Blog
Cloud strategy in transition: from blind trust to conscious control
Fifteen years ago, the choice was simple: you put your data in the cloud, preferably with one of the major American hyperscalers. Scalable, affordable, and everyone was doing it. But the world has changed. International tensions are rising, regulations are getting stricter, and organizations are realizing: we actually have no idea who has access to our data.
The question that used to only come up in IT departments is now on the boardroom table. Not because the technology has changed, but because the context has changed. Who controls our infrastructure? What if the rules of the game are different tomorrow? And more importantly, can we even afford this level of dependency?
Chris Baars and Jody Pietersz, Managing Directors at TrueFullstaq, see this shift daily. In conversations with clients, in tenders, and in strategic decisions.
From IT discussion to boardroom issue
Not so long ago, the choice for hyperscalers was a no-brainer for many IT departments. The functionality, the scalability, the massive teams of developers building features that local alternatives struggle to match. "Technically speaking, those choices still make sense," says Jody. "Hyperscalers offer a lot of advantages."
But now different questions are being asked. Not about functionality, but about risk. About dependency. About control. This isn't just an IT discussion anymore; it's become a real boardroom matter.
What's driving this shift? It starts with legislation that's been around for years, but whose impact is only now becoming truly tangible. The Cloud Act of 2018 gives US authorities access to data stored by US companies, even if that data is stored outside the US. "That Cloud Act was always there, but constructs like the Privacy Shield always shielded it," Chris explains. "And with the removal of that extra clause, concerns are now emerging."
This stress doesn't just come from the loss of legal protection. It comes from broader unrest about international relations. Trade tensions, political unpredictability, shifting alliances. "Those are movements that further fuel unrest," says Jody. "People think: if the situation can change this quickly, how safe is our data really?"
"Trust has really taken a massive hit. You're not going to get that back," Chris concludes. And that has a concrete impact. In tenders, for example, sovereignty is getting more and more weight. Where ten years ago it might have counted for 1 point out of 100, it now accounts for 25 points. It's a serious factor in decision-making.
A major TrueFullstaq client recently summed it up perfectly: "There are five major competitors in our market. We're the only ones with all our data in a sovereign cloud. So it's one of our most important USPs." From compliance checkbox to competitive advantage.
The pragmatic reality: hybrid is the future
These developments naturally raise the question: what's the right cloud strategy then? Should we move everything to local infrastructure?
"No, I think we'll see more hybrid solutions," says Jody. For organizations with significant international traffic, multiple availability zones, and large international platforms, there are still advantages you'll only find with hyperscalers.
Modern private clouds have moved far beyond simple virtualization. Infrastructure as code, containerization, and automatic scaling - capabilities that were exclusive to hyperscalers years ago are now simply available in private environments.
Hyperscalers aren't the enemy either. For certain use cases, they're just good. The problem lies in the reckless choice to push everything across the border. "And that's not going to happen anymore," Jody predicts.
Chris draws a parallel with security: "There's the principle of least privilege: what you don't know, you can't leak. That also applies to cloud solutions. So you keep it within the borders, as close as possible to your own control and influence. Only what can't be done otherwise, that's what you put with such a large player."
"Say you're making an investment decision now. You're going to develop a new application, and you want to make it completely future-proof," Chris sketches. "You can choose: I'll do that here in a secure data center, where I can just drive to and where I can turn the knobs, where I can grab someone by the collar if things go wrong. Or I'll put it with a major international player while the geopolitical landscape is in constant motion. I think more and more organizations will almost automatically choose the local option."
Control as competitive advantage
Making a business case for a cloud strategy is never easy. "Everything has a business case," says Chris. "It's just difficult to weigh." That's certainly true for choices that go beyond simply picking the cheapest option.
The cost story is more nuanced than it seems. The entry costs of a private cloud are higher, but as your platform grows and you need SLAs, a private solution can, in many cases, even be cheaper. Comparing clouds requires more than a glance at startup costs. Day 2 costs are just as important: traffic, support, and unexpected peaks.
But ultimately it's about more than money. Control over your infrastructure can really deliver a competitive advantage. Not just because it weighs heavier in tenders, but because customers increasingly value it. "Compare it a bit to buying from a local farmer or from the supermarket," says Chris. "The fact that you know exactly where it comes from gives you a form of autonomy and control."
What used to be a nice-to-have (knowing where your data is and who has access to it) has now become a deal closer. The consideration shifts from 'what's cheapest' to 'what gives us the control and predictability we need'.
Security: the invisible accelerator
Besides geopolitics and compliance, there's yet another factor accelerating the reconsideration of cloud strategy. A factor that's becoming increasingly urgent: security.
Control over your infrastructure isn't just about knowing where your data is. It's also about who can access it, how your systems are protected, and how quickly you can respond when things go wrong. And the landscape is moving extremely fast there.
"Everywhere you see budget constraints, except on security," says Chris. Partly due to international unrest, but mainly due to the speed at which threats evolve. Chris compares: "If you have a new house built and you put a good lock in the front door, that's still okay three years later. In IT, that's not the case; the digital lock becomes outdated much faster."
And AI is accelerating the pace further. Decrypting and cracking encrypted data are getting faster and faster. What you come up with today can be broken by AI tomorrow. Many organizations still think that if they design a platform in 2025, it'll still be fine in 2030. "That's simply not true," says Chris. "The development of all criminals is going so much faster than we can think up defenses."
If you don't have your security in order, you're fair game. Security isn't a side issue anymore; it's business continuity, reputation management: a basic condition to operate. And here's also the link to the broader cloud strategy discussion: control over your infrastructure is control over your security.
Cloud native maturity: from experiment to foundation
Kubernetes is no longer the new toy that organizations are experimenting with. It's become the foundation. "I see basically everyone still moving to Kubernetes," says Jody. And rightly so: containerization prevents vendor lock-in, makes application management manageable, and offers the flexibility to move workloads when needed.
But the theory of 'platform-independent' sometimes clashes with practice. Migrating between clouds proves more difficult than promised. Still, Kubernetes remains the standard, not because it's perfect, but because it offers the best balance between flexibility and standardization.
What is changing is how organizations handle it. Compliance plays an increasingly larger role. With legislation like NIS2, organizations face supply chain responsibility. "We also have to comply with that, and we have to support that," Jody explains. "If a client asks, ' I need an audit trail, how have you set that up?' Then we need to be able to show that."
Security is moving from a separate team to an organization-wide behavior. It's no longer something you add after the fact, but part of how you work. From physical access control to who can access which data, it's becoming hygiene rather than an exception.
And then there's edge computing. Not everything needs to be in the cloud. For certain workloads - think warehouse robots or critical infrastructure - it's actually smarter to run them locally. Faster, safer, less dependent on internet connectivity.
Kubernetes, compliance, edge: they're all signals of the same movement: organizations becoming more mature in how they handle cloud technology.
The shift is irreversible
"The genie is out of the bottle," says Chris. The awareness that you're dependent on infrastructure you don't control, in jurisdictions where you have no influence, isn't going away.
Organizations are now combining the best of both worlds: the flexibility of cloud, where possible, and the control of local, where necessary. That consideration - not blindly all or nothing - is the new standard.
For some organizations, this means a sovereign cloud. For others, a carefully delineated hybrid strategy. For yet others, it means edge computing for critical workloads. There's no one-size-fits-all answer.
The question is no longer "cloud or not cloud". The question is: which cloud strategy fits our risks, our ambitions, and the world we operate in?
Organizations now thinking about what control means to them aren't just building better infrastructure. They're building strategic independence in an uncertain world.
