11 comments

[ 2.8 ms ] story [ 22.7 ms ] thread
The encryption requirement makes sense on paper, but it basically breaks the whole value proposition of SaaS. If you need true end-to-end encryption where the provider can't see plaintext, you lose search, real-time collaboration, most of the AI features everyone's been bolting on lately, etc. You're essentially left using these services as fancy file storage with your own crypto layer on top.

Which is fine for IaaS use cases - spin up VMs, encrypt your disks, manage your own keys. But for productivity software like M365? The Swiss government is basically saying "yeah you can use it but only in a way that makes it almost pointless."

The Cloud Act part is what really matters here though. US providers can be compelled to hand over data regardless of where it's physically stored, and they've been pretty clear they'll comply with US law over local data protection rules when push comes to shove. For a foreign government storing legally confidential citizen data, that's a real problem. I suspect this will get quietly ignored like the previous declarations, because the alternative is either building everything in-house or relying on local providers that frankly don't have the same feature set or reliability.

I can already write the headline of what this will be in five years...

"Swiss Government Moves Back to Cloud After Discovering Cleaning Staff Had More Physical Access Than IT Security Team"

A lot of Swiss government services do not need to be available 247 outside of the country.

There is no need for the SBB (Swiss national railway) to use cloudflare or AWS when the same can be provided by a local provider that also has the ability to deal with large DDOS and cap off the outside when it comes down to the wire. It is more important for someone in Switzerland to be able to purchase a ticket than someone planning a trip from abroad.

> the same can be provided by a local provider that also has the ability to deal with large DDOS and cap off the outside when it comes down to the wire

Local providers often can be 2-3x to 10x+ expensive compared to hyperscalers for the same featureset. If you're willing to compromise on features, you can get down to 2x but with basically vendor lock-in and Swiss German support (!= German - which in Switzerland can fly if you're a medium-small company, but if you want to attract talent you'll need also English). I'm not sure there's any local provider capable of mitigating large-scale DDOS either.

Hyperscalers understood the need for local presence despite being located right across the border and in EU (Germany, Italy, France): Azure, AWS and Google all opened up locations in Switzerland in the past 3-4 years.

Basically every medium/big Swiss client I've worked for was or is still in the process of migrating away from local providers (even the big-S one) due to costs. Add to that that most companies use some form of AD and most were already using Outlook or the Office suite, you can integrate everything with less costs via Azure. If you are a big company and have multiple locations all over the world, you anyway also need hyperscalers to allow the team in Spain, US or India to interact with familiar tools.

EDIT: replying to the "local services, local tools" part: I wouldn't like to be stranded at 2am in Zurich kanton in some god-forgotten town I went to exactly once, because the SBB app relies on a local provider which has a small team of on-call people that still need to wake up. There's also people interacting with government services at all times, I've seen logs of people trying to access apps at 3:30 in the night. While I can agree it can be fixed the next morning, the question becomes: why spend more for the lesser choice?

I'm impressed how USA companies became untrustful. Maybe this comes since Snowden whistle blowing, but it looks like the tendency is accelerating.
> I'm impressed how USA companies became untrustful.

They started stealing user data, at first discrete, then a bit more shameless and, this days, without even the slightest care.

It is funny that the article cannot be read without accepting marketing cookies
(comment deleted)
This cracked me up:

> a de facto ban on the use of these services as comprehensive Software-as-a-Service (SaaS) solutions whenever particularly sensitive or legally confidential personal data is involved. For the most part, authorities will likely only be able to use applications like the widespread Microsoft 365 as online storage

Since when is Microsoft 365 the bastion of modern privacy?

This is good news.

At EPFL we observe worrying trends that all services are moved to Microsoft (e-mails, cloud).

What happened to universities to host elemental services themselves?

EPFL also partnered up recently with Omnissa Work Space One to strengthen security of IT on campus. Mandatory (American) software which EPFL IT office wants to install on machines...

Unfortunately(?), the original headline was just wrong. The DPOs did not impose a ban, the DPO community of Switzerland just recommended to move out of the cloud. This is not exactly news either, they have been leaning towards more restrictions for quite a while. But in most situations they can only issue recommendations, not binding rules.