Parametrix has detected the use of the specific cloud service providers by the members of the Fortune 500, and determined the regions of provision they rely upon. We are also able to predict individual company’s “provision redundancy” between cloud regions. That occurs when the functionality of one cloud region is duplicated in another.
Such duplication ensures resilience, since a cloud outage in one region might not mean a cessation of operations. In other words, the profits of companies with provision redundancy are not dependent on the supply of cloud services in a single cloud region.
Parametrix has estimated the quantum of profits that would be lost to specific companies due to the outage of a cloud service in a dependent cloud region for a given duration. The estimation process includes analysis of the share of a company’s profits which are dependent on individual cloud service providers, the amount to be lost due to a cloud outage, and the rate at which that loss is incurred over time.
We have defined scenarios which consider the outage of service for a cloud region or multiple regions for multiple durations. Each cloud service provider offers a large number of services, some of which are not used by a large portion of cloud users or are not key to the functioning of cloud-dependent systems, while others, here referred to as “mission critical,” are both used by the vast majority of cloud users and would lead to the unavailability of cloud-dependent systems should they fail.
Parametrix differentiates between critical and non-critical services, and can therefore determine the severity of downtime events with a high degree of precision. For simplicity, we have assumed that service providers’ mission-critical services suffer outages in the selected scenario regions. In each scenario, the financial loss has been estimated for each in-scope company, and aggregated to deliver a total event loss.
This analysis does not account for secondary and tertiary dependencies, which amplify the loss impact of any major cloud outage. A service outage by any of the three major cloud service providers is likely to cause indirect business interruption issues, for example. Some companies provide third-party services which are dependent on the three. Many such secondary impacts are not covered under conventional cyber insurance policies.
Parametrix’s analysis on the Fortune 500 provides a snapshot of cloud usage, and insights into navigating the landscape of cyber systemic risk. This post is the third in a series about identifying dependencies, monitoring performance, and managing accumulation. You can read more about it in the Parametrix report revealing the Fortune 500’s exposure to cloud downtime among the three major providers - Amazon Web Services, Google Cloud, and Microsoft Azure.