Geolocation and the Cloud—An Oxymoron?
At the end of the day, cloud computing is all about abstracting the underlying hardware and software infrastructure. Users aren’t supposed to worry about where the systems are actually located, or to know much more than that when they connect, the systems respond quickly and appropriately. That is the theory, anyway.
Real life is never that simple, and nowhere is this truer than in cloud computing. As cloud computing services become more widely accepted by the enterprise, regulatory compliance, geolocation, and corporate governance issues that are non-existent for, or ignored by, end users and smaller local companies suddenly loom large. Global companies using cloud services need to know where their data is actually located.
Geolocation has recently become a major issue, particularly in Europe and Canada. Many countries are passing data sovereignty laws that require that certain sensitive information about their citizens remain within the country’s borders. Canada requires that all medical records and personal information about Canadian citizens be stored in Canada. Germany has a similar constraint.
These requirements are in direct conflict with the core cloud computing principles of anywhere and anytime availability. To address the issue, the W3 Standards Organization is currently working on creating a standard for encoding geolocation information.
For companies interested in creating cloud applications on IaaS and PaaS platforms, geolocation requirements are typically easier to achieve. It is a matter of working with a cloud service provider that has multiple data centers around the world and making sure that the service level agreement fits the data location requirements for your specific needs.
Many of the larger providers that commonly work with enterprise customers already have the basic certifications and processes in place to make it relatively easy to achieve the desired geolocation requirements. A provider that will not agree to these conditions and thus will not pass an audit doesn’t belong on the short list.
SaaS providers are somewhat more problematic. In the past their services were geared to companies that had less need for globalization, so typically they did not share details about the location of their data centers or underlying architectures. In addition, it is not uncommon for them to be located in only a few data center locations. Until a few years ago, one major ERP SaaS provider had servers in only one data center in the Bay Area, something that would be totally unacceptable today.
Look for providers that cater to global enterprises. They should be more aware of the regulations and more willing to provide auditable services. If they aren’t willing or able to meet these requests, it’s time to move on.
To add complexity to the problem, the US has long been the leader in data center facilities management due to its plentiful cheap power, highly trained data center support staff, and readily available land. Since the passage of the Patriot Act in 2001, there has been growing unease among many nations about the wisdom of locating data in a country that has laws giving it the right to access private data seemingly at whim.
Even though the reality is quite different, the perception has given many global enterprises reason to reconsider the notion of relying exclusively on US-centric facilities. In response, Canada has become a popular alternative.
This is where cloud service providers with a global presence shine. By building tools and rule sets that ensure data stays in the location it is supposed to, and by offering auditable service level agreements to back that up, they let enterprises with a global footprint be confident that they will meet the regulatory requirements of the countries in which they do business.