Independent journalism about VU Amsterdam | Since 1953
24 November 2024

‘You never switch to the cloud for its security features’

VU Amsterdam is currently migrating all employee and student data to the Microsoft cloud. Yes, that’s right: the same company whose email servers (Exchange) were hacked earlier this year, with disastrous consequences. So, how safe will our VU data be in the near future?

All files saved to OneDrive, emailing exclusively via Exchange servers and Teams for working together. In other words, new digital working – the Microsoft way – is the future for both VU Amsterdam students and employees.

Everything is moving to the cloud or, in reality, a number of earthbound servers owned by the American tech giant – the very same tech giant that was hacked earlier this year (quite possibly with Chinese government knowledge). The cyber attack hit tens of thousands of businesses, governments and hospitals around the world. “Microsoft cannot be blamed for this”, says Fabio Massacci, professor of Foundational and Experimental Security at VU Amsterdam, via Zoom. “Every tech company on earth is under attack.”

Wouldn’t this be a good reason to store data at home? No, says Massacci, because hackers can also access your home computer. “Data is generally safer at Microsoft, for the simple reason that the company has more administrators and better facilities. As a result, services including virus protection and authorization are usually up to date.”

As an Italian, he readily reaches for a food comparison: “It is like dismantling your own kitchen and agreeing to eat at a certain restaurant every single day. The cook is better, the hygiene is great, etcetera. But there is a trade-off: the restaurant decides what is on the menu. So Microsoft can suddenly decide that some software will be integrated into Teams or that apps by other companies no longer work properly – or at all.”

How secure is your research data?

And there are other caveats, because the cloud is not exempt from possible data leaks and ransomware attacks. “Employees can always choose to store their data locally, which theoretically leaves them vulnerable to theft and ransomware attacks. I myself store part of my research material on a local server. This is data I do not share with others and that I am able to secure properly myself.”

But won’t VU Amsterdam want its employees to store their data on Microsoft servers? “Maybe, maybe not. Look, all available information about the curriculum, all student evaluations and policy documents are highly suitable for the cloud, but there may be individual differences when it comes to research data. Those capable of protecting their own data and intellectual property may choose to do so. But if you don’t have the skills to do that, you’re better off uploading everything to the cloud.”

Just to make things clear, Massacci says: “You never switch to the cloud for its security features. If you are willing to spend extra money as an institution, the best idea is to secure your data locally. You choose the cloud for its functionality, because it allows you to access your data from anywhere and because you can easily share it with others.”

What if the US claims our emails?

At the end of 2019, the rectors of all Dutch universities, including VU Amsterdam’s Vinod Subramaniam, warned against deals with tech giants that might use data for their own benefit. Last June, a group of eighteen Dutch professors sounded the alarm, also warning against the misuse of data.

And yes, as you may have guessed, Microsoft has access to all files and emails. “Otherwise they would not be able to provide the required services. But it would be different if they scanned and forwarded everything to their marketing department. This is difficult to prevent from a technical standpoint, but in legal terms there are options. It is illegal to use someone else’s data for commercial gain, so we have to assume Microsoft does not do this. But it is also possible for one of VU Amsterdam’s own system managers or someone from another institution to access data and sell it to third parties, to name just two possibilities.”

What Massacci is more concerned about is something that also worries the above-mentioned eighteen professors: the possibility that the US government may demand access to files and emails. “While tech companies are likely to refuse access initially, I fear that the NSA or the American government will get their way sooner or later, even if the data is stored in the European Union. The American parent company may choose to overrule branches in Europe. In addition to requesting data, the US government could also choose to impose limitations, such as prohibiting email traffic with Iranian or Chinese students. This might very well become a reality.”

Will you ever truly be rid of Microsoft?

And then there is the issue so eloquently articulated by The Eagles in the song ‘Hotel California’: you can check out any time you like, but you can never leave. In other words: you may decide to terminate your contract at some point – perhaps due to changing conditions or to switch to another cloud service – but how easy is it to do that? Will you ever truly be rid of Microsoft?

Massacci: “What if terminating your contract means that you lose all of your emails, for example? What if switching to another company turns out to be very costly? Although the service is free in theory, Amazon is known to charge customers for the network traffic needed to make the switch. It is still too early to speak of a structural problem, as institutions have only been working with tech companies for a few years. It remains to be seen what the future will bring.”
