TKLBAM cannot be directed to S3 store in specific AWS Region

[OnePressTech]

In Australia a number of organisations require that all personal data remain in Australia. This is likely to be the case in other countries especially with the recent U.S. NSA scandal.

The Turnkey hub uses GeoIP to backup data nearest to the server requesting the backup. Legally, though, Australian clients requiring data to remain in Australia would need to know definitively that data was being backed up in Australia.

If Turnkey Hub supported user-configurable S3 AWS region selection this requirement would be met.

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[JedMeister]

Whilst I think it is a valid feature request. I don't think that will be enough to resolve your concerns...

AFAIK under the current free trade agreement between Australia with US (as of circa 2001), all data stored by trans-national companies like Amazon (with offices in US) is fair game under US law... So even if it the data is physically hosted in Australia, as for data security it may as well be hosted in the US (this also applies to UK). So if you have some data privacy requirements then you may need to look at backing up to servers/storage hosted by a purely Australian company...

[OnePressTech]

You are absolutely correct Jeremy...however...there are two reasons why this feature request is important to clients:

1) Data leaks by AWS in Australia come under Australian privacy law, data leaks by AWS in another country may not necessarily fall under Australian law 2) Lawsuits associated with data leaks from AWS in Australia can be litigated in Australia. Lawsuits associated with data leaks from AWS in other countries may need to be litigated in the non-Australian country

For this reason it is important to be able to say to clients with certainty that their data is not stored overseas. After all...security is mostly perception and if the clients ask for their data to be stored in Australia it is not for me to argue...enlighten certainly...but not argue. It's their call after all.

Regarding American vs.. non-American company involvement I have read varied opinions. Due to bilateral agreements other countries may request access to Australian information even if stored in Australia by Australian companies so it is not clear that there is more or less exposure to privacy access from other countries whether the company involved is Australian or non-Australian located in Australia. The jury is still out on that one.

A more interesting question is whether the data moves directly from server to AWS storage or is relayed via Turnkey Linux hub and if so which country is the hub in!

Kind regards, Tim

Tim Hibberd - Managing Director OnePressTech Pty Ltd M: +61 (0) 407 248 131 E: mailto:tim.hibberd@smartservicescrc.com.au tim.hibberd@onepresstech.com

---

From: Jeremy Davis [mailto:notifications@github.com] Sent: Wednesday, September 04, 2013 6:12 PM To: turnkeylinux/tracker Cc: OnePressTech Subject: Re: [tracker] TKLBAM cannot be directed to S3 store in specific AWS Region (#98)

Whilst I think it is a valid feature request. I don't think that will be enough to resolve your concerns...

AFAIK under the current free trade agreement between Australia with US (as of circa 2001), all data stored by trans-national companies like Amazon (with offices in US) is fair game under US law... So even if it the data is physically hosted in Australia, as for data security it may as well be hosted in the US (this also applies to UK). So if you have some data privacy requirements then you may need to look at backing up to servers/storage hosted by a purely Australian company...

Reply to this email directly or view https://github.com/turnkeylinux/tracker/issues/98#issuecomment-23772741 it on GitHub. https://github.com/notifications/beacon/jF9b_9J7WW99jEVZlECuIAd3sUCy60_SBkm MW_JEDzDiHMLVqTn3z2POelLeXRxu.gif

[JedMeister]

Nice one Tim. Good argument! :)

[lirazsiri]

Thanks for suggesting this Tim. Backups in Australia should always stay in Amazon's Australian datacenter but I suggest doing a test backup and logging into your Hub account to see where it is stored, just to make sure the GeoIP code is doing the right thing.

I like the suggestion but I can't fix this just by patching TKLBAM, because the Hub currently determines in what region to store your backup archives. I'll have to talk with Alon about adding the ability to pass a region to the Hub.

In the meantime, the new TKLBAM version makes it easier to bring your own storage back-end if you want (e.g., S3 bucket anywhere in the world, ftp/rsync/ssh servers, etc.).

Regarding whether or not TKLBAM archives go through the Hub, no your backup data goes directly to Amazon S3, it doesn't pass through our servers first. Also your backup archives are encrypted first on your local machine by Duplicity before being uploaded so nothing gets sent in the clear and privacy-wise it shouldn't matter whether or not someone (e.g., the NSA) intercepts the traffic in transit.

[OnePressTech]

Thanks Liraz. I suspected that was the case but I needed to ask to make sure. For some unknown reason clients get nervous when you start a sentence with "I think..." :-)

Regarding auto-routing, TKLX auto-routing for my Australian AWS client does route automatically to Australia but my non-AWS client does not even though they are hosted on Australian servers with Australian service providers and using Australian domain names and an Australian IP address. The client's DNS servers are in the U.S. though so that might be the cause of the errant routing.

Thus the request for the option in the hub U.I. or TKLBAM U.I. in Webmin to set the target location at least by country.

As always, thanks for the stellar work and solid engineering. We clients are always a pain aren't we...asking for more...always more :-)

[OnePressTech]

Oops. Strange user interface "Close & comment"...I thought it meant close the comment edit session not the issue!