Worries about being over-reliant on one particular cloud computing provider are climbing up the executive agenda as companies move more of their systems and data to the on-demand model.
The risk that comes from dependence on a particular cloud provider for multiple business capabilities is in the top five emerging risks for organizations for the second consecutive quarter, according to a survey of 294 risk executives by tech analyst Gartner.
“The risk associated with cloud concentration is fast losing its ‘emerging’ status as it is becoming a widely recognized risk for most enterprises,” said Ran Xu, director, research in the Gartner Legal Risk & Compliance Practice. “Many organizations are now in a position where they would face severe disruption in the event of the failure of a single provider.”
Xu told The Stack that while cloud concentration has been on Gartner's list of potential emerging risk selectors since the fourth quarter of last year, it's only in the last two quarters that it has surfaced as a top five risk.
"The drivers and causes of this are IT complexity, concentrated vendor choices, and divergent regulatory regimes," she said. For instance, organisations now face greater potential regulatory compliance failures because they must address data sovereignty and privacy rules that are different across regimes and even across regulatory bodies. "High vendor dependence, while more efficient and cost-effective can also reduce future tech options," she said.
One of the ways that the shifting to the cloud sold was as a way of reducing the risk of technology infrastructure. Instead of the absorbing the cost and risk that came with designing, building and running their own infrastructure, companies were told they could hand much of that complexity over to the cloud companies instead. In some cases businesses have swapped one kind of technology risk - around reliability - for another kind of risk around vendor lock-in.
And as Gartner explains, the cloud concentration risk has now emerged because many organizations have focused on a handful of strategic providers in order to reduce IT complexity. Compounding the problem, a handful of hyperscale vendors dominate the market, so even if companies wanted to spread their cloud investments around, it’s hard to beat the technical capabilities, business reach and partner ecosystems of the big players.
“Where organizations have chosen to go the route of hosting their IT services in public clouds, there aren’t many obvious ways to avoid concentration risk while keeping the benefits of cloud services,” said Xu.
Even the cloud hyperscalers have outages, and when they do the impact is visible across the world.
There are three main potential consequences of this risk, according to Gartner:
Wide incident “blast radius" The more applications and business processes depend on a particular cloud provider, the greater the potential breadth of impact of a cloud service issue, which may heighten business continuity concerns.
High vendor dependence Concentrated dependency on a particular vendor can reduce future technology options and allow vendors to exert significant influence over the organization's technology future.
Regulatory compliance failures: Organizations may be unable to meet regulatory demands to address concentration risk across different regulatory bodies with different approaches to concentration risk.
It's not only risk executives that are worried about the impact of cloud concentration. Earlier this month UK regulator Ofcom referred the public cloud infrastructure services market to the Competition and Markets Authority for further investigation.
Ofcom said some features of the cloud market could make it more difficult for UK businesses to switch and use multiple cloud suppliers. “We are particularly concerned about the position of the market leaders Amazon and Microsoft,” it said.
Amazon Web Services and Microsoft had a combined market share of 70-80% in 2022 in the UK, with Google trailing far behind in third place on 5-10%.
Ofcom said it was concerned about three things in particular.
Egress fees: These are the charges that customers pay to transfer their data out of a cloud and the hyperscalers set them at significantly higher rates than other providers. This, it said could discourage customers from using services from more than one cloud provider or to switch to an alternative.
Technical barriers to interoperability and portability: These can force customers to make additional efforts to reconfigure their data and applications to work on different clouds – making it harder to run services across cloud providers or to change provider.
Committed spend discounts: These can benefit customers by reducing their costs, but can also incentivise customers to use a single hyperscaler for all or most of their cloud needs, even when better quality alternatives are available.
“Looking ahead, if customers have difficulty switching and using multiple providers, it could make it harder for competitors to gain scale and challenge AWS and Microsoft effectively. In this scenario, we are concerned that the threat of customers switching away from the market leaders will reduce, further dampening competition for new and existing customers,” Ofcom said.
For many companies that have now made a strategic decision to shift much of their tech infrastructure to the cloud, there isn’t a huge amount they can do.
“Currently, if the benefits of public cloud use are considered strategically important to a business, there are not many obvious solutions to remove the risk altogether,” said Xu. “That’s why it is especially important that businesses have a well-considered continuity plan to put into action should they face any major cloud service issues.”
Another problem looms ahead too: while many companies have switched some of their apps and data to the cloud, many have still held onto their most business-critical apps. When those start moving to the cloud the issues of cloud concentration are only likely to be even more important.