One of the fundamental concepts underpinning cloud computing is that the location of the servers and other physical infrastructure running the software and storing the data is entirely irrelevant.
That’s why it borrowed the metaphor of the cloud from old telecoms network diagrams, in which the telephone network (and later the internet) was represented by a cloud, to show that the technologies and locations of this part didn’t matter.
But it turns out that geography matters quite a lot when it comes to cloud computing. While the — mostly US-based — big cloud computing companies envisaged giant economies of scale by delivering services to customers from datacenters anywhere in the world, it hasn’t quite turned out that way.
Increasingly, cloud services are being delivered from, and for, specific geographies. In part, that’s down to the issue of latency: the time it takes the data to travel to and from the datacenter, an issue for applications like stock trading. It’s also partly due to privacy regulations and other local legislation.
As it grows, cloud computing is having to grapple with the geopolitical realities and limitations of delivering services to users across many borders. Rather than being an anonymous cloud of computing power, most companies prefer (and are often obliged) to use infrastructure much closer to home.
For example, there has been a lot of growth in cloud computing services offered from within Europe (EU rules set a high standard for data protection), which are set to increase further the with the arrival of the new GDPR legislation next year. There have also been concerns that US law enforcement could request data held in the datacenters of US companies, even if that data is not stored in the US.
As a result, some companies are changing their approach significantly. Last year, Microsoft started offering its Azure cloud services from two new German datacenters where, unlike its standard cloud computing option, the customer data was stored under the control of a “data trustee”, in this case T-Systems International, an independent German company and subsidiary of Deutsche Telekom. Microsoft cannot access data at the sites without the customer’s permission.
And IBM recently announced it is overhauling the way it manages data stored in one of its European cloud computing datacenters, in order to give European customers tighter control over who can access it. The company is adding new controls so that access to customer data in its Frankfurt datacenter is controlled by EU-based IBM employees only. EU-based staff will also review and approve all changes from non-EU based employees that could affect clients’ data.
The location of the company offering a cloud service is something that has come under particular scrutiny recently. For example, the UK government’s National Cyber Security Centre (NCSC) warned about the use of some cloud-based antivirus products from Russian companies, but also warned more broadly about the use of cloud services within the government supply chain.
“The country of origin matters. It isn’t everything, and nor is it a simple matter of flags — there are Western companies who have non-Western contributors to their supply chain, including from hostile states. But in the national security space there are some obvious risks around foreign ownership,” NCSC CEO Ciaran Martin wrote in a letter to civil service chiefs.
The NCSC noted that government departments might not even be aware they are using cloud-based services: “It’s easy to overlook the nature of these cloud interactions, and the security implications. You should understand if and how your deployed products interact with cloud services — almost all of them will in some way. This begins with the operating system itself, as well as the products installed on it.”
Not all cloud products will create a security risk, it noted, but added that government agencies should consider where a product is used and what they know about its capabilities. Depending on the data that the service is collecting and where that data is being stored, protection of the data may be governed by different legal jurisdictions.
“For this reason, it is important to know what data is being collected and where it is being stored to ensure continuous compliance with all applicable legal requirements. Inappropriate protection of user data could result in legal and regulatory sanction, or reputational damage.”
And then there are other examples of cloud providers have also been required to change the way they deliver services because of local laws. One of the most high profile of these is AWS. Last month the company sold some of its other cloud computing infrastructure in China to Sinnet in a deal worth $300m, a move it said was necessary in order to comply with the country’s tech regulations: Chinese law forbids non-Chinese companies from owning cloud computing technology. This month AWS opened a second China (Ningxia) Region, operated by Ningxia Western Cloud Data Technology.
While the services available at both AWS China regions are the same as those available in other AWS regions, the China regions are isolated from all other AWS regions and operated separately.
Consultants Accenture has warned that for global businesses the risk is ‘digital fragmentation‘ will result as different countries enact legislation to protect privacy and improve cyber security.
It argues while the aims of the laws is laudable, the impact is to raise costs for businesses. Three quarters of the 400 CIOs and CTOs surveyed expect to exit a geographic market, delay their market-entry plans or abandon market-entry plans in the next three years as a result of increased barriers to globalization.
More than half of the business leaders surveyed believe that the increasing barriers to globalization will limit their ability to use or provide cloud-based services (cited by 54 percent of respondents, versus 14 percent that disagree); use or provide data and analytics services across national markets (54 percent versus 15 percent); and operate effectively across different national IT standards (58 percent versus 18 percent).
Over half said these increasing barriers will force their companies to rethink their global IT architectures (cited by 60 per cent) physical IT location strategy (52 per cent); cybersecurity strategy and capabilities (51 per cent); relationship with local and global IT suppliers (50 per cent).
Still, for vendors this tweaking of cloud computing services for a particular country or region is also a reflection of the success; adoption of cloud services continues at a rapid pace, and is growing fast in countries like China.
“It’s proliferation not fragmentation,” said William Fellows, VP at 451 Research. The analyst firm predicts that 60 percent of workloads will be running in some form of hosted cloud service by 2019, up from 45 percent today.
“Wherever a new datacenter opens, there is accelerated growth in that country/region. Sovereignty matters for some workloads in terms of execution/data storage — ie where it happens. But location matters for all in terms of the audit process, whether there is a specific sovereignty requirement of not,” he said.
Analyst IDC has estimated that worldwide whole cloud revenues will reach $554bn in 2021, more than double those of 2016.”The most obvious takeaway from this forecast is that the shift to the cloud consumption model — in all its forms — is a mass movement, and will continue to be such over the forecast period,” said Frank Gens, senior vice president and chief analyst at IDC.
“Equally important, though, is the steady drumbeat of tech innovation that is coming from the major public cloud suppliers, making it virtually impossible for enterprises and developers seeking advantage through IT not to embrace the public cloud.”