flowing on JWICS as one might assume. It is more like a controlled stream than a raging river

graemep · a year ago
It's never been a good idea. I do not think non-EU European countries can rely on EU cloud, nor can EU countries necessarily rely on each other.

The only effect the distrust of the current US government will have is a few articles. It is too expensive and difficult for this to be sufficient incentive to change anything.

We should probably be grateful they have not put it all on Chinese clouds.

altacc · a year ago
I work at a large Europe-based multinational and hosting has always been a concern due to the big differences in data protection and privacy rules. We never use a service not hosted in the EEA.

The current threats that the US is making to Europe about its data protection, privacy, consumer protection, etc. laws are very much of concern and are already beginning to be a factor in our ongoing RFPs and procurement process. We're not just following the law, we also don't trust some companies with our reputation.

graemep · a year ago
A lot of European companies and organisations use services provided by American companies but run on servers in Europe. In the UK the NHS uses AWS, the courts use MS Teams, etc.
watwut · a year ago
America is literally allying itself with Russia, trying to turn Ukraine into basically a colony (by demanding their resources forever), threatening annexation of Canada (repeatedly). Oh, and in the process of starting a trade war.

Non-EU can trust EU waaay more than anyone except Russia can trust America. American leadership made it clear that norms, laws or morality are only for suckers.

The levels of behaviors between the sides here are not symmetrical.

Axsuul · a year ago
It's a bit premature to call it an alliance. So far there have only been talks.

> trying to turn Ukraine into basically a colony (by demanding their resources forever)

Keep in mind it was Ukraine that proposed the idea of offering their resources back in October 2024[0]

0. https://www.cfr.org/expert-brief/zelenskyys-victory-plan-ukr...

whimsicalism · a year ago
EU also demands resources in exchange for military support such as the French+UK-led intervention into Libya. Saying US is an ally of Russia is a pretty big stretch, meanwhile the EU has members that are actually allied with Russia and lots of large Russia-aligned multinationals like Gunvor
rdtsc · a year ago
> America is literally allying itself with Russia, trying to turn Ukraine into basically a colony (by demanding their resources forever)

It was Ukraine/Zelensky who suggested that first, not Trump. It was back in November. But we tend to forget such things for some reason...

From https://www.ft.com/content/623c197f-6952-4229-bfbc-0a96e43d6...

> Two of the ideas were laid out in Volodymyr Zelensky’s “victory plan” with Trump specifically in mind, said people involved in drawing it up. The proposals were later presented to Trump when Ukraine’s president met him in New York in September.

So Trump agreed eventually and then Zelensky started a media storm about how Trump wants to take their natural resources and turn them into a colony. And everyone somehow immediately forgot that the proposal originated with the Ukrainian government.

> The levels of behaviors between the sides here are not symmetrical

It comes from fundamentally different perceptions of reality and politics. There is an idea that things have to be just and fair. And when they are not we like to say "it's not fair" and someone comes and fixes it. I am afraid it just doesn't work like that past childhood age.

> American leadership made it clear that norms, laws or morality are only for suckers.

When weren't they? You're thinking maybe everyone just finally woke up? Morality and laws do not apply in practice on the international arena. It would be nice if they did, I agree, but they don't currently.

The EU should have always had its own strong army, it should have never trusted the US and not relied on them for protection. But they also shouldn't have been buying energy from Putin and funding his operation for years.