1 Data localization requirements, which mandate that data stay in a particular jurisdiction, or that a copy of all data be maintained in the jurisdiction at all times, often require the construction of expensive and potentially redundant cloud-infrastructure.
2 Governments and customers may have concerns over the routing of their traffic through potentially hostile or otherwise unsafe territories, worrying that their data may be vulnerable to interception, destruction, and even manipulation while transiting such jurisdictions. These requirements may force providers to route data in less-optimal network pathways, deviating from their practice of making routing decisions to optimize the speed and efficiency of services.
3 For example, being required to facilitate government access to data under one country’s laws and being prohibited from doing so under another’s.
4 See: Barton Gellman and Ashkan Soltani, “NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say,” The Washington Post, October 30, 2013, https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html.
5 The localization of data in-territory does not guarantee its security. Data security is attained through encryption and robust zero-trust system architectures.
6 See: IBM, “Network security architecture,” IBM, n.d., https://www.ibm.com/cloud/architecture/architectures/network-security-arch and Ciara Gallager, “Data in motion – how to protect it – 5 Key Considerations,” Microsoft Pulse, n.d., https://pulse.microsoft.com/en-ie/technology-lifestyle-en-ie/na/fa3-data-in-motion-how-to-protect-it-5-key-considerations/.
7 The Internet Society’s “Mutually Agreed Norms for Routing Security (MANRS),” whose members include Akamai, AWS, Cloudflare, Google, and Microsoft (among other key stakeholders, such as internet service providers), sets out 6 security-enhancing actions for cloud providers and Content Delivery Networks. These include: (1) ensuring the correctness of routing announcements issued by their peers and customers (this can be achieved through explicit ingress filtering, using RPKI and IRR as validation protocols) and whenever possible, checking that the announcements originate from legitimate sources; (2) implementing anti-spoofing controls to prevent traffic with illegitimate source addresses from leaving the network (aka, egress filtering). This will require monitoring and controlling what their customers, who are using virtual machines, can do on the network; (3) registering routing information in public routing repositories (e.g., IRRs and RPKI). Doing so will motivate third parties to do the same, which will enable other network operators to validate routing announcements on a global scale; and (4) offering routing monitoring and debugging tools to peers and if possible, to the wider public. See: MNRS, “MANRS for CDN and Cloud Providers,” MANRS, March 1, 2021, https://www.manrs.org/cdn-cloud-providers/.