Quantifying the Cost of Forced Localization

Network Security
Written By Alex Muentz

Leviathan is proud to announce the release of our fourth whitepaper on cloud security: "Quantifying the Cost of Forced Localization."

For this whitepaper, the fourth borne of Leviathan's collaboration with Google to study the security impacts of forced localization laws, we chose to focus on the direct costs to companies of forced localization laws--the actual economic disadvantage inflicted by a country on its businesses when it chooses to require that all data be stored within its borders. As we discussed in our previous work, the harms of forced localization to data confidentiality, integrity, and availability can be devastating, and this can have significant added economic impact--but we wanted to know how much it costs, on day 1, to cut one's country off from the cloud.

We focused on the public Infrastructure-as-a-Service cloud providers--those providers that let you sign up without an exclusivity agreement, a non-disclosure agreement, or other major barriers to entry, and allow you to use all of their features. There are seven of these public IaaS providers: Amazon Web ServicesDigitalOceanGoogle Compute EngineHP Public CloudLinodeMicrosoft Azure, and Rackspace Cloud Servers. We compared equivalent services--each provider's standard virtual machines running Linux, without "high-performance" or GPU services, and without premium operating system choices of any type, in bands based on the amount of RAM for each instance. (For more on the exact comparison, please see the Methodology section in our whitepaper.)

The results have been extraordinary.

"...[W]e find that for many countries that are considering or have considered forced data localization laws, local companies would be required to pay 30-60% more for their computing needs than if they could go outside the country's borders."

This is devastating. Businesses rely on data and computation for every aspect of their business; most businesses cannot afford to increase a base cost of doing business 30-60%, and when the business grows, so too will their computing costs. In addition, as the European Centre for International Political Economy noted, this is "friendly fire"--an entirely self-inflicted wound on a country's economy.

One of our outputs from this research is a visualization that we believe will help to crystallize the issues in play. We've taken all the pricing data from the seven public IaaS providers, along with all the locations of their datacenters, and put them onto a map; anyone can simply select the quantity and type of computer they'd like to use, then see where that type is available--and click on a country to find the pricing, the providers that offer it, and the extra cost of using only providers in that country.

View fullsize

Something we did not expect to find from this work was that the public cloud providers use only 12 countries to host their datacenters. This leaves no datacenters in huge swaths of the world, as you can see both in the map and in our visualization.

We hope that our research will contribute to policy discussions already in progress regarding the path for countries to take with regard to the Internet.

"A significant design principle of the Internet was, and remains, that the Internet should be able to route around damage in order to ensure that communications between people should never be entirely stopped. It would be a painful irony to allow politics to curtail the resilience of the Internet in pursuit of short-term goals."

Check out our work here.

Alex Muentz
Previous

Guidance - Flash Vulnerability CVE-2015-5119
Next

Strengthening the Nation’s Defense