Skip to content
Thav Global Solutions
All insights
Infrastructure20 January 20267 min read

Relocatable by design: avoiding cloud lock-in in public infrastructure

A government system can be hosted on a commercial cloud today and still be free to move tomorrow. The trick is to decide that on day one, in code.

Infrastructure Practice

Sovereignty, procurement, cost, and politics all change over the life of a public system. A platform that can only ever run in one provider's account, in one region, configured by hand, has quietly handed that provider a veto over the institution's future. Relocatability is not a migration project you do later. It is a property you design in now.

All infrastructure as code, with no exceptions

If a resource is not defined in code, it does not exist. There is no click-ops, ever. The entire backend, networks, databases, key management, queues, and audit storage, is declared in a way that can be read, reviewed, and recreated. The reproducibility that this buys is the same property that makes a move possible: you cannot relocate what you cannot rebuild from a definition.

Host where it makes sense today

This is not an argument against commercial cloud. Running on a major provider now is often the right call for speed, security, and operational maturity. The argument is against un-abstracted lock-in: take the managed services, but reach them through a seam, so that choosing a provider today does not foreclose a region, a sovereignty requirement, or a better option in three years.

  • Multi-account separation of development, staging, and production from the start.
  • Keys and secrets managed by the platform, never in the repository, and reachable through an adapter.
  • Environments stood up from the same definitions, so staging genuinely resembles production.
  • No deep dependency on a single proprietary service that has no abstraction and no exit.

Lock-in is rarely a decision. It is the accumulated weight of a hundred small couplings no one chose to abstract.

What it costs, and what it buys

Building behind adapters costs a little discipline up front and saves an enormous amount of leverage later. When the procurement rules change, or a data-residency requirement lands, or a region is deprecated, the institution gets to decide what happens next, rather than being told. For public infrastructure, that freedom is not a luxury. It is part of the mandate.

More insights

Security7 min read

The client is always untrusted: designing systems that assume compromise

A customer's browser, a partner's API call, and a shared terminal are all attacker-reachable. The discipline that keeps a critical system safe is deciding what is allowed to run there, and what never can.

12 May 2026
Data Governance6 min read

Data minimization as law, not policy

The safest data is the data you never collected. We treat minimization as a hard constraint on the schema, not a value statement in a policy document.

22 April 2026
Delivery8 min read

Replacing a critical legacy system without taking it offline

Modernization fails when it treats the old system as something to switch off on a Friday. The real constraint is that the service it runs cannot stop.

30 March 2026

Planning a new system, or need an independent assessment?

Whether you are modernizing a legacy platform or testing the one you already run, we will tell you plainly what it takes and where the risk is.

Start a conversation