Legalities of Cloud Computing
Let's take a moment to talk about some of the legalities of cloud computing. The biggest obstacle that you will encounter when moving to a cloud-computing model is that of data security and protection.
There are some interesting things to consider here.
Firstly, let's look at how AWS is set up.
AWS hosts its servers in 'regions'. The current AWS regions are:
US-East (Northern Virginia)
US-West (Northern California)
EU (Ireland)
Asia Pacific (Singapore)
As you can see, the four regions cross three separate country boundaries.
Note
When provisioning a resource within the AWS cloud, Amazon guarantees that your data will never leave the geographic region in which it was initially placed.
It is unclear what AWS has committed to in terms of liability. What laws apply to data stored, for instance, in Northern Virginia? The AWS contract stipulates that the State of Washington will govern the AWS Customer Agreement; however, what does this mean for your data?
At this point, Amazon is reluctant to commit to anything other than its click-through agreement (http://aws.amazon.com/agreement), and this will be a big stumbling block for some organizations.
However, in November 2009, AWS completed a SAS 70 Type II audit (http://aws.amazon.com/about-aws/whats-new/2009/11/11/aws-completes-sas70-type-ii-audit), and as such passes the requirements for the storage and management of customer details and credit card data.
Sarbanes-Oxley and HIPAA are also both areas of interest in relation to cloud services. While Amazon does briefly mention both of these in its security papers, neither is addressed directly.
Note
If your organization deals with government or health data, please note that Amazon advises companies to obtain separate legal advice before hosting their applications within the AWS cloud.
Amazon has released a security white paper, located at http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf.