If it's a feature your customers are asking for, it's difficult not to want to provide it. Although one of the benefits of public cloud computing is the ability to provision computing and storage resources from anywhere in the world on-demand, enterprises in Europe are wary that if their cloud-based assets are migrated to servers residing in the U.S., then they could (even if they never have yet) be subject to inspection by U.S. law enforcement authorities, even though the assets themselves are not American.
It's still the most controversial provision of the U.S. Patriot Act, signed into law in October 2001. Because of this, European cloud customers specifically request that their service providers (CSPs) block any live migration to U.S. servers. And because it's such a frequent request, CSPs including Zurich-based CloudSigma are offering what they call "Patriot-proof" clouds as a feature.
"I think it's largely a theoretical risk. I don't believe the U.S. Government is rampantly going around, getting data off of U.S. subsidiary-operated clouds," admits Robert Jenkins, CloudSigma's chief technology officer, in an interview with ReadWriteWeb. "But also, I think people do have a genuine concern, because the penalties are quite strict."
There's now raw data to verify the suspicion that European CSPs restricting all or some of their cloud services to geographies outside the U.S. - or even just to Europe - is costing Europe valuable investments and prestige. Last year, according to data from U.K.-based telecom analyst firm Informa, the Middle East/Africa region nearly pulled even with Western Europe in the number of operators offering viable cloud services. The rate of growth for European cloud services is among the lowest on the planet.
Prior to the Informa data's release, European Commission Vice President Viviane Reding asked her country's CSPs to refrain from making these offers, saying the free flow of data between nations is essential to healthy trade and a vibrant economy. But as CloudSigma's Jenkins tells us, some European CSPs actually don't have a choice. In Germany, for example, cloud customers may be subject to criminal sanctions if their cloud deployments expose personally identifiable data (PID) to any agency outside Germany.
"The reality is, there's a disconnect between the U.S. position and the European position at the moment," remarks Jenkins. "And the problem is that companies are in a position where essentially they comply with European law, but then they would break U.S. law if they work with a U.S. company, or vice versa. It's a big mess, and for sure, it needs clarifying."
Despite Comm. Reding's calls for CSPs to open up, Jenkins says the E.U. already has very clear laws mandating them to protect citizens' personal data - laws which are unlikely to ever be changed. Those laws state service providers must notify users and seek their permission before transferring their PID to any third party. This is the case, he says, not only for cloud service providers but conventional co-location providers as well.
Jenkins says CloudSigma has designed its IaaS servers to be separable by the customer when necessary. Although CloudSigma does have a U.S. subsidiary, there is not a free flow of data between its American and European servers. "We've done that deliberately to allow customers in Europe to say, 'I'm only using a European cloud, therefore I'm not exposing myself to U.S. jurisdiction.' Likewise, the U.S. company can [choose to] only use the U.S. cloud, and only expose themselves to U.S. jurisdiction because we're a U.S. company in the U.S... Our aim is to make it easy for the customer to understand what jurisdiction they are exposing themselves to."
For CSPs that provide PaaS and SaaS, the CloudSigma CTO points out, this level of compartmentalization is not so easy to achieve. Data replication is common in order to ensure resilience and service reliability, so it's conceivable that replicated data may cross jurisdictional boundaries. There will be no way, he predicts, for Google to be able to guarantee its Gmail or Google Apps customers that their data will never fall under some particular, questionable jurisdiction - say, China.
But how CloudSigma lets its IaaS customers approach the jurisdiction problem is during the account creation phase. This way, a customer who may need to operate services in Shanghai can easily be informed as to the possibilities of oversight by Chinese authorities. "It's not an anti-U.S. or pro-Europe question, 'Can I control who has access to my data?'" Jenkins says. "Our job is to try to make it as transparent and as controllable as possible, so a company can go open an account in a specific location, and that's their home jurisdiction. Then they can opt into other cloud locations as they see fit."
As an example, Jenkins offered the case of a Zurich-based customer who wants to add failover and geographic load-balancing in the U.S. That customer will see a warning saying that her customer records will be replicated in the U.S. as well, and explaining the implications of that data falling under U.S. jurisdiction. If both jurisdictions are linked together as one service, the explanation will also add that authorities in either location may have access to customer data from the other. A multi-national company which has offices across the globe, he adds, may actually not have the luxury of choosing an IaaS service that's centered in Zurich.
This opt-in approach, he believes, gives his company an advantage insofar as Europe is concerned. The flip side is that it may be a disadvantage for CloudSigma in the U.S.
"For us, it would be a very advantageous thing to have a consistent approach, as well as for the cloud in general. I think overall, we're a net winner because we're on the European side and we could potentially benefit. But [on the other hand], in Switzerland we don't because it puts people off of the cloud in general, and that's a bad thing. It's something that's in the interest of European cloud providers to resolve... I think finding some middle ground would be beneficial, maybe some sort of framework that goes between the U.S. and Europe. Maybe there's a way to provide some oversight in Europe that would make the E.U. people happy, and then the U.S. would feel like they have some level of access to prevent terrorism. There needs to be some sort of balance... [that] doesn't break either system fundamentally."