European Union EU is, and have been for many years, very strict on where, how and what information you can store regarding its citizens. Now it is even worse with the GDPR regulations (although already implemented) that will be enforced during spring 2018. GDPR is in many matters common sense but it will force companies take have control over their information regarding personal information. To some degree I believe that the Cloud has received an unfair amount of fear in regards to these regulations as the regulations affect all companies no matter on where you host your data. From a security standpoint I sincerely doubt that your own data centers are playing in the same league as the big cloud vendors. Just consider earthquake protection, facility security, data security, replication, active threat detection and your data will not be safer with your local hosting provider or even the big local players. I have also been at places where you can just follow a person into a corporation facility, they will likely also hold up the door for you, find an empty room and connect a computer to the network. So yes, while GDRP will forever change our ways we design solutions they apply for all solutions no matter where you host them.
I myself ran into problems concerning data residency at one customer a couple of years ago when I could not guarantee that their Azure Active Directory could be located in the US even if I set up an Azure AD for France. My suggested solution did therefore not comply with corporate regulations that the customer information needed to retain solely inside the EU region.
However Microsoft are no fools and it is nice to see that they learn from such experiences and now have quite few services that leaves the selected region that you create them in.
As an example, I have spent some time with Azure AD B2C (there will likely be a few post on this later) and noticed that the location of the data is actually kept within European region if you create a B2C AD for a EU country. This guarantees that the user information will reside in EU only (it will also apply for US to prevent the data from leaving US data centers). This will make it much easier for us to design solutions that are compliant with regulations for azure AD B2C, which is great because the B2C service is really nice.
Sources:
- https://docs.microsoft.com/sv-se/azure/active-directory-b2c/active-directory-b2c-reference-tenant-type
- https://azure.microsoft.com/en-us/blog/azuread-b2c-ga-eu/
So what services can I trust resides in the selected region?
Microsoft trust center has a page that defines what services are kept within a region and which ones that cannot be guaranteed at http://azuredatacentermap.azurewebsites.net/. This is a useful page to revisit regularly as in my own case above Azure Active Directory may still be problematic for EU as for Europe (where Active Directory data is stored in Europe or the United States) and I am not sure if you can now decide to only have it in Europe.
More information about GDPR
GDPR is of course so much more than just a question on data residency and security. It covers topics as how a person can see what data is stored about him/her, how it can be removed, policies on who can access the data and much more. For all of us that claim to be EU (Azure-/IT-/Enterprise-) Architects there is a need to keep updated with the GDPR regulations. This may also affect you if you operate in other regions also and have European customers. I recommend that you start reading up at these links:
Peter in the Azure sky 