This content is part of the Essential Guide: An admin's guide to AWS data management

Amazon Aurora could build a 'Safe Harbor' for data

Amazon's Aurora database now offers encryption at rest, which could help with international data security concerns as European law is clarified.

Some AWS shops hope encryption at rest within the Amazon database will help them when doing business in Europe, but experts say the outlook is murky.

Amazon Aurora, launched a year ago, has always encrypted data in transit using AES-256 encryption. But encryption protection for the back-end database, logs, backups, snapshots and read replicas wasn't available until this month. AWS also introduced encryption support for Elastic Block Store boot volumes when new Amazon Machine Images are created.

It's no surprise to see Amazon add this table-stakes feature to Amazon Aurora, offered through the Relational Database Service.

"It's a big requirement for all [software as a service (SaaS)] providers, especially for SaaS providers that have customers located outside the United States," said Theodore Kim, senior director of SaaS operations for Jobvite Inc., a talent acquisition firm in San Francisco.

Users can manage their own encryption keys through the AWS Key Management Service -- and potentially outsource their management to a local third party in Europe.

"If you take those encryption keys and have them managed by, let's say, a foreign third party ... we can't decrypt the data, even if we're compelled by a subpoena or U.S. court order," Kim said.

Anyone that has a cloud that spans jurisdictional boundaries should team up to provide a level of guidance for their tenants.
Edward HaletkyCEO, Virtualization Practice LLC

Moreover, according to Amazon's documentation, users cannot copy an encrypted snapshot from one region to another or replicate encrypted DB instances across regions; this matches up with European laws that dictate that personal data cannot be moved out of its home country. Amazon has also opened a region in Frankfurt to accommodate German customers subject to such data privacy laws, and plans to open a data center region in the U.K. in 2016.

While it's a step in the right direction, it remains unclear whether encryption at rest is enough to allow U.S. companies to host data originating in the European Union in the post-Safe Harbor era. The European Parliament just this week approved data protection reform legislation that will be published in full in January 2016 and will take effect two years later.

Previously, companies had operated under the Safe Harbor Agreement between the United States Department of Commerce and the European Union that regulated how U.S. companies could handle the personal data of European citizens. This year, the European Court of Justice overturned that agreement.

"The overarching message right now is the safest way to do things is to set up a presence in-country to do things, particularly if you've got a large customer base there," said Penny Jones, senior analyst for European Services with 451 Research, based in New York. "There are workarounds at the moment, but whether these can be maintained in the long term really depends on what comes out of a lot of the regulation that's handed down next year."

The search for international help

Other analysts called on cloud providers, including Amazon, to offer more guidance to users doing business internationally.

"Anyone that has a cloud that spans jurisdictional boundaries should team up to provide a level of guidance for their tenants," said Edward Haletky, CEO of the Virtualization Practice LLC in Austin, Texas. "I'm talking about default policy settings based on current interpretation of law ... a warning that pops up that says ... you may violate jurisdictional boundaries, you should check with your own attorney -- provide me a warning so I know what to think about."

Jobvite's Kim remains unsure whether he will have to host data in the AWS region in Frankfurt.

"With the invalidation of the Safe Harbor agreement, there is a substitute for data privacy controls for data importers such as AWS and us in the form of the Model Clauses that we need to sign with each of our EU customers," he said.

There is also a Safe Harbor 2.0 agreement in the works, but Germany may still go it alone and institute even stricter data privacy standards, Kim said.

"I think, eventually Germany will fall in line with the rest of the EU," he said. "If they don't, Jobvite will have to make a business decision to host in AWS Germany in order to support our customers there."

Amazon declined to comment on this story.

Beth Pariseau is senior news writer for SearchAWS. Write to her at [email protected] or follow @PariseauTT on Twitter.

Next Steps

What impact does the end of Safe Harbor have on data privacy?

AWS data center locations still lacking

Knowledge leads the way in AWS compliance

Dig Deeper on AWS database management