Cloudflare delivered an early holiday gift to customers with the launch of its namesake Data Localization Suite. Through Cloudflare’s global cloud network, the new set of tools gives enterprise customers the helicopter-parent control they need to manage where data goes and ensure it stays where it should.
Seventy-six percent of countries across the globe have implemented or are planning to implement complex and, to some extent, confusing data residency laws to address data access, protection, and privacy, and ensure that national and residential data is stored inside the country, according to the United Nations Conference on Trade and Development (UNCTAD). While progress has been made in policy and protection, it has simultaneously created a new breed of security concerns as companies struggle to set data controls at the regional level and navigate regulations in nearly 150 countries.
Cloudflare contends that the Data Localization Suite will help businesses better comply with local laws and regulations globally, providing customers with the tools to set where data is encrypted, decrypted, and inspected, as well as in which geography the private keystore is held.
“The preference or requirement for data localization is growing across jurisdictions such as the [European Union], India, and Brazil; over time, we expect more customers in more places will be expected to keep data local,” said Jon Levine, product manager at Cloudflare. “Until now, businesses that wanted to localize their data had to choose to restrict their application to one data center or to one cloud provider's region. This is a fragile approach, fraught with performance, reliability, and security challenges.”
Given that encrypted data is unreadable and unusable until it is decrypted, protection of cryptographic keys is important. Nevertheless, many businesses struggle to control where their private secure sockets layer (SSL) key material is stored.
The Data Localization Suite features a Geo Key Manager tool that allows customers to define specific locations to store private keys.
To run its web application firewall (WAF) or detect malicious bot traffic, Cloudflare said it has to decrypt and inspect HTTPS traffic in its edge data centers to provide services such as distributed denial-of-service (DDoS) protection. Now customers can manage where their traffic is inspected through the Regional Services offering.
Customers that use the recently launched Cloudflare Workers Durable Objects, which preserves the state of code running on the service and enables stateful services, can now configure jurisdiction restrictions. For applications on Cloudflare’s serverless infrastructure, jurisdiction restrictions give users some peace of mind in ensuring their Durable Objects do not store data or run outside of a given jurisdiction.
Cloudflare also plans to add its Edge Log Delivery service, which is currently in beta testing. This will allow customers to send logs directly to the point where they are processed, whether that is an on-premises server or a local cloud bucket.