European Commission’s use of Microsoft 365 infringes data protection law for EU institutions and bodies - eviltoast

cross-posted from: https://lemmy.ml/post/13035348

Following its investigation, the EDPS has found that the European Commission (Commission) has infringed several key data protection rules when using Microsoft 365. In its decision, the EDPS imposes corrective measures on the Commission.

The EDPS has found that the Commission has infringed several provisions of Regulation (EU) 2018/1725, the EU’s data protection law for EU institutions, bodies, offices and agencies (EUIs), including those on transfers of personal data outside the EU/European Economic Area (EEA).

  • ShortN0te@lemmy.ml · 64 upvotes · 8 months ago

    Imagine all the money they are throwing at Microsoft put towards a few teams that develop actively on open-source projects to support independent and open-source infrastructure.

    • admiralteal@kbin.social · 9 upvotes · 8 months ago

      Man I wish Obsidian were open source. Or that someone would just fully knock them off. It’s the only notetaking app I’ve ever used that didn’t feel like it was constantly fighting with me. Joplin just doesn’t do it for me, especially with those jex files rather than just storing stuff in plain text.

      • Ephera@lemmy.ml · 4 upvotes · 8 months ago

        I’ve heard Logseq is comparable to Obsidian and it’s open-source. It is the corporate kind of open-source, though, so no guarantees that it stays as such…

    • BearOfaTime@lemm.ee · 27 upvotes, 1 downvote · edited · 8 months ago

      Right?

      The incompetence in the IT world is staggering. In the ’90s I complained about the direction SaaS would take us, and my peers just dismissed me as paranoid.

      Seriously, how do these people not see the issues with outsourcing your data/software hosting?

      It’s especially frustrating since it takes more network bandwidth to outsource this stuff, which is more risky (in my opinion - according to how I measure risk) than keeping it in-house, and with that much bandwidth you could easily support all your remote users anyway.

      (Of course I’m comparing simple network/cloud provider outage risks against the local data risks and management, it’s not really as simple as I’m making it. I just prefer the “keep as much local as you can” is better than distributing data, since it’s going to be local anyway, meaning you’re never free of those risks).

  • Evil_Shrubbery@lemm.ee · 14 upvotes · 8 months ago

    Ohhh, interesting. And nice.

    It will be a confusing few years but transition away from big corp cloud services is an important thing.

    I really hope they eventually push self-hosting onto regulated entities as well.

      • Evil_Shrubbery@lemm.ee · 11 upvotes, 1 downvote · edited · 8 months ago

        Yeah, I mean, neither are corporations, especially when there is no oversight, no sanctions, and no real alternatives for regular workers.

        Also not sharing data for profit or lending it for private sector AI training. And it’s not like developed countries get their data stolen as regularly as corps do. And e.g. financial regulators are pretty strict on data security (CISO things) + a lot of new directives concerning data are just about to come into force.

      • vsis@feddit.cl · 3 upvotes · 8 months ago

        Keys and tokens will be shared securely via Singaporean hotel Wi-Fi.

  • a4ng3l@lemmy.world · 4 upvotes, 3 downvotes · 8 months ago

    There goes my week and prolly the whole year… I look forward to the internal assessment at my job, but chances are local authorities will follow on this and the implications are crazy. At first read it puts the bars sooooo high on several principles that basically no existing IT-intensive business will have a chance to survive a similar audit.

    • troed@fedia.io · 19 upvotes · 8 months ago

      The EU has made it very clear for a while now that European organizations cannot rely on American clouds or SaaS-providers. It’s perfectly possible to go without - it just means a lot of IT-orgs who have relied on having a career “in Microsoft” need to update their skillset.

      • a4ng3l@lemmy.world · 3 upvotes, 9 downvotes · 8 months ago

        « Perfectly possible » but at what cost and with what compromises though? Not specifically looking at Microsoft - the same would apply to similar products. Also a lot of the blame is on the commission itself and the lack of controls over its data - which also has nothing to do with where it’s being processed. Even if you do 100% in the EU with open source software you can still fail many of the controls if you don’t track your data, have appropriate documentation to demonstrate it, did the required assessments… and those expectations are what bit them in the ass I think. And likely it will bite a lot of other actors that aren’t putting much effort in the same.

        • admiralteal@kbin.social · 3 upvotes · edited · 8 months ago

          Out of curiosity, which specific MS product is the one you see as most valuable / hardest to do without for IT security?

          I can’t imagine it’s Word or Excel or anything document-centric. That’s what most people think of when they think of MS Office, but in this day and age there are plenty of totally serviceable alternatives. This from someone who both freely admits MS Word is the best WYSIWYG editor and still refuses to use it. The sharing/collaboration stuff is pretty tight with MS Office, but my experience is that most people don’t use it and just email around attachments, even though it makes more savvy people want to pull their hair out.

          I have to assume Outlook’s the big boy, right? Email & sync? And then, I assume, there’s lot of cloud services that typical end users don’t even know is there?

          • MonkderZweite@feddit.ch · 2 upvotes · edited · 8 months ago

            Out of curiosity, which specific MS product is the one you see as most valuable / hardest to do without for IT security?

            I can’t imagine it’s Word or Excel or anything document-centric. That’s what most people think of when they think of MS Office, but in this day and age there are plenty of totally serviceable alternatives.

            You’ll be surprised. Company documents are usually all made in the shitty format that only really works in MS Office.

            And of course MSO doesn’t even provide .NET components so someone could create converter tools using MSO; you have to work around it or use LibreOffice’s soffice command, which provides limited support for proprietary MSO features. Don’t tell me that’s not on purpose.

          • Trainguyrom@reddthat.com · 1 upvote · 8 months ago

            The biggest tool in the M365 suite will vary by organization.

            Outlook is huge. It integrates well with Microsoft Exchange, which can either be self-hosted or you can just pay Microsoft to handle it (generally recommended these days). The calendar integrates with Microsoft Teams, where you can create a calendar event, have it create a Teams Meeting, then add your attendees from your Outlook contacts (which will also have all accounts from Active Directory searchable); then after the Teams meeting you can directly email a follow-up to all meeting attendees within Outlook. Outlook will also very nicely handle emailing files as SharePoint links and giving access to the users you’re emailing (again, integrating with Active Directory for authentication and listing users to set permissions), and when you and another user are both editing a document on SharePoint it allows easy collaboration in Word/Excel/PowerPoint, much like how Google Docs works when sharing with edit permissions. These workflows are huge for a hybrid/remote workforce or for inter-office collaboration.

            On the server & administration side of things Active Directory (AD) is a juggernaut. It has integrations into many web services (basically anything with a “sign in with Microsoft” button), and many programs one might install onto a computer also support using your AD login as authentication, which means fewer passwords for users to remember and fewer passwords for admins to reset and manage for onboarding, offboarding and providing login assistance. AD also directly integrates with file shares, where you can set detailed permissions based on the users and groups in AD. AD also gives you access to Group Policies, which allow you to heavily manage and configure your users’ workstations. This is where admins can restrict access to settings users should never touch, restrict the ability to install software, remove bloatware, restrict access to certain browser functions, etc., and of course you manage all of this using Microsoft Remote Desktop Protocol or Microsoft PowerShell, which authenticates against AD. Most organizations use AD as a single source of truth on who works in the organization, with the HRMS (Human Resources Management Software) directly integrating with AD and automatically creating and deactivating users, applying groups based on the user’s job title, etc.

            For a real-world example, I currently manage a SaaS product as one of my primary duties (it’s like Salesforce without being Salesforce). We have extensive permissions set up within this SaaS product which we have to manually apply for every user that joins, leaves or changes positions. I’m currently pushing for AD integration, since I spend about 8 hours every week on concerns that would be automated away by integrating the SaaS product I manage with AD, letting AD groups automatically set the users’ permissions and using single sign-on with AD. This would also tie into a larger upcoming project of shifting some shared accounts for high-turnover positions into named accounts, as it would ideally integrate with an ongoing project that’s ramping up to overhaul our current HRMS workflow and automatically create/deactivate users with appropriate permissions as they join/leave the company. This is the power of AD: it’s a single, industry-standard database and authentication server that often runs an entire organization’s security and infrastructure because of its heavy integration and potential for automation.
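The joiner/mover/leaver flow described in the comment above, as an added illustration that is not from the thread, from Microsoft, or from any real directory integration: the HR roster is the source of truth, a job title maps to a set of directory groups, and the directory is reconciled to it so that joiners get created, movers lose entitlements they no longer need, and leavers are disabled. The title-to-group table, usernames and group names are constructed, and the script computes a change plan in plain Python rather than calling an AD or SaaS API.

```python
"""Reconcile an HRMS roster against directory state (constructed data, no live AD)."""
from dataclasses import dataclass, field

# Assumed mapping from HRMS job title to the groups that title entitles.
TITLE_GROUPS = {
    "Sales Rep": {"crm-users", "vpn-users"},
    "Sales Manager": {"crm-users", "crm-admins", "vpn-users"},
    "Contractor": {"vpn-users"},
}

@dataclass
class DirUser:
    enabled: bool
    groups: set = field(default_factory=set)

@dataclass
class Plan:
    create: list = field(default_factory=list)   # joiners
    enable: list = field(default_factory=list)   # rejoiners with a disabled account
    disable: list = field(default_factory=list)  # leavers
    add: list = field(default_factory=list)      # (user, group) memberships to grant
    remove: list = field(default_factory=list)   # (user, group) memberships to revoke

def reconcile(hrms, directory):
    """hrms: {username: job_title} of active staff; directory: {username: DirUser}."""
    plan = Plan()
    for user, title in sorted(hrms.items()):
        # Unknown title means no entitlements: least privilege by default.
        wanted = TITLE_GROUPS.get(title, set())
        acct = directory.get(user)
        if acct is None:
            plan.create.append(user)
        elif not acct.enabled:
            plan.enable.append(user)  # re-enable instead of creating a duplicate
        have = acct.groups if acct else set()
        plan.add.extend((user, g) for g in sorted(wanted - have))
        plan.remove.extend((user, g) for g in sorted(have - wanted))  # mover clean-up
    for user, acct in sorted(directory.items()):
        if user not in hrms and acct.enabled:  # leaver: disable and strip every group
            plan.disable.append(user)
            plan.remove.extend((user, g) for g in sorted(acct.groups))
    return plan

# Constructed sample: alice promoted, bob demoted, carol left, dave joined.
HRMS = {"alice": "Sales Manager", "bob": "Sales Rep", "dave": "Contractor"}
DIRECTORY = {
    "alice": DirUser(True, {"crm-users", "vpn-users"}),
    "bob": DirUser(True, {"crm-users", "crm-admins", "vpn-users"}),
    "carol": DirUser(True, {"crm-users"}),
}

def example_plan():
    return reconcile(HRMS, DIRECTORY)
```

Running the plan through a real connector is the part the comment says the HRMS project would handle; the point here is that every permission change is derived from the roster, not applied by hand.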

          • a4ng3l@lemmy.world · 3 upvotes, 3 downvotes · 8 months ago

            I haven’t mentioned IT security at all have I?

            A lot of businesses (including my current employer) seem to enjoy the integrated ecosystem offered by MS, from the office suite to SharePoint to mail, indeed with a sprinkle of Power BI and the form thingy.

            You can replicate all that but it is absolutely not trivial. And the end user also typically will find it less easy to interact with all the pieces.