Concerns about cloud governance and data sovereignty are stumbling blocks for many enterprises with an international customer base. But it's not just a question of locating the data appropriately; it's also a question of getting the guarantees -- in writing -- that the data won't move, even for low-level maintenance activities.
Amazon participates in safe harbor programs and commits to not moving data out of selected AWS Regions as part of its
A U.S.-based staffing provider recently undertook a project to consolidate its CRM software from 16 instances worldwide into Salesforce.com, plus custom code running on Amazon Web Services (AWS), where it already has a significant presence. Getting Salesforce to sign off on safe-harbor regulations was "a piece of cake," said the IT director responsible for the technical rollout, but dealing with AWS "was a disaster."
"AWS is really not interested in talking about safe harbor, security, international data and where you want to store it," said the IT director, whose company prohibits employees from speaking publicly.
Over the course of multiple meetings and email exchanges, it appeared to the IT director that AWS was uninterested in the topic. "It didn't appear that they were doing anything about [data sovereignty]. Every single question was a unique event," he recalled.
Rather than give up on using AWS, the staffing firm decided to work around the problem and store all of its data encrypted in the U.S., which legal counsel felt allowed the company to meet its obligations to international users.
While that may seem like a graceful solution -- and one that's well liked by security professionals -- it's also a burden on IT. To avoid assuming liability, AWS refused to manage this customer's encryption keys, as it sometimes does for other services like its Relational Database Service (RDS). "The security guys love [the encryption]. I just wish it were easier to manage," the IT director said.
Meanwhile, other service providers are starting to emphasize their transparency when it comes to data sovereignty. For example, iLand is a VMware vCloud provider with data centers in the U.S. and U.K. that makes a point of highlighting its data movement policies.*
"One 'feature' of some clouds is load-balancing across regions and not necessarily telling you about it," said Lilac Schoenbeck, iLand vice president of product management and marketing. With her company, on the other hand, "we can load-balance if you want, for example for DR purposes across the pond, but that's an explicit decision on the part of the customer."
In contrast, AWS not only doesn't provide that information, it is also opaque about what exactly it does do, Schoenbeck said. "That's almost worse than not having the assurance," she said.
Amazon declined to comment on the record for this story.
About the author
Alex Barrett is editor in chief of Modern Infrastructure. Write to her at firstname.lastname@example.org.