Could the UK mid-market be falling out of love with the public cloud? Topline data from our recent report suggests that might be the case. It shows 97% of IT and business decision-makers intend to migrate applications or workloads from the public cloud over the next 12 months.
However, before the separation papers are drawn up, it’s worth examining the findings in more detail. While 43% of respondents say they will repatriate a significant portion of their applications or workloads from the public cloud, the majority (49%) plan on removing just a few specific ones from cloud providers.
Chief Technology Officer at Node4.
This kind of partial repatriation stems from mid-market companies taking a more targeted and pragmatic approach to public cloud consumption. They’re likely to be exploring ways to optimize location and workload in environments that work best for their specific needs. That means making cloud-appropriate rather than cloud-first decisions.
If this trend continues – and there’s no reason to think that it won’t – we can expect to see a higher proportion of mid-market companies with a substantial footprint of on-premises IT infrastructure and a more select set of applications running in the public cloud.
IDC data supports this argument, with 88% of cloud buyers stating they are deploying a hybrid cloud environment or are in the process of operating one.
What’s driving public cloud repatriation?
There’s no single motivation. But if I had to pick one overarching trend, it would be taking back control to minimize risk:
– The risk that ill-judged historic lift-and-shift migrations are preventing mid-market organizations from reaching their full growth and profit potential.
– The risk of storing data outside UK borders with non-UK companies due to stricter international data protection regulations and a more protectionist US administration.
– The risk of misconfiguring public cloud-based cybersecurity tools due to a lack of in-house IT skills.
Taking back control of workloads that were never intended for the cloud
Partial cloud repatriation provides a way to undo some of the poorly thought-out lift-and-shift migrations that stopped organizations from achieving their full growth and profit potential.
Many IT decision-makers were quick to blame public cloud service providers. But it’s more likely that the applications and workloads were never intended for public cloud environments, or that cloud-enabled applications and workloads were incorrectly configured.
Either way, poor application and workload performance meant that the expected efficiency gains and cost savings from public cloud adoption did not materialize. This led to budgeting and resourcing problems, as well as friction between IT management, senior leadership teams, and other stakeholders.
With mounting pressure and a tough economic outlook, a significant proportion of mid-market organizations now feel compelled to remove poor-performing workloads and applications from their public cloud environments and locate them in more suitable settings.
Data sovereignty and compliance
Concerns over data sovereignty and compliance have also influenced decisions to repatriate public cloud workloads and adopt a hybrid cloud model, particularly due to worries about DORA, GDPR and US Cloud Act compliance. DORA and GDPR both place greater emphasis on data sovereignty, so organizations need to have greater control over where their data resides.
This makes a strong case for repatriation of specific workloads to maintain compliance with both sets of regulations – especially within highly regulated industries or for sensitive information such as HR or financial data.
Meanwhile, the US Cloud Act may also be indirectly responsible for some cases of partial repatriation, specifically among those organizations transferring data back to their own on-premises infrastructure or to other UK-based cloud service providers.
A growing number of mid-market organizations are concerned about the ability of US authorities to access sensitive data when stored on servers belonging to US companies, even if those servers are located outside the USA. The Act, of course, gives US authorities the legal right to access data stored on all the major cloud service providers.
In some ways, these are not new concerns. Companies outside the US – but using US-owned IT infrastructure – have long been worried about the clash between data protection as outlined in GDPR and the global reach of data disclosure requests by US authorities. But this has been exacerbated by the US Cloud Act and concerns over a more protectionist US government.
Public cloud, cybersecurity and IT skills shortages
That number falls to around 75% for fully cloud-based organizations. Worryingly, around one in ten mid-market companies with a primarily cloud-based infrastructure say they’re not confident at all in their ability to prevent and respond to cyberattacks.
This is perhaps surprising, given the amount of cybersecurity tooling available from all the major cloud providers. It suggests that the availability of cybersecurity tools does not automatically lead to IT decision-maker confidence in their organization’s cybersecurity posture.
These platforms offer robust security, but confidence comes from execution, not accessibility – and that requires investment in skills, automation, and visibility.
There’s an interesting element of control here, too. Is it possible that mid-market companies would be happy to trade the advanced – but remote – cybersecurity functionality in the public cloud for a less complex – but accessible – alternative? Perhaps this argument gains further weight in the context of DORA and GDPR data sovereignty and compliance concerns.
Additionally, there is a suggestion that a lack of IT security skills may be contributing to cybersecurity-driven repatriations. Research shows that more than 90% of mid-market organizations face an IT skills shortage, with over half being significantly affected. Nearly a third of respondents say cybersecurity specialists are the most difficult roles to hire or retain.
Some mid-market organizations may lack the in-house skills to configure and manage cybersecurity in public cloud environments or even understand their default settings. These organizations may well feel that opting for an on-premises solution, despite the advanced cybersecurity features provided by public cloud platforms, is a lower risk option.
Conclusions
Public cloud still plays a vital role across UK mid-market organisations, but it’s no longer the default setting. IT and business leaders are optimising their IT infrastructure for performance, compliance, and control, not just convenience. They are also weighing up the in-house skills available to them to successfully operate their public cloud infrastructure, particularly the cybersecurity elements.
Ultimately, the trend towards partial repatriation underscores the importance of tailored cloud strategies that align with specific organisational needs and capabilities. Those who get this balance right will unlock greater efficiency, agility, and resilience from their infrastructure investments.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro