Our corporate lawyers say otherwise. The laws applying to data at rest are determined by the jurisdiction where the data is physically stored. That's why we couldn't use GCP for years. Google would never guarantee your data would only be stored in the continental US (mandated by our legal department). Now they can do that, so we use GCP. At an organization I was at previously they had the same legal requirement, and so they went all-in on AWS. Google is unlikely to get any of their business anytime in the foreseeable future.
That sounds to me like the epitome of foolishness. Making a law about where your data rests requires a severe misconception of the risks of that data being revealed to your adversaries.
Depends on who your adversaries are. I have no doubt that all top cloud providers (AWS, Azure, GCP and OCI) are doing a great job keeping my data secure. But they need to obey US authority, and considering what is happening right now, that is not very reassuring. At the bare minimum, if I need to pick a cloud region, I will pick one within the EU. But after the CLOUD Act (see: https://www.justice.gov/criminal/cloud-act-resources) not even Europe is secure. So, no, it is not foolishness.
Whether it's foolish or not, it's not my decision. There are three groups in an organization that'll have a significant impact on your solution approach:
- Legal
- Cybersecurity
- Enterprise Architecture
You can influence these groups, but ultimately, they set the mandates.
I'm having so much trouble making sense of this comment. Besides the fact that we're not talking about a law, it's common practice for European companies to require their SaaS products and themselves to only have EU data residency, so it's not that foolish, especially if that data is very sensitive. What are you talking about with severe misconceptions and adversaries?