The perils of over-reliance on single cloud providers

The risk associated with dependence on a particular cloud provider for multiple business capabilities is in the top five emerging risks for organizations for the second consecutive quarter, according to a survey by Gartner.

Emerging risks

In September 2023, Gartner surveyed 294 risk executives about their views on emerging risk or over-the-horizon risks. The Gartner report contains detailed information on the possible impact, time frame, level of attention, perceived opportunities and more for 20 emerging risks.

“The risk associated with cloud concentration is fast losing its ‘emerging’ status as it is becoming a widely recognized risk for most enterprises,” said Ran Xu, director, research in the Gartner Legal Risk & Compliance Practice. “Many organizations are now in a position where they would face severe disruption in the event of the failure of a single provider.”

Third party viability and mass generative AI availability both make the top five for a second consecutive quarter as well, with third-party viability topping the list on both occasions.

“Third-party viability’s continued position reflects ongoing shifts in supply chain networks, uneven inflationary effects and continued labor pressures stoking fears that third-parties may become insolvent,” said Xu. “Mass generative AI availability is concerning risk leaders because almost everyone now has easy access to AI models with nascent (or nonexistent) guidelines in place.”

Cloud concentration

Cloud concentration risk has come about because many organizations have opted to focus their IT efforts on a handful of strategic providers in order to reduce IT complexity, and therefore also risk, cost and skill requirements. Compounding the problem, a handful of hyperscale vendors dominate global and regional markets with superior technical capabilities, business reach and partner ecosystems.

“Where organizations have chosen to go the route of hosting their IT services in public clouds, there aren’t many obvious ways to avoid concentration risk while keeping the benefits of cloud services,” said Xu. “Moreover, regulations at the country and subnational level diverge on concentration risk, anti-competition, data sovereignty and privacy rules pertaining to cloud services – further complicating the picture.”

There are three main potential consequences of this risk, according to Gartner experts.

• Wide incident “blast radius” – The more applications (and business processes) depend on a particular cloud provider, the greater the potential breadth of impact of a cloud service issue, which may heighten business continuity concerns.
• High vendor dependence – Concentrated dependency on a particular vendor can reduce future technology options and allow vendors to exert significant influence over the organization’s technology future.
• Regulatory compliance failures – Organizations may be unable to meet regulatory demands to address concentration risk across different regulatory bodies, which may have different approaches to concentration risk.

“Currently, if the benefits of public cloud use are considered strategically important to a business, there are not many obvious solutions to remove the risk altogether,” said Xu. “That’s why it is especially important that businesses have a well-considered continuity plan to put into action should they face any major cloud service issues.”