Many organisations have been using ‘hybrid clouds’ – a combination of private and public cloud – for their service and infrastructure requirements, leveraging the synergies of risk and cost of the two solutions. The main advantage of the public cloud is its inherent flexibility and elasticity. For many small and medium-sized enterprises (SMEs), where the rate of return on investment (ROI) for infrastructure is particularly important, a “public cloud first” policy has been widely adopted. Similarly, using public cloud provision services is particularly attractive for enterprises with large fluctuations in resource demand, a prime example being online retailers. However, modern enterprises are dynamic environments and the drive for innovation and flexibility has meant that even large and highly regulated industries have public cloud-based platforms. Indeed, public cloud adoption has been growing rapidly, at a rate estimated to be 18% for 2017 by Gartner. Between 2015 and 2020, IDC forecasts, cloud spending will grow at seven times faster than the rate of overall IT spend.

Organisations migrating services to public clouds typically start with the least business-critical services, to “try out the waters”, and to limit business and, in particular, compliance risk in the early phases of adoption. With increased acceptance and continued innovation, and with its core advantage of flexibility and elasticity, more services are likely to source from the cloud, including those with potentially bigger business impact – and risk. However, sourcing services from the cloud are likely to have other operational impacts, including business continuity planning (BCP) and disaster recovery (DR) strategies. This is especially true for cloud resources which support other services, a prime example being the infrastructure. Unlike business continuity plans for IT services owned and run by the organisation, there is typically a more limited choice for physical locations, hardware and platforms which support the underlying cloud-based services. Whilst cloud service providers will have BCP, for critical services with high business impact on a public cloud first strategy, implementing BCP from a different cloud service provider can help to further mitigate risks in the event of an outage. In addition to potential increases in costs, however, using a diversity of cloud providers as part of the BCP will have implications for software architects. For the applications involved, they must have the same functionality on different infrastructure platforms. For cloud-first strategies, how many clouds do you need? The answer can often depend on the risk and impact of a loss of service.