In a rapidly evolving cloud computing landscape, Bence Hezso, CISSP, argues that vendor lock-in is increasingly a strategic concern for the board and executive management. Effective and robust cloud exit strategies are needed, to minimize business interruptions, regulatory risks, and risks related to information security.

Vendor lock-in is a situation in which a customer or organization feels trapped: compelled to continue using a particular brand, product or service, regardless of its quality or performance, due to the impracticality or high cost of switching to another vendor or service provider. In cloud computing a similar situation known as data gravity also exists, in which data accumulates in a particular location (such as data warehouses and data lakes) or with a specific cloud vendor, making it more complicated and expensive to move that data to a different location or house it with another cloud service provider (CSP). This, too, can lead to an organization feeling locked in, even though vendors claim that their services are based on open standards.

Why is This an Issue in Cloud Computing?

The ability to switch CSPs is, in fact, critically important. Reasons why an organization may need to switch vendors include compliance with rapidly changing global and local regulations, business continuity, as well as data integrity and security.

Another valid reason is, simply, a better, more competitive deal: Google recently accused Microsoft of using its dominant market position to lock customers into its Azure ecosystem through complex licensing restrictions, hindering competition in the cloud computing sector. This accusation was part of Google's response to the Federal Trade Commission's (FTC) inquiry into cloud market competition, which also saw AWS and Microsoft defending the competitiveness of the cloud industry.

As organizations have migrated rapidly to the cloud – especially during the COVID-19 pandemic – little to no time has been spent developing robust cloud exit strategies as an essential aspect of a cloud management and governance framework. A planned approach to migrate away from a CSP, if needed, was either never thought of, or was an afterthought. Many organizations have since realized they are, indeed, locked in to their original vendor.

Why Do Organizations Need a Cloud Exit Strategy?

There are many reasons why organizations need an effective cloud exit strategy in place in advance (as opposed to the prospect of dealing with a cloud exit/change without a predetermined plan). Here is a selection of those risks you face without a plan:

Data Sovereignty and Portability Issues: Vendor lock-in may leave you at the mercy of proprietary data formats or security infrastructure and policies, resulting in portability and sovereignty issues. In the event of a security breach, you might need to migrate data to another environment quickly – much easier with a plan.

Limited Ability to Deploy New Technology: As the demands of a business change over time, it becomes crucial for IT to stay up to date with the latest technological advancements. However, if organizations do not have a well-thought-out cloud escape plan, it may impact their business operations negatively.

Information Security Risks: Relying on a single cloud service provider (CSP) can limit an organization's ability to deploy the best security solutions. This limitation can also lead to potential data breaches, violating data protection regulations, and sometimes making it challenging to respond to emerging threats efficiently. Additionally, vendor-specific security architectures may not be agile enough to adapt quickly to new and evolving threats. You may also be restricted to your vendor’s security features and controls; this may result in third-party or supply chain risks if a security vulnerability or software bug is discovered which is beyond your control to fix.

What Does a Cloud Exit Strategy Bring?

By contrast, investing in the development and maintenance of a cloud exit strategy brings significant advantages and benefits:

Managing Technology, Operational, and Business Continuity Risks: Having an exit strategy in place allows you to evaluate whether the current IT or cloud is still the most suitable platform for your operational needs and to plan a seamless transition to an alternative solution, either on-premises or with a different CSP.

Achieve Flexibility and Scalability: A well-thought-out cloud exit strategy will ensure you remain resilient, flexible, and in control of your technology infrastructure and data.

Ability to Comply with Laws and Regulations: Changes in regulations or legal requirements may necessitate a move to another provider or to an on-premises environment to support the compliance standards required for the organization's industry or geographic region. For example, the European Banking Authority (EBA)'s guidelines on outsourcing arrangements expect financial institutions to have a documented cloud exit strategy when outsourcing critical or important functions in line with their outsourcing policy and business continuity plans.

Efficient Cost Management: When it comes to cloud strategy, considering cloud exit planning is crucial for organizations to ensure a smooth transition away from their current cloud service provider with minimal disruption and cost.

Things to Keep in Mind While Performing Cloud Exit Assessments

Organizations have been able to rely on manual risk assessments of vendor lock-in in traditional on-premises data center environments because the rate of technology change was not as fast as it is today. However, with hundreds of virtual machines spun up in minutes in an enterprise cloud environment, and databases being created and deleted on an as-needed basis, performing a thorough cloud exit assessment is, nowadays, paramount.

In my role as a Senior Cloud Security Architect, I’ve been involved in numerous cloud migrations and security enforcements for enterprises in various sectors. However, in most cases, the cloud exit strategies remained on the backlog due to a lack of time, capacity, or skillset. Here are the things I have learned during my projects and which I recommend to other cyber security professionals working in the field:

Don’t Rely on Free Egress Traffic: Thanks to the European Data Act, Cloud Service Providers (CSPs) now offer free egress traffic, so their clients won't face extra costs for transferring data out of the cloud. But these initiatives from CSPs are relatively new and should not be seen as a reason to not develop and maintain a cloud exit plan.

Don’t Rely Completely on Manual Assessments: Planning for cloud exits by completely relying on manual assessments can be a lengthy and expensive affair. They are also susceptible to inconsistencies and human errors. Manual cloud exit assessment requires extensive analysis of data and systems, contracts, and technical details that frequently result in delays and financial stress.

Leverage Automation: On the other hand, automated cloud exit assessment solutions can provide you with a comprehensive analysis of vendor lock-ins and any potential cost escalations from CSPs. Leveraging automated solutions is cost-effective, adapts to changes quickly, and keeps up to date with ever-changing regulations and compliance requirements. This helps you overcome the difficulty of manual evaluations, avoid human errors, and achieve better compliance. It allows you to plan for exit from your current cloud in a cost-effective and compliant way, by providing valuable insights and autonomous discovery of your cloud assets.

Involve an Expert: Involving a professional team of expert engineers, architects, and security specialists can help you achieve true cross-cloud portability. They have experience in supporting their clients as they move workloads in and out of the cloud, which is paramount. An expert in cloud exit strategy will be well-aware of changing technologies, regulations, and business environments and can help you formulate a plan that fits your enterprise needs.

To minimize security risks and avoid the potential drawbacks of vendor lock-in, it's essential to take a strategic approach by prioritizing open standards and adopting a multi-cloud and hybrid cloud approach. This can help you maintain scalability and flexibility in your cloud investments. Senior leadership should ensure that this journey through the cloud is marked by strategic choices that align with long-term business goals and the organization's security needs, guaranteeing that organizations not only succeed but maintain their operational independence in the constantly evolving cloud landscape – all while remaining competitive, secure, and agile in today's digital age.

Bence Hezso, CISSP, has 10 years of experience in the finance, aviation, and technology sectors. Hezso has held various technical roles, with responsibilities that include designing robust security architectures for both startups and enterprises. His cybersecurity work spans enhancing software supply chain security, performing cloud security assessments.