In an ideal world, we might be able to think of the cloud as a vast undifferentiated pool of compute and storage resources. Users wouldn’t have to care about the what and the where of the underlying infrastructure; they’d just spin up as many servers as they need or upload whichever files they want to store, and that would be that. In an era of plummeting prices, the commodification of cloud resources, and the prevalence of open standards, users wouldn’t even have to care much about which vendor they chose to handle their company’s workloads.
If you work in corporate IT, the above scenario probably made you wince. For you, the global cloud is just pie in the sky. You are deeply concerned with the what and the where of infrastructure deployments — particularly the where. Data sovereignty is key to mitigating the regulatory and business risks of infrastructure deployment. It matters where data is stored and processed because it matters which legal and regulatory frameworks will apply — countries across the world have radically different privacy and security standards for data. Companies can find themselves in serious trouble if they plan for adhering to EU or Canadian standards within those jurisdictions only to find that chunks of their users’ data is sitting on servers in the US or elsewhere.
In fact, because of a recent US court ruling, the stakes are even higher. A US magistrate recently ruled that US companies have to comply with search warrants issued within the US, even if compliance involves handing over data held in data centers outside of the US. The result is that data may be up for grabs by US authorities even if it has never touched data centers in the United States. Issues of judicial overreach aside, this should give cloud users pause for thought when it comes to choosing a vendor.
User privacy and responsible data sovereignty strategies become ever more essential as the Internet and cloud itself grow to take a central place in business’ interactions with their customers. However far forward the technological and infrastructural underpinnings of the cloud advance, it’s unlikely that large companies will be able to disregard the location of their data in the foreseeable future.
It will remain crucially important that companies choose IaaS and other cloud service providers who are capable of giving them reassurance that data will remain where it is supposed to, under the legal and regulatory frameworks of their choice.