Canton Zurich has deemed it safe for its entities to use Microsoft 365 in the cloud.
This is great news at a time when the issue of data protection is highly topical.
Before making such a decision, the Zurich executive analyzed the risks of taking such a step.
An interesting argument, which we invite you to discover in this article.
Why has the canton of Zurich given the go-ahead for Microsoft 365?
The canton of Zurich recently published the arguments that led to its decision to authorize its public administration to use M365 cloud services.
It’s worth remembering that, although it supplies a Swiss public authority, Microsoft is first and foremost an American hyperscaler subject to the Cloud Act.
There are several reasons for this decision.
Is the cloud a necessity?
First of all, it has to be said that it’s hard to do without.
The canton recognizes the advantages of working with the cloud and of the evolving range of IT suppliers in Switzerland.
More and more security solutions are available exclusively for the cloud.
Microsoft Teams is proof of this.
The canton of Zurich sees no alternative to this development, which it describes rather vividly: without the cloud, the canton would be “on the technological bangs” because it would be “closed to technological progress”.
These are the reasons why the canton is aware of the need to adopt the cloud, to avoid falling out of step with private sector companies and other public authorities in this area of IT.
Not to mention the risks the canton would run in terms of digitization and collaboration, security and attractiveness if it were to oppose the cloud.
A Cloud Act risk
As mentioned above, since Microsoft is a provider subject to the Cloud Act, the canton wanted to estimate the risk of foreign authorities gaining access to its cloud-hosted data.
The canton of Zurich therefore established a risk calculation based on David Rosenthal’s risk assessment model, which determines in a structured way the likelihood of successful legal access by a foreign authority to a cloud project.
The calculation, based on figures and statistics, yielded a rather conclusive result for the canton.
Over a 5-year period, the probability of the canton’s most sensitive data being accessed is just 0.74%, and it would take 1,552 years for illegal access to occur at least once.
The canton of Zurich was therefore confident that there was little or no chance of Microsoft accessing its data stored in the cloud.
A strong argument that probably tipped the balance.
Towards the appointment of a cloud security manager for the canton
In addition to giving Microsoft the green light to host its data in the cloud, the government has taken the decision to recruit a cloud security manager with the aim of ensuring cloud compliance, monitoring risk evolution and developing measures to minimize these risks.
Indeed, the Government Council is aware that this risk assessment is not a matter of “shoot and forget”.
Rather, what is required is “determined, ongoing monitoring and constant risk assessment”.
To this end, the Board has decided to create this position.
What we can conclude is that this decision remains interesting in a context where the US Cloud Act and the sovereignty of government cloud environments are being debated.
Sources: ICTjournal – Datenrecht