The Boundaries of Cloud Computing: World, Nation or Jurisdiction?

Andrea Di Maio
VP Distinguished Analyst
12 years at Gartner
25 years IT industry

Andrea Di Maio is a vice president and distinguished analyst in Gartner Research, where he focuses on the public sector, with particular reference to e-government strategies, Web 2.0, the business value of IT, open-source software… Read Full Bio

The Boundaries of Cloud Computing: World, Nation or Jurisdiction?

by Andrea Di Maio  |  October 2, 2009


I have been writing before about the geopolitics of cloud computing (see here and here), and I am planning to write a fully fledged note for Gartner clients. This topic keeps emerging with clients at state, provincial and local level, who expect future IT investments to be directly or indirectly connected to economic recovery, and can't quite articulate how cloud computing can help locally in that respect.
Besides that, yesterday I had an exchange with a few Gartner colleagues about the thorny issue of data location. Vendors like Google claim they will be able to provide government clients in the US cloud services that comply with federal security requirements (FISMA) and run on servers that are physically located in the US. Our discussion was whether this will be enough also for state & local as well as international government clients to be moving their email or desktop applications into "the cloud". Of course this does not apply only to Google but to any vendor providing cloud services of sort.
None of us is a legal expert, although a few have a legal background, nor is Gartner supposed to provide any sort of legal advice. However there a number of issues that apparent in discussion with clients. For instance:

• what if, during an investigation in a particular jurisdiction (say, a state), law enforcement authorities need to seize data concerning a subject who is being investigated? Could they seize data located in a different state (as opposed to data on a local desktop)?
• what if a server seized for an investigation in a particular jurisdiction contains data concerning subjects who reside in a different jurisdiction? Would this infringe their data protection rights?

Should this not be an issue within the US (I frankly do not know), it certainly is across different countries.This, combined with the desire of showing a positive impact of government IT spending on local economies, creates an interesting set of issues for cloud service providers.
The question is whether cloud computing can still deliver its potential benefits if clients are granted data location control at a pretty granular level. Of course this is not a problem if clients are federal government agencies and the jurisdiction is the whole US. But if you think about Europe, with its many countries, some of them being in turn federal, things get far more complicated.
This is particularly relevant for private and community cloud services. The large public cloud vendors, such as Google, Amazon and Microsoft, will compete with infrastructure utility providers, such as HP or IBM (that already run infrastructure and application services for several government clients) as well as with government-owned shared service centers aiming to become cloud service providers for their jurisdictions. Whereas the scale of large global-class infrastructures from the former should provide a better price-performance ratio, procurement decisions will be influenced by a variety of other criteria, including data location control and public value impact.
Definitely the jury is still out on who will win this race.