Cloud giants are locking customers into proprietary ‘captivity clouds’ designed to prevent them from moving elsewhere, an expert has warned as new research shows nearly 40 per cent of organisations admit losing control over their IT and security environments.

Despite cloud platforms’ operational and financial benefits, the new Forrester Consulting research – which surveyed 449 IT decision makers globally – found that moving on-premises systems to infrastructure providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) has become a one-way ticket.

Although each offers a wealth of cloud-hosted services to support digitally transformed environments, Forrester found that once businesses choose to rebuild their environment on one of the cloud platforms, they are tying themselves to that provider’s application strategy.

Ditto software-as-a-service (SaaS) application providers, which run on one cloud ecosystem or another but may not be the same one their customers use.

This means customers often have little or no visibility of what is happening in the back end – and that they simply have to trust that those providers’ security, data governance, and infrastructure resilience practices are good enough to meet governance, regulatory and compliance (GRC) requirements.

These challenges have been exacerbated by issues such as the increase in the overall number of applications – cited by two-thirds of respondents – as well as an increase in the number of locations for applications (62 per cent), the shift from on-premises to cloud (54 per cent), and surging remote/hybrid workforces (49 per cent).

“The biggest challenge that most organisations have started to confront has been that when they start putting applications into cloud, they lose the ability to have full visibility and full control,” said Cloudflare ANZ head Raymond Maisano, who likened the situation to a ‘Hotel California’ – a place of hedonism and complacency that is “programmed to receive… but you can never leave”.

“This has been a real challenge for customers,” he continued, “who have been used to being able to control their security or their connectivity through on-premises infrastructure.”

“You’ve got to be able to manage cloud, but you can no longer route your traffic. Managing them all has been a real challenge, and businesses are starting to lose control of their environments.”

While cloud providers provide APIs to help customers integrate providers’ cloud services into their businesses, Maisano said, “trying to manipulate data flows and control points and policies to manage your data is a real challenge [that is] magnified by each of them being very different in the way they confront and control policies.”

“AWS will build their own control points, policies or facilities to manage their environment – which is different to what Microsoft will do, which is different to what GCP will do, which is different to what you can do with Salesforce.”

“The great part of the internet is we don't know the great apps of tomorrow. And if you're locked into an ecosystem that only hears about what runs in that environment, you lose flexibility and control, and you lose the ability to innovate.”

Walled gardens challenging AI, security strategies

Lack of control across business infrastructures prevents IT and security teams from monitoring what’s going on across their infrastructure – and the problem is getting worse, according to a new ISACA survey of more than 2000 security leaders that found Australian and Oceania firms struggle to secure digitally transformed environments.

Fully 65 per cent of Oceania firms report security understaffing – well above the 59 per cent globally – with 61 per cent of local firms claiming they are “somewhat or significantly” underfunded.

With 56 per cent of Oceania respondents reporting increasing volumes of cyber attacks in the past 12 months, just 36 per cent are confident that their organisations can detect and respond to cyber threats.

As a result, 78 per cent believe that Oceania organisations are underreporting cybercrime – well ahead of the 62 per cent global figure. This has direct implications for the efficacy of GRC requirements such as prudential standards and planned changes to Australian privacy laws, which the government is slowly reshaping.

Those regulations will directly impact companies’ obligations to monitor and control data no matter where it is hosted – and they will have implications for the generative AI tools becoming the latest additions to cloud giants’ walled gardens.

AWS, for one, recently released a generative AI toolkit called Amazon Bedrock – which will, vice president of data and AI Swami Sivasubramanian said, “put generative AI at the fingertips of every business… [and] help them tightly align their data strategy across their organisation.”

Yet as adoption of generative AI deepens firms’ commitment to cloud providers’ ecosystems, Maisano believes it will be more important than ever to preserve choice and flexibility with a “single control plane of security and policy” enabling customers to apply uniform management policies regardless of where each application is running.

“AI lends itself to the openness of the data source and the feeds that we can get into it to make the models smarter,” he said, “but AI has the potential to become another walled garden.”