With the Data Localization Suite, Cloudflare is making it easier to control where your data is stored and if you’re authorized to view data depending on where you are accessing it from. It’s a feature that lets you take advantage of Cloudflare’s products, such as serverless infrastructure, while complying with local and industry-specific regulation.
For instance, the Data Localization Suite seems particularly relevant following this year’s EU ruling that ended the Privacy Shield. If you’re operating in a highly regulated industry, such as healthcare and legal, you may have some specific data requirements as well.
Let’s say you’re building an application that should store data in the European Union exclusively. You could choose to run your application in a single data center, or a single cloud region. But that doesn’t scale well if you expect to get customers all around the world. You could also suffer from outages.
With Cloudflare’s approach, everything is encrypted at rest and in transit (if you enforce mandatory TLS encryption). You can choose to manage your private keys yourself, or you can choose to set different rules for your private keys.
For instance, a private key that lets you inspect traffic could be accessible from a European data center exclusively. Now that the Privacy Shield is invalid, this setup makes it easier to comply with European regulation.
Cloudflare inspects network requests in order to know what to do with them. For instance, the company tries to reject malicious bot requests automatically. You can choose to inspect those requests in a region in particular. If a malicious bot is running on a server in the U.S., the request will be sent to the closest Cloudflare data center in the U.S., routed to a data center in Europe and then inspected.
As for traffic logs and metadata, you can use Edge Log Delivery to send logs directly from Cloudflare’s edge network to a storage bucket or an on-premise data center. It doesn’t transit through Cloudflare’s core data centers at all.
Finally, if you’re using the recently announced Cloudflare Workers Durable Objects, you can configure jurisdiction restriction. If you run an app on Cloudflare’s serverless infrastructure, you can choose to avoid storing durable objects in some locations for regulation purposes.
As you can see, there are several tools and services in the Data Localization Suite. Some of them have already been live and others are brand new. But it’s interesting to see that Cloudflare is thinking about locality even though it thinks serverless computing and edge data centers are the future.