Bolstering the Data Security of Public Authorities Thanks to On-Premise Solutions

As recently as this past April, the European Data Protection Supervisor (EDPS) ordered the European Commission to put a stop to its use of Microsoft 365. The Swiss Federal Audit Office is now following suit by recommending government uses Microsoft Office without the cloud for as long as possible.

Up to now, the key ‘Cloud Enabling Office Automation’ project (CEBA for short) rolled out by the Federal Chancellery’s Digital Transformation and ICT Steering DTI Sector had been working under the assumption that the use of Microsoft Office as a local application would no longer be possible after 2026. This is why a move to the cloud was decided. In a recent report, the Swiss Federal Audit Office voiced concerns regarding data protection, pointing out that the cloud poses risks that it was impossible to assess comprehensively at the time of their inspection, let alone accept. It also stresses that the risks linked to the use of cloud computing can be considerable.

The Swiss Federal Audit Office’s main criticism is that by moving to Microsoft Office 365, the federal administration became dependent on the software company in a way that jeopardises data protection. The Office therefore recommends looking into alternatives to mitigate this issue. Microsoft Cloud’s security isn’t alone in the crosshairs: procurement managers too are called out, and quite severely so. Too many public authorities adjust their IT strategy to align with Microsoft’s agenda. This is despite their having a duty to comply with stringent procurement rules and it being in their own interest to monitor data sovereignty, costs and licences as well as IT dependency aspects.

Needs-based procurement goes out of the window

The Swiss Federal Audit Office’s criticism is justified, as procurement by the public sector is bound by fiscal legislation to pursue the overarching objective of saving financial resources and cutting costs. The fiscal principles of frugality and profitability are in the interest of the public purse and remain the basic guideline for procurement.

However, this is often ignored by those involved, who fail to examine alternatives closely and put forward spurious arguments preventing them from purchasing the right software solution. The federal government’s attitude illustrates this, as they have been accepting Microsoft’s announcements without questioning them and have rushed headlong into cloud-based services. Even before this, the Software Assurance the American behemoth offers was often deemed ‘essential’ despite updates rarely being carried out. This option is unnecessary and only restricts competition.

The best option: used on-premise licenses

In Europe, software licenses are tendered and purchased directly from providers to the tune of several billion euros, without any checks being carried out to examine whether this makes financial sense or even complies with fiscal or procurement legislation. Such an oversight results in massive financial losses. All those involved could avoid this plight by turning to on-premise software, as in many cases, even the latest version can be available ‘second-hand’.Doing so would alleviate any data protection concerns linked to the cloud while bolstering competition.

Another relevant aspect in this discussion is the fact that very often, not all features are actually necessary. Most public bodies only need one or another item in the comprehensive toolbox offered by Microsoft, i.e. just the hammer and NOT the pliers, the spanner AND the file. What they also generally don’t need is the assurance that they will be able to swap superfluous tools for other, new and shiny but unnecessary tools as soon as they become available. The range of features alone makes many solutions more expensive than the issue they are trying to solve.

Rethinking procurement practices

In a nutshell, procurement practices tend to follow a very traditional pattern, which dealers and authorities have been following blindly instead of challenging it as should have been the case. Software companies and wholesalers also tend to put pressure on public authorities, who surrender to what they believe to be their fate. Financial resources are thereby redistributed, with money flowing from public bodies to private software companies whose business units earn billions in sales every year or even gain a monopoly. The discussions about the ensuing market distortions are often very heated. One example: the announcement by VMware and Citrix of their new compulsory subscription that left attendees of the ITAM Congress in Engelberg absolutely baffled.

Against this backdrop one can only welcome the criticism voiced by the Swiss Federal Audit Office regarding public procurement practices. The auditors’ recommendation to opt for on-premise solutions for as long as possible (in line with decisions of similar competition bodies) is therefore both smart and forward-looking.