
Why concentration, supply chains, and even geopolitics should factor into your cloud decisions.
Most businesses now run on cloud services. Email, files, line-of-business applications, backups—if you’re a typical UK SME, a significant chunk of your IT infrastructure probably lives in someone else’s data centre. For many workloads, that makes perfect sense. But there’s a conversation that doesn’t happen often enough: what are the risks of putting all your eggs in one very large basket?
The Concentration Problem
When we talk about “the cloud,” we’re really talking about a handful of enormous companies. Amazon Web Services, Microsoft Azure, and Google Cloud between them host a staggering proportion of the world’s business data and applications. In the UK, most SMEs using cloud services are ultimately relying on one of these three providers, whether they realise it or not.
This creates concentration risk. Thousands of businesses—including competitors, suppliers, and customers—all sharing the same underlying infrastructure. When something goes wrong at that scale, the blast radius is enormous. We’ve seen this play out repeatedly: a configuration error at AWS takes out half the internet; an Azure Active Directory outage locks millions of users out of their systems; a Google Cloud networking issue disrupts services globally.
These aren’t hypothetical scenarios. They happen regularly. And when they do, there’s nothing you can do except wait for someone in a data centre you’ve never seen, in a country you might not even know, to fix the problem.
Supply Chain Attacks: The Threat You Can’t See
In April 2026, the security industry was shaken by the Trivy breach. Trivy is an open-source security scanner used in thousands of cloud environments to check for vulnerabilities. Attackers compromised the project and used it as a backdoor into over a thousand SaaS environments. The attackers were collaborating with Lapsus$, a group known for high-profile breaches of major technology companies.
Around the same time, LiteLLM—a piece of AI middleware present in over a third of cloud environments—was also compromised. These weren’t attacks on individual businesses. They were attacks on the tools that cloud environments depend on, and by extension, attacks on everyone using those tools.
This is the nature of modern cloud infrastructure. Layer upon layer of third-party components, open-source libraries, container registries, and automated pipelines. Each layer is a potential entry point. You might have perfect security practices within your own systems, but if something upstream is compromised, you’re exposed anyway.
The larger and more complex the cloud environment, the more dependencies it has, and the more attack surface it presents. A hyperscaler like AWS or Azure has thousands of moving parts. That’s thousands of opportunities for something to go wrong—or for someone to make it go wrong deliberately.
The Uncomfortable Question
Here’s something that doesn’t get discussed much in polite IT circles: hyperscaler data centres are strategic targets.
We live in uncertain times. Cyber warfare is now a routine part of international conflict. Critical infrastructure is explicitly on the target list for state-sponsored attackers. And what could be more critical than the data centres that run significant portions of a nation’s economy?
AWS eu-west-2, Azure UK South, Google’s London region—these aren’t secret facilities. Their locations are publicly known. They’re enormous, they’re concentrated, and they’re high-value. Take out one building and you disrupt thousands of businesses simultaneously.
You don’t even need to physically attack them. A sophisticated cyber attack on the management plane, or a supply chain compromise like the ones we’ve already seen, can achieve similar disruption without anyone leaving their keyboard.
This isn’t scaremongering. It’s risk assessment. And it’s the kind of conversation that boards should be having but often aren’t, because the default assumption is that “the cloud” is inherently safe and reliable.
Data Sovereignty Matters More Than Ever
Where your data physically resides matters. It determines which laws apply to it, who can compel access to it, and what protections you have.
When you use a US-headquartered hyperscaler, your data may be subject to US law regardless of where it’s physically stored. The CLOUD Act gives US authorities the power to demand data from American companies even when that data is held overseas. This creates legal uncertainty for UK businesses, particularly those in regulated industries or handling sensitive information.
Public sector organisations are increasingly insisting on UK-sovereign infrastructure for exactly this reason. They want their data stored in the UK, managed by UK-based staff, subject exclusively to UK law. That’s not paranoia—it’s prudent governance.
Private businesses should be asking the same questions. If your data is important enough to back up, it’s important enough to know exactly where it is and who can access it.
A Different Approach
At Trichromic, we’ve made deliberate choices about how we deliver cloud services. Our CloudDESKTOP platform runs on Hyper-V host servers that we own and manage, located in UK data centres. This isn’t us reselling someone else’s infrastructure—it’s hardware we control, running software we configure, maintained by engineers we employ.
This approach has several advantages:
No concentration risk. Your systems aren’t sharing infrastructure with thousands of other businesses. An outage at AWS or Azure doesn’t affect you.
Controlled supply chain. We’re not automatically pulling updates from upstream repositories or running container orchestration platforms with sprawling dependency trees. We control what software runs on your systems and when it gets updated.
Lower target profile. A few racks in a regional UK data centre don’t present the same target as a hyperscaler mega-facility. We’re not invisible, but we’re not painting a target on our roof either.
True UK sovereignty. Your data is in the UK, managed by a UK company, subject only to UK law. No ambiguity about jurisdiction or foreign government access.
The Honest Trade-Off
We’re not suggesting that hyperscalers are bad or that you should avoid them entirely. For certain workloads—particularly those needing massive scale, global distribution, or cutting-edge services—AWS, Azure, and Google Cloud are genuinely excellent options. We use Microsoft 365 ourselves because Microsoft’s security team and infrastructure for running Exchange at scale are better than anything we could build. That’s a sensible architectural decision, not a compromise.
But not every workload needs hyperscale. Many businesses would be better served by infrastructure that’s simpler, more controlled, and less exposed to the risks we’ve described. If you need a virtual desktop environment, a file server, or a place to run line-of-business applications, you don’t necessarily need the complexity of a hyperscaler—and you might be taking on risks you haven’t fully considered.
The question isn’t “cloud or no cloud.” It’s “which cloud, for which workloads, with which risks?”
Questions to Ask Your Provider
If you’re reviewing your cloud arrangements—or choosing a provider for the first time—here are some questions worth asking:
Where exactly is my data? Not “in the cloud” or “in the UK”—which specific facility, and who operates it?
What’s the supply chain? How many third-party components does the platform depend on? How are updates managed? What happens if one of those components is compromised?
What’s the blast radius? If there’s a major incident, how many other businesses are affected? Is my infrastructure isolated or shared?
Who has jurisdiction? Is my data subject to foreign laws? Could a government I didn’t elect compel access to my information?
What’s the target profile? Is this infrastructure a high-value target for attackers—state-sponsored or otherwise?
These aren’t trick questions designed to make hyperscalers look bad. They’re legitimate risk assessment questions that any business should be asking about critical infrastructure.
How Trichromic Can Help
We’ve been providing IT services to UK businesses since 2006. We understand that different workloads have different requirements, and we help our customers make sensible decisions about where to run what.
For workloads that benefit from our controlled, UK-sovereign infrastructure, we offer CloudDESKTOP—a virtual desktop and server platform that gives you the flexibility of cloud computing without the concentration risks and supply chain complexity of the hyperscalers.
For workloads that genuinely need hyperscale services, we can help you navigate that landscape too. We’re not ideological about infrastructure—we’re practical. The right answer depends on your specific requirements, risk tolerance, and budget.
If you’d like to talk through your options, give us a call on 020 3327 0310 or visit www.trichromic.com. We’re happy to have an honest conversation about what makes sense for your business—even if the answer turns out not to involve us.