The Cloud: Understanding the Risks, Not Just the Benefits

Nevertheless, they still experience serious regional outages when failovers cut out, and smaller cloud service providers may not have similar redundant infrastructure.

According to Uptime Institute’s “Annual Outage Analysis 2021” report the most common cause of third- party service provider outages are software and configuration issues, closely followed by networking and connectivity issues. Fortunately, that also means most interruptions can be resolved relatively quickly, which is why outages rarely last more than minutes or a few hours.

Cyberattacks account for one fifth of all outages. And while the vast majority of these are short-lived Distributed Denial of Service (DDoS) attacks, ransomware has become an increasing threat to all organizations including cloud service providers. Particularly managed service providers (MSPs) have been a favorite target of ransomware threat actors because of the opportunity to infect many of the MSP’s customers in one single attack.

From an overall impact perspective, the most significant man-made threat to cloud service providers is likely to come from a cyberattack. The 2018 Emerging Risk Report on technology “Cloud Down: Impacts on the US Economy” by Lloyds of London estimated that the ground-up loss from a 3-6-day cyber related outage at a major US cloud service provider could result in a ground up loss of between $6.9B and $14.7B.

Increasing Risks from Natural Hazards Although much less frequently occurring than manmade risks, natural hazards present an ever-present threat to cloud operations and several of these hazards are increasing in both frequency and severity due to climate change. That includes wildfires, flooding in non-flood zones, tornadoes, and hurricanes. Additionally, severe heatwaves can indirectly affect cloud service operations due to the strain on cooling systems and power supplies, which can lead to brownouts.

Another concerning driver of mass disruption risk in the cloud service sector is the geographic concentration of data centers in two US locations. Santa Clara Valley in California and “Data Center Alley” in Northern Virginia between them have the world’s largest cluster of data centers, many of which are cloud focused, according to an August 2020 story in the Data Center Frontier newsletter. Such concentration of facilities, particularly in disaster prone locations (Santa Clara), increases the risk of widespread outage from weather events, power outages and earthquakes.

Both cloud service providers and their customers can take important steps to reduce the numerous risks that can lead to outages. The first step is to determine the resilience of the cloud service operation based on factors such as location(s), redundancy, and historic uptime performance. The assessment should include critical infrastructure dependency and the ability of the provider to withstand or recover from cyberattacks and natural disasters. Any cloud service provider that has sizeable customers completes such assessments annually and many providers also have tier certifications. From a customer perspective, multi-cloud strategies are gaining popularity as a way to maintain stronger resilience.

Customers should also determine how critical the specific cloud-based service is to their day-to-day operation and what their tolerance for outages is on that basis. Many cloud service agreements include a service level provision with a performance guarantee (e.g. 99.97%), and shorter outages breaching such guarantees are often remedied through service credits. Prolonged outages and potential financial consequences are instead addressed through contractual (limitation of) liability provisions.

Finally, it’s important to determine who is responsible for what when it comes to cloud security. That ultimately depends on the individual cloud delivery model and most importantly what’s in the contract, regardless though, the main rule is the provider is responsible for security of the cloud and the customer is responsible for security in the cloud.