Ofcom cloud report: Where the CMA should focus its probe into AWS and Microsoft

In this guest post, Owen Sayers, an enterprise security architect with Secon Solutions, who has 25 years’ experience working within the UK’s internet security framework, sets out the areas where he thinks the Competition and Markets Authority (CMA) should focus its investigation into the hold that AWS and Microsoft have on the UK’s cloud spend 

As expected, the report published by Ofcom has resulted in the referral of the clear dominance of Microsoft and Amazon Web Services (AWS) in the UK’s public cloud market to the Competition and Markets Authority (CMA).

Whilst it is right and proper that the CMA should determine its own scope for investigation, a number of areas already examined by Ofcom will undoubtedly be included.

There are, however, other areas that the CMA would be wise to include if they wish to build a full and fair view of the public cloud landscape in the UK today, and how it has been historically influenced or shaped to become what we now see.

Effect of HMG policy on the cloud market

Key areas the CMA should consider include the role and effect of UK government policy for cloud adoption, and whether the extent to which Microsoft and AWS may have been able to influence that is fair.

Successive iterations of the 2013 ‘Cloud First’ policy have become progressively more prescriptive and specific in content; moving from the original position of ‘consider cloud options first’, through ‘when we mean cloud we mean public cloud’ and finally to ‘by cloud we mainly mean Software as a Service’.

Taken in concert with the latest update in June 2023 , the CMA may conclude – as many industry observers already do – that the current distribution of cloud services in the UK, and their bulk reliance on just two global providers is largely down to HM government actions to shape the marketplace since 2014, and the ability of AWS and Microsoft to take advantage of those policies.

The CMA would also be wise to examine the means by which Microsoft took advantage of its huge desktop and server footprint in government to leverage cloud adoption after the UK published its cloud first policy in 2013.

Existing desktop end-user service licences (Windows O/S and Office suite) provided under Microsoft Enterprise Agreements were then bundled with cloud service options, enabling the transfer of users from desktop services to cloud services without new procurements or changes to contract terms.

In particular, the ability of Microsoft to transition large volumes of user identity information from desktop and server-based directories into their cloud equivalent services has given both an adoption incentive to organisations seeking to use this Microsoft licencing flexibility, and significant control to Microsoft over corporate user identity management in their cloud platforms.

It has also introduced a Microsoft-controlled technology barrier or dependency between their services and other cloud service providers and facilitated soft lock-in of organisations, due to the complexity, cost and disruption attendant with identity management changes for most customers.

The CMA might wish to examine if these individually or collectively represented use of an unfair market advantage on the part of Microsoft, which no other company could similarly enjoy.

Microsoft’s placement and role in national security policy

The recently published HMG Security Classification Scheme specifically referred Government Security Advisors to Microsoft guidance and security advice ; for the first time openly listing a commercial provider as the source of technical advice for UK government security measures, a role previously uniquely held by the National Cyber Security Centre (NCSC).

Industry commentators expressed some surprise upon its publication that specific Microsoft cloud products were now listed within key Cabinet Office policies, and reflected upon both the extent to which the UK government is now dependent upon Microsoft cloud services and their potential ability to influence policy creation.

Effect on national resilience

In its report, Ofcom touched upon the outputs of studies in other countries relating to concerns of governmental public cloud service use for national resilience, as well as reporting upon the decisions made by some UK Critical National Infrastructure (CNI) providers not to make use of these public cloud services since their availability and terms of service preclude such use.

In doing so those CNI providers have stepped outside of HMG policy, but their reasoning appears sound and broadly focussed on a wider public safety interest rather than self-promotion.

Whilst it may not be in the CMA’s direct remit to examine these areas, the findings of the Ofcom report should be sufficient to question the extent to which core HMG services and regulated sectors have transitioned to public cloud services.

CMA may recommend that a national debate be established to examine the suitability of public cloud-based services for blue-light, CNI and core utilities. Such a recommendation, if made, would likely enjoy significant support from security advisors experienced in those areas.