Why concentration, supply chains, and geopolitics should factor into your cloud decisions
Most businesses now rely on cloud services for core operations. Email, file storage, line-of-business applications, backups, collaboration tools, and remote access often sit on infrastructure owned and operated by someone else. For many workloads, that makes perfect sense. Cloud services can be flexible, scalable, and cost-effective.
But there is an important conversation that often gets skipped: what are the risks of putting too much of your business into one very large basket?
The concentration problem
When people talk about “the cloud”, they are usually talking about a surprisingly small number of providers. In practice, a huge proportion of business systems ultimately sit on infrastructure operated by Amazon Web Services, Microsoft Azure, or Google Cloud.
That matters because it creates concentration risk.
If thousands of businesses, suppliers, partners, and customers all depend on the same underlying platforms, then a failure in one of those platforms can affect a very large number of organisations at once. We have seen major outages affect identity systems, storage platforms, networking services, and hosted applications. When that happens, the impact is not limited to one business or one sector. The disruption can spread widely and quickly.
For an individual SME, that creates an uncomfortable dependency. However well your own systems are managed, some failures will sit entirely outside your control. If a core provider has a serious problem, there may be little you can do beyond activating your continuity plan and waiting for the upstream issue to be resolved.
That does not mean hyperscale cloud is inherently bad. It means it should be treated as critical third-party infrastructure, with all the risk assessment that implies.
Supply chain risk is now part of cloud risk
Another issue is visibility. Most organisations understand the idea of securing their own systems. Fewer have a clear picture of how many third-party components sit underneath a modern cloud environment.
Today’s platforms depend on layers of software, open-source packages, repositories, APIs, orchestration tools, scanners, agents, images, automation pipelines, and external services. Every layer introduces dependency. Every dependency introduces potential risk.
That is why supply chain attacks have become such an important issue. A compromise upstream can create downstream exposure across many customer environments at the same time. In other words, you do not have to be directly targeted to be affected.
This is particularly relevant in complex cloud estates, where convenience and speed often depend on automation and a large number of interconnected tools. The more moving parts there are, the more attention needs to be paid to update controls, dependency management, change windows, and trust boundaries.
A well-run cloud environment can still be secure and resilient. But resilience does not come from assuming the platform is safe by default. It comes from understanding what you depend on, limiting unnecessary complexity, and having sensible fallback plans when something upstream fails.
The uncomfortable question
There is another issue that deserves more board-level attention than it usually receives: strategic importance.
Large cloud platforms are not just commercial services. They are increasingly part of the infrastructure that underpins day-to-day economic activity. Businesses rely on them for communication, authentication, storage, backups, productivity, and application delivery. Public services and supply chains depend on them too.
That makes major cloud infrastructure an attractive target for disruption, whether through cyber attack, supply chain compromise, operational error, or wider geopolitical tension.
This is not an argument for panic. It is an argument for realism.
Boards routinely assess the resilience of premises, utilities, telecoms, suppliers, and finance providers. Cloud infrastructure deserves the same treatment. If a critical workload depends on a single provider, a single control plane, or a narrow set of external services, that dependency should be understood and documented properly.
The question is not whether a hyperscaler is “safe” in a general sense. The question is whether your business has put too much reliance on any one platform without fully understanding the consequences of a serious outage or compromise.
Data sovereignty still matters
For many UK organisations, data sovereignty and jurisdiction are also important considerations.
It is not enough to ask whether data is “in the cloud” or even whether it is “in the UK”. The more useful questions are: where is it hosted, who manages the platform, which legal regimes may apply, and who can potentially compel access to it?
That matters most for regulated organisations, businesses handling sensitive client information, and anyone with contractual obligations around residency, confidentiality, or sector-specific compliance. Even where data is physically stored in the UK, the ownership and structure of the provider can still introduce legal and governance complexity.
For some workloads, that complexity is acceptable. For others, it is not.
The key point is that data location should not be treated as a marketing slogan. It should be treated as a governance question.
Not every workload needs hyperscale
Hyperscale platforms are excellent at what they are designed to do. If you need global reach, elastic scale, advanced analytics, specialist managed services, or rapid access to cutting-edge tooling, they can be a very strong fit.
But many business workloads do not need that level of complexity.
A virtual desktop environment, a line-of-business application server, a file server, or a private hosted environment for a defined user base often has very different requirements. In those cases, simplicity, predictability, control, and support may matter more than near-infinite scale.
That is where it is worth challenging the default assumption that every workload belongs on a hyperscaler.
Sometimes the better answer is infrastructure that is easier to understand, easier to govern, and less exposed to broad platform-level concentration risk.
A different approach
At Trichromic, we have made deliberate choices about how we deliver certain cloud services.
Our CloudDESKTOP platform runs on Hyper-V host infrastructure that we own and manage in UK data centres. This is not a model built around simply rebadging somebody else’s public cloud platform. It is infrastructure we control directly, configured and maintained by our own engineers.
That approach offers several practical advantages for the right workloads.
First, it can reduce exposure to hyperscaler concentration risk. Your platform is not tied to the same shared public cloud fabric that supports vast numbers of unrelated organisations and services.
Second, it allows tighter operational control. We decide what runs in the environment, how it is configured, how changes are managed, and when updates are introduced. That can support a more measured and predictable approach to change.
Third, it can simplify governance. For customers who want a UK-hosted service delivered by a UK provider, it offers a clearer operational model around hosting, management, and support.
Fourth, it can reduce unnecessary complexity. For many business systems, the goal is not to build a globally distributed software platform. It is to run a dependable service well.
None of that means private hosted infrastructure is risk-free. No platform is. The point is that different architectures carry different risks, and in many cases a more controlled model is a better fit than a hyperscale one.
The honest trade-off
This is not a case for avoiding hyperscalers altogether.
We use Microsoft 365 ourselves because, for services such as Exchange Online and the wider Microsoft productivity stack, Microsoft’s scale, resilience, and security investment are compelling. That is a sensible architectural choice for that workload.
The point is not to be ideological about infrastructure. The point is to match the platform to the requirement.
Some workloads benefit from hyperscale. Some do not. Some justify the complexity and shared-risk model. Others are better suited to something more contained and controlled.
A good cloud strategy is not about asking “cloud or no cloud?” It is about asking:
Which cloud, for which workloads, with which risks, and with which controls?
That is a much more useful question.
Questions to ask your provider
If you are reviewing your current arrangements, or choosing a provider for the first time, these are the kinds of questions worth asking:
Where exactly is my data hosted, and who operates the underlying infrastructure?
How much of the platform depends on third-party components, and how are those dependencies managed?
What happens if there is a major upstream incident? What is the likely blast radius?
How isolated is my environment from other customers?
What legal jurisdictions may apply to my data and the provider operating my services?
How are updates, changes, and security controls handled in practice?
What does resilience actually look like beyond the sales brochure?
These are not anti-cloud questions. They are the right questions to ask about any critical service your business depends on.
How Trichromic can help
We have been providing IT services to UK businesses since 2006. We understand that different workloads have different operational, security, and commercial requirements, and we help customers make sensible decisions about where those workloads should live.
For workloads that benefit from a controlled, UK-hosted platform, we offer CloudDESKTOP: a virtual desktop and server environment designed to give you the practical benefits of cloud delivery without unnecessary complexity.
For workloads that genuinely belong on hyperscale platforms, we can help there too. We are not interested in forcing every problem into the same technical answer. We are interested in helping customers choose the right one.
If you would like to talk through your options, give us a call on 020 3327 0310. We are always happy to have an honest conversation about what makes sense for your business.