> This is something AWS is scrambling to address with its recent announcement of a €7.8 billion investment in an AWS European Sovereign Cloud, expected to launch its first region in Germany by the end of 2025. But will that be enough to regain the trust of European corporations
Given the CLOUD Act and FISA, no, it should not be enough to regain the trust of those European corporations that look for data sovereignty. As long as those exist, all proposed "sovereignty" guarantees by vendors that have their (or their parent company's) HQ in the US are entirely worthless and should be ignored.
What difference does that make, if the parent company is in the US and its executives can be physically compelled to send orders to the local operator?
They license the software to run the cloud, they don’t actually run it. Basically a white-labeled solution for DC software like OpenStack.
This is not a new idea and is how Azure (or AWS) always operated in China. The Azure Fabric software is licensed to DCs owned and operated by 21vianet, a Chinese company. Microsoft has no control over what happens there.
No amount of legal[1] US pressure can make Microsoft give access to those DCs, as they don’t have it in the first place.
This is why you cannot just provision hardware in China in AWS/Azure; you have to enter into a separate contract with the Chinese operator first and comply with any government restrictions that the Chinese state may require.
[1] Illegal/unauthorized tapping is a different matter, and preventing that is not the intent of sovereign clouds.
Thanks for explaining. But it sounds like the European version will be less watertight. European customers will be able to “store sensitive data and run critical workloads on AWS infrastructure that is operated and supported by AWS employees located in and residents of the European Union (EU)” [1].
The operator isn't under the other company, so if they say "we need this data" they can just say no.
Now potentially they could try to trick the operator, but I'm not sure a company could be compelled to do so under US law. While there don't appear to be any relevant cases, this would fall under compelled speech (https://en.m.wikipedia.org/wiki/Compelled_speech) and it seems like it would fall on the impermissible side to me.
It seems like they're doing it differently than they did for e.g., China.
Note that the money is simply a matter of a contract (e.g., we will hire your company, which is located in China to operate our cloud region. We'll give you X dollars, and you'll give us Y revenue).
For the Germany region, they're using a mixture of technical controls (e.g., the AWS user has to sign off on accesses in a way that's technically not circumventable (think like a phone's unlock screen or something protecting the data on the device)) and only allowing AWS employees located in the EU to operate it (presumably the goal being that employees physically located in the EU can't be compelled in the same way as those located in the US).
Amazon licenses the technology to the other company and finances their related infrastructure, in exchange for most of the profit they make from it, or something along those lines, I would guess. It’s a contractual agreement.
Do you mean a local subsidiary, e.g. "AWS Europe" or "Microsoft Europe"? Those are included in those acts all the same. If not, what kind of local operator are you thinking that e.g. AWS will use?
Microsoft tried the same (working with Deutsche Telekom) a few years ago. It offered only half the services (mainly "raw" compute, not the cloud services) and was about 30% more expensive and (by design) did not interact with the "regular" Azure. You can imagine how that went.