June 01, 2023

Addressing data residency challenges with InCountry and AWS Outposts

Organizations of all sizes are increasingly looking to cloud technologies to manage their data and data flows. However, some sensitive data must remain in its country of origin or cannot cross domestic borders for regulatory, contractual, or information security reasons. This is often the case in financial services, healthcare, oil and gas, automotive, and other highly regulated industries. A hybrid cloud architecture combines the benefits of the public cloud and on-premises data centers: organizations can run workloads and applications across multiple environments, take advantage of the scalability and flexibility of the public cloud, keep full control over sensitive data, and comply with security and privacy regulations.

Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud provider, offering over 200 fully featured services from data centers globally. AWS offers a continuum of cloud services that empower you to run applications and data wherever they are–in the AWS Regions, in large metro areas, on-premises, or at the edge. As one of the AWS hybrid and edge offerings, AWS Outposts allows companies to run some AWS services locally and connect to a broad range of services available in the parent AWS Region. In this blog post, we will discuss how companies can innovate and accelerate the development of cloud solutions while meeting even the most stringent data residency requirements with AWS Outposts and InCountry Data Residency.

The ever evolving compliance landscape

The compliance landscape is radically changing from year to year. The number of countries that are introducing regulations around how data can be stored and processed is rapidly growing. The evolving changes in data protection regulations add to the complexity that compliance engineers must keep up with. Moreover, the range of imposed compliance requirements can seriously affect the operation of any company using AWS services for building their cloud apps and solutions.

The compliance question is becoming increasingly tricky for multinational companies operating globally, forcing them to consider various new, but important issues including:

  • Storing regulated data locally within its country of origin fragments customer data across countries and seriously complicates processing that data for reporting purposes.
  • Processing regulated data locally, without it ever leaving domestic borders, affects even the simplest operations such as data validation and makes consolidated reporting a hard problem.

It has become more challenging for multinational companies to effectively reach and serve their customers while adhering to regulatory obligations. For example, it is critical to maintain compliant handling of customer data (i.e., personally identifiable information) in email marketing, which creates technical challenges if customer data cannot reside in the main application’s database outside of the regulated country.

Addressing these issues requires a significant investment of effort and resources, which can significantly slow down a company’s expansion into new regions. Each country’s data regulations require technical systems that can respond to these evolving requirements and let companies adjust how their cloud applications handle data on a country-by-country basis.

AWS Outposts overview

AWS Outposts is a family of comprehensive solutions delivering AWS infrastructure and services to virtually any on-premises or edge location for a truly consistent hybrid experience. With Outposts, applications and workloads can be run on-premises using familiar AWS services, tools, and APIs. Outposts supports workloads and devices that require low-latency access to on-premises systems, local data processing, data residency, and application migration with local system interdependencies. Outposts is currently available in 74 countries and territories, with availability in more countries and territories coming soon.

With Outposts, applications can be written once and deployed anywhere with minimal application changes, improving developer productivity and time to market. Outposts also reduces the time, resources, operational risk, and maintenance downtime required to manage IT infrastructure by providing a fully managed experience: AWS takes on the service burden, including management, maintenance, monitoring, support, and upgrade of the Outposts infrastructure.

Outposts comes in two varieties, AWS Outposts racks and AWS Outposts servers, which provide compute, storage, and networking resources for a range of development and deployment needs. Outposts is available in several form factors, from 1U and 2U Outposts servers to 42U Outposts racks.

AWS Outposts extends a customer’s Amazon Virtual Private Cloud (Amazon VPC) from a nearby AWS Region to a location of the customer’s choosing that is not yet covered by an AWS Region. Customers can seamlessly connect from their AWS Outposts to the rest of their applications or to any other AWS service in the parent AWS Region.

How AWS Outposts helps solve data residency challenges

AWS Outposts is designed to help customers who want to take advantage of cloud benefits on-premises. With AWS Outposts, companies control where their workloads run and where their data resides, with low-friction movement between cloud and edge locations so they can adapt to regulatory changes. This offers a data residency-friendly approach that can be used to address compliance requirements when dealing with Personal Information (PI), including Personally Identifiable Information (PII), Personal Financial Information (PFI), and Personal Health Information (PHI). AWS Outposts gives customers a straightforward way to meet the compliance regulations introduced in various countries.

InCountry for AWS Outposts

Customers from the Fortune 500 list are already taking advantage of InCountry today to localize and distribute regulated and sensitive data in countries with stringent data regulations, such as China, Saudi Arabia, Australia, and Turkey. The InCountry platform has now been optimized to run on AWS Outposts, delivering to customers its comprehensive offering of tools and capabilities for compliant data handling and management, on-premises.

The InCountry platform provides the full stack of components to address any data residency challenges the business encounters when operating in highly regulated markets. This includes a variety of tools and technical solutions for the following:

  • web services
  • encryption and tokenization
  • identity
  • data search
  • resident functions
  • reporting
  • e-mail handling

Companies can integrate any of these components into their web applications or other platforms.

Web services

Businesses frequently use web services to transfer regulated and non-regulated data back and forth between the application server and the client browser. The InCountry Border component proxies these data requests and redacts or unredacts regulated data on the fly, so it integrates with existing applications without refactoring program code or writing large amounts of CRUD logic.

Encryption and tokenization

With the increased scrutiny on data privacy and protection from governments and local regulators, companies need to properly secure stored regulated and sensitive data and take every reasonable precaution against unauthorized access. The InCountry platform provides several mechanisms to keep data within domestic borders, prevent its replication, and anonymize it. InCountry for AWS Outposts offers AES-256 encryption for sensitive data, tokenization for complete depersonalization of personal data, hashing or pseudonymization for cross-border data transfers, and replication to third-party data lakes. Depending on their business needs, companies can choose the appropriate method to protect regulated and sensitive data from unauthorized viewing and processing.
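To make the redact/unredact flow of the Web services section and the tokenization and pseudonymization options of this section concrete, here is an added example written for this article; it is not InCountry code and does not use the InCountry SDK. It models a regulated record passing through a proxy: regulated fields are swapped for random vault tokens on the way out of the country and resolved back on the way in, while a separate keyed pseudonym (HMAC-SHA256) gives a stable stand-in for cross-border joins and reporting. The field list, the vault, the key, and the sample customer record are all constructed for the example. It also shows the caveat a practitioner should keep in mind when the page says "hashing": a plain unkeyed hash of a low-entropy field such as an email address is recoverable by guessing, so the pseudonym uses a key that itself stays in-country.

```python
import hashlib
import hmac
import secrets

# Hypothetical field policy: which keys of a payload hold regulated data.
REGULATED_FIELDS = frozenset({"email", "national_id", "phone"})

# Constructed key for the example only. In a real deployment the key stays
# in-country (for instance in a KMS on the Outpost) and never leaves.
PSEUDONYM_KEY = b"example-in-country-hmac-key-not-for-production"


class ResidentVault:
    """In-memory stand-in for the in-country vault that holds clear values.

    A token is a random identifier with no relationship to the value it
    replaces, so the token may leave the country; the mapping back cannot.
    """

    def __init__(self):
        self._store = {}

    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        return token

    def detokenize(self, token):
        # Unknown tokens raise KeyError: fail closed rather than return a guess.
        return self._store[token]


def redact(record, vault, fields=REGULATED_FIELDS):
    """Inbound direction of the proxy: regulated values are swapped for
    vault tokens before the record is forwarded out of the country."""
    out = dict(record)
    for f in fields:
        if out.get(f) is not None:
            out[f] = vault.tokenize(out[f])
    return out


def unredact(record, vault, fields=REGULATED_FIELDS):
    """Outbound direction: tokens are resolved back to clear values. This can
    only happen inside the country, because only the vault holds the mapping."""
    out = dict(record)
    for f in fields:
        v = out.get(f)
        if isinstance(v, str) and v.startswith("tok_"):
            out[f] = vault.detokenize(v)
    return out


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Keyed, stable pseudonym (HMAC-SHA256): equal inputs map to equal
    outputs, so rows can be joined or counted abroad, but the clear value
    cannot be recovered without the key."""
    return "pseu_" + hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def export_for_reporting(record, fields=REGULATED_FIELDS):
    """Cross-border view of a record: regulated fields become pseudonyms,
    everything else passes through unchanged."""
    return {k: (pseudonymize(v) if k in fields and v is not None else v)
            for k, v in record.items()}


def unkeyed_hash(value):
    """Plain SHA-256 of a value, included only to demonstrate its weakness."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def recover_unkeyed_hash(digest_hex, candidates):
    """Why a plain hash is not a pseudonym: with a guessable input space
    (email addresses, phone numbers) the value is recovered by trying
    candidates. The keyed pseudonym above does not match any candidate."""
    for c in candidates:
        if unkeyed_hash(c) == digest_hex:
            return c
    return None


if __name__ == "__main__":
    vault = ResidentVault()
    # Constructed sample record, not real customer data.
    customer = {"id": 42, "country": "SA", "email": "alice@example.com",
                "phone": "+966500000000", "national_id": None}
    outside = redact(customer, vault)           # what leaves the country
    print(outside)
    print(unredact(outside, vault) == customer) # True, only inside the country
    print(export_for_reporting(customer))       # pseudonyms for reporting
```

Note the two different guarantees: a token is reversible, but only by asking the vault, so it supports the unredact path of a proxy or an email gateway; a keyed pseudonym is irreversible and consistent, so it supports cross-border joins and counts but can never be turned back into the clear value. Choose per field according to which operations the data must support outside the country.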

Identity management

The platform covers the essential access control models, including RBAC (Role-Based Access Control), ABAC (Attribute-Based Access Control), and PBAC (Policy-Based Access Control). Access can be fine-tuned down to individual regulated records and their fields stored on the InCountry platform within a company’s Outpost, and cross-system data exchange can be restricted to specific user roles or gated on more complex attributes.
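As an added illustration of field-level access control combining RBAC and ABAC, here is a small policy evaluator written for this article; it is not InCountry’s authorization engine, and the roles, attributes, policy rules, and sample record are hypothetical. Each rule grants a set of record fields to principals that hold one of its roles (RBAC) and satisfy an optional predicate over the principal’s attributes and the record (ABAC). The decision is default deny: a field is returned only if some rule explicitly grants it.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Principal:
    user: str
    roles: frozenset          # RBAC input, e.g. {"support"}
    attrs: dict               # ABAC input, e.g. {"country": "SA", "mfa": True}


@dataclass(frozen=True)
class Rule:
    fields: frozenset                     # record fields this rule grants
    roles: frozenset = frozenset()        # any of these roles; empty = any principal
    condition: Optional[Callable] = None  # ABAC predicate over (principal, record)


# Hypothetical policy for customer records held in the in-country vault.
POLICY = (
    # Non-regulated fields: readable by any authenticated principal.
    Rule(fields=frozenset({"id", "country", "plan"})),
    # Support agents see contact fields only for customers in their own country.
    Rule(fields=frozenset({"email", "phone"}), roles=frozenset({"support"}),
         condition=lambda p, r: p.attrs.get("country") == r.get("country")),
    # Compliance officers may read the national ID, and only with MFA.
    Rule(fields=frozenset({"national_id"}), roles=frozenset({"compliance"}),
         condition=lambda p, r: p.attrs.get("mfa") is True),
)


def permitted_fields(principal, record, policy=POLICY):
    """Union of the fields granted by every rule whose role and attribute checks pass."""
    allowed = set()
    for rule in policy:
        if rule.roles and not (rule.roles & principal.roles):
            continue  # RBAC check failed
        if rule.condition is not None and not rule.condition(principal, record):
            continue  # ABAC check failed
        allowed |= rule.fields
    return allowed


def read_record(principal, record, policy=POLICY):
    """Default deny: return only fields that some rule explicitly grants.
    Fields the policy never mentions are never returned, so adding a new
    regulated column to a record cannot silently widen access."""
    allowed = permitted_fields(principal, record, policy)
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    # Constructed sample record, not real customer data.
    record = {"id": 7, "country": "SA", "plan": "gold", "email": "a@example.com",
              "phone": "+966500000000", "national_id": "1010101010", "notes": "internal"}
    agent_sa = Principal("agent1", frozenset({"support"}), {"country": "SA"})
    agent_de = Principal("agent2", frozenset({"support"}), {"country": "DE"})
    officer = Principal("officer", frozenset({"compliance"}), {"mfa": True})
    for p in (agent_sa, agent_de, officer):
        print(p.user, sorted(read_record(p, record)))
```

The ordering matters less than the shape: rules only ever add fields, and nothing is granted by omission, so the worst outcome of a missing rule is an over-restrictive view rather than an exposed regulated field.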

Regulated data search

Record search and reporting become a serious challenge in a distributed storage environment when data is stored in multiple places and regulated data is fragmented. The InCountry platform provides two options:

  • Single-source search or reporting: the search or report runs entirely against regulated data stored on the InCountry platform. If needed, companies can also replicate non-regulated data to the InCountry platform so that searches and reports combining regulated and non-regulated data return complete results.
  • Composite search or reporting: users first search or report against regulated data stored on the InCountry platform and then filter or enrich that result set with non-regulated data stored in corporate systems. This approach has technical limitations, in particular it does not support aggregation across the two datasets, which should be considered when designing reports.

Resident functions

Just as AWS Lambda provides serverless functions, the InCountry platform provides a similar capability called resident functions. They are needed when regulated data cannot leave its domestic borders and processing outside the country of origin is not permitted. Resident functions perform essential operations on regulated data (such as validation or calculation) within domestic borders, so the data remains in compliance with local regulations. Resident functions are written in JavaScript and run in a temporary container, which isolates each run and lets them start immediately even under heavy load.

Compliant e-mail handling

Email remains one of the crucial communication channels between companies and customers; unfortunately, email addresses are frequently treated as personal information and hence as a regulated data element. The InCountry platform bundles an Email Gateway that can either redact inbound emails, saving their content to the InCountry Resident Vault, or unredact outbound emails by querying regulated data from the vault and swapping redacted values for clear-text values before delivering the emails to their actual addressees.

The toolkit provided by the InCountry for AWS Outposts solution enables companies to address data compliance and residency challenges across the jurisdictions in which they operate.

If you have any questions or need a free consultation, please don’t hesitate to drop an email to contact@incountry.com, and we will reach out to you shortly.