Government Agencies Lack Exit Strategy for American Cloud Services

By Netvora Tech News

---

A recent investigation by BNR reveals that multiple government agencies in the Netherlands have no exit strategy for using American cloud services. The radio station examined the cloud usage of 17 major government organizations, including the Dutch Healthcare Authority (NZa), the Dutch Central Bank (DNB), the Employee Insurance Agency (UWV), and the National Institute for Public Health and the Environment (RIVM). All of these agencies were found to be using American cloud services and have not taken concrete steps to discontinue their use. The government agencies claim that the data is legally protected because it is physically stored within the European Economic Area (EEA) and is therefore subject to European regulations. However, security experts argue that this is not a sufficient solution. "What you're seeing is that many organizations are using a kind of trick," says security expert Bert Hubert. "They say, 'We're storing all our sensitive data in America, but we're keeping a little bit of it separate. We're storing it somewhere else.' And that's not how it works." Hubert emphasizes that the American authorities can access data stored in the cloud, even if it is physically located in Europe. "The American legislation says that Microsoft must comply with the American government's demands, and there's no footnote that says 'unless the server is in Ireland.' We've collectively added that footnote, and that's why many people are satisfied with that. But then they say, 'Oh, we're storing it on a special server in Europe.' If you ask Microsoft if the American legislation still applies, they'll respond with a lengthy letter saying that it still applies. It's a Band-Aid on a bullet wound." Hubert believes that the location of the server is not as important as who is managing the server. "Even if the server is in your attic, it's irrelevant. What matters is that the server is managed by the American company Microsoft." Many government agencies justify their use of American cloud services by citing convenience and ease of integration with their workflow. However, security experts argue that this is a weak excuse, especially when dealing with sensitive data. "You should be extra vigilant when it comes to sensitive data, but that's not happening," Hubert says. The current national cloud policy states that organizations are responsible for their own cloud usage. The use of American cloud services is allowed as long as data security is ensured. The policy is set to be revised mid-year. Additionally, the policy is not mandatory for independent administrative bodies (zbo's).