The nightmare begins like this. A European data centre belonging to a major cloud computing provider goes offline. At first, the cause of this shutdown is unknown – it could be a power cut, a flood, or a fire – but the effects are felt immediately. Across the continent, an avalanche of web pages stutter and stop.
If it only lasted hours, the disruption would be minimal: lost earnings here, irate customers there. But this outage lasts days, long enough for organisations reliant on this particular cloud provider to start panicking. First among them are the financial institutions that have loaded so much of their capacity for online banking onto these cloud data centres. Suddenly, hundreds of thousands of people are unable to buy or sell, transfer money or even check the status of their accounts.
The losses from such a scenario are impossible to predict but would undoubtedly be heavy. This is one reason why UK financial regulators are scrutinising the financial sector’s relationship with cloud providers. For all the advantages they bring in terms of accelerating the roll-out of digital services, there are also concerns about the tendency of cloud firms to lock their customers into restrictive contracts, Bank of England governor Andrew Bailey said at a press conference last July. “That concentrated power on terms can manifest itself in the form of secrecy, opacity, not providing customers with the sort of information they need to monitor the risk in the service,” said Bailey.
The Bank of England has since joined the US Treasury, the Bank of France and the EU in calling for new measures that compel banks to stress-test their relationship with individual cloud providers. “Part of the problem that the FCA and the Bank of England have is that a lot of these providers don’t come under their jurisdiction,” explains Sarah Kocianski, head of strategic insights at Founders Factory. Compelling banks to think carefully about how they use the cloud is one way of mitigating risks to the wider financial system – but even that’s a “hell of a challenge,” Kocianski says, as it requires institutions such as the Bank of England to coordinate their rules with every one of its international counterparts.
And while that framework is decided, the public cloud options available to businesses of all stripes are diminishing. Currently, that field is dominated by three so-called ‘hyperscale’ providers: Amazon Web Services (AWS), with an estimated market share of 50%; Microsoft Azure at 33%; and Google at 15%. While smaller firms still constitute a sizeable portion of the overall market, their slice of the overall cloud computing pie is shrinking, a process only accelerated by high entry costs for new providers and pandemic conditions that saw demand grow by 40.7% last year.
The cloud services that these firms provide – from infrastructure as a service (IaaS) to more differentiated platform offerings such as machine learning or security – have democratised access to computing power for countless organisations around the world. “You store all your stuff on this and you don’t have to buy a basement full of servers,” says Professor Donald Polden of Santa Clara University. “Cut them a cheque and you’re done!”
Nevertheless, the winner-takes-all nature of the cloud market gives rise to new risks, Polden adds. Historically, he says, such ecosystems see “dominant players tend[ing] to follow each other’s habits and practices” – a situation that may require new antitrust protections.
The irony with oligopolistic markets – those that are dominated by a small number of suppliers – is that they tend to be competitive in all the wrong ways, explains Polden. A fight for market share that results in only a handful of very large companies left standing is usually one where most opportunities to compete on price and innovation have long been exhausted. Consequently, these firms adapt by fighting to retain their existing market share, usually by semi-coercive means. An example of how this is happening in the cloud services market, says Polden, is through the so-called ‘egress fee,’ which “locks in customers and it reduces the incentives on both the supplier and the customers to price shop for a better deal.”
Other anti-competitive practices cited by critics of hyperscale providers include overly long contracts, bundling – in which software packages are combined with infrastructure provision at a lower premium, pricing IaaS-only providers out of the market – and self-preferencing, which can see new and complex licensing requirements and audits imposed on customers who abstain from buying said bundle. The long-term effect of these coercive methods of retaining customers in an oligopolistic market, says Polden, is a diminishing focus on “being creative [and] innovative” and legions of poorly treated customers.
It is a prospect that lawmakers in Washington are increasingly worried about. “AWS, and to a lesser degree Azure, were featured” in the US House of Representative’s recent 450-page report into monopolistic practices across Big Tech, says Polden. While discussion of the cloud market was relatively short compared to analyses of search, data advertising and content moderation, its inclusion confirms that the market is starting to blip onto the congressional radar. Certainly among Democrats, “there is this commitment…to try and do something, if you will, about the antitrust problems in tech markets,” says Polden. “Cloud computing is a little bit lower down the list of industries to get into, but it is on that list.”
While Polden isn’t convinced that concrete action from US regulators will be coming down the pike any time soon, it’s likely to become a vibrant source of discussion among antitrust experts in the near term. Expert opinion on whether the current legal framework can handle hyperscale cloud providers is divided, explains Polden.
“Our federal antitrust laws were passed in 1890 in response to railroad trusts, gunpowder trusts, the whisky trust,” he says, but have been constantly reinterpreted by judges to punish newer forms of corporate malfeasance. Indeed, the Department of Justice and the Federal Trade Commission have proven enthusiastic in applying “these old statutory provisions against monopolies and inclusive conduct and [pursue] cases against about all” of the big tech companies.
It remains to be seen, however, whether these statutes are suitable for regulating the cloud. “The monopoly laws [are] really intended to get to firms that can control prices largely by reducing output for the product,” says Polden, a non-issue for an industry that continues to grow at a clip of 34% a year with enough capacity left over to offer a range of freemium storage options. One solution, he volunteers, might be a special court devoted entirely to issues in this space.
“The biggest problem with all that is the Republicans and Democrats would have to actually agree on something,” says Polden. “And the likelihood of that happening in the highly polarised political arena we have here is unlikely.”
But how much evidence is there that hyperscale providers are distorting the cloud market? For S&P analyst and cloud expert Jean Atelsek, fears about AWS, Google Cloud and Microsoft Azure are not founded in fact. For one thing, says Atelsek, “there are still plenty of alternatives, including IBM Red Hat, Alibaba, Digital Ocean, Oracle, Rackspace and legions of managed service providers globally that deliver services over big public clouds, as well as via their own IT infrastructure.”
Moreover, Atelsek argues, hyperscale providers should be given credit for fostering innovation in cloud computing rather than restraining it. “In times past, start-ups would have to make big capital outlays to buy processing and storage capacity,” she says. “Now, they can purchase those on an op-ex basis from public cloud providers and have vast resources at their disposal if or when needed.” That isn’t even taking into account many of the open source software projects sponsored by the largest cloud providers, adds Atelsek. “They may commercialise [these] in proprietary ways, but other vendors are free to do that, too.”
As for the systemic risks to finance created by an oligopolistic cloud market, Atelsek considers demands that providers respect standards on transparency, resiliency and data protection as entirely reasonable. Indeed, the cloud sector has taken its own steps to improve its practices on all three counts, including offering new packages such as ‘industry clouds,’ which come with compliance measures built in. The terms and conditions behind such products imply “a degree of lock-in to the platform provider,” Atelsek concedes, “but that’s a bargain that many institutions will be willing to make if they lack the considerable engineering resources needed to secure distributed environments.”
What’s more, evidence suggests that businesses are fairly savvy about the risks associated with committing to a single cloud, with many investing in hybrid public and cloud options. A recent survey by IBM of 7,200 executives revealed that those relying on a single cloud service dropped from 29% in 2019 to just 3% the following year. Another 69% responded that vendor lock-in ‘is a significant obstacle to improving business performance in most or all parts of their cloud estate'.
However, other research suggests buyers are unhappy with the ‘stickiness’ of cloud services. The Cloud Infrastructure Service Providers in Europe (CISPE), a non-profit that represents European cloud providers, commissioned a study into alleged anti-competitive practices by hyperscale provider Microsoft Azure and its smaller rival, Oracle. The resulting report by Professor Frédéric Jenny revealed a litany of complaints from 25 business cloud companies about unfair pricing strategies, bundling and self-preferencing that disturbed CISPE’s chairman, Francisco Mingorance.
“There’s a number of practices which are also identified in the study when it comes to…the licensing and the use of software applications,” explains Mingorance. “These practices further lock the customer into a relationship with the provider, both contractually and technically, when it comes to portability and switching costs. They face a situation where any switching of provider infrastructure, or even the software, is prohibitive cost-wise.”
How much clout do these companies have in resisting demands of this kind from hyperscale cloud providers? “You want an honest response?” asks Mingorance. “What about ‘none’? When Professor Jenny started this job, he approached a lot more companies than 25. All of them said, ‘Look, we’re happy to talk to you, [but] it has to be off-the-record, under an NDA, because we cannot go public on this and be subjected to retaliation in the form of lengthy, excruciating and potentially very costly audits.’”
Cloud computing: time for antitrust action?
It is a pattern of behaviour that many other businesses have begun to recognise. A month after the publication of the study, organisations representing almost 2,500 corporate cloud users signed a letter to the European Parliament asking that the practices Jenny described in the report ‘must be proscribed in the forthcoming Digital Markets Act.’ The legislation, which is intended to ensure that big tech providers ‘behave in a fair way online,’ is seen by Mingorance as the last best hope for such anti-competitive practices to be squashed.
“It’s not clear-cut that European competition law captures this situation,” he says. Testing whether it does would mean a case that lasts several years and incur sizeable risks for whichever plaintiff decides to challenge a big tech business in civil court.
New legislation would also build greater protections for EU cloud infrastructure providers more broadly. “Even if the market is… doubling every year, the market share of European competitors is shrinking at a much faster pace,” says Mingorance. What’s more, he argues, foreign hyperscale providers know that if these practices are permitted to continue, a situation will emerge where they “will have captured most of the market.”
As such, it is easy to imagine a new and more scrupulous regulatory environment for hyperscale providers aimed at shoring up consumer rights when it comes to the cloud, as well as guaranteeing stronger standards for resilience and data portability. All this talk of oligopolies and anti-competitive practices, however, obscures the fact that cloud computing has not actually been around for that long. As our collective reliance on the medium continues to grow, it is not unfeasible that the market for cloud services may continue to be fiercely competitive.
“We’re not talking about the era of the railroads, or even the beginning of the internet: we’re talking about a really new industry,” says Polden – a realisation that may stay the hand of policymakers, at least for now.