Avoiding Cloud Lock-In: A Playbook for Platform Teams
Lock-in usually arrives in small steps: a managed database with no export path, a proprietary identity layer, tooling that only runs in one region. Here is how to stay portable without slowing delivery.
Nobody decides to get locked in. It accumulates: a convenient managed service here, a proprietary format there, and a year later moving would mean a rewrite. The fix is not to avoid the cloud. It is to keep the cost of leaving low enough that you always have a choice.
Favor open interfaces
Choose tools that expose APIs, support standard identity protocols (OIDC/SAML), and provide export pipelines. Vendor SDKs are fine if they sit on top of open protocols. The test is simple: can you get your data and your authentication out without a support ticket?
Separate the control plane from the data plane
Let orchestration live wherever is easiest, often the cloud, but run stateful workloads on infrastructure you can move. When the thing that schedules work is decoupled from the thing that holds your data, you can relocate the data without re-platforming everything around it.
Automate migrations from day one
Treat the ability to redeploy elsewhere as a requirement, and test it the way you test disaster recovery or backups. A migration path you have never exercised is a hope, not a plan.
Where Greffon fits
Greffon decouples the app catalog (control plane) from where workloads run (greffers). You can run greffers in colos, on bare metal, or on existing virtualized clusters, and redeploy apps elsewhere with the same manifest. The control plane stays convenient; the data stays portable.
Checklist before adopting a new SaaS
- Is there an export feature that does not require a support ticket?
- Does it support SSO providers we already control?
- Can we deploy an equivalent workload via Greffon if needed?
- Do we know the total switching effort (infrastructure, data, change management)?