Early adopters have sung the praises of cloud's elasticity, scalability and flexibility for years now, and enterprises are finally taking notice. But just as the public cloud is becoming more mature, concerns about privacy and data sovereignty are tripping up cloud deployments for organizations with international users.
Cloud providers like to cultivate an image of the cloud as an infinite resource that transcends terrestrial realities of physical location and geopolitical jurisdictions. But nothing could be further from the truth. Just because your data is in "the cloud" doesn't mean it's not governed by the law of the land, whatever land that may be. Furthermore, last year's revelations about the extent of U.S. government spying have cast a pall on many organizations' willingness to use public cloud services, in particular those offered by U.S. companies.
The problem is particularly acute for organizations with customers in Europe, with its stringent data privacy rules, but it is by no means limited to them, said Jo Peterson, vice president for converged cloud and data centers at Clarify360, a cloud and data center sourcing consultancy. If a company's customers are subject to certain regulations, such as safe harbor laws, by extension, so is the company.
"It's a flow-down-the-hill sort of thing," Peterson said.
That causes a lot of bellyaching, time-consuming due diligence and suboptimal workarounds, which all translate to higher costs for cloud consumers, said John Treadway, senior vice president at Boston-based cloud consulting firm Cloud Technology Partners (CTP).
"It slows things down to have to go to the general counsel," Treadway said. "Right now, users of cloud are paying a premium to deal with these issues."
It's 11 o'clock. Do you know where your data is?
There's a huge incentive to take advantage of a cloud service provider's data centers in remote locations. For organizations with users or customers far from their home bases, the chance to use someone else's infrastructure to get data closer may help them avoid significant capital costs.
When an organization looks at entering a specific geography, the first thing to consider is the technical characteristics of a given data center, such as latency, connectivity, data-sharing and application interdependencies, and mobility, said Peterson.
But even if hosting a workload remotely is technically possible, there's still the legal aspect, "and that's where [customers] get stopped," Peterson said. Ultimately, data sovereignty rules are often the deciding factor for whether a would-be entrepreneur decides to compete in a given market.
"They ask, 'Do we want to serve this market or not? Is there enough revenue [to offset extra costs]? Because if the answer is yes, then we have to play by the rules,'" Peterson said.
Indeed, different countries have very different ideas about where and how the personal data of their citizens should be stored and managed. They also have different laws about how that data should be stored, moved and protected. Sometimes referred to as "safe harbor," data sovereignty laws vary wildly from country to country -- in fact, even among provinces and states.
In Canada, the province of British Columbia has distinct laws for public and private-sector organizations, said Kelly Beardmore, CTO at Carbon60 Networks, a Canadian managed hosting provider. Public sector data cannot leave the province, whereas other provinces aren't as strict, he said.
Similarly, Massachusetts has a law on the books prohibiting data about its citizens from leaving the state, although "nobody pays attention to it," said CTP's Treadway.
The canonical -- and arguably most significant -- example of safe harbor laws comes from Germany. As a member of the European Union, Germany should in theory be guided by the EU Directive 94/46/EC, or the Data Protection Directive, which governs privacy and the flow of data beyond the confines of member nations.
In fact, Germany goes above and beyond the EU laws and insists that data about German citizens stay within its own borders, even for maintenance and disaster recovery purposes.
That leaves organizations that do business with Germany, the largest economy in Europe, in a bind. Should they locate all their data there, or should they segment out German data in a German data center while using another data center for the remainder of their data?
Cloud providers, meanwhile, are all over the map in terms of their data center resources. Amazon Web Services (AWS), for instance, already has seven global regions and 26 Availability Zones to cater to international customers. Others are a work in progress.
For example, IBM SoftLayer currently has 13 data centers, only two of which are outside of the U.S. -- one in Amsterdam and one in Singapore. But the company plans to invest $1.2 billion to increase its footprint to 40 data centers around the world, with an initial focus on Hong Kong, London, Toronto, Mexico City, Frankfurt and Paris, said Mark Jones, IBM SoftLayer vice president of product innovation.
In places such as Canada and Australia that prohibit personal data from leaving country borders, the company plans to build multiple data centers so customers can move data within the IBM SoftLayer cloud, remaining within the country's borders for maintenance or disaster recovery reasons without fear of running afoul of data sovereignty laws.
About the Author
Alex Barrett is editor in chief of Modern Infrastructure. Write to her at firstname.lastname@example.org.