Concerns over cloud concentration risk grow
Control over critical digital infrastructure is increasingly in the hands of a small number of major providers. While a public cloud provides a flexible, stable and distributed IT environment, there are growing concerns around its operational resiliency.
Following some recent high-profile cloud failures, and with regulators asking more questions, there is increasing anxiety that using a big cloud provider can be a single point of failure, not just technically but also from a business-risk perspective.
Many organizations and regulators take issue with the lack of transparency of cloud providers, and the lack of control (see Figure 1) that important clients have — some of which are part of the national critical infrastructure. Concentration risk, where key services are dependent on one or a few key suppliers, is a particular concern.
However, because the range, scope of services, management tools and developer environments vary among major cloud providers, organizations are often forced to choose a single provider (at least, for each business function). Even in highly regulated and critical sectors, such as financial services, a multicloud strategy is often neither feasible, nor is it easy to change suppliers — whatever the reason.
In 2021, for example, two major US financial firms Bank of America and Morgan Stanley announced they would standardize on a primary public cloud provider (IBM and Microsoft Azure, respectively). Spreading workloads across multiple clouds that use different technologies, and retraining developers or hiring a range of specialists, had proved too complex and costly.
Big cloud providers say that running workloads just in their environment does not lead to an over-reliance. For example, diversifying within a single cloud can mitigate risk, such as deploying workloads using platform as a service (PaaS) and using an infrastructure as a service (IaaS) configuration for disaster recovery. Providers also point to the distributed nature of cloud computing, which, combined with good monitoring and automated recovery, makes it highly reliable.
Reliability and resiliency, however, are two different things. High reliability suggests there will be few outages and limited downtime, while high resilience means that a system is not only less likely to fail but it, and other systems that depend on it, can quickly recover when there is a failure. While in enterprise and colocation data centers, and in corporate IT, the designs can be scrutinized, single points of failure eliminated, and the processes for system failure rehearsed, in cloud services it is mostly (or partly) a black box. These processes are conducted by the cloud provider, behind the scenes and for the benefit of all their clients, and not to ensure the best outcomes for just a few.
Our research shows that cloud providers have high levels of reliability, but they are not immune to failure. Complex backup regimes and availability zones, supported by load and traffic management, improve the resiliency and responsiveness of cloud providers, but they also come with their own problems. When issues do occur, many customers are often affected immediately, and recovery can be complex. In 2020, Uptime Institute recorded 21 cloud / internet giant outages that had significant financial or other negative consequences (see Annual Outage Analysis 2021).
Mindful of these risks, US financial giant JPMorgan, for example, is among few in its sector taking a multicloud approach. JPMorgan managers have cited concerns over a lack of control with a single provider and, in the case of a major outage, the complexity and the time needed to migrate to another provider and back again.
Regulators are also concerned — especially in the financial services industry where new rules are forcing banks to conduct due diligence on cloud providers. In the UK, the Bank of England is introducing new rules to ensure better management oversight over large banks’ reliance on cloud. And the European Banking Authority mandates that a cloud (or other third-party) operator allows site inspections of data centers.
A newer proposed EU law has wider implications: the Digital Operational Resiliency Act (DORA) puts cloud providers under financial regulators’ purview for the first time. Expected to pass in 2022, cloud providers — among other suppliers — could face large fines if the loss of their services causes disruption in the financial services industry. European governments have also expressed political concerns over growing reliance on non-European providers.
In 2022, we expect these “concentration risk” concerns to rise up more managers’ agendas. In anticipation, some service providers plan to focus more on enabling multicloud configurations.
However, the concentration risk goes beyond cloud computing: problems at one or more big suppliers have been shown to cause technical issues for completely unrelated services. In 2021, for example, a technical problem at the content distribution network (CDN) provider Fastly led to global internet disruption; while an outage at the CDN provider Akamai took down access to cloud services from AWS and IBM (as well as online services for many banks and other companies). Each incident points to a broader issue: the concentration of control over core internet infrastructure services in relatively few major providers.
How will these concerns play out? Some large customers are demanding a better view of cloud suppliers’ infrastructure and a better understanding of potential vulnerabilities. As our research shows, more IT and data center managers would consider moving more of their mission-critical workloads into public clouds if visibility of the operational resiliency of the service improves.
While public cloud data centers may have adequate risk profiles for most mission-critical enterprise workloads already, details about the infrastructure and its risks will increasingly be inadequate for regulators or auditors. And legislation, such as the proposed DORA, with penalties for outages that go far beyond service level agreements, are likely to spur greater regulatory attention in more regions and across more mission-critical sectors.
The full Five Data Center Predictions for 2022 report is available here.