The only way is Office: UK Parliament to migrate to Microsoft cloud

Update The UK Parliament is migrating to Office 365, which will become the default option for email, file-sharing, hosted apps and storage services for MPs and parliamentary staff from May 2015.

Like many organisations, Parliament has decided that moving to the cloud offers the potential for financial savings. A January meeting of House of Lords Management Board (see section 7.2 of the minutes) acknowledged data sovereignty and security issues need to be tackled for the plan to be pulled off successfully.

PICT [Parliamentary ICT Service] and Speaker’s Counsel had been exploring the legal issues surrounding the Cloud and data sovereignty. There were two separate sets of questions: political and jurisdictional; and technical, relation to data security. The Board asked to be kept informed as discussed on these issues progressed.

Only a small amount of House data needed a high level of security. The House should put more thought into how much data it created and stored and how long it was retained for.

A May meeting of the House of Lords Management Board (minutes, PDF, see section 4.3) reveals a subsequent decision to standardise with one version of Microsoft's Office productivity tools.

The Board endorsed the deployment of Microsoft Office 365 to members and staff. The Board agreed that, from the 2015 election, Office 365 would be the only version of Office offered.

"While that's the Lords management board, that decision covers both Houses," Sam Smith, a privacy and transparency expert who tipped us off about the decision told El Reg. "The Commons has made a similar decision (as it's a joint system), but that decision is hidden in RESTRICTED access minutes."

Office 365 is a subscription-based online office software and services suite built around the Microsoft Office platform. It includes hosted versions of Exchange, Lync, SharePoint and Office Web Apps.

Smith told us that Parliament has a Bring Your Own Device policy that means that IT technicians will attempt to extend email and calendaring access to whatever equipment MPs, peers and their staff have or prefer to use. However the default services offered by Parliament matter because that's what parliamentarians (seldom the most tech-savvy of people) tend to use in practice.

It would be possible for someone working at the House of Commons to use an encrypted open-source file sync-and-share service, for example, but most users can be expected to stick with the default Sharepoint option that would come with Office 365.

Parliament's IT function was not procured through G-Cloud, the procurement framework for government.

More details of the IT services Parliament intended to migrate to the cloud, and hoped for savings, are found in notes from a January House of Lords Management Board conflab (PDF, see section 2.4).

Email and office services. A business case would be brought forward by spring 2013, which could lead to savings of up to £300,000 per annum.

The location of all data hosting would be considered. Not all parliamentary data could be hosted in the cloud (the assumption for maximum cloud storage was 80 per cent of all data) and the cost of doing so varied across the market. Further work would need to be completed before a business case with firm figures for potential savings could be developed.

Business applications. A “cloud first” policy would enable different parts of the Administration to use cloud-based business applications where appropriate. This could provide some savings or improved functionality and service.

By June the plan was coming together and the Snowden revelation did not prompt a rethink, as minutes from a House of Lords management board briefing (PDF, see section 3.4) reveal.

PICT had reviewed its advice on data sovereignty and cloud computing following news stories about PRISM and was content that the risk was unchanged.

A paper presented an October meeting (PDF) of the committee didn't raise any particular security issues with the Office 365 rollout, even going so far as to suggest it might improve security. "The move to Office 365 and cloud-based technology had the potential to deliver security benefits but this would depend on how the new system was implemented," the management board was told.

The view of those running IT systems for UK legislators contrasts sharply with attitudes ion German and Brazil, where revelations about spying on government leaders have prompted calls to retain data and internet services within the borders of the two countries.

Moving confidential parliamentary systems to the cloud might mean emails, files and parliamentary diaries of MPs and peers would be stored on systems not under the control of the UK government and hosted outside the country.

Some politicians have already expressed concerns about moving to a cloud-based system. Liberal Democrat MP Dr Julian Huppert, who sits on the Home Affairs Select Committee, told the Daily Mail: "I think there are huge concerns about how you maintain the security of information like this.

"There are very real risks with a cloud system if it crosses international boundaries."

If you can't beat them, join them

Not everybody in the Palace of Westminster is a long-term fan of Microsoft's office productivity technology.

Redaction errors in a recent FOIA request response from Parliament revealed that they've spent a couple of years building a custom word processor for Hansard, the official record of parliamentary proceedings. The software development project was abandoned because they couldn't get the spellcheck to work. The business case for a custom word processor in the first place rested on removing dependence from Microsoft for upgrades and processes.

Legacy Systems/Apps: – [Microsoft 2002 Word XP] upgraded to 2003 then upgraded to 2007 & includes VBA Why change? [Word]-based authoring has been adequate for the print requirements of Committee Reports for many years. However, reliance on [Word] templates leaves Parliament dependent on the upgrades and support lifecycles dictated by [Microsoft] .

Attempted but failed redactions appear within square brackets [] in the above quote.

"Given the language they use in their Microsoft cloud businesses cases, there's some degree of hypocrisy and cognitive dissonance here," Smith, who filed the FOIA request, opined to El Reg. ®

Update

El Reg requested a comment on the issues from both Parliament and Microsoft last week.

In particular we wanted to know what safeguards can be taken to prevent foreign intelligence agencies (such as the NSA) from reading emails and stored data.

We asked the House of Lords press office about how it would ensure the security of MPs' correspondence and other Parliamentary material on a cloud-based systems hosted outside the UK.

A Lords spokesman got back to us after the publication of the piece to say that data would be hosted "within the EU". Microsoft data centres in the region are based in Ireland and the Netherlands.

Asked what safeguards could be taken to prevent foreign intelligence agencies (such as the NSA) from reading emails and stored data, he added that this had already been factored into considerations.

"We’re well aware of data sovereignty risks, and have taken legal advice, which indicates in the case of Office 365 that the risks are low. Appropriate security measures are in place to mitigate against unauthorised access," he added.