Cloud concentration has become a significant emerging risk for many organisations, according to a recent survey by Gartner, Inc.
The Gartner 3Q23 Emerging Risk Report surveyed 294 risk executives about their views on emerging risk or over-the-horizon risks.
It found that the risk associated with dependence on a particular cloud provider for multiple business capabilities is in the top five emerging risks for organisations for the second consecutive quarter.
“The risk associated with cloud concentration is fast losing its ‘emerging’ status as it is becoming a widely recognized risk for most enterprises,” said Ran Xu, director, research in the Gartner Legal Risk & Compliance Practice. “Many organizations are now in a position where they would face severe disruption in the event of the failure of a single provider.”
Third party viability and mass generative artificial intelligence availability also made the top five for a second consecutive quarter as well, with third-party viability topping the list on both occasions.
Xu commented: “Third-party viability’s continued position reflects ongoing shifts in supply chain networks, uneven inflationary effects and continued labor pressures stoking fears that third-parties may become insolvent.
“Mass generative AI availability is concerning risk leaders because almost everyone now has easy access to AI models with nascent (or non-existent) guidelines in place.”
According to the report, cloud concentration risk has come about because many organizations have opted to focus their IT efforts on a handful of strategic providers in order to reduce IT complexity, and therefore also risk, cost and skill requirements.
“Where organizations have chosen to go the route of hosting their IT services in public clouds, there aren’t many obvious ways to avoid concentration risk while keeping the benefits of cloud services,” said Xu. “Moreover, regulations at the country and subnational level diverge on concentration risk, anti-competition, data sovereignty and privacy rules pertaining to cloud services – further complicating the picture.”
The three main potential consequences of this risk, according to Gartner experts, include wide incident “Blast Radius”, high vendor dependence and regulatory compliance failures.
With the first issue, the more applications (and business processes) depend on a particular cloud provider, the greater the potential breadth of impact of a cloud service issue, which may heighten business continuity concerns.
Analysts note that, with concentrated dependency on a particular vendor can reduce future technology options and allow vendors to exert significant influence over the organization’s technology future.
Finally, Garner warns that organizations may be unable to meet regulatory demands to address concentration risk across different regulatory bodies, which may have different approaches to concentration risk.
“Currently, if the benefits of public cloud use are considered strategically important to a business, there are not many obvious solutions to remove the risk altogether,” said Xu.
He concludes: “That’s why it is especially important that businesses have a well-considered continuity plan to put into action should they face any major cloud service issues.”
