China’s data localization laws hurt cloud security: report


The Asia Cloud Computing Association (ACCA) published a report in May on public procurement guidelines which argued that data localization, a legal requirement for cloud operators in China, “on balance weakens data security.”

The ACCA is a trade organization that represents the cloud industry in Asia. The authors of the report are executives and public policy experts working at major players in the Asia cloud market, including Amazon Web Services (AWS), Google, Microsoft, Equinix, and Salesforce.

However, these companies have relatively small cloud operations in China. According to the International Data Corporation, a US market intelligence firm, Microsoft held 5% and Salesforce 4% of the Software as a Service market in 2018; AWS held 6% of the Infrastructure as a Service market.

“China—and other economies—have put in place data localization policies, citing various reasons,” Lim May-Ann, executive director of the ACCA, told TechNode. They are “using reasons such as protection of data and cloud security as rationales,” she said. Lim added that data localization was not the best way to address these issues.

The Multi-Level Protection Scheme (MLPS), the regulation which outlines security requirements for different types of data, requires all network operators wishing to provide cloud services in China to store data in infrastructure within the country’s borders. They are not absolutely prohibited from moving the data overseas. To transfer “important” data across international borders, Chinese law requires a security assessment. The law defines “important” data as those that are critical to national security or personal data that can identify Chinese citizens.

The ACCA recommends that “policymakers should not require data localization on security grounds,” arguing that the physical location of data does not contribute to their security from cyberattacks. The report argued that storing important data locally can weaken security.

Local storage creates “gold mine” data centers that can be targeted by hackers, the authors said. More flexible storage regimes allow companies to implement moving-target security approaches such as the Melbourne shuffle, which aims to hide the access patterns that arise from using data in the cloud by rearranging it across data centers in different locations.

The report also argued that decreasing competition among IT companies around the world will “reduce incentives” to secure infrastructure and make best-in-class cybersecurity solutions less available.

The report says that where data is stored is not as important as how it is stored, and that policies which place restrictions on the location of data could draw resources away from building more effective defenses against hackers.

Kevin Ji, senior director of research at Gartner, an international research and advisory firm, said that China’s goal is not localization but rather data sovereignty. The Chinese state seeks absolute control over data generated within its borders; localization keeps this data within Chinese jurisdiction but is not an absolute measure.

Many companies are concerned about China’s rules on the transfer of personal data, Ji said. However, it is legal to transfer metadata about individuals, so long as it is not raw data that can be associated with a Chinese citizen’s identity. “If you want to perform data analytics on personal information and move [the metadata] outside China, that is okay,” Ji said.

China’s physical size alone justifies holding data within the country, Ji said: “If companies leverage global sites, the latency would be unacceptable.” China is so big that storing data abroad would cause severe delays in signal transmission between the host server and cloud tenant.

“The challenge is not technical anymore, it is about compliance,” Ji said, referring to the various localization and sovereignty laws that have emerged around the world, such as the EU’s General Data Protection Regulation. Cloud providers must now determine how their data is classified under each local law and secure it as the different legal frameworks require, many of which demand localization. For this reason, “data sovereignty has a negative impact on globalization,” Ji said.