Now that almost all organizations have at least established some kind of foothold in the cloud, the real growth begins. Cloud adoption rates keep ticking upward as organizations push more workloads and more critical applications into the cloud. As that happens, leadership faces a debate of growing importance.

Organizations must ask themselves how diversified they want to be. Do they place the growing mound of eggs in a single cloud hosting basket for simplicity's sake? Or do they divvy them out into multiple hosting baskets to spread out their risk? If the latter, how many baskets is the right number?

Multi-cloud is a reality at a significant chunk of organizations today, adopted not just to deaggregate risk but also to serve the needs of different lines of business and tech functions. However, the data indicates that cloud consolidation is also happening.

In our recent Cloud Risk Surface Report, the data scientists at Cyentia Institute found that some 70% of firms rely on four or fewer cloud providers today. What's more, the top five clouds alone host assets from 75% of organizations.


Figure 1. Distribution for the number of cloud providers per organization

In the hunt for efficiency, many organizations seek to streamline their infrastructure by consolidating cloud providers. They'd rather not expend the extra resources to maintain different features, frameworks, and APIs for diversity's sake. However, this kind of consolidation suggests a massive transfer of trust and value to cloud providers. As a result, we're aggregating risk within a few cloud providers. You can get a good snapshot of that risk aggregation by taking a look at the distribution of hosts among top cloud providers based on asset value ratings.

Figure 2. Distribution of hosts among top cloud providers based on asset value ratings

The data shows that a full 80% of firms host high-value assets externally—42% use one of the top five cloud providers to host those assets.

The data also implies that heavy consolidation like this may well affect security. We wanted to put numbers to how provider diversification impacts cybersecurity, so we had the data scientists correlate the number of cloud providers each organization uses with the percentage of its hosts that have high or critical security findings.

They discovered that firms with four clouds exhibit one-quarter the security exposure rate of those with just one cloud provider. Using eight clouds cut that rate in half again. The data suggests that the rate of severe security findings is at its highest when cloud diversity is at its lowest. Interestingly, though, there are diminishing returns. Beyond eight clouds, security issues level off and even start to rise among the hyper-diversified.


Figure 3. Rate of severe security findings by number of cloud providers

The trend line indicates that there seems to be a "Goldilocks Zone" of risk, where not too few and not too many cloud providers create a managed risk zone that's just right for organizations. That Goldilocks Zone varies firm to firm, but the point the trend hammers home is that the story is more complicated than simply "more clouds=more secure."

At the same time, there seems to be a legitimate risk dimension to the choice of cloud consolidation versus diversification. If your organization is weighing how diverse it wants to be, you may want to keep the Goldilocks Zone in mind as a factor to consider.