Government use of cloud under scrutiny

AWS has vowed to publish a detailed “post-event summary” detailing the causes of the outage and the steps it had to take to bring services back online.

In the meantime, and in line with Sayers’ recommendations, HM Treasury is already being asked to account for why it has not used powers conferred on it earlier this year to ensure suppliers like AWS are up to the job of delivering resilient cloud services to organisations in the financial services sector.

The chair of the Treasury Select Committee, Meg Hillier, published a letter she has written to the economic secretary, Lucy Rigby, that appears to have been penned during the AWS outage.

The letter calls on Rigby for clarification about why, despite having the power to do so since January 2025, the Treasury has apparently so far neglected to add AWS to its Critical Third Parties (CTP) list of suppliers.

This designation, which was introduced through changes made to the Financial Services and Markets Act 2020 in November 2024, is intended to provide the UK’s financial regulators with the means to include third-party suppliers to the sector within their supervisory scope – the idea being that doing so might help better manage any potential risks to the stability and resilience of the UK financial system that might arise as a result of a third-party supplier suffering from service disruption, as happened on 20 October with AWS.

As stated in Hillier’s letter, it appears the Treasury is yet to call any suppliers into the scope of the CTP regime, including AWS, which is known to be a supplier to a large number of UK financial services institutions.

“In light of today’s major outage at Amazon Web Services … why has HM Treasury not designated Amazon Web Services or any other major technology firm as a CTP for the purposes of the Critical Third Parties Regime,” asked Hillier, in the letter. “[And] how soon can we expect firms to be brought into this regime?”

Hillier also asked HM Treasury for clarification about whether or not it is concerned about the fact that “seemingly key parts of our IT infrastructure are hosted abroad” given the outage originated from a US-based AWS datacentre region but impacted the activities of Lloyds Bank and also HMRC.

On the latter point, Hiller asked: “What work is HM Treasury doing with HMRC to look at what went wrong, and how this may be prevented in future?”

Computer Weekly contacted HM Treasury for details of its response to Hillier’s letter, and to seek clarification on whether it has plans to imminently add AWS to the CTP list. It also asked if the Treasury has concerns about parts of the UK’s banking infrastructure being hosted overseas, in the wake of the outage.

A spokesperson for the government department did not directly answer the questions posed by Computer Weekly, but did provide the following statement in response:

“We know the threat cyber attackers present, which is why we are working with regulators to establish a Critical Third-Party regime, so we can hold firms providing these services to the same high standards as other financial services institutions,” the Treasury statement read.

UK reliance on overseas clouds

Hillier’s question to the Treasury about whether it has any concerns about key parts of the UK’s IT infrastructure being hosted overseas is being echoed by other UK cloud market watchers and stakeholders in the wake of the outage.

“We should be asking the obvious question: why are so many critical UK institutions, from HMRC to major banks, dependent on a datacentre on the east coast of the US?” said Mark Boost, CEO of London-based cloud services provider Civo. 

“Sovereignty means having control when incidents like this happen – but too much of ours is currently outsourced to foreign cloud providers. The AWS outage is yet another reminder that when you put all your eggs in one basket, you’re gambling with critical infrastructure.

“When a single point of failure can take down HMRC, it becomes clear that our reliance on a handful of US tech giants has left core public services dangerously exposed,” he said.

AWS has operated a UK datacentre region since 2016, with a key selling point of these facilities being that it would allow UK-based organisations to access locally hosted versions of its public cloud services.

This adds further weight to Boost and Hillier’s line of questioning about why a US outage impacted UK-based organisations when, presumably, these organisations should be relying on the UK region to access AWS services.

When Computer Weekly put this question to AWS, citing the disruption caused to HMRC during the outage as an example, a company spokesperson advised the publication to direct that comment directly to the government tax agency.

Shared responsibility model

That response (or lack thereof) potentially speaks to the notion of the “shared responsibility model” that AWS subscribes to, whereby the organisation considers security, compliance and the resilience of its customers’ cloud environments to be something of a shared burden.

As detailed on the company’s Shared Responsibility Model reference web page, this setup is designed to “relieve” AWS customers of the operational burden of running their own cloud infrastructure, but they remain responsible for whatever data they choose to host in it.

“Customers should carefully consider the services they choose [to host in AWS] as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations,” said AWS.

“The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment.”

Speaking to Computer Weekly, Brent Ellis, principal analyst at IT market watcher Forrester, said the fact the outage originated in the AWS US-East-1 region and impacted UK organisations suggests “at least some part” of the HMRC and Lloyds setups had a dependency on that region.

“That would have been an architecture choice by those companies, but not necessarily a fault of AWS,” said Ellis. “That dependency could also have been introduced by a nested SaaS [software as a service] component for the organisations involved.

“Generally, I think this shows how complex and interconnected modern cloud-based infrastructure is, and that is a problem from a resilience perspective, especially if you do not have visibility into the nested dependencies that underlie your business technology stack.”

Regulatory intervention

Because of the impact such dependencies can have, Ellis is of the view that the AWS outage may prompt calls for regulatory intervention to prevent a repeat of it, in a similar vein to what Hiller and her colleagues on the Treasury Select Committee are calling for. “I do think it gives fodder to the greater push for sovereign cloud,” he said. “It also will probably spur regulation to increase visibility into dependencies and fault domains for critical sectors like finance.”

What users of hyperscale cloud services, such as AWS, need to know is what services and capabilities within their chosen suppliers’ extended portfolios are hosted in the UK, and how resilient they are, added Sayers.

To highlight why this is important, he cited the findings of a series of investigations into Microsoft’s cloud hosting arrangements in the Scottish policing sector that he worked with Computer Weekly to make public.

That work resulted in an initial disclosure from Microsoft that it could not guarantee the sovereignty of UK policing data stored and processed in its M365 platform.

This was later followed up with further revelations that policing data hosted in the Microsoft cloud could be processed in more than 100 countries, without users explicitly knowing about it.

“We already know Microsoft do not have a UK-based capability for all their services, but we need to know exactly what the [overseas hyperscalers] can deliver in the country and how resilient that actually is,” said Sayers. “We need to properly understand their points of failure and how they can be engineered around.”
 
Some of the hyperscalers have sought to evade answering questions on this point, claiming the information is commercially sensitive, he continued. “That’s not a defence we can tolerate anymore,” said Sayers. “These services are increasingly friable, increasingly complex and increasingly hidden from our view. If we are to rely on them, we need to know they are reliable, and if they aren’t then we need to pivot – at least for critical services.”

Customer-created issues

Ellis’s colleague, Dario Maisto, is a senior analyst at Forrester, who told Computer Weekly that AWS is aware that customer-created, cross-region architectural dependencies are part of a “bigger sovereignty problem” facing its European customer base.

“[AWS] is about to launch a perfect replica of its services [in Europe] under the AWS EU [European Union] sovereign cloud offer, with the first isolated [sovereign] region in Germany,” he said.

“In fact, the only way a client can be sure that its data and workloads do not suffer from any dependency from infrastructure abroad is physical and logical isolation of the cloud regions the client uses [so that it] must not be possible at all that the client is able to make any choice that creates a dependency on foreign infrastructure.”

Achieving this outcome, continued Maisto, means all of the services the customer needs must be hosted within the isolated region as the only ones the client can access. “A data boundary or a commitment to the market cannot guarantee what only a precise architectural construct of the client’s cloud environment can grant,” he added.

AWS is far from the only cloud provider to suffer an outage, and any cloud company an enterprise entrusts their data to could suffer a similar fate at some point in their existence.

However, Civo’s Boost said the incident highlights why enterprises should be looking to diversify their pool of cloud providers, but also why governments and regulators need to be taking a closer look at how much of the world’s infrastructure runs on a relatively small number of hyperscale cloud platforms.

“The more concentrated our infrastructure becomes, the more fragile and externally governed it is,” he said. “If Europe is serious about digital sovereignty, it needs to accelerate its shift towards domestically governed and diversified infrastructure. Governments and regulators have a responsibility to create the conditions for real competition. That means rethinking procurement, funding sovereign alternatives and making resilience a baseline requirement.”