Cloud concentration and its discontents¶

The Patrician has observed that Ankh-Morpork’s essential services have gradually concentrated among a small number of providers through entirely natural market forces. The water supply, the waste disposal, and the food distribution are each controlled by guilds that achieved their positions through superior efficiency, aggressive acquisition of competitors, and the natural advantage that comes from being the incumbent everyone already depends on. This concentration is excellent for the guilds and mostly adequate for the city, though The Patrician maintains careful relationships with guild leaders because the alternative would be the city discovering quite how dependent it has become on organisations whose interests don’t necessarily align with the city’s.

The internet’s infrastructure has concentrated similarly. Three companies provide the majority of cloud computing services that underpin enormous portions of global commerce, communication, and digital life. Amazon Web Services, Microsoft Azure, and Google Cloud achieved their dominance through substantial capital investment, technical excellence, and the compounding advantages that come from being the platforms everyone else builds upon. This concentration is excellent for the three providers and mostly adequate for everyone else, though the dependencies create strategic vulnerabilities that become more concerning the more one contemplates them.

The situation is not monopoly in the traditional sense because alternatives exist and customers can theoretically switch providers. The situation is dependency in the practical sense that switching is expensive enough that most don’t, that the three providers collectively control enough infrastructure that their simultaneous decisions affect everyone, and that their continued reliability is assumed despite being operated by commercial entities with their own interests rather than by entities whose primary purpose is maintaining critical infrastructure.

The Patrician notes that concentrated infrastructure is efficient and effective until it isn’t, that the transition between these states is typically rapid and unfortunate, and that the wise approach involves preparing for the “isn’t” possibility while hoping that the “is” continues indefinitely. He also notes that most organisations are not wise in this particular way.

How we got here and why it made sense¶

The cloud concentration emerged through rational decisions by companies concluding that operating their own infrastructure was expensive, complicated, and provided no competitive advantage compared to using infrastructure provided by specialists. This logic was correct and the migration to cloud computing has been largely successful for participants.

The capital requirements for building cloud infrastructure at scale are extraordinary. Data centres cost hundreds of millions of euros, networking infrastructure requires ongoing investment measured in billions, and maintaining global presence across multiple regions requires resources that only the largest companies can muster. The barriers to entry for competing with AWS, Azure, and Google Cloud are sufficiently high that new competitors emerge rarely and succeed even more rarely.

The economies of scale favour large providers who can amortise fixed costs across enormous customer bases and who can negotiate better prices with hardware vendors, power utilities, and connectivity providers. A large cloud provider pays substantially less per server, per watt, and per gigabyte than smaller competitors or individual companies operating their own infrastructure. These cost advantages are structural rather than temporary and create natural concentration.

The network effects where customers prefer providers with more services and where more customers attract more service development create self-reinforcing growth. AWS launched with basic computing and storage but expanded to hundreds of services because their customer base justified the investment. The expanded services attracted more customers who wanted comprehensive platforms rather than assembling services from multiple providers. The cycle continues with the large providers becoming more comprehensive while smaller competitors cannot justify similar breadth.

The switching costs that accumulate as organisations integrate deeply with provider-specific services make leaving difficult even when dissatisfaction emerges. An organisation using proprietary databases, serverless functions, and provider-specific management tools faces substantial reengineering to migrate to alternatives. The costs are not insurmountable but they’re sufficient that most organisations only switch under duress rather than for modest improvements.

The talent availability where engineers prefer learning platforms with broad adoption creates hiring advantages for dominant providers’ ecosystems. An engineer learning AWS has more job opportunities than one learning a niche provider’s platform, which means more engineers learn AWS, which means more companies use AWS, which reinforces the advantage. The cycle is self-sustaining and favours incumbents.

The Patrician observes that concentration through market forces is often efficient but creates dependencies that deserve more attention than they typically receive, and that the comfort of current arrangements should not discourage contemplation of less comfortable possibilities.

What the concentration actually means¶

The three providers collectively host substantial fractions of the internet’s infrastructure, which creates various implications that organisations depending on them should understand even if they cannot easily address them.

The simultaneous failure scenario where a major outage at one provider affects enormous numbers of services simultaneously has happened repeatedly and will happen again. AWS outages have taken down significant portions of the internet’s services because so many depend on AWS infrastructure. The outages are typically brief and limited to specific regions, but the concentration means that failures affect many organisations simultaneously rather than being isolated incidents.

The pricing power where providers can adjust prices knowing that switching costs constrain customer response creates situations where price increases must be absorbed because migration is not economically viable in reasonable timeframes. The providers generally use pricing power cautiously because aggressive increases would accelerate multi-cloud adoption, but the power exists and could be exercised more aggressively if competitive dynamics changed.

The service termination risk where providers discontinue services that customers depend on requires migration to alternative services or providers. The terminations happen regularly as providers rationalise their service catalogues, and the migrations are customers’ responsibility regardless of the disruption and cost involved. The providers generally provide transition periods but sometimes the replacements are inadequate or substantially different from discontinued services.

The terms of service changes where providers modify their agreements and customers must accept the changes or leave creates situations where material terms change without genuine negotiation. Large enterprise customers can negotiate but most customers accept whatever terms the provider offers because the alternative is migrating to different providers at substantial cost and disruption.

The strategic decisions by providers about technology directions, service priorities, and feature development affect entire ecosystems of companies building on those platforms. The decisions are made in the providers’ interests rather than customers’ interests even though they affect customers substantially. The customers can provide feedback but fundamentally cannot control what the platforms they depend on do or how they evolve.

The regulatory compliance complications where providers must comply with regulations in various jurisdictions affects all customers using those providers in those jurisdictions. When regulators impose data localisation requirements, privacy restrictions, or content moderation obligations, the providers’ responses affect everyone using their infrastructure in those regions regardless of individual customers’ preferences.

The Patrician observes that dependency means accepting that others make decisions affecting you and that the arrangement works well when those others’ interests align with yours and works poorly when they don’t, and that assuming permanent alignment is optimistic.

The multi-cloud aspiration and reality¶

Many organisations declare multi-cloud strategies to avoid dependency on single providers. The aspiration is reasonable but the reality is that genuine multi-cloud is expensive and complicated while token multi-cloud provides minimal risk reduction.

The cost of abstraction where creating architecture that works identically across providers requires using only common denominators rather than provider-specific services means accepting less functionality, higher costs, and more complex operations. The providers’ competitive advantages come partly from their proprietary services, and avoiding those services to maintain portability means sacrificing the benefits that justified using cloud providers in the first place.

The operational complexity of managing multiple providers simultaneously requires expertise across multiple platforms, different tooling for each provider, and reconciliation of different service models and pricing structures. The complexity increases costs and error rates while the risk reduction is modest unless the organisation is genuinely prepared to failover between providers, which most are not because implementing genuine failover requires extensive testing and rehearsal that most organisations skip.

The common pattern is using different providers for different purposes rather than genuine redundancy. One provider hosts production infrastructure, another hosts development environments, a third provides specific services not available elsewhere. This is multi-provider rather than multi-cloud and provides minimal risk reduction because losing the production provider is still catastrophic regardless of whether development environments are elsewhere.

The vendor lock-in that multi-cloud strategies attempt to avoid is often replaced by abstraction layer lock-in where organisations become dependent on the tools and frameworks they built to abstract across providers. The abstraction layers require maintenance, constrain what services can be used, and create their own switching costs that are different from but not necessarily less than single-provider lock-in.

The realistic assessment is that genuine multi-cloud providing meaningful risk reduction is expensive enough that most organisations cannot justify the cost relative to the risk being mitigated. The token multi-cloud that organisations actually implement provides psychological comfort but minimal actual risk reduction compared to thoughtful single-provider architecture with disaster recovery and data portability planning.

The Patrician observes that claiming to have multi-cloud while actually having primary provider plus some auxiliary usage is common and reflects the gap between stated risk management and actual risk management that characterises most organisational security and resilience planning.

When providers’ interests diverge from customers’¶

The cloud providers are commercial entities optimising for their shareholders rather than for their customers, which occasionally creates situations where provider interests conflict with customer interests. The conflicts are usually managed carefully by providers who value long-term customer relationships but the potential for more severe conflicts exists.

The cross-subsidisation where providers offer some services at attractive prices funded by higher margins on other services creates situations where the attractive services might be repriced or discontinued when the subsidisation no longer serves provider interests. Customers building on subsidised services discover that their economic assumptions were based on temporary pricing that changes when provider strategies change.

The competitive conflicts where cloud providers offer services that compete with their customers’ businesses create awkward situations. AWS competes with companies selling AWS-based services, Azure competes with companies building on Azure infrastructure, and Google Cloud’s parent company competes in numerous markets where Google Cloud customers operate. The providers claim to maintain separation but the structural conflicts exist regardless.

The data utilisation where providers potentially use customer data and usage patterns to inform their own service development or business strategies is not explicitly acknowledged but is concerning possibility. The providers have extensive visibility into what customers build and how they use services, which provides insights that could inform provider decisions about what services to develop or what markets to enter. The providers’ terms generally permit this use even if they claim not to exercise it.

The priority conflicts during outages or resource constraints where providers must allocate limited resources across customers creates questions about whether allocation is fair or whether certain customers receive preferential treatment. The providers are not obligated to treat all customers equally and may prioritise based on revenue, strategic importance, or other factors that disadvantage smaller customers.

The acquisition risks where providers acquiring companies creates conflicts with customers who compete with those acquired companies or who depend on services the acquired companies provide. The providers’ commitments to maintain acquired services are genuine but temporary, and customers must plan for eventual integration that might disadvantage them.

The Patrician observes that commercial providers will make decisions in their interests rather than their customers’ interests whenever these conflict, that this is entirely rational behaviour from the providers’ perspective, and that customers should plan accordingly rather than assuming that providers will sacrifice their interests for customer benefit.

The Patrician’s assessment¶

Looking at cloud concentration with appropriate attention to dependencies and incentives, The Patrician concludes that the current arrangement is efficient and mostly works well but creates strategic vulnerabilities that deserve more attention than they typically receive, that the concentration will persist because the economics favour it, and that preparing for the inevitable occasions when the arrangement works poorly is prudent even though most organisations will not prepare adequately.

The three-provider dominance is stable because the barriers to entry are substantial and because the network effects and economies of scale favour incumbents. New providers emerge occasionally but typically serve niches rather than challenging the major providers’ dominance. The concentration will continue and likely intensify as the dominant providers expand their capabilities and as customers find switching costs increasingly prohibitive.

The dependencies this creates are structural rather than temporary. The organisations using cloud infrastructure depend on providers not just for computing resources but for the comprehensive platforms they’ve built their businesses on. The dependencies deepen over time as organisations adopt more provider-specific services and as their architectures assume provider capabilities. Reversing these dependencies requires extensive reengineering that most organisations cannot justify unless forced by provider failures or strategic shifts.

The risks are manageable through careful architecture, data portability planning, and disaster recovery preparation, but most organisations implement minimal precautions because the providers are reliable enough that investing in elaborate preparations seems wasteful. The risk-reward calculation favours minimal preparation until a significant failure demonstrates the inadequacy, at which point everyone simultaneously discovers that their disaster recovery plans are optimistic about recovery time objectives and data consistency guarantees.

The multi-cloud aspiration is mostly theatre providing psychological comfort rather than meaningful risk reduction. The organisations claiming multi-cloud strategies are usually using multiple providers for different purposes rather than maintaining genuine redundancy that would allow switching between providers without disruption. Building genuine multi-cloud redundancy is expensive enough that the costs exceed the benefits for most organisations given the providers’ generally good reliability.

The provider power to make decisions affecting customers is substantial and constrained primarily by providers’ long-term interests in maintaining customer trust rather than by customers’ ability to switch providers or by regulatory constraints. The providers use this power carefully but they have it and occasionally exercise it in ways that disadvantage customers. The power will persist because the underlying economics favour concentration rather than distribution.

The realistic path forward is acknowledging the dependencies, preparing proportionate precautions, and accepting that cloud concentration is likely permanent feature of technology infrastructure rather than temporary phase. The concentration provides genuine benefits through economies of scale and comprehensive service offerings that customers value. The concentration also creates vulnerabilities that deserve recognition even if they cannot be easily eliminated.

The Patrician suggests that organisations should maintain awareness of their dependencies, should architect for data portability even if they never exercise it, should test disaster recovery procedures periodically rather than assuming they’ll work when needed, and should avoid assuming that current provider behaviour will persist indefinitely. These precautions are modest investments that provide insurance against provider failures, strategic shifts, or conflicts of interest that currently seem unlikely but that are plausible enough to deserve preparation.

The cloud concentration is not going away because the economics favour it and because the benefits for most participants exceed the costs most of the time. The concentration creates dependencies that make the internet more efficient but also more fragile than distributed systems would be. The fragility is manageable through preparation but most organisations will not prepare adequately until failures demonstrate the necessity, at which point preparation becomes crisis response rather than prudent planning.

The wise approach is using cloud providers while maintaining awareness that they’re commercial entities with their own interests, that those interests usually but not always align with customers’ interests, and that the current arrangement works well until it doesn’t. The Patrician has seen many arrangements that worked well until they didn’t, and the pattern is sufficiently consistent that preparing for the “doesn’t” possibility is prudent even when the “works well” phase seems indefinitely sustainable. The cloud concentration is no exception to this historical pattern.