Government faces questions on why US AWS outage disrupted UK tax office and banking firms
The UK government is being pressed for an answer as to why a major, multi-hour Amazon Web Services (AWS) outage in the US disrupted UK-based organisations, including HM Revenue & Customs (HMRC) and Lloyds Banking Group.
The outage, which AWS confirmed began just before 8am UK time on 20 October, originated in AWS's US-East-1 datacentre region in North Virginia, and caused large-scale disruption to a host of companies around the world, including in the UK.
The US-East-1 region is renowned for being Amazon's first and flagship cloud region, as well as its largest, and is often the place where the public cloud giant rolls out new services to customers first.
As a result, it is not unprecedented for service issues with the US-East-1 region to blight overseas users of the firm's cloud technologies.
But with concerns mounting in the UK (and other geographies) about the public and private sector's over-reliance on US-based big tech platforms, the outage has led to renewed calls for greater transparency about the resiliency of the country's hosting arrangements.
"The narrative of bigger is better and biggest is best has been shown for the lie it always has been," Owen Sayers, an independent security architect and data protection specialist with a long history of working in the public sector, told Computer Weekly. "The proponents of hyperscale cloud will always say they have the best engineers, the most staff and the biggest pool of resources, but bigger isn't always better – and certainly not when nations rely on these commodity global services for their own national security, safety and operations.
"Nationally critical services need to be recognised as best delivered under national control, and at the very least, the government should be knocking on AWS's door today and asking if they can in fact deliver a service that guarantees UK uptime," he said. "Because the evidence from this week's outage suggests that they cannot."
Government use of cloud under scrutiny
AWS has vowed to publish a detailed "post-event summary" detailing the causes of the outage and the steps it had to take to bring services back online.
In the meantime, and in line with Sayers' recommendations, HM Treasury is already being asked to account for why it has not used powers conferred on it earlier this year to ensure suppliers like AWS are up to the job of delivering resilient cloud services to organisations in the financial services sector.
The chair of the Treasury Select Committee, Meg Hillier, published a letter she has written to the economic secretary, Lucy Rigby, that appears to have been penned during the AWS outage.
The letter calls on Rigby for clarification about why, despite having the power to do so since January 2025, the Treasury has apparently so far neglected to add AWS to its Critical Third Parties (CTP) list of suppliers.
This designation, which was introduced by changes made to the Financial Services and Markets Act 2020 in November 2024, is intended to provide the UK's financial regulators with the means to bring third-party suppliers to the sector within their supervisory scope – the idea being that doing so could help better manage any potential risks to the stability and resilience of the UK financial system that might arise as a result of a third-party supplier suffering service disruption, as happened on 20 October with AWS.
As acknowledged in Hillier's letter, it appears the Treasury is yet to call any suppliers into the scope of the CTP regime, including AWS, which is known to be a supplier to numerous UK financial services institutions.
"In light of today's major outage at Amazon Web Services … why has HM Treasury not designated Amazon Web Services or any other major technology firm as a CTP for the purposes of the Critical Third Parties Regime," asked Hillier, in the letter. "[And] how soon can we expect firms to be brought into this regime?"
Hillier also asked HM Treasury for clarification about whether or not it is concerned about the fact that "seemingly key parts of our IT infrastructure are hosted abroad" given the outage originated from a US-based AWS datacentre region but impacted the activities of Lloyds Bank and also HMRC.
On the latter point, Hillier asked: "What work is HM Treasury doing with HMRC to look at what went wrong, and how this can be prevented in future?"
Computer Weekly contacted HM Treasury for details of its response to Hillier's letter, and to seek clarification on whether it has plans to imminently add AWS to the CTP list. It also asked if the Treasury has concerns about parts of the UK's banking infrastructure being hosted overseas, in the wake of the outage.
A spokesperson for the government department did not directly answer the questions posed by Computer Weekly, but did provide the following statement in response:
"We know the threat cyber attackers present, which is why we are working with regulators to establish a Critical Third-Party regime, so we can hold firms providing these services to the same high standards as other financial services institutions," the Treasury statement read.
UK reliance on overseas clouds
Hillier's question to the Treasury about whether it has any concerns about key parts of the UK's IT infrastructure being hosted overseas is being echoed by other UK cloud market watchers and stakeholders in the wake of the outage.
"We should be asking the obvious question: why are so many critical UK institutions, from HMRC to major banks, dependent on a datacentre on the east coast of the US?" said Mark Boost, CEO of London-based cloud services provider Civo.
"Sovereignty means having control when incidents like this happen – but too much of ours is currently outsourced to foreign cloud providers. The AWS outage is yet another reminder that when you put all your eggs in one basket, you're gambling with critical infrastructure.
"When a single point of failure can take down HMRC, it becomes clear that our reliance on a handful of US tech giants has left core public services dangerously exposed," he said.
AWS has operated a UK datacentre region since 2016, with a key selling point of these facilities being that they would allow UK-based organisations to access locally hosted versions of its public cloud services.
This adds further weight to Boost and Hillier's line of questioning about why a US outage impacted UK-based organisations when, presumably, those organisations should be relying on the UK region to access AWS services.
When Computer Weekly put this question to AWS, citing the disruption caused to HMRC during the outage as an example, a company spokesperson advised the publication to direct that query to the government tax agency.
Shared responsibility model
That response (or lack thereof) possibly speaks to the notion of the "shared responsibility model" that AWS subscribes to, whereby the organisation considers security, compliance and the resilience of its customers' cloud environments to be something of a shared burden.
As detailed on the company's Shared Responsibility Model reference web page, this setup is designed to "relieve" AWS customers of the operational burden of running their own cloud infrastructure, but they remain responsible for whatever data they choose to host in it.
"Customers should carefully consider the services they choose [to host in AWS] as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations," said AWS.
"The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment."
Speaking to Computer Weekly, Brent Ellis, principal analyst at IT market watcher Forrester, said the fact the outage originated in the AWS US-East-1 region and impacted UK organisations suggests "at least some part" of the HMRC and Lloyds setups had a dependency on that region.
"That might have been an architecture choice by those companies, but not necessarily a fault of AWS," said Ellis. "That dependency could also have been introduced by a nested SaaS [software as a service] component for the organisations involved.
"Generally, I think this shows how complex and interconnected modern cloud-based infrastructure is, and that is a problem from a resilience perspective, especially if you do not have visibility into the nested dependencies that underlie your business technology stack."
Regulatory intervention
Because of the impact such dependencies can have, Ellis is of the view that the AWS outage could prompt calls for regulatory intervention to prevent a repeat of it, in a similar vein to what Hillier and her colleagues on the Treasury Select Committee are calling for. "I do think it gives fodder to the greater push for sovereign cloud," he said. "It also will probably spur regulation to increase visibility into dependencies and fault domains for critical sectors like finance."
What users of hyperscale cloud services, such as AWS, need to know is which services and capabilities within their chosen providers' extended portfolios are hosted in the UK, and how resilient they are, added Sayers.
To highlight why this is important, he cited the findings of a series of investigations into Microsoft's cloud hosting arrangements in the Scottish policing sector that he worked with Computer Weekly to make public.
That work resulted in an initial disclosure from Microsoft that it could not guarantee the sovereignty of UK policing data stored and processed in its M365 platform.
This was later followed up with further revelations that policing data hosted in the Microsoft cloud could be processed in more than 100 countries, without users explicitly knowing about it.
"We already know Microsoft does not have a UK-based capability for all their services, but we need to know exactly what the [overseas hyperscalers] can deliver in the country and how resilient that actually is," said Sayers. "We need to properly understand their points of failure and how they can be engineered around."
Some of the hyperscalers have sought to evade answering questions on this point, claiming the information is commercially sensitive, he continued. "That's not a defence we can tolerate anymore," said Sayers. "These services are increasingly friable, increasingly complex and increasingly hidden from our view. If we are to rely on them, we need to know they are reliable, and if they aren't then we need to pivot – at least for critical services."
Customer-created issues
Ellis's colleague, Dario Maisto, is a senior analyst at Forrester, who told Computer Weekly that AWS is aware that customer-created, cross-region architectural dependencies are part of a "bigger sovereignty problem" facing its European customer base.
"[AWS] is about to launch a perfect replica of its services [in Europe] under the AWS EU [European Union] sovereign cloud offer, with the first isolated [sovereign] region in Germany," he said.
"In fact, the only way a client can make sure that its data and workloads do not suffer from any dependency on infrastructure abroad is physical and logical isolation of the cloud regions the client uses, [so that it] should not be possible at all for the client to make any choice that creates a dependency on foreign infrastructure."
Achieving this outcome, continued Maisto, means all the services the customer needs must be hosted within the isolated region, as the only ones the client can access. "A data boundary or a commitment to the market cannot guarantee what only a precise architectural construct of the client's cloud environment can grant," he added.
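Ellis's point about visibility into nested dependencies and Maisto's point that isolation must make a cross-region dependency impossible both come down to knowing which region every dependency actually lives in. The script below is an added example, not code from Computer Weekly, AWS or any organisation named in this article: it takes an inventory of ARNs and endpoint hostnames and flags anything not pinned to an assumed home region. The home region (eu-west-2, London), the account ID and every inventory entry are constructed values.

```python
"""Added example: flag dependencies outside an assumed AWS home region (eu-west-2, London)."""
import re

HOME_REGION = "eu-west-2"  # assumed; the account ID and inventory below are constructed values

# arn:partition:service:region:account:resource -- the region field may be empty
ARN_RE = re.compile(r"^arn:[^:]+:(?P<service>[^:]+):(?P<region>[^:]*):[^:]*:.+$")
# regional AWS endpoint such as sqs.eu-west-2.amazonaws.com
AWS_HOST_RE = re.compile(r"^(?:[a-z0-9.-]+\.)?(?P<region>[a-z]{2}-[a-z]+-\d)\.amazonaws\.com$")


def region_of(dependency):
    """Return (name, region): an AWS region, 'unpinned' if the name has no region, None if unknown."""
    m = ARN_RE.match(dependency)
    if m:
        return m["service"], m["region"] or "unpinned"
    host = dependency.split("://")[-1].split("/")[0].lower()
    m = AWS_HOST_RE.match(host)
    if m:
        return host, m["region"]
    if host.endswith(".amazonaws.com"):
        return host, "unpinned"  # e.g. sts.amazonaws.com carries no region in its name
    return host, None            # nested SaaS: hosting region not visible from the name


def audit(dependencies, home_region=HOME_REGION):
    """Return (dependency, region, reason) for every entry not pinned to home_region."""
    findings = []
    for dep in dependencies:
        name, region = region_of(dep)
        if region == home_region:
            continue
        if region is None:
            findings.append((dep, "unknown", "third-party component; confirm its hosting region with the vendor"))
        elif region == "unpinned":
            findings.append((dep, "unpinned", f"{name} names no region; confirm where it is actually served from"))
        else:
            findings.append((dep, region, f"cross-region dependency on {region}"))
    return findings


INVENTORY = [  # constructed sample of what a UK-hosted workload might depend on
    "arn:aws:lambda:eu-west-2:123456789012:function:submit-return",
    "arn:aws:dynamodb:us-east-1:123456789012:table/sessions",
    "arn:aws:iam::123456789012:role/app-role",
    "arn:aws:s3:::tax-portal-assets",
    "https://sts.amazonaws.com",
    "https://sqs.eu-west-2.amazonaws.com/123456789012/notify-queue",
    "https://api.example-saas.com/v1",
]
```

Running `audit(INVENTORY)` on the sample flags five of the seven entries; the "unpinned" and "unknown" results are the ones a one-off ARN inventory cannot settle and that need a follow-up with the service documentation or the vendor.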
AWS is far from the only cloud provider to suffer an outage, and any cloud company an enterprise entrusts its data to could suffer a similar fate at some point in its existence.
However, Civo's Boost said the incident highlights why enterprises should be looking to diversify their pool of cloud providers, but also why governments and regulators must take a closer look at how much of the world's infrastructure runs on a relatively small number of hyperscale cloud platforms.
"The more concentrated our infrastructure becomes, the more fragile and externally governed it is," he said. "If Europe is serious about digital sovereignty, it needs to accelerate its shift towards locally governed and diversified infrastructure. Governments and regulators have a responsibility to create the conditions for real competition. That means rethinking procurement, funding sovereign alternatives and making resilience a baseline requirement."

