Amazon Web service's European vocation
Amazon is making EC2 available in two new EU-based availability zones, giving the cloud community its first "regulation compliant" infrastructure. What does it mean to the future of cloud computing and the law?
Amazon today used the Le Web 3 conference as an opportunity to announce the availability of EC2 in the European Union, along with several associated services. Details are available from the Amazon Web Services blog:
We've created a new region for Europe, separate and distinct from the existing region in the United States. For fault tolerance, data separation, and stability, each EC2 region is an entity unto itself; issues within one region won't affect the other one. This means that Amazon Machine Images (AMIs), security groups, and SSH keypairs must be created anew in each region. We're working on tools to make it easy to move this information between regions. Also, as we learn more about how customers use multiple regions, we will add APIs to make it even easier for them to do so.
With the exception of support for Microsoft Windows and for Amazon DevPay (both of which will be ready before too long), every feature of EC2 is available in the new region, including Elastic Block Storage and Elastic IP Addresses.
This announcement would actually be rather boring if it weren't for the importance of the EU's privacy regulations on cloud computing.
Most of you probably know this already, but it bears repeating: EU regulations require that personal data collected from EU residents must remain in the EU. Many individual countries have even tougher regulations. This is one of the great test cases of old school government legislating the new world of the global Internet.
I've written about the effect of legislation on data storage within the U.S., and hinted at the EU issues as a part of my "Follow the Law" thesis, but this is the first time enterprises and Web businesses alike have an opportunity to play with geographical data policies in a large-scale cloud environment. Amazon is providing two "Availability Zones" within the EU, with the aim of providing a redundant cloud infrastructure that guarantees processing and storage within EU geographical boundaries. One interesting aspect is that each EU region is a standalone AWS instance--AMIs and keys must be re-created in each zone. (This is interesting because it is, in part, a way to bypass the Patriot Act.)
What I am most interested in here is what the effects of having geographical control over cloud deployment will have on the evolution of a "regulation-aware cloud," a concept I have been playing with ever since the "Follow the Law" days. Initially, all regulation policy will be managed manually, but with CohesiveFT and others already supporting the EU EC2 world, how long until a simple checkbox appears on some of these management consoles that says "data must comply to EU privacy regulations"? After that, how long until generic dynamic policies appear that allow arbitrary regulatory requirements to be declared by EC2 customers? Finally, when will government step in and define such policies for the cloud, allowing users to simply describe the contents of their data and processing, leaving the regulatory management of workloads to the underlying cloud?
Or is that even desirable? The alternative is that the technical community architects ("Code is Law") or lobbies for "voluntary" regulatory compliance on the Internet, and provides governments with auditing metrics to allow them to enforce compliance--sort of an OSHA for compute workloads.
Or perhaps I'm missing yet another viable alternative?
Congratulations to the Amazon team for leading--yet again--with a cloud feature that will be ubiquitous one day. Are all the rest ready to catch up?