The post-Snowden tightening of data sovereignty regulations around the world, notwithstanding this month’s ruling by an EU court to invalidate Safe Harbor rules for transatlantic data transfers, gave cloud services a physical dimension that perhaps wasn’t as pronounced in the past.
Both customers and service providers now have to give a lot more thought to questions like where customer data and applications are stored, where those applications’ users are, and what set of rules governs data transfer and storage in any particular location.
In delivering its fairly new Platform-as-a-Service offering called Bluemix to developers around the world, IBM took an approach that, in a way, preempted the European Court of Justice’s ruling that Safe Harbor violated European citizens’ privacy rights. Users have full control of where their data resides, and they can choose to store it on either side of the Atlantic, Tim Vanderham, VP of cloud platform services at IBM, said.
The company claims Bluemix is the single biggest deployment of the open source Cloud Foundry PaaS, which originally came out of VMware but was eventually spun out into an independently governed open source project. There are three deployment models for Bluemix: public, dedicated, and on-premise. Dedicated Bluemix servers can be in an IBM SoftLayer data center anywhere around the world, and the on-prem version can be in any data center around the world, including customers’ own or third-party colocation facilities. Both of the two options give the user full control of their data location and configuration of network links that carry it to its destinations.
The most sensitive option is the public PaaS, because it is a multi-tenant cloud infrastructure, where users share servers controlled exclusively by IBM. Bluemix public today runs in data centers in Dallas and London. The company announced this week a partnership with Chinese data center provider 21Vianet to operate the service in China and plans to launch a Sydney location in the near future, Vanderham said.
Even with the public cloud option, however, if you choose an instance in London, you can rest assured it will not exchange data with any location you haven’t requested, he explained.
With a single account, a user can define where their application is deployed and, importantly, where services used by that application will be delivered from. While one of the things that make the PaaS valuable is development environment and the automated infrastructure it runs on, the rest of its value comes from the 100-plus application services available to developers, including among other things IBM’s Big Data analytics and cognitive computing services called Watson.
Your application may be hosted in London, but you may choose the services to be delivered from an IBM data center in Germany, for example. If you need to store your own data accessed by your application that runs on Bluemix in a specific location, you can use either a dedicated instance in a SoftLayer data center, or, if there isn’t a SoftLayer data center in that location, you can deploy a local instance in a data center of your choice.
IBM’s response to the Safe Harbor ruling so far has been similar to the response by other major cloud providers. It posted a notice on its website telling customers they can rely on the alternative set of data transfer rules for EU members – the so-called Model Clauses – to continue to operate legally if they move data between US and Europe. This would be for companies that run their own services on top ofIBM's cloud infrastructure and need to move data across the Atlantic.
More than 20 IBM services covered by Model Clauses are on IBM’s list, and “clearly, Bluemix is going to go in that direction,” Vanderham said. All the application services available through Bluemix will over time move to the Model Clause model as well, he added.
Overall, IBM prefers to deploy Bluemix and other cloud services in its SoftLayer data centers. That’s not possible everywhere, however. In China, for instance, a foreign company must partner with a Chinese company if you want to set up shop there.
“Laws and rules set forth by the Chinese government require that you … have a cloud service delivery certification, and that has to be done by a Chinese national company,” Vanderham said. “While we continue to investigate the options to bring SoftLayer to China, we chose to partner with 21Vianet because of our previous relationship with them, which we had since 2013 around cloud managed services.”
The Chinese data center company provides IBM’s managed services in China. It has a similar relationship with Microsoft, providing its Azure and Office 365 cloud services out of its data centers in the country.