The Boundaries of Cloud Computing: World, Nation or Jurisdiction?

By Andrea Di Maio | October 02, 2009 | 2 Comments


I have written before about the geopolitics of cloud computing (see here and here), and I am planning to write a fully fledged note for Gartner clients. This topic keeps emerging with clients at state, provincial and local level, who expect future IT investments to be directly or indirectly connected to economic recovery, and can’t quite articulate how cloud computing can help locally in that respect.

Besides that, yesterday I had an exchange with a few Gartner colleagues about the thorny issue of data location. Vendors like Google claim they will be able to provide government clients in the US with cloud services that comply with federal security requirements (FISMA) and run on servers that are physically located in the US. Our discussion was whether this will also be enough for state and local, as well as international, government clients to move their email or desktop applications into “the cloud”. Of course this does not apply only to Google but to any vendor providing cloud services of some sort.

None of us is a legal expert, although a few have a legal background, nor is Gartner supposed to provide any sort of legal advice. However, there are a number of issues that are apparent in discussions with clients. For instance:

  • what if, during an investigation in a particular jurisdiction (say, a state), law enforcement authorities need to seize data concerning a subject who is being investigated? Could they seize data located in a different state (as opposed to data on a local desktop)?
  • what if a server seized for an investigation in a particular jurisdiction contains data concerning subjects who reside in a different jurisdiction? Would this infringe their data protection rights?

Should this not be an issue within the US (I frankly do not know), it certainly is across different countries. This, combined with the desire to show a positive impact of government IT spending on local economies, creates an interesting set of issues for cloud service providers.

The question is whether cloud computing can still deliver its potential benefits if clients are granted data location control at a pretty granular level. Of course this is not a problem if clients are federal government agencies and the jurisdiction is the whole US. But if you think about Europe, with its many countries, some of them being in turn federal, things get far more complicated.

This is particularly relevant for private and community cloud services. The large public cloud vendors, such as Google, Amazon and Microsoft, will compete with infrastructure utility providers, such as HP or IBM (that already run infrastructure and application services for several government clients) as well as with government-owned shared service centers aiming to become cloud service providers for their jurisdictions. Whereas the scale of large global-class infrastructures from the former should provide a better price-performance ratio, procurement decisions will be influenced by a variety of other criteria, including data location control and public value impact.

Definitely the jury is still out on who will win this race.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


  • This conversation came up quite a lot at last week’s COSAC Security Conference here in Ireland, and I covered quite a few of the issues during my presentation: It is a huge issue in Europe due to the EU Data Protection Act as well as the public sector extraterritoriality issues you mentioned above.

    What will happen is that many cloud users will roll their own solutions to this, but it still can’t keep the data isolated to a particular locality or jurisdiction. Seizure of assets is only one issue, and with large cloud providers is actually unlikely to happen in practice. The scale and jurisdiction issues will prevent doing this on a practical level. All of the seizure procedures and laws are geared towards the assumption that your datacenter is bounded by 4 walls that can be easily identified. In the cloud environment, this assumption is clearly false.

    From a pragmatic point of view, most cloud users are encrypting the information they store on cloud providers anyway, so even when the information is shipped around the world, it is effectively useless and opaque should it be captured or archived. While there are groups at the UN level looking at some of these cross-jurisdictional issues, any effective changes will take quite some time to materialize, and there will always be those countries that aren’t part of the agreement.

    You’re right that these issues can initially sway a cloud discussion towards a more traditional managed services agreement with some of the larger vendors. However, I think that a lot of organizations won’t be able to ignore the cost savings and the other benefits of more global cloud solutions vs. the price point that managed services could provide. Besides, the US Government has a Federal Computing Cloud for just this reason already. Whether it makes sense for smaller EU nations or other parts of the world to do this remains to be seen.

  • Isn’t it about time to redefine the definition of “location” when referring to digital data? At a micro-level, location is a fuzzy concept anyway, keeping various RAID levels, disk striping and data virtualization in mind. Pinning data down to one disc is almost impossible these days. However, once storage arrays span geoclusters over WAN – and that will happen sooner or later – pinning data down to one datacenter will get harder and harder. What if “location” of digital data would instead be defined in terms of the owner of the data? If this is combined with a data “boundary” definition in terms of encryption, wouldn’t that give us the hooks into the existing legal frames?