Beyond AWS: How Hidden Fourth-Party Risks Threaten Digital Resilience
For roughly 15 hours, thousands of organizations discovered just how fragile the cloud really is. But what many didn’t realize is that this wasn’t just a cloud outage — it was a wake-up call about hidden fourth-party risks buried deep within the digital supply chain.
The cause? A faulty DNS update affecting AWS’s DynamoDB service, a critical component in Amazon’s infrastructure, triggered cascading failures across the US-EAST-1 region, which hosts nearly half of AWS’s global capacity. The result was a modern digital blackout that exposed how interwoven our systems have become.
The Domino Effect: When the Cloud Falters
AWS powers more than 30% of the cloud market. It’s not just tech companies that rely on it — hospitals, airlines, government agencies, and financial institutions do too. When AWS fails, the impact can feel apocalyptic.
“This really highlights how we need to start thinking about fourth-party risks — the hidden dependencies that most organizations don’t even know exist,” said Sherri Davidoff, founder of LMG Security.
The outage didn’t just affect Amazon’s own services. It disrupted third-party providers like Slack and Venmo — and the customers of those providers. That second layer of dependency is what cybersecurity professionals call fourth-party risk — when your vendors’ vendors become your weakest link.
It’s an uncomfortable reminder that resilience doesn’t stop at your third-party vendor list. You’re also responsible for understanding who they depend on — and how a single point of failure can cascade through your supply chain.
Fourth-Party Risk: The Invisible Threat
Many organizations have made progress in third-party risk management over the past decade. But fourth-party risks remain largely uncharted territory. As Davidoff put it, “It’s almost a tragedy because we can’t quite get a handle on third-party risks in the first place… and now we have to start thinking about fourth-party risks.”
Fourth-party dependencies are the unseen vendors behind your SaaS platforms, payment systems, and productivity tools. When one of those upstream providers like AWS, Microsoft Azure, or Google Cloud experiences an outage, your business continuity plan can unravel fast.
Why It Matters:
- Transparency gaps: Many SaaS vendors don’t disclose their infrastructure providers, leaving customers blind to cloud concentration risks.
- Insurance coverage limitations: Many cyber-insurance policies only cover malicious incidents, not accidental outages like AWS’s.
- Compound disruption: If multiple vendors rely on the same hyperscaler region (like US-EAST-1), the impact multiplies.
This isn’t a new problem — it’s a modern version of an old one. Back in 2003, cybersecurity pioneer Dr. Dan Geer and his co-authors warned that society’s growing dependence on a single dominant technology platform could create catastrophic systemic risk. In “CyberInsecurity: The Cost of Monopoly”, they wrote:
“Risk diversification is a primary defense against aggregated risk when that risk cannot otherwise be addressed; monocultures create aggregated risk like nothing else.”
That insight — originally applied to Microsoft’s software monopoly — rings even truer today. The monoculture has simply shifted from the desktop to the data center. As Davidoff noted, today’s hyperscalers are the new monoculture, and cloud diversification is the modern equivalent of crop rotation: essential to avoiding a single-point collapse of the global digital ecosystem.
Cloud Concentration: Too Big to Fail?
Analysts have coined the term cloud concentration risk — the growing dependence on a small number of global providers. AWS, Microsoft Azure, and Google Cloud dominate the market, each running massive distributed data centers that underpin everything from retail to critical infrastructure.
Gartner has warned about this exact problem, and insurers are taking notice too. As thousands of businesses file interruption claims after major outages, many insurers are quietly rewriting policies to exclude accidental or systemic failures.
The issue isn’t just the dominance of hyperscalers — it’s that many organizations have centralized workloads within a single cloud provider or even a single region. When one goes down, everything goes down with it.
Davidoff and Durrin argue that resilience starts with diversification. “Make sure that you don’t put all your eggs in the US-EAST-1 basket,” Durrin advised. “Spread them around the country — and not just around the country. Think about different cloud providers as well.”
Building Digital Resilience
We can’t escape the cloud. But we can build smarter, more resilient systems.
Here are five key takeaways:
- Map and Monitor Your Vendor Ecosystem.
- Request a Digital Bill of Materials.
- Diversify Critical Workloads.
- Integrate Cloud Failures into Incident Response Plans.
- Tabletop the Scenario.
For more detailed advice, please read our blogs on third-party risk management and software supply risk management.
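To make the first takeaway concrete, the sketch below walks a vendor dependency map transitively and reports which upstream providers or regions sit behind a large share of your direct vendors, which is the compound-disruption case described earlier. It is an added example, not LMG Security's tooling; the vendor names, the inventory and the 50% threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical vendors). Each key lists what it
# depends on directly; hosting is written as "provider:region".
DEPENDS_ON = {
    "our-org": ["chat-saas", "payments-saas", "hr-saas", "helpdesk-saas"],
    "chat-saas": ["aws:us-east-1"],
    "payments-saas": ["fraud-api", "aws:us-west-2"],
    "fraud-api": ["aws:us-east-1"],       # payments looks diversified, but is not
    "hr-saas": ["azure:eastus"],
    "helpdesk-saas": ["chat-saas", "gcp:us-central1"],
}

def dependency_paths(root, graph):
    """Return {dependency: [every simple path from root to it]}."""
    paths = defaultdict(list)
    stack = [(root, (root,))]
    while stack:
        node, path = stack.pop()
        for dep in graph.get(node, []):
            if dep in path:               # ignore circular integrations
                continue
            paths[dep].append(path + (dep,))
            stack.append((dep, path + (dep,)))
    return paths

def exposure(root, graph):
    """For each dependency reached only through a vendor (fourth party and
    beyond), list the direct vendors whose service chain leads to it."""
    direct = set(graph.get(root, []))
    return {dep: sorted({p[1] for p in paths})
            for dep, paths in dependency_paths(root, graph).items()
            if dep not in direct}

def concentrated(root, graph, threshold=0.5):
    """Hidden dependencies shared by at least `threshold` of direct vendors."""
    direct = graph.get(root, [])
    hits = [(dep, vendors) for dep, vendors in exposure(root, graph).items()
            if len(vendors) / len(direct) >= threshold]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))

if __name__ == "__main__":
    for dep, vendors in concentrated("our-org", DEPENDS_ON):
        print(f"{dep}: outage would reach {len(vendors)} direct vendors: {vendors}")
```

In this sample only one vendor declares us-east-1 as its own hosting, yet three of the four direct vendors are exposed to it once their own suppliers are followed.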
Beyond AWS: A Warning Shot for Everyone
This outage wasn’t the first, and it won’t be the last. We’ve seen similar disruptions from Azure, Google Cloud, and major SaaS vendors. Each event reminds us that the cloud isn’t magical — it’s just other people’s computers.
When those computers go dark, our dependencies become painfully visible.
If an accidental outage can cause this much disruption by mistake, what happens when a threat actor aims to do it on purpose? The increasing interdependence of cloud infrastructure means that a single event, whether accidental or malicious, can have sweeping, systemic effects.
That chilling thought underscores the growing overlap between resilience, cybersecurity, and national security. Hyperscalers are now part of our critical infrastructure and defending them — or preparing for their failure — must be part of every organization’s risk strategy.
Final Thoughts: Prepare Before the Next Outage
Outages like AWS’s October 2025 incident reveal an uncomfortable truth: digital resilience depends on visibility, diversification, and preparation. You can’t prevent every failure, but you can reduce the impact by knowing your dependencies, diversifying your cloud presence, and rehearsing your response.
If your organization hasn’t yet mapped its fourth-party risks or tested a cloud-outage scenario, now’s the time.
Please contact our LMG Security team if you need help identifying hidden dependencies, strengthening your vendor-management program, and conducting realistic tabletop exercises that build true digital resilience.
Learn more about LMG’s advisory and training services and start preparing today — before the next big outage hits.