It’s no secret that to build world-class software for your customers, you need a resilient cloud infrastructure. But as your users grow — both in numbers and how much they use your software — you’ll begin to hear how you should consider going multi-cloud to diversify risks for your system.

A report from Flexera covering a sample size of over 700 companies suggested that almost 90% of companies are leveraging a multi-cloud strategy —  

But what “risk” are we actually diversifying by going multi-cloud?

When you hear that a multi-cloud strategy diversifies risk, think of the following categories of risks for your business. The following categorisation also briefly and implicitly explains how these risks can manifest for your business.  —

Operational Risks

1. Service outages: The possibility of a single cloud provider experiencing downtime or performance issues.
2. Data loss: The risk of losing data due to a cloud provider's infrastructure failure, security breaches, or human error.
3. Latency and performance: The risk of poor application performance or latency issues due to regional constraints or limited availability zones within a single cloud provider.
   

Security and Compliance Risks

1. Vulnerabilities: The risk of being exposed to security vulnerabilities specific to a single cloud provider's infrastructure or services.
2. Compliance: The risk of non-compliance with industry regulations or data sovereignty laws when relying on a single cloud provider's data centre locations and services.
   

Financial Risks

1. Cost overruns: The risk of unanticipated costs due to a single cloud provider's pricing model or changes in their pricing structure.
2. Vendor lock-in: The risk of being financially or operationally dependent on a single cloud provider, making it difficult and costly to switch providers or adopt new technologies in the future.
   

Strategic and Competitive Risks

1. Innovation: The risk of missing out on new features, services, or technologies offered by other cloud providers, limiting your organisation's ability to innovate and stay competitive.
2. Vendor concentration: The risk of relying on a single cloud provider that may not be able to meet all your organisation's requirements or adapt to changes in your industry or business environment.
   

Now that we have categorised these risks, let's cover the “how” of mitigating these risks, one by one using an example for each.

PART 1: Mitigating Operational Risks

Mitigating the Risk of Service Outages

Let’s take an example of a financial services company where the risk of service outages can be diversified and mitigated by employing a multi-cloud strategy. For example, let's consider a company that uses two cloud providers: AWS and Azure.

The company's core banking application relies on several microservices, such as payment processing, customer authentication, and transaction tracking. To diversify the risk of service outages, the company can architect its application across both AWS and Azure, ensuring that critical microservices are distributed between the two providers.

A possible multi-cloud architecture for this company could involve deploying the payment processing microservice on AWS, using services like Lambda for serverless compute, DynamoDB for storing transaction details, and API Gateway for managing API requests.

Meanwhile, the customer authentication microservice can be deployed on Azure, utilising Azure Functions for serverless compute, Azure Active Directory B2C for identity management, and Cosmos DB for storing user data.

By distributing the microservices across two cloud providers, the company reduces the risk of service outages affecting the entire application.

For instance, if AWS experiences an outage, the payment processing service might be temporarily unavailable. However, the customer authentication service hosted on Azure would continue to function, allowing users to log in and access their accounts.

This way, the multi-cloud strategy provides a level of redundancy and resilience that would not be achievable with a single cloud provider.

Additionally, the financial services company can implement load balancing and failover mechanisms across both cloud providers, further reducing the risk of service outages.

For example, they could use AWS Route 53 and Azure Traffic Manager to automatically route traffic to the most available and optimal cloud resources. This would enable the company to maintain a high level of performance and reliability for its customers, even in the face of unexpected service outages.

Mitigating the Risk from Data Loss

Mitigating the risk of data loss in a multi-cloud strategy involves implementing robust backup and recovery solutions across different cloud providers.

Let’s take the financial services sector for example. Safeguarding sensitive data for any financial service company is crucial.

Here's a multi-cloud architecture example that demonstrates how to diversify and mitigate data loss risks:

1. Primary Data Store: Say you choose to store your primary data in a highly available and reliable data store such as Amazon RDS, which provides built-in data replication across multiple AWS regions to ensure durability.
   ‍
2. Secondary Data Store: You can also choose to replicate your primary data to a secondary data store in another cloud provider, such as Google Cloud's Cloud Spanner. This cross-cloud replication ensures data durability even if an entire cloud provider experiences an outage.
   ‍
3. Backup Strategy: By doing so, you could also implement a comprehensive backup strategy that includes regular snapshots and point-in-time recovery options leveraging AWS Backup for the primary data store and Google Cloud's native backup solutions for the secondary data store.
   ‍
4. Encryption: You can also encrypt data both at rest and in transit using industry-standard encryption methods. For example, you can use AWS Key Management Service (KMS) for data stored in RDS, and Google Cloud KMS for data stored in Cloud Spanner.
   ‍
5. Disaster Recovery: You can further strengthen data integrity and safety by establishing a disaster recovery plan that includes failover to another cloud provider in case of data loss or unavailability in the primary provider. If you choose to do so, it’s a good practice to test and validate this plan regularly.
   ‍
6. Monitoring and Alerts: You can also set up monitoring and alerting mechanisms across both cloud providers to detect any anomalies or potential data loss events. You can native tools like Amazon CloudWatch for AWS and Google Cloud Monitoring for GCP or implement a more customised PLG (Prometheus/Loki/Grafana) stack to stay informed about the health of your data stores.
   ‍

Yes, cloud providers do provide native point-in-time and full backup recovery options but there is always a risk of fires — human error, outages, security breaches — and other strategic concerns like vendor lock-in (more on this in a bit).

Mitigating the Risk of Application Latency

This risk may not be relevant for startups and products that don’t have a significantly large number of users and concurrent requests. The reason is simple – most modern cloud providers like AWS, GCP and Azure have enough measures and native services in place to ensure a low-latency application experience for your users.

Although, according to this one research, RTT (Round Trip Time) can be reduced by up to 20% if your application architecture utilises a multi-cloud strategy. We. however, usually take such research with a grain of salt given the use case specificity for our clients.

Regardless, the following are some ways in which application latency can become a risk with a single cloud provider —

1. Geographical Redundancy‍

Using a single cloud provider may limit the available regions for a service, potentially increasing latency for clients outside of those regions.
With a multi-cloud strategy, the financial services company can deploy their trading platform across multiple regions in both AWS and Azure.

This allows them to leverage the optimal infrastructure in each region, ensuring that clients experience lower latency as their requests are routed to the nearest data centre.

2. Infrastructure Congestion & Related Issues‍

With a single cloud provider, there's a higher risk of performance degradation if the provider's network infrastructure faces challenges.

Using multiple clouds provides an added advantage of the distinct network infrastructures offered by each provider. This means that if one provider experiences network congestion or performance issues, the other provider can still ensure optimal performance for the clients.

3. Lack of Service-level optimisation‍

Although most clouds provide equivalent layers of services (serverless compute, storage, WAF etc) — there are surely some performance characteristics that offer unique benefits for you to leverage while designing your architecture.

For example, they might use AWS Lambda for a compute-intensive service that requires low-latency processing, while using Azure Functions for a service that benefits from Azure's data processing capabilities. This enables the company to optimise performance at the service level, which might not be possible with a single cloud provider.

Also, balancing load and managing redirects across 2 clouds to minimise losses during outages is a restated benefit of avoiding operational risks.

Finally – a Multi-Cloud strategy puts you in a position to leverage new innovations continuously happening across the leading cloud providers and quickly adapt your architecture to benefit from a meaningful innovation add (think how Azure is integrating Open AI’s technology).

PART 2: Mitigating Security and Compliance Risks

Mitigating the Risk of Vulnerabilities

A multi-cloud strategy can help your company diversify and mitigate the risk of being exposed to security vulnerabilities.

By utilising multiple cloud providers, you can leverage the unique security features and services each provider offers. This approach allows your company to build a more robust and secure architecture, reducing the chances of a single vulnerability leading to significant data breaches or other security incidents.

Example Architecture

Let's consider an example of an online banking application, which includes customer-facing web services, data processing services, and databases that store sensitive customer information.

A possible multi-cloud security posture for such an organisation could consist of the following services —

1. AWS Cloud

1. Amazon GuardDuty: GuardDuty, Amazon’s threat detection service, can be used to continuously monitor the organisation's AWS environment for malicious or unauthorised activity. It can protect services like Amazon EC2 instances, Amazon S3 buckets, and AWS Lambda functions.
2. AWS WAF: The Web Application Firewall (WAF) can protect the organisation's web applications, such as customer-facing online banking portals, from common web exploits like SQL injection and cross-site scripting (XSS) attacks
   

2. Azure Cloud

1. Azure Security Center: Azure Security Center can be used to provide unified security management and advanced threat protection for services hosted on Azure, such as Azure App Services, Azure Virtual Machines, and Azure Storage accounts.‍
2. Azure Sentinel: As a cloud-native SIEM (Security Information and Event Management) solution, Azure Sentinel can collect, analyse, and correlate security events from various Azure services, such as Azure Active Directory, Azure SQL Database, and Azure Functions.
   

3. Google Cloud Platform

1. Google Cloud Armor: Cloud Armor protects web applications and services hosted on the Google Cloud Platform, such as Google Kubernetes Engine (GKE) clusters, Cloud Run services, and App Engine applications, from DDoS attacks and targeted exploits.‍
2. Google Cloud Identity-Aware Proxy (IAP): Cloud IAP provides secure access control to applications and services hosted on GCP, like Cloud Functions or Compute Engine instances, by verifying the identity of users and enforcing access policies before granting access.

In this example, the organisation can utilise Amazon GuardDuty and Azure Security Center to continuously monitor and assess the security posture of its AWS and Azure resources, respectively. Meanwhile, AWS WAF and Google Cloud Armor protect customer-facing web services from web exploits and DDoS attacks.

Azure Sentinel can be used to analyse security data from various sources to detect and respond to threats, while Google Cloud IAP ensures secure access control to applications.

Mitigating the Risk of  Compliance (or lack thereof)

You can mitigate compliance risks by adopting a multi-cloud strategy, as it allows your business to leverage the best practices, tools, and certifications provided by different cloud providers.

Let's look at some technical details on how multi-cloud can help address compliance requirements:

1. Store Data Locally‍
   With a multi-cloud strategy, you can choose cloud providers that offer data centres in regions where you need to store data for legal compliance. For instance, store European customer data in an AWS data centre within the EU to follow GDPR, and use Azure data centres in the US for American customer data.
   

2. Pick Cloud Providers with Relevant Certifications‍
   Different cloud providers possess certifications catering to specific industries. By using multi-cloud, you can opt for providers with certifications relevant to your business, such as AWS's FedRAMP for US federal agencies, or Azure and GCP's HITRUST CSF for healthcare organisations.
   

3. Harness Unique Compliance Tools‍
   Multi-cloud enables you to benefit from distinct security and compliance tools each provider offers. For example, utilise AWS Config for ongoing compliance monitoring, and Azure Policy for policy enforcement across Azure resources.
   

4. Manage Encryption Keys‍
   Leverage encryption and key management services from various providers to meet compliance requirements. Use AWS Key Management Service (KMS) for encryption keys related to data stored in S3, and Google Cloud KMS for data in Google Cloud Storage.
   

5. Control Access to Resources‍
   With multi-cloud, implement granular access controls through different cloud providers' Identity and Access Management (IAM) services. Manage access to AWS resources with AWS IAM, and use Azure Active Directory for Azure resources.
   

If you understand the strengths of each cloud provider, you can capitalise on those to meet your compliance requirements with ease.

PART 3: Mitigating Financial Risks

Mitigating the Risk of Cost Overruns

As your operations grow, so do your costs and the ever-growing pressure of maximising your cloud ROI.

1. Cloud Provider-Specific Cost Savings
   Each cloud provider has its unique set of cost-saving features, allowing you to optimise costs based on the specific workloads and services you use.
   ‍
   For example, AWS offers Savings Plans and Reserved Instances to lower compute costs, while Google Cloud provides Sustained Use Discounts for continuous usage. By adopting a multi-cloud strategy, you can choose the most cost-effective options from each provider and maximise your savings.
   

2. Data Transfer and Egress Cost Optimisation‍
   Data transfer and egress costs can be a significant part of your cloud expenses. With a multi-cloud strategy, you can optimise these costs by carefully selecting the right cloud providers and regions.
   ‍
   For example, you might choose to store data in a cloud provider with lower egress fees or locate your services closer to your users to reduce data transfer costs. Additionally, using Content Delivery Networks (CDNs) like AWS CloudFront or Azure CDN can help lower data transfer costs by caching and serving content closer to your users.
   

3. Cost Optimisation through Workload Distribution
   Distributing workloads across multiple cloud providers allows you to leverage the strengths of each provider and optimise costs.
   ‍
   For example, you might run your compute-intensive workloads on a provider with lower compute costs, while storing your data on a provider with more cost-effective storage options. This approach enables you to take advantage of the best pricing and performance from each provider while reducing the overall cost of running your applications.
   

It’s important, however, to implement reliable budget alerts and cost observability mechanisms to monitor the costs across each cloud provider to effectively avoid cost overruns.

Mitigating the Risk of Vendor Lock-In

Vendor lock-in can be a concern for businesses of all sizes. For small to medium-sized businesses, lock-in might pose a risk if they want to switch providers due to better pricing or features.

In contrast, large enterprises and organisations with complex, multi-faceted applications have a higher risk of lock-in, as they might depend on proprietary services or APIs that are difficult to migrate.

While having a multi-cloud strategy is implicit in how this risk gets mitigated, it is critical for engineering teams to design their architecture in a way that moving services from one cloud to another is hassle-free and comes with minimum or no downtime.

Here are a few techniques to ensure this —

1. Use Containerisation and Microservices‍
   One of the key technical approaches to avoid vendor lock-in is by using containerisation and microservices. By encapsulating your applications into containers, you create portable units that can run on any cloud platform supporting container orchestration, such as Kubernetes. This allows you to move your workloads between cloud providers with minimal effort, giving you the flexibility to choose the best provider for your needs at any given time.
   

2. Adopt Open Standards and Interoperable Services‍
   Embracing open standards and interoperable services helps in avoiding vendor lock-in. For example, using open-source databases like PostgreSQL or MySQL instead of cloud provider-specific databases ensures that your data is accessible across multiple cloud platforms. Similarly, using open APIs and standard protocols allows for better interoperability between different cloud services.
   

3. Use Multi-Cloud Management Tools‍
   Employing multi-cloud management tools, like Terraform or Pulumi, helps manage infrastructure across multiple cloud providers. These tools enable you to write infrastructure as code, making it easier to deploy, update, and manage resources on different cloud platforms.
   

Designing a resilient architecture with migration and disaster recovery in mind equips your businesses with the flexibility to choose the best cloud provider for their needs, regardless of your business’s size or complexity, and ensures that you are not tied to a single vendor.

PART 4: Mitigating Strategic and competitive risks

If you have read this far, it's implicit how a multi-cloud strategy can help mitigate strategic and competitive risks.

Mitigating the risk of missing out on innovation and vendor concentration

Imagine if you are on AWS and your direct competitor is on Azure. If Azure is innovating and releasing newer features faster giving your competitors super-abilities to build better features and reduce cost, you will have a strategic bottleneck if you aren’t able to leverage those new Azure features.

While it is not practical to predict and plan for it, having a multi-cloud strategy or even a flexible, modular architecture can definitely be helpful.

Relying on a single cloud provider can also lead to vendor concentration risks — as its implicit from all of what we have discussed so far — where a significant portion of your business is dependent on the performance and stability of that provider.

BONUS: What are the perils of going Multi-cloud?

While a multi-cloud strategy offers numerous benefits, it is not without its challenges and risks. You should carefully consider the following potential downsides before implementing a multi-cloud approach.

1. Complexity and management overhead

Managing multiple cloud platforms can significantly increase the complexity of an organisation's infrastructure.

Each cloud provider has its own set of services, tools, and APIs, requiring businesses to invest time and resources in learning and managing these distinct platforms.

This added complexity can lead to increased operational overhead and the need for specialised expertise, potentially straining your engineering resources.‍

2. Data security and compliance‍

With a multi-cloud strategy, data is often stored and processed across various cloud providers and geographic locations.

This can complicate data security and compliance efforts, as businesses need to navigate different regulatory environments and ensure adherence to multiple sets of rules and standards.

Moreover, managing data security and privacy across multiple cloud providers can be challenging, as each platform has its own security features, protocols, and potential vulnerabilities.‍

3. Integration and interoperability‍

Integrating services and applications across multiple cloud providers can be a challenging task, as each platform has its own unique architecture, APIs, and data formats.

Ensuring seamless communication and data exchange between these disparate systems can require significant effort, custom development, and ongoing maintenance. This can lead to increased implementation costs and the risk of encountering incompatibilities or integration issues.

--

In conclusion, while a multi-cloud strategy provides numerous advantages, organisations must be prepared to tackle the associated risks and challenges.

By carefully weighing the benefits against the potential downsides, businesses can make informed decisions about whether a multi-cloud approach is the right fit for their specific needs and goals.