The recent Amazon Web Services (AWS) outage, followed within days by a similar failure of Microsoft Azure, served to highlight just how dependent organisations of all sizes are on the cloud. With Fortnite and Facebook among the apps and websites affected, no one was immune.
These outages aren’t everyday occurrences but they can and do happen; in 2024, an issue with third-party software severely impacted Microsoft Azure, causing extensive operational failures for businesses globally, while Google’s Cloud Platform experienced a major outage earlier this year due to a simple internal misconfiguration. The upshot was that the services of hundreds of thousands of companies and organisations – including airports, banks and even Governments – were severely impacted.
The backlash was immediate – many critics sought to highlight our alleged overdependence on centralised cloud providers, such as the “hyperscalers” in this space, ie Microsoft, AWS and Google.
George Foley of ESET Ireland, which offers internet security solutions, acknowledges that dependency on the cloud, but also points out that most people are unaware of how it underpins nearly all our online activity and that of the businesses, websites and apps we use. He sees the recent outages as a wake-up call.
READ MORE
“Before I got into this industry, it was all just black magic – it was just the internet, and it worked. I do feel that that’s the general consensus among people. But then something like this happens a couple of times in just the last year and people start to say, hold up – I didn’t realise this was so fragile and that it could take out my business for a full day. What if it’s two days next time, or a week?”
The reality is that there is really no practicable alternative to cloud technology. “It is the fibre of everything we do online; we can’t get away from it,” Foley admits. Housing our data in the cloud is not only pragmatic, he points out, it is hugely cost-effective. “The alternative is that companies have their own servers and host their own websites – that just gets ridiculously expensive and then obviously consumers have to eat those costs.”
Donal Óg McCarthy, a managing director at Accenture Security, backs this up, saying that selling in the global village goes hand in glove with cloud reliance.
“For businesses providing a product that you and I might use – say, a security product or something else – there is no alternative to deploying your product globally, but to use a cloud provider,” he points out. “There is no cost-effective or scalable method for you to sell your product without leveraging a cloud provider because of their scale, because of their innovation, and because the price point of the infrastructure is so far less than if you were to procure that hardware yourself. And that’s not to mind the actual carbon emissions and energy consumption reduction from a sustainability point of view.”
The recent outages were caused by “highly unusual” and significant infrastructure failures, adds McCarthy. “But what people don’t realise is that, in the background, there are pieces of hardware, pieces of equipment failing every second of every day on every cloud provider.”
As demand and thus cloud infrastructure capacity grows, so does our reliance on it – and so do the odds of another outage. “The more reliant we are on it and the more resources we’re constantly pulling from it and the more features they’re adding to it, the risk grows essentially because now there’s another loop in the chain that could break,” Foley says.
“It would be foolish to presume that there will never be a further outage,” says Ciarán Mc Goldrick, an associate professor at Trinity College Dublin’s School of Computer Science and Statistics. “There will be. If you look at how systems and architectures are marketed, there will often be an availability or uptime provision in the relevant Service Level Agreement. It might seem highly reassuring – eg, 99.99 per cent uptime when set to multi-availability zone replication, but this can translate to around 50 minutes downtime in a year.”
That may not matter a lot to your personal website – or your Instagram scrolling. “But if it affects a core or replicating component of your larger-scale offering, then it can ultimately be a lot more impactful to your end users than the simple 50 minutes might at first appear,” Mc Goldrick warns.
And for all the capability of our technology, human error is always a risk. “Fundamentally all our systems originate from human insight, input and interaction, so they can also encode and express our human foibles,” Mc Goldrick points out. In addition, the internet is no longer in its infancy, and has become old and creaky, burdened by legacy systems. “DNS [domain name system], which has been associated with some of the recent outages, is an example of a legacy system that has seen many updates and extensions over the years to make it more secure and robust. But it’s not perfect.”
Critics of centralised cloud providers are not wrong in their view that it poses systemic threats, with businesses often finding themselves in a “golden cage” built by one of the tech monoliths. “Companies and enterprises tend towards a preferred technology supplier or platform, often for cost and/or functional and/or administrative imperatives,” Mc Goldrick notes. “But hitching your cart to a single horse isn’t great if the horse lies down or doesn’t respond. For it to respond, it has to be contactable and able to hear – and this ability to hear can be impeded by anything from misconfiguration to traffic volume attacks.”
McCarthy agrees that there is a “concentration risk”, while Foley points out that “multi-tenancy” across multiple cloud hosting services is often made deliberately tricky by the providers themselves.
The naysayers calling for a complete rethink of digital infrastructure strategies have it wrong, McCarthy says, however. Rather, the recent outages should serve as a stark reminder for businesses to be “deliberate” when it comes to their resilience strategies. “You should be considerate about where is my technology, where are the services that matter to my customers? And if these services were to go down, what happens next? That’s about having a good hosting strategy, a good resilience plan, understanding where your technology sits. That’s the bigger question.”
And a more difficult question is how exactly to get off the cloud. Every company should think about their “exit strategy” from their cloud provider, McCarthy says. “They need to think, what is my exit strategy if I determine this vendor can no longer service my needs? It will take time, it will be complicated but as people start to build new systems and new products, they need to design their systems in a certain way that puts them in the best position to decouple themselves from that provider over time.”
Much of the discourse in the wake of recent cloud outages centred on the requirement for digital sovereignty, something the European Union has been pushing for. This is a huge topic currently, agrees McCarthy, who says countries such as Germany, France, Denmark and Sweden have prioritised their digital sovereignty, and there are several examples of EU legislation. “The idea of resilience and independence, and control and ownership of your data and your infrastructure, this has long been a priority for Europe,” he says.
This means the cloud behemoths have been forced to develop “sovereign cloud” offerings, which are designed to comply with a country’s or region’s specific data sovereignty laws. McCarthy explains that Microsoft, AWS and Google now provide these, while Google has gone one step further, offering what is known as an “air-gapped solution”. “This basically means it sits on its own, no connection to the outside world, and you can even run artificial intelligence and Gemini, which is their AI agent, on the Google infrastructure,” he says.
This constitutes a “huge step change” but McCarthy believes it will gain widespread adoption across Europe. “A lot of organisations in Europe are going to adopt this, not just because AWS or Microsoft have an outage, but because they want to be able to say we have full control over our technology and over our infrastructure. We want the innovation, we want the technology, but actually we want to feel, and we need to attest, that we have this level of control. This is where sovereignty is going to really play a part.”
