Why Microsoft customers don’t need to worry about EU-US Safe Harbour/Harbor

When European Courts judged the 15-year-old EU-US Safe Harbour/Harbor treaty to be invalid last October, Internet news sites started to report how terrible this was for EU companies placing data into cloud services offered (mostly) by American companies. For some, that may be true, but that assumes Safe Harbour is the only protection in place.

This week, IT news sites are at it again. The Register (the tabloid newspaper of IT news sites) has an article titled Safe Harbor 2.0: US-Europe talks on privacy go down to the wire but the actual URI belies a much more dramatic title of “Safe Harbor countdown to Armageddon”. Sensationalist at best, some might even say irresponsible.

I’m no lawyer but, for my customers, who are implementing Microsoft cloud services, there seems to be nothing to worry about and I’ll explain why in this blog post. Of course, Microsoft is just one of many cloud services providers – and for others there may be valid concerns.

The United States Export.Gov website currently displays the following text regarding Safe Harbor:

“On October 6, 2015, the European Court of Justice issued a judgment declaring as ‘invalid’ the European Commission’s Decision 2000/520/EC of 26 July 2000 ‘on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.’

In the current rapidly changing environment, the Department of Commerce will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework. If you have questions, please contact the European Commission, the appropriate European national data protection authority, or legal counsel.”

EU Model Clauses trump Safe Harbour

Microsoft President and Chief Legal Officer, Brad Smith, issued a statement on 6 October 2015. Quoting from that article:

“For Microsoft’s enterprise cloud customers, we believe the clear answer is that yes they can continue to transfer data by relying on additional steps and legal safeguards we have put in place. This includes additional and stringent privacy protections and Microsoft’s compliance with the EU Model Clauses, which enable customers to move data between the EU and other places – including the United States – even in the absence of the Safe Harbor. Both the ruling and comments by the European Commission recognized these types of steps earlier today.

Microsoft’s cloud services including Azure Core Services, Office 365, Dynamics CRM Online and Microsoft Intune all comply with the EU Model Clauses and hence are covered in this way.”

There’s also a follow-on post which talks in general terms about the wider issues and privacy beliefs but the key point is that Microsoft offers EU Model Clauses within its contracts, which go beyond Safe Harbour. Microsoft also has an FAQ on the EU Model Clauses that is worth a read.

Quoting again from the 6 October 2015 statement:

“We wanted to make sure all of our enterprise cloud customers receive this benefit so, beginning last year, we included compliance with the EU Model Clauses as a standard part of the contracts for our major enterprise cloud services with every customer. Microsoft cloud customers don’t need to do anything else to be covered in this way.”

That suggests to me that customers who have signed up to Azure Core Services, Office 365, Dynamics CRM Online or Intune since early 2014 already have greater privacy protection than was afforded by Safe Harbour – and that protection meets the EU’s current requirements. In short, Microsoft customers don’t need to worry about Safe Harbor (sic).

Microsoft #TechDays Online 2015

Last week was Microsoft UK’s TechDays Online conference, held over three days with thousands of virtual attendees watching/listening to sessions on a variety of topics, starting off in the IT Pro arena with a keynote on Windows 10 from journalist and author Mary Jo Foley (@MaryJoFoley), Windows Server, on to Intune, Office 365, progressing to a variety of Azure topics, containerisation and DevOps with a keynote from Microsoft Distinguished Engineer Jeffrey Snover (@JSnover) and eventually into full developer mode with a keynote from Scott Hanselman (@SHanselman).

This is the fourth year that Microsoft has run these events and I was fortunate to be invited to watch the sessions being recorded.  I attended the first afternoon/evening and the second day – driving my Twitter followers mad with a Microsoft overload. For those who missed it, here’s a recap (unfortunately I couldn’t commit the time to cover the developer day):

(I later retweeted this:)

And we continue…

Actually, he didn’t – I later published this correction:

And back to my stream of Twitter consciousness:

Sadly, I missed Mary Jo Foley’s keynote (although I did manage to get over to Microsoft’s London offices on the second evening for a live recording of the Windows Weekly podcast and caught up with Mary Jo after the event).

Sessions were recorded and I’ll update this post with video links when I have them.

Microsoft Management Summit 2010 highlights

This week sees the annual Microsoft Management Summit (MMS) taking place in Las Vegas, with over 3500 attendees from around the world, even though there are many people stranded by the current flight restrictions in Europe.  According to Microsoft, that’s 50% up on last year – and those delegates have access to 120 break out sessions to learn about Microsoft’s vision and technology for IT management – across client devices, the datacentre and the cloud.

The keynote presentations are being streamed live but, for those who missed yesterday’s keynote (as I did) and who are waiting to hear today’s news, here are the main highlights from the event, as described by Paul Ross, a Group Product Marketing Manager for System Center and virtualisation at Microsoft.

Cloud computing is a major trend in the IT industry and many customers are trying to balance new models for elastic computing with trying to get the best TCO and ROI from their existing investments.  There are those who suggest Microsoft doesn’t have a cloud strategy but it’s now 5 years since Ray Ozzie’s Internet Service Disruption memo in which he set out Microsoft’s software plus services approach and Steve Ballmer reinforced Microsoft’s Cloud Services vision earlier this year.

For many years, Microsoft has talked about the Dynamic Systems Initiative (DSI), later known as Dynamic IT and the transition to cloud services is in line with this – model driven, service focused, unifying servers and management, thinking about services instead of servers, and automated management in place of manual approaches. Meanwhile, new deployment paradigms (e.g. virtualisation in the data centre) see customers shifting towards private and public cloud environments.  But customers are experiencing a gap in the consistency of security models and application development between on premise and cloud services – and Microsoft believes it is the key to allowing customers to bridge that gap and provide consistency of infrastructure across the various delivery models.

Some of the new products announced at this year’s MMS include the next version of System Center Virtual Machine Manager (SCVMM), slated for release in the second half of next year, and which will take a service-centric approach to management – including new approaches to deploying applications. Alongside SCVMM, System Center Operations Manager (SCOM) will also be updated in the second half of 2011 – itself making the transition to a service-centric model.

Before then, June 2010 will see the release to web of the Dynamic Infrastructure Toolkit for System Center which provides enterprise customers with the foundations for creating a private cloud with concepts such as on demand/self-service provisioning, etc.

Today’s keynote will focus on the shift from device-centric computing to a user-centric approach.  Many organisations today operate separate infrastructures for different client access models – and there is a need for unification to manage IT according to end user requirements.  Central to this vision is the need to unify the products used for security and management of the infrastructure, reducing costs and focusing on user-centric client delivery for the cloud.

Earlier this week, we heard about the beta for Windows Intune – offering security, management, Windows Update and MDOP benefits within a single subscription for small to medium sized businesses.  Today’s headlines are enterprise-focused and will include the announcement of the beta for System Center Configuration Manager (SCCM) 2007 R3 – focused on power management and unified licensing for mobile devices alongside traditional desktop clients.  SCCM vNext (again, scheduled for the second half of 2011) will be focused on user-centric management – offering a seamless work experience regardless of whether applications are delivered via App-V, VDI, or using a traditional application delivery approach.  In addition, SCCM vNext will incorporate mobile device management (currently in a separate product – System Center Mobile Device Manager), allowing a single infrastructure to be provided (so, to summarise: that’s licensing changes in SCCM R3, followed by the technology in the next release).

In other news, we heard yesterday about the release of System Center Service Manager (SCSM) 2010 and System Center Data Protection Manager (SCDPM) 2010 – both generally available from June 2010.  SCSM is Microsoft’s long-awaited service desk product – with 57 customers in production already and around 3000 on the beta – which Microsoft hopes will disrupt the service desk market that they describe as being “relatively stale”.  Built as a platform for extension by partners, SCSM includes the concept of process packs (analogous to the management packs in SCOM) and Microsoft themselves are looking to release beta compliance and risk process packs from June, helping to grow out the product capabilities to cover a variety of ITIL disciplines.  As for SCDPM, the product gains new enterprise capabilities including client protection (the ability to back up and recover connected client systems) – and both SCSM and SCDPM are included within the Enterprise CAL and Server Management Suite Enterprise licensing arrangements.

For some years now, Microsoft has been showing a growing strength in its IT management portfolio – and now that they are starting to embrace heterogeneous environments (e.g. Unix and Linux support in SCOM, ESX management from SCVMM), I believe that they will start to chip away at some of the territory currently occupied by “real” enterprise management products.  As for that image of a company that’s purely focused on Windows and Office running on a thick client desktop, whilst that’s still where the majority of its revenue comes from, Microsoft knows it needs to embrace cloud computing – and it’s not as far behind the curve as some may believe.  The cloud isn’t right for everyone – and very few enterprises will embrace it for 100% of their IT service provision – but, for those looking at a mixture of on-premise and cloud infrastructure, or at a blend of private and public cloud, Microsoft is in a strong position with a foot in either camp.

Introducing Windows Intune

This is the week of the Microsoft Management Summit in Las Vegas and, as well as the whole load of System Center-related announcements that we can expect this week, Microsoft has formally announced the beta of a new cloud-based PC management service called Windows Intune.

Designed for customers who have 25-500 PCs, Windows Intune is intended to provide a cloud-based desktop management service in the way that BPOS does for business productivity applications.  Aimed squarely at the mid-market, Windows Intune (formerly known as System Center Online Desktop Manager) allows smaller organisations to gain some insight over what’s happening in their PC estate, avoiding the high infrastructure costs associated with enterprise products (and even System Center Essentials needs a server on site).

All that’s required on the PC is an Internet connection (and an agent, which Microsoft described as “lightweight”) but also included in the service is a license for Windows 7 Enterprise Edition and the MDOP technologies – that’s a single license purchase for a lot of functionality!  Microsoft is making the beta available today but interested customers will have to move quickly – it’s limited to 1000 users in the US, Canada, Mexico and Puerto Rico only – Europe and Asia will follow within a year.

For those organisations that are not quite ready for Windows 7, the license with Intune can be downgraded to Windows XP Professional or Windows Vista Business.

Administrators simply need an Internet connection and a Silverlight-capable browser to access a console which provides a system overview showing a rolled-up status including malware protection, updates, agent health (offline clients) and reports on operating system alerts (e.g. disk fragmentation) along with a number of workspaces – currently:

  • Computers – which may be organised into groups and subgroups (e.g. to assign policies and reports). Any groups are completely inside Intune and are nothing to do with Active Directory (a computer can exist within multiple groups). It’s also possible to drill down and expose details for each computer (updates, alerts, malware status, etc.).
  • Updates – a roll-up of all updates together with the ability to drill down on update type (i.e. security, critical, definition, service packs, update rollups, mandatory updates) and to filter to see which updates are waiting to be approved.
  • Malware protection – showing which clients have been infected and any resulting action – including integration with the endpoint protection encyclopedia (with the Microsoft Malware Protection Center)
  • Alerts – for malware protection, monitoring, notices, policy, remote assistance, system or updates.
  • Software – an automatic inventory reports details about the machine itself and installed software, which may be printed or exported as a CSV file.
  • Licenses – the ability to track licenses within Software Assurance (SA) agreements by entering the agreement numbers correlating installed software with purchased software (for Microsoft products only).  Microsoft were keen to highlight that privacy will be taken seriously with third party audit ensuring that the information is private to customers and not used by Microsoft to enforce its licensing.  In addition, the entering of SA agreement details is optional and the service will function without this information.
  • Policy – controlling how Intune and clients function including agent settings (template driven, but not using Group Policy – indeed Group Policy will override in any conflict), tools settings, and firewall settings (Intune communicates over HTTP, and the agent installation will also open remote management functionality).
  • Reports – providing a snapshot of status.
  • Administration – each computer is identified by a download/installation and multiple administrators may be defined for the service, with notifications on particular alerts (i.e. by e-mail).

From a client experience perspective, the Windows Intune Tools can be used for an end user to request help from Easy Assist (by sending an urgent alert to the Intune service – this has to be user-initiated and the administrator cannot arbitrarily take control of a client) and the end user can also check the update status with regards to Windows Update and malware protection.

Those who have worked with Microsoft Security Essentials may be interested to note that:

  • Windows Intune will work on servers, but is not supported.
  • Malware protection is provided by the common malware protection engine (from Forefront) with the user interface from Microsoft Security Essentials (“at the moment”).  The use of the Forefront scanning engine allows for reporting and policy control that is not present in Microsoft Security Essentials.

In summary, Windows Intune is intended as an easy-to-use cloud-based solution for small-medium businesses that requires little or no infrastructure and remains up-to-date.  It is not an enterprise solution (it’s certainly not a replacement for System Center Configuration Manager) but it is a useful way to license Windows 7 and prepare for Windows 8.

For more information as the beta progresses, check out the Windows Intune Team Blog.