Documents to download

Cloud computing is the use of pooled, centralised computing resources (including data storage and processing) that are provided to users (who may be organisations or individuals) on-demand, often over the internet. Many mainstream consumer services, including Netflix and Youtube, are enabled by cloud computing and estimates suggest that 89% of larger UK organisations use at least one cloud-based service. The government encourages public sector use of cloud computing via its cloud first policy which mandates that cloud computing must be considered before any other IT implementation where possible.

Potential advantages of cloud computing include increased security, the ability to use resources flexibly and improved energy efficiency. However, improper governance of cloud computing use by organisations can lead to problems such as security breaches. Furthermore, 50% of UK companies have reported doubts about the compliance of their cloud computing solutions with all required regulations. 

Key Points

  • Cloud computing allows organisations and individuals to access a wide range of computing services without needing to own and maintain specialised hardware and software.
  • The UK cloud market is forecast to be worth over £35 billion by 2023 (a 73% rise from 2019).
  • The global market leaders in cloud computing are predominantly large US companies, including Amazon, Microsoft and Salesforce.
  • Different implementations of cloud computing infrastructure exist for different purposes. For example, a private cloud is used by, and tailored to the needs of, a single organisation whereas a public cloud is shared by many users and resource provision is flexible. 
  • Cloud computing infrastructure consists of a central data centre, where computers carry out data processing and storage, and telecommunications networks which connect the data centre to end users.
  • Cloud computing service providers generally offer sophisticated security measures but user errors can result in security breaches. At present, around 95% of cloud security incidents are thought to be caused by user error.
  • Cloud computing service providers try to ensure their services are resilient to failure by providing spare computing resources, but a user’s resilience can be compromised if they rely heavily on a single provider that may discontinue service or change the terms of service.
  • Within a cloud computing system, data may be continuously moved, possibly across national borders. Some countries have data residency or sovereignty requirements which regulate movement of data out of the country but the UK does not have any such requirements.
  • 75% of the UK’s data trade is with the EU. Following the transition period the continuation of free flowing data trade between the two will be contingent on the EU judging the UK’s data privacy protection laws to be adequate.
  • Cloud computing can offer improved energy efficiency over on-premise facilities but there are some concerns that efficiency gains could lead to an overall increase in consumption.
  • A lack of appropriate technical skills and difficulties with migrating large legacy computer systems are two issues which organisations cite as barriers to the uptake of cloud computing.


POSTnotes are based on literature reviews and interviews with a range of stakeholders and are externally peer reviewed. POST would like to thank interviewees and peer reviewers for kindly giving up their time during the preparation of this briefing, including:

  • Dr Bill Mitchell OBEBCS*
  • Professor Carsten Maple, Warwick Manufacturing Group*
  • Professor Dimitra Simeonidou, University of Bristol
  • Glen Robinson, Microsoft
  • James Lovegrove, Red Hat*
  • Joanna Hodgson,  Red Hat*
  • Adrian Keward, Red Hat*
  • Jonathan Legh-Smith, BT*
  • Ksenia Duxfield-Karyakina, Google*
  • Professor Lilian Edwards, Newcastle University
  • Neil Stansfield, NPL
  • Nicky Stewart, UKCloud*
  • Paul Duncan, NPL
  • Paul Martynenko, POST Board
  • Professor Paul Watson, Newcastle University*
  • Professor Reza Nejabati, University of Bristol
  • Rhiannon Lawson, Government Digital Service*
  • Richard Ward, IBM
  • Simon Hansford, UKCloud*
  • Sneha Dawda, RUSI
  • Rebecca Lucas, RUSI
  • Dr Stephen Pattison, ARM*
  • Tom March, Government Digital Service*

 *denotes people and organisations who acted as external reviewers of the briefing. 

Correction [30/07/20]: In Box 1 on page 2 “Stakeholders, including a former Minister for Digital and the Creative Industries and the CEO of UKCloud (a prominent provider of cloud services to the public sector), have called for the UK to establish a sovereign cloud capacity to retain control of UK data.[References 23,24] The European Commission supports, and has proposed funding for, a panEuropean, sovereign cloud initiative.[Reference 19] In October 2019, GAIA-X, a German conceived initiative supported by France to establish a sovereign European cloud was announced. [Reference 18]”  was changed to “Some stakeholders, including a former Minister for Digital and the Creative Industries and the CEO of UKCloud (a prominent provider of cloud services to the public sector), have called for the UK to establish a sovereign cloud capacity.[References 23,24] The European Commission has proposed funding for a pan-European, sovereign cloud initiative.[Reference 19] In October 2019, GAIA-X, an initiative to establish a sovereign European cloud was announced.[Reference 18] Some stakeholders advocate for global clouds as they have benefits such as the flexibility to scale globally. [References 27,28]”

Correction [30/07/20]: On page 2 “Multi clouds can increase an organisation’s resilience against cloud service outages and allow them to optimise each cloud service for its specific task.” was changed to “Multi clouds can allow an organisation to optimise each cloud service for its specific task and prevent them from becoming over-reliant on a single provider.”

Correction [30/07/20]: On page 3 “CSPs often have spare storage and processing capabilities to mitigate against partial capacity loss and may back up users’ data in multiple locations.” was changed to “CSPs often have spare storage and processing capabilities to mitigate against partial capacity loss and may offer to store users’ data across multiple data centres.”

Correction [30/07/20]: On page 3/4 “This means regulating data privacy, location and trade is challenging.” was changed to “This means regulating data privacy, location and trade can be challenging.”

Correction [30/07/20]: On page 4 “If UK protections are not considered adequate, smaller organisations may find it particularly challenging to legally transfer data between the UK and the EU.[References 73,114]” was changed to “If UK protections are not considered adequate, individual businesses would need to use EU approved safeguards in contracts involving access to EU personal data. [Reference 116] It may be particularly challenging for smaller organisations with limited legal expertise to implement these safeguards.[References 75,117].

Documents to download

Related posts

  • Genome edited animals

    Genome editing, also known as gene editing, encompasses a broad range of techniques that allows targeted changes in the DNA of animals (and plants). The Genetic Technology (Precision Breeding) Bill 2022 -2023, due for Second Reading in the House of Lords on 21 November 2022, intends to change the regulatory definition of certain genome-edited animals.

    Genome edited animals
  • Approved work: Online Advertising Technologies

    This POSTnote will provide an overview of online advertising technologies and how they work. It will consider the importance of this industry for the UK, and the challenges that online advertising technologies present for market competition and consumer protection. It will also look at potential technical mitigations that might help to address these issues.

    Approved work: Online Advertising Technologies