
Drone strikes show why key military principles apply to cloud data

One key thing every soldier knows is that bunching up under fire is a very bad idea. Here, a retired French general says CIOs need to apply the same principle to data in the cloud

At dawn on 1 March 2026, Iranian drones struck three AWS facilities. Two data centres in the United Arab Emirates were directly hit, and a third in Bahrain was affected by a nearby strike. The company advised clients to migrate workloads to other regions.

Banking, payment, delivery services, and enterprise software ground to a halt across the Gulf region. On 23 March 2026 and 2 April, the AWS Bahrain region was again officially declared "disrupted" due to new drone attacks.

This is the first time in history a military power has deliberately destroyed hyperscale cloud infrastructure. It's not a security incident. It's a major risk for businesses and organisations.

You're a target too

Tehran justified its strikes by alleging the Bahrain data centre supported military operations. AWS denied it. Regardless of the truth, the attacker's logic is relentless: The same servers hosting your HR data, business apps, and customer files could also process military data. You don't know it. You can't know it. And that ignorance won't protect you.

It’s likely no company execs had listed "physical datacentre destruction" in their risk mapping. It's time to add it.

Lessons learned from 36 years of operations

I won't discuss classified matters, but the first rule every military leader learns even before the War College is this: Never concentrate critical functions on a single node. Never. A competent adversary will find it. And strike it. 

AWS, Microsoft Azure, and Google Cloud hold over 70% of the global cloud market. Organisations have collectively built exactly what every resilience doctrine, military or civilian, forbids. And we've done it to chase savings. 

Outages don't need visas 

You don't even need to invoke war for this reasoning to apply at your next board meeting. 

On 20 October 2025, an AWS failure forced hospitals back to paper procedures. Nine days later, an Azure configuration error paralysed Alaska Airlines, Starbucks, Costco, and telecom operators for eight hours, at an economic cost of billions. Between June and December 2025, each of the big three hyperscalers suffered at least one major outage.

So you need to answer two questions: What's the maximum tolerable downtime for your critical systems? How does your current architecture protect your data when your hyperscaler fails? If you lack these answers, you have a governance problem, and likely a technological one too.

A global regulatory signal

Regulators aren't waiting. 

In Europe, NIS2 and DORA mandate continuity plans and explicit management of cloud provider concentration risks for critical entities and financial institutions. 

In the U.S., the SEC and CISA have issued similar guidance. In Asia-Pacific, Singapore's MAS and Australia's APRA are moving the same way. The regulatory signal is global and converging.

I weigh my words: Any organisation that migrated critical systems to a single hyperscaler without an alternative recovery plan is out of compliance with its regulatory framework, and the IT leader often knows it perfectly well; they just lacked the budget to do otherwise.

The real cost of cloud

The promise of cloud was simple: Less tied-up capital, less operational complexity, more agility. 

The total cost of ownership reality is darker. Egress fees, cumulative subscriptions, unilateral price hikes on clients whose exit costs are prohibitive. Multiple industry studies agree. More than half of IT leaders surveyed have cut other budget lines to absorb rising cloud costs. That’s growth driven not by new usage, but by vendors knowing you can't leave. 

A pricing lock-in has now been added to the tech lock-in. For a CFO, it's a structural, uncontrolled budget risk, to be listed in supplier risks like dependency on a single raw material.

The CLOUD Act isn't a contract clause

Data hosted by providers subject to US jurisdiction may be accessible under US legal orders, even when stored abroad. The CLOUD Act enables authorities, through legal process, to request such data regardless of storage location.

For global organisations, this can create tension with local data protection frameworks, including Europe's GDPR, Asia's PDPA, or US sector regulations such as HIPAA or GLBA. Contractual measures alone may not fully eliminate these conflicts. 

In a geopolitical context where national priorities are increasingly asserted, this is not just a theoretical concern. It is a counterparty risk that should be evaluated accordingly.

A technical fix exists: encryption with keys under exclusive client control. It requires not abandoning infrastructure mastery. Many, unfortunately, have.

Hybrid architecture… and the players to build it

I must be honest: I long underestimated US hyperscalers' operational strengths. Their scalability, advanced services, and global availability are real. The issue isn't their competence. It's our exclusive dependence. 

The resilient answer won't come from duplicating hyperscalers. No new entrant will become a global hyperscaler in 10 years. The credible path is different and involves independent specialists, world leaders in their niches (object storage, security, critical data management) that are able to assemble coherent offerings against a dominant provider.

These players exist. With regard to infrastructure and object storage – the layer carrying critical data, backups, regulatory archives – independent vendors today serve top global media, leading telcos, and highly regulated financial institutions across continents. They have usage proof. The strictest security certifications – US, European, and Asian – cover the value chain. The technology is there.

What's missing isn't technology. It's the purchasing doctrine that makes it legible for a busy decision-maker facing a well-prepared hyperscaler salesperson. Public and private organisations fund their own digital dependence yearly via buying decisions. It's not inevitable. It's a choice. Most national legal frameworks allow preferences for resilience and security in tech tenders. They're underused for lack of clear doctrine. We must produce that doctrine and legally protect those applying it.

Decision time

Three warnings in twenty months: The Paris Olympics rail sabotage in July 2024, the hyperscaler outage in autumn 2025, and the Gulf data centres in spring 2026. In each case there was a single point of failure, and organisations were caught without real backup plans.

Every invested euro, dollar or dirham in a cloud whose real location and physical resilience you don't control is an unvalued risk on your balance sheet. Your regulators see it. Your insurers are starting to price it. Your boards will soon ask.

Leaders who wait for a fourth nudge to embed digital resilience in corporate strategy will be exposed to regulatory, fiduciary, and human liability that neither shareholders, regulators, nor teams will forgive.

The skills exist. The solutions exist. What's missing? I hesitate to say, "the decision" because it's too simple. But that's exactly it. The decision. 

Laurent Boïté is a retired Major General of the French Air and Space Force, a former commander of French forces in Djibouti, former head of digital strategy for the French armed forces, and is now senior vice president with object storage provider Scality.
