Learn how AWS Hybrid Cloud Services and InCountry Enable Data Sovereignty

Cloud computing has transformed how businesses store, process, and analyze data. However, cloud growth in many markets has been hindered by data sovereignty regulations, a lack of local cloud infrastructure, or a combination of both. In many cases, it is expensive and complex to deploy and maintain a multi-jurisdiction solution across several countries.

This post demonstrates how InCountry’s data residency solution, coupled with AWS Hybrid Cloud services from Amazon Web Services (AWS), enables organizations to achieve data sovereignty effectively.

InCountry is an AWS Partner, provides “Data Residency for AWS Outposts” service through AWS Marketplace. AWS Marketplace simplifies the customer procurement process by providing a centralized platform where you can find, purchase, deploy, and manage third-party software. The platform facilitates billing, invoicing, and payments, making it easier for customers to handle all transactions directly through their AWS account.

InCountry data residency solution on AWS Outposts/Local Zones, showing data flow from Cairo and Lagos with masked customer details.

Figure 1: Managing identity data with InCountry and hybrid cloud services

AWS hybrid cloud services deliver a consistent AWS experience wherever you need it. You can select from a broad set of compute, networking, storage, security, identity, monitoring, and others to build hybrid architectures that meet your specific requirements.

AWS Local Zones brings AWS infrastructure closer to your end. Meets data residency requirements for regulatory and compliance-sensitive workloads.
AWS Outposts is a family of fully managed solutions delivering AWS infrastructure and services to virtually any on-premises location for consistent hybrid experience.

Solution overview: InCountry Data Residency-as-a-Service solution

InCountry Data Residency-as-a-Service offers secure storage, processing, and management for identity data, using hybrid cloud services with AWS.

Arch of InCountry data flow from Cairo and Lagos via AWS Outposts/Local Zones to AWS Region services with masked details.

Figure 2: Localized identity data management architecture with InCountry and hybrid cloud

Prerequisites

For this solution walkthrough, you need:

An AWS account
An Outposts anchored to your account
A request to purchase InCountry for AWS Outposts from AWS Marketplace
Familiarity with setting up an Amazon EC2 instance on AWS Outposts
Familiarity with Node.js, JavaScript and REST communication

Solution walkthrough

In this walkthrough, we highlight the decision-making process, the sovereignty framework, and the methodologies used to handle identity data securely while complying with data residency regulations across different markets.

1. Distinguish identity data

The first step is to identify which fields are regulated. This usually depends on the country’s regulations, the industry, and the company’s requirements. In many cases, identity information such as names and email addresses are subject to regulation, whereas nonidentity information such as order status and timestamps typically are not.

It’s important to isolate only the data affected by identity regulations because isolating numerous nonregulated fields can consume unnecessary resources. It requires additional investments in edge computing for non-regulated data, which can affect your agility, scalability, and overall cost structure.

While there is no one definition of data sovereignty, InCountry has distilled key themes from listening to customers and regulators:

Data residency – Knowing where all data is stored and controlling where it is transferred.
Operator access restriction – Preventing operators and foreign governments from accessing data in the cloud.

AWS meets customers where they are with its cloud continuum. Both Outposts and Local Zones are powered by the AWS Nitro System, which by design has no operator access. AWS operators only have access to a limited set of authenticated, authorized, logged, and audited administrative APIs, none of which provide access to customer data. These are designed and tested technical restrictions built into the Nitro System, ensuring no AWS operator can bypass these controls and protections.

2. Isolate identity data with InCountry solution

InCountry’s software fully isolate identity data from an external application. The application’s client continues to communicate with the backend for authentication, authorization, control flow, nonidentity data, and rendering.

The application can use either a proxy or direct REST APIs to fully isolate identity data using hybrid cloud services in a country. For that you need to follow the Data Residency-as-a-Service tutorial for Outposts.

There are two ways you can integrate InCountry service into the application:

On demand redaction – In this case, you explicitly call the InCountry API from your application where needed and replace the original values with tokens obtained from the response.
Transparent redaction – In this case, use the InCountry proxy that automatically processes the data on the way to your server and back.

Those options are not mutually exclusive and can be used together to cover more use cases.

Diagram of InCountry data flow, from regulated data in AWS Outpost to anonymized data in a U.S. application, via InCountry Vault.

Figure 3: InCountry vault and data firewall core services on AWS Outposts

Edge services provided by InCountry include:

Encryption and tokenization – Flexible tokenization, hashing, and masking algorithms plus key management with AWS Key Management Service (AWS KMS)
Identity and authorization – Coarse-grained and fine-grained authorization based on identity
Create, read, update, and delete (CRUD) – CRUD support for regulated data
Search – Local search of regulated data that can be combined with unregulated data.
Analytics – Local aggregation of regulated data
Artificial intelligence (AI) – Masking of regulated data for consumption by global AI systems
Functions – Local processing on regulated data
Email – Inserts true email address, name, and other fields for a global email system
Files – Local management of files, which can be mapped to Amazon S3 on Outposts
Payments – Interface to a local payment processor

The combination of these edge services enables multi-jurisdiction applications to fully delegate management of regulated identity data to Outposts or Local Zones.

3. Extending applications with InCountry

InCountry offers two methods to extend an application with a user interface:

Low-code web service proxy
REST APIs

If an application uses well-formed web services to communicate between front-end and backend, it can be extended with no-code by directing web services calls that manage identity data through the InCountry web service proxy. Using the InCountry portal, the developer can define fields that should be redacted and anonymized for creating and updating requests.

Diagram showing client REST calls routed to InCountry Vault, where regulated data is hashed before reaching the application

Figure 4: Extending applications with InCountry’s web services and application APIs

For read and search requests, the proxy can match the request, search local data within the country, and automatically reinsert the local data.

Diagram of user search process, showing regulated data flow from InCountry Vault to application, with data firewall for compliance

Figure 5: Handling read and search requests with InCountry’s web service proxy

Developers can extend the client code to use InCountry’s REST API to create, read, update, delete, and search data within a country and send anonymized values to the global backend.

Diagram of REST calls routed to InCountry Vault for anonymization before reaching the application, with data firewall for compliance

Figure 6: Extending applications using InCountry’s REST API

For software as a service (SaaS) apps or legacy apps where the client code can’t be modified, consider making a microapp that runs locally to store and fetch identity data.

4. Filtering identity data from data pipelines

Cross-border data flows can be anonymized to maintain both global and local analytics. This is important for consolidating data into data warehouses and data lakes.

The key is to redact identity data before it crosses borders and enters the data pipeline. InCountry supports three methods to redact identity data:

Extract, transform, and load (ETL) integrates with ETL tools.
Customer data platforms (CDPs) integrates with CDPs, including Salesforce Data Cloud, Segment, mParticle, and Lytics.
Data loading using Python scripts and REST APIs.

Diagram showing data flow from in-country application, anonymized via proxy, to an out-of-country data warehouse, with masked details

Figure 7: Redacting identity data before transfer to an out-of-country data warehouse

5. Enabling security and compliance

It is critical for identity data to be managed securely outside jurisdiction. AWS services, including Outposts, AWS Control Tower, and KMS, empower InCountry to meet customers’ data sovereignty needs. InCountry examines the controls configured by both parties to strengthen sovereignty and privacy posture, enabling the solution to meet regulatory requirements.

Access is fully logged, and detailed data flows are available for regulatory approval. InCountry supports both coarse-grained and fine-grained access control.

The InCountry data firewall runs at the edge to protect the identity data. It applies machine learning (ML) models on text fields to match names, addresses, identification numbers, and other types of personally identifiable information (PII) using the local language and vernacular.

Clean-Up

Once you complete the tutorial, remember to delete the EC2 instance if it’s no longer needed to avoid incurring future costs.

Conclusion

InCountry’s solution, built on top of hybrid cloud services with AWS, allows customers to deploy and extend multi-jurisdiction applications into new countries efficiently and compliantly. This approach offers a cost-effective way to expand globally while isolating identity data.

AWS Marketplace