EU AWS Hosting: Data Residency, Regionality, Digital Sovereignty, GDPR

This article sheds light on the intersection of legal and technical aspects when hosting data on AWS as a European company.

The trend continues unabated. Companies continue moving data and applications to the cloud, harnessing the advantages of scalability, time to market, cost and many more.

But why are many European companies still reluctant to move over to hyper-scalers like AWS?

To answer that question, let’s take a look at the following concerns that many security-conscious companies have: 

• Data Residency - Where is data hosted for European companies and by whom?
• Regionality - Does data stay in Europe?
• Digital Sovereignty - Is the company and nobody else in control of the data?
• GDPR compliance - Is it ok from a legal point?

Data Residency - Where is data hosted for European companies and by whom?

Since July 2018, Amazon.com Inc. has been selling services to European companies through its European subsidiary Amazon Web Services EMEA SARL, ("AWS Europe"). The AWS Europe hosts content in various European data centers (locations in Ireland, Sweden, UK, Germany, Italy, France and Spain (in preparation).

Regionality - Does data stay in Europe?

The customer can impose that data stays in Europe. 

Regionality is a feature enabled through AWS key attributes. As a result, data can only be decrypted in regions where it has been authorized.

The AWS KMS has a specific attribute for keys called 'Regionality'. The customer can set this attribute to single or multi-region keys. The latter might be necessary when data needs to be read in various regions. With a single region setting for the EU, the data will not be decryptable outside the EU boundaries.

Digital Sovereignty - Is the company and nobody else in control of the data?

The term digital sovereignty “refers to the degree of control an individual, organization or government has over the data they produce and work with” (Atos). The degree of control depends on the strategy which the user chooses in managing data encryption. In order to be in control of the data across various platforms, a safe way is to bring your own key (BYOK). It ensures to a high degree that employees of the CSP or third parties can not access unencrypted data. They simply do not have access to data in an unencrypted form. 

Technically, even a subpoena from a US American body should not be successful, simply because a third party manages the keys on behalf of the customer, has the ownership and is in control of the keys - not Amazon. Even a subpoena from a US American body should not be successful, simply because Amazon cannot decrypt the data outside Europe.

GDPR compliance - Is it ok from a legal point?

The Regional Court of Karlsruhe (Oberlandesgericht) gave an interesting court verdict for exactly such as case, where the hoster is a European subsidiary of a US company and data is hosted in Europe.

The court ruled that doubts in trustworthiness cannot be justified simply with the fact that a CSP is a subsidiary of a US group. Customers do not need to assume that - due to the group affiliation - the subsidiary would receive and follow illegal instructions from the US parent company.

Based on the “in-dubio-pro-reo” principle (in cases of doubt, favor the accused), customers do not need to doubt the conduct of the CSP in relation to GDPR compliance.

This verdict is an important precedent for EU-based companies as it gives companies the legal backup for hosting data on the European AWS cloud.

Why Integrate Cryptomathic’s AWS BYOK Service for AWS Storage Services?

Cryptomathic’s AWS BYOK Service is designed to keep data protected and out of the reach of unauthorized third parties, including AWS employees unable to retrieve user plaintext keys. These keys are never written to the disk. Instead, they are only used in volatile memory in the HSM. The user keeps a secure copy of the keys, where the keys can be re-imported or exported when needed.

Using Cryptomathic’s AWS BYOK Service on the European AWS cloud offers ownership and a high level of control over the permissions and lifecycle of the users’ keys. AWS provides users with the scalability of their databases while Cryptomathic allows for automatic scaling to manage multiple keys and use when needed to keep keys secure. The service defines the data residency and ensures the customer’s digital sovereignty over the data. A comfortable audit reporting feature empowers the customer to substantiate its compliance with European law, i.e. GDPR.