Navigating geopolitical risks of cloud deployments

Familiar cloud concerns are being overshadowed by geopolitical volatility, pushing IT strategy into the boardroom. Organisations must now assess the full spectrum of cross-border dependencies to build true resilience

Recent geopolitical events have made the global IT infrastructure landscape more volatile, uncertain, complex and ambiguous than ever before. In this climate of instability, organisations have become increasingly concerned about cross-border technology dependencies, driving them to re-evaluate their reliance on cloud providers.

For years, organisations have faced more familiar concerns, such as vendor lock-in, loss of vendor negotiation power and the possibility of a major outage, like what happened with CrowdStrike last year. These are challenges, but they have largely been viewed as manageable trade-offs for the innovation, agility and efficiencies of scale that cloud offers. As a result, Gartner research shows that cloud sovereignty has previously been a low priority for customers. However, this is no longer the case today.

While much of the modern IT ecosystem relies on cloud providers, the risks posed by geopolitical turbulence now extend far beyond loss of service from sanctions or trade disputes, to the potential for data theft through government seizure or extra-legal actions. There are also concerns about unpredictable cloud prices driven by tariffs, inflation and currency fluctuations. All of this is forcing cloud strategy back into the boardroom as a critical business resilience issue.

To build true resilience in this environment, organisations must take a wider view. This means assessing not only their reliance on hyperscale cloud providers, but the full spectrum of cloud dependency risks embedded in the IT environment.

Assess dependencies on cloud providers

If organisations haven’t recently assessed cloud vendor dependencies or related critical third-party risks, now is the time to act. They can start by mapping out not just direct cloud dependencies, but also the broader web of services and technologies that rely on cloud infrastructure – both inside and outside the network perimeter.

This means looking beyond the obvious cloud solutions. Many seemingly on-premises systems rely on cloud-tethered capabilities, including security solutions that depend on cloud-based threat intelligence, or hardware like network or internet-of-things (IoT) devices that are configured and managed via the cloud.

Indeed, many traditional hardware and software offerings are now licensed via the cloud. This creates hidden points of reliance that could become critical in the event of a disruption.

As dependencies are mapped out, the geopolitical footprint of each service and vendor must be considered. This means understanding several relevant jurisdictions, such as where the vendor is headquartered, where services are contracted and where they are delivered from. Having this visibility allows organisations to quickly identify which parts of the IT environment may be exposed to geopolitical risk.

Maintaining ongoing awareness of dependencies is a key success factor. In fact, Gartner research indicates that ongoing monitoring of third-party relationships is more effective than point-in-time efforts.

Potential alternatives for critical dependencies

While many organisations overbuy capabilities in the cloud, the reality is that many alternative solutions – especially for critical workloads – may not fully meet an organisation’s most critical business requirements. Sometimes no alternative solutions exist.

Switching cloud solutions or ecosystems often comes with trade-offs: higher costs, longer implementation timelines, increased complexity and a greater demand for in-house skills. These aren’t just technical decisions, but business decisions. It’s important to involve risk stakeholders from across the organisation to determine what sacrifices, if any, are acceptable in pursuit of resilience.

Potential alternatives to consider may include sovereign cloud solutions delivered through a joint venture or partner; “geopatriation” to relocate workloads and applications from multinational service providers to regional or national providers; or eliminating certain cloud dependencies altogether.

Conducting an analysis allows organisations to determine which actions are feasible – and the cost, effort, implementation risk and amount of residual risk post-implementation. Beware of increasing the overall risk by switching solutions.

Implement scenario-based planning

Not all geopolitical risks are created equal – nor will they affect organisations the same way. The impact of a given event depends on the jurisdictions involved and the nature and extent of cloud dependencies.

Scenario planning helps ensure cloud contingency strategies are aligned to the specific circumstances most likely to be encountered. Different scenarios will affect timelines, contractual protections, data access, provider cooperation, resources, budget and realistic alternatives.

Geopolitical scenarios that could disrupt cloud services include price spikes driven by economic conditions, politically motivated targeting, trade cessation or closed borders.

Gartner research indicates most organisations need at least two years to switch between cloud solutions under normal circumstances. Therefore, significant advance preparation is required to switch more quickly. It might be the case that it’s best not to add geopolitically risky cloud-dependent solutions in the future.

Putting these steps in place will enable organisations to plan for high-impact events that could negatively affect cloud dependencies.

Lydia Leong is distinguished vice-president analyst at Gartner
