Amazon's EU Cloud: Disconnected operation not yet tested by BSI
Presentation of AWS's “European Sovereign Cloud” shows that the cloud giant wants to retain its European customers. However, one important test is still missing.
It almost seems as if Amazon's cloud service provider AWS was driven by its customers when designing its “European Sovereign Cloud” (ESC): AWS has promised its customers from the outset that data would not be moved to other regions and has always adhered to this, says AWS CEO Matt Garman on Thursday at the presentation of the new EU cloud in Potsdam. No one would have access to the workloads, Garman emphasizes. Customers want to use the cloud. However, they are faced with regulatory requirements, and they do not want a watered-down version of Amazon's cloud service.
On Thursday at the Hasso Plattner Institute in Potsdam-Griebnitzsee, AWS representatives repeatedly emphasize that it has always been about security – both technological and organizational security, so that truly no one has access to data or can shut it down. As a testimonial for the performance and resilience of AWS's previous offerings, Garman has brought a video of the former Ukrainian Minister of Digital Transformation, Mykhailo Fedorov, who has just been appointed Minister of Defense. He praises Amazon Web Services, a service that provided Ukraine with a digital refuge for government data after Russia's major attack almost four years ago.
The data has remained entirely in Europe, says Garman. The message: AWS is secure – and the new European sovereign cloud is even more secure, for those customers for whom the security promise alone is not enough.
Plattner: “We have to test this now”
The ESC is intended to run completely separately. An important milestone has been reached with the official launch of the sovereign cloud, says Claudia Plattner, President of the Federal Office for Information Security (BSI), on Thursday afternoon in Potsdam. She wants to see technical and organizational measures such as those that AWS has introduced with its European Cloud in every company with which the BSI works. They will have listened very carefully to Google, Microsoft, Delos, and others and will check whether they could be included.
And AWS still has the real acid test ahead of it with the ESC, as Plattner says, because the European Sovereign Cloud is supposed to function even if all connections to the USA are severed. “We have to test this now,” says the BSI President. In other words, this has not happened so far, even though the first customers have been active on the platform for about six weeks.
Regulatory Pressure
There is little doubt that AWS is powerful. Nor is there any doubt that the Amazon subsidiary is subject to US law. And AWS has so far earned well from European customers; the business could run even better, because many in the EU see potential for more cloud usage, including AWS. But regulatory requirements have become stricter and are expected to tighten further in the foreseeable future.
It is obvious that this applies particularly to critical infrastructures, financial service providers, energy companies, and government organizations. They must comply with the tightened conditions of DORA, NIS2, C5, and other regulations – under adverse geopolitical conditions. This is a problem that affects not only Amazon, but Amazon especially.
“Radioactive customer data”
At the same time, customers should be able to continue using the services they want to use. 90 of the 240 services running on AWS are available at the start in the Parental Zone Brandenburg. This is to be supplemented soon by a Dutch, a Belgian, and a Portuguese subsidiary zone – in other words, data center clusters located geographically in different places, all subject to the ESC regime rather than normal AWS operation, where even greater emphasis is placed on encryption and unreadability of metadata such as users, roles, and access rights.
“Customer data is radioactive; we don't want to be near it,” says Colm MacCarthaigh, explaining the approach that has always applied. And a wealth of experience has been incorporated into the new structure after many important steps had already been taken with AWS Nitro and many other measures.
ESC better than normal AWS?
A balancing act for the company representatives: They have to praise the new ESC – but without denigrating normal AWS. AWS ESC could leverage the entire spectrum of prior knowledge. Because many customers feel primarily obligated to be able to prove that they have complied with the rules applicable to them.
Sarah Duffer explains in Potsdam the role that the “European Sovereign Reference Framework” plays in this: the formal description of the concepts with which AWS ESC ensures independence. Such criteria, along with documentation, are relevant for many users when it comes to liability issues. It's about verifiability by independent third parties, says Duffer, Director Security Assurance at headquarters. In terms of compliance, they see themselves as well-positioned.
It is already becoming apparent that this will not be the end of the development. However, for many customers who have hesitated so far, the EU-AWS options could be a welcome step. And given the political climate in the USA, even existing standard AWS users from the USA might consider whether this could be an alternative for them. Financially, according to the model calculations presented, the use of ESC is still priced slightly below standard prices. How long this will remain the case remains to be seen.
(dahe)