Offering an extensive portfolio of ICT solutions and services in conjunction with its highly available data centers and its fast broadband internet and telecommunications networks for consumers and businesses, Dialog Enterprise is one of the most trusted information and communication technology brands in Asia. Now it is also the first provider in Sri Lanka to earn the VMware Sovereign Cloud distinction.

“More than 35,000 enterprises rely on us for the compute, storage and networking power they need to excel,” says Venura Mendis,  Head of ICT Business at Dialog Enterprise. “The cloud of course is a game-changer and our Dialog Enterprise Cloud gives customers in a wide range of industries the capabilities and flexibility inherent in a software-defined data center, complete with a self-service portal and hybrid cloud capabilities.”

Based on VMware technology and featuring numerous capabilities, among them Container PaaS service, Backup-as-a-Service and Disaster Recovery-as-a-Service, the Dialog Enterprise Cloud is the choice of many of the country’s industry leaders. This includes stalwarts in the nation’s banking, construction, education, government, healthcare, hospitality and dining, manufacturing, retail and transportation industries.

“We understand that different industries require different business solutions,” adds Mendis. “For that reason, we offer a broad array of solutions and services designed for various industries that can be customized for any business, along with completely bespoke offerings that draw on the extensive design and development expertise our team offers. Increasingly, we’ve seen a lot of demand for sovereign cloud offerings, particularly in highly regulated industries where the stakes are high and data privacy demands are great.”

To address this, Dialog Enterprise sought to earn the VMware Sovereign Cloud distinction, becoming the first provider in the entire region to do so – a feat that echoed its earlier honor of being the first company in Sri Lanka to provide VMware Cloud Verified services. Mendis is quick to stress that while Dialog Enterprise is currently the only provider to have done so, the demand for sovereign clouds is great and growing rapidly.

“When a solution is built on a robust framework like VMware’s, it simply and seamlessly works across VMware-based multi-cloud platforms, which makes it easier to lift and shift workloads from on-premises environments to the cloud while allowing for continual modernization at a much lower cost of ownership,” he says. “Now enterprises also increasingly want and demand the added ability to ensure full data sovereignty and jurisdictional control at all times. This includes making sure that data is never accessed by foreign parties in the context of maintenance or service.”

Mendis notes that because the data in its sovereign cloud is subject to the full jurisdictional control of Sri Lanka, full compliance with the country’s privacy laws can be guaranteed. This stands in stark contrast to the clouds offered by hyperscalers, but it is not the only reason customers are choosing a Sri Lankan sovereign cloud.

“Yes, customers are concerned about hosting their sensitive data in public clouds due to issues like data confidentiality, data loss, data storage needs, security and transparency,” says Mendis. “But it’s not all about safeguards, or the ability we have to guarantee compliance with local laws and regulations. Enterprises also turn to us because our sovereign Infrastructure-as-a-Service offers low-latency connectivity options, an intuitive portal, consumption-based pricing models and high performance.”

Notably, it also integrates seamlessly with the myriad innovative solutions the company offers, from those that harness the potential of the Internet of Things to broader enterprise solution platforms. These include managed SD-WAN and SASE solutions, Data-as-a-Service offerings, and multiple cyber and physical security solutions, among many others.

“As organizations across industries look to digital transformation to drive growth, the cloud will by necessity play a core role,” says Mendis. “And it is no surprise that it is increasingly important to ensure that sensitive data be stored and processed in a secure and compliant environment. The sovereign cloud solution we offer gives our clients much-needed peace of mind and the knowledge that their data is securely stored in a physically and logically isolated environment, managed by a team of experts. It’s only natural that more organizations will want that.”

Learn more about Dialog Enterprise and its partnership with VMware here.

Cloud Management

Artificial intelligence (AI) in 2023 feels a bit like déjà vu to me. Back in 2001, as I was just entering the venture industry, I remember the typical VC reaction to a start-up pitch was, “Can’t Microsoft replicate your product with 20 people and a few months of effort, given the resources they have?” Today, any time a new company is pitching its product that uses AI to do ‘X,’ the VC industry asks, “Can’t ChatGPT do that?”

Twenty-two years later, Microsoft is at the table once again. This time they’re making a $13 billion bet by partnering with OpenAI and bringing to market new products like Security Copilot to make sense of the threat landscape using the recently launched text-generating GPT-4 (more on that below). But just as Microsoft did not inhibit the success of thousands of software start-ups in the early 2000s, I do not expect Microsoft or any vendor to own this new AI-enabled market. 

However, the market explosion and hype around AI across the business and investment spectrum over the past few months has led people to ask: what are we to make of it all? And more specifically, how do CIOs, CSOs, and cybersecurity teams learn to deal with technology that may pose serious security and privacy risks?

The good, the bad, and the scary

I look at the good, the bad, and the scary of this recent Microsoft announcement. What’s incredible about ChatGPT and its offspring is that it brings an accessible level of functionality to the masses. It’s versatile, easy to use, and usually produces solid results.

Traditionally, organizations have needed sophisticated, trained analysts to sort through, analyze, and run processes for their security data. This required knowledge of particular query languages and configurations relevant to each product, like Splunk, Elastic, Palo Alto/Demisto, and QRadar. It was a difficult task, and the available talent pool was never enough.   

That difficulty in SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) still exists today. SIEM helps enterprises collect and analyze security-related data from servers, applications, and network devices. The data is analyzed to identify potential security threats, alert security teams to suspicious activity, and provide insights into a company’s security defenses. SIEM systems typically use advanced analytics to identify patterns, anomalies, and other indicators of potential threats.

SOAR builds on SIEM capabilities by automating security workflows and helping businesses respond more quickly and efficiently to security incidents. SOAR platforms can integrate with various security products, including enterprise firewalls, intrusion detection systems, and vulnerability scanners. SIEM/SOAR is where you orchestrate the actions of an incident response plan, and carrying out those actions helps in the remediation process. Managing the process and products involved in remediation is difficult.
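To make the SIEM/SOAR pattern concrete, here is a minimal sketch in Python, not tied to Splunk, Elastic, or any other product: collect security events, apply a detection rule, and trigger an automated response step. The event data, threshold, and block_ip() playbook action are all invented for illustration.

```python
from collections import Counter
from datetime import datetime

# Hypothetical security events, as a SIEM might collect from servers and firewalls.
events = [
    {"time": "2023-04-01T10:00:01", "src_ip": "10.0.0.5", "type": "login_failed"},
    {"time": "2023-04-01T10:00:02", "src_ip": "10.0.0.5", "type": "login_failed"},
    {"time": "2023-04-01T10:00:03", "src_ip": "10.0.0.5", "type": "login_failed"},
    {"time": "2023-04-01T10:00:04", "src_ip": "10.0.0.5", "type": "login_failed"},
    {"time": "2023-04-01T10:00:09", "src_ip": "10.0.0.7", "type": "login_success"},
]

FAILED_LOGIN_THRESHOLD = 3  # a simple detection rule an analyst might configure

def detect_brute_force(events):
    """SIEM-style analytics: count failed logins per source IP and flag offenders."""
    failures = Counter(e["src_ip"] for e in events if e["type"] == "login_failed")
    return [ip for ip, count in failures.items() if count >= FAILED_LOGIN_THRESHOLD]

def block_ip(ip):
    """SOAR-style playbook step: a real platform would call a firewall or EDR API here."""
    print(f"[{datetime.utcnow().isoformat()}] Orchestrated response: blocking {ip}")

for ip in detect_brute_force(events):
    block_ip(ip)
```

Real products add correlation across many data sources, case management, and integrations, but the collect-detect-respond loop above is the core idea.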

Now, Microsoft is putting a stake in the ground with its generative AI Security Copilot tool. With Security Copilot, the tech company is looking to boost the capability of its data security products for deep integrated analysis and responses. By integrating GPT-4 into Security Copilot, Microsoft hopes to work with companies to

more easily identify malicious activity;

summarize and make sense of threat intelligence;

gather data on various attack incidents by prioritizing the type and level of incidents; and

recommend to clients how to remove and remediate diverse threats in real-time.

And guess what? Theoretically, it should be easier to sort through all that data using GPT APIs and other tools, or to figure out how to apply them to incident data. These systems should also make automated response and orchestration much simpler.
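As a rough illustration of the kind of workflow this points to, the sketch below sends a de-identified incident log to a general-purpose GPT API for summarization and remediation suggestions. It assumes the official OpenAI Python client with an API key in the environment; it is not Security Copilot, and the log contents are invented.

```python
# Illustrative only: summarizing de-identified incident data with a general-purpose GPT API.
from openai import OpenAI  # assumes the openai package is installed and OPENAI_API_KEY is set

client = OpenAI()

incident_log = """
2023-04-01 10:00 Multiple failed RDP logins from 203.0.113.9
2023-04-01 10:04 Successful login to HOST-42 from 203.0.113.9
2023-04-01 10:07 New scheduled task created on HOST-42
"""

response = client.chat.completions.create(
    model="gpt-4",
    messages=[
        {"role": "system", "content": "You are a SOC analyst assistant. Summarize incidents "
                                      "and recommend prioritized remediation steps."},
        {"role": "user", "content": incident_log},
    ],
)

print(response.choices[0].message.content)
```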

Overall, the emergence of GPT-4 may be a step towards the industry’s dream of “Moneyball for cyber,” allowing for a more robust defensive posture by leveraging the experience and wisdom of the crowds. And it will allow for a stronger defense of smaller organizations that do not have sufficient resources and expertise today.

It’s all about trust

However, there are still significant obstacles to overcome regarding adoption and trust. First and foremost, there is still reluctance among many organizations to share their incident data with others, even if de-identified, as it could potentially lead to leaked information, bad press, and brand damage. Sharing has been talked about for years, but is rarely done in a systematic, or technology-delivered manner for these reasons. The best sharing practices followed today are industry CISOs talking amongst their tight peer group when something significant occurs. Thus, given the reluctance to share in any meaningful way previously, I suspect that the industry will take a long time to put their data in this or any third-party platform for fear that it exposes them in some way.

Another hurdle is overcoming hesitancy about privacy and security concerns. Microsoft claims that integrating data into its systems will maintain privacy and security, and that Security Copilot will neither train on nor learn from its customers’ incident or vulnerability data. However, without full transparency, the market will have lingering doubts. Users may fear that attackers will use the same GPT-based platform to develop attacks targeting the vulnerabilities in their systems that it has become aware of, no matter what the ELA (enterprise license agreement) states to the contrary. Wouldn’t an attacker love to ask, “Write an exploit that allows me to navigate the defenses at Corporation X?”

There is also a question about how the system can learn from the newest attacks if it is not training on the data from customer organizations. The system would be more powerful if it did learn in the wild from customer incident and vulnerability data.

Even without specific details learned from any one customer, assuming full transparency on security and privacy is guaranteed, given the wide aperture of knowledge that can be obtained from other public and non-public sources, won’t this AI-based system become an adversary’s favorite exploit development tool?

Given all of this, there are potential risks and rewards involved in using ChatGPT in cybersecurity.

Microsoft has major ambitions for Security Copilot. It’s a tall order to fill, and I hope they get it right for everyone’s sake.

Know the potential consequences

GPT-4 under Microsoft’s auspices might be a great tool if it figures out ways to cut off all that potentially harmful activity. If Microsoft can train the system to focus on the positive, and do so in a way that does not compromise proprietary internal data, it would be a potent tool for mainstream analysis of security incidents. To date, this has only been done with very sophisticated, high-priced people and complex systems that cater to the higher end of the market.

But suppose the mid-tier companies, who can’t afford top-quality cybersecurity resources or the best data security teams, choose to open up their data to Microsoft and GPT-4? In that case, I just hope they know there may be possible side effects. Caveat emptor!

Artificial Intelligence, Data and Information Security, Security

India-based Games24x7, a digital-first company, believes that “the best gaming experiences are created at the intersection of entertainment and science.” With a portfolio spanning skill games (RummyCircle), fantasy sports (My11Circle), and casual games (U Games), the company banks firmly on technology to build a highly scalable gaming infrastructure that serves more than 100 million registered users across platforms.

In a conversation with CIO.com, Games24x7 CTO Rajat Bansal throws light on the importance of hyperpersonalization in gaming and how the company is manifesting creative ideas for gamers by leveraging cutting-edge technology, including data science and AI.

The success of a game hinges on meeting the players’ needs and expectations. How do you ensure this through technology?

Bansal: We believe that the most important thing is to understand the users as early as possible in their gaming lifecycle. The success of a game depends on two factors: content and the delivery of that content. This is where hyperpersonalization assists in meeting player needs and expectations. The concept of hyperpersonalization is picking up pace across the globe. In a diverse country like India, there are multiple demographic factors, like region, age, and more, that affect users’ preferences and consumption behavior. When this variation is combined with a player’s individual preferences, a totally different level of hyperpersonalization is achieved.

The personalization journey begins from the moment a user enters the game. When players are served offers based on their profiles and preferences, our data science models help us identify their inclinations and preferences. For instance, two players from the same demography may have significantly different skills and so their expectations from the game will be different.

We leverage artificial intelligence, machine learning, and analytics to offer a hyperpersonalized, immersive, and entertaining gameplay experience to our users at every stage of their gaming journey in real-time.

Given that the player load can fluctuate greatly, how do you ensure your platforms are able to handle sudden spikes in player load?

Bansal: Games24x7 has a highly scalable gaming infrastructure that serves more than 100 million registered users across platforms. With the strong passion for cricket in India, user engagement on our fantasy sports platform My11Circle is high, especially during the IPL [Indian Premier League]. However, our focus on technology and the models we spoke of earlier allow us to preempt and prepare. To manage increases in workloads and user base, we have created a completely science-driven, automated scaling pipeline. Given the nature of the business, there are spikes for special events like the IPL. To take care of such situations, we leverage data science to forecast load at the match level and use this forecast to proactively scale our fleet up or down in a completely hands-off-the-wheel way.
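A minimal sketch of what such a forecast-driven scaling loop could look like, with invented numbers and a placeholder scale_fleet() call rather than Games24x7’s actual models or any specific cloud provider’s API:

```python
# Hypothetical forecast-driven scaling: predict peak load for the next match,
# then set the fleet size ahead of time. Numbers and capacity figures are invented.
import statistics

# Historical peak concurrent users observed for comparable matches.
history = [120_000, 150_000, 180_000, 210_000, 260_000]

USERS_PER_INSTANCE = 2_000   # assumed capacity of one game-server instance
HEADROOM = 1.3               # buffer for unexpected spikes

def forecast_next_match(history):
    """Naive trend forecast: last observation plus the average recent growth."""
    growth = statistics.mean(b - a for a, b in zip(history, history[1:]))
    return history[-1] + growth

def scale_fleet(desired_instances):
    """Placeholder for an autoscaling call (e.g., setting a group's desired capacity)."""
    print(f"Scaling fleet to {desired_instances} instances ahead of the match")

expected_users = forecast_next_match(history)
scale_fleet(max(1, round(expected_users * HEADROOM / USERS_PER_INSTANCE)))
```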

There are safety risks associated with gaming. What tools/solutions have you deployed to offer a safe and immersive experience?

Bansal: We also use AI to assess gameplay patterns. Our sophisticated models can identify a deviation from the right gameplay at any given stage of the game. Such deviations are immediately flagged.
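The models behind this are proprietary, but a toy sketch illustrates what flagging a deviation can mean in practice; the feature, numbers, and threshold below are invented:

```python
# Toy illustration of deviation flagging (not Games24x7's proprietary models):
# compare a session's behavior against the population and flag large z-scores.
import statistics

# Assumed feature: moves made per minute in recent sessions of comparable players.
typical_sessions = [14, 15, 13, 16, 15, 14, 17, 15, 16, 14]
Z_THRESHOLD = 3.0

def is_deviant(value, population):
    mean = statistics.mean(population)
    stdev = statistics.stdev(population)
    return abs(value - mean) / stdev > Z_THRESHOLD

print(is_deviant(15, typical_sessions))   # False: ordinary gameplay
print(is_deviant(45, typical_sessions))   # True: flagged for review
```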

Some of the AI tools that we integrate to deliver an immersive, safe, and entertaining game play include data ETL and feature preparation pipeline for capturing user behavior for responsible game play; explainable AI for actions based on the results; domain expert-based rule engine for checking behavior patterns over time, money, and urge to play; local expert for wallet recharge patterns and game entry fees; counselling process for reporting accurate gameplay status; cognitive neuroscience for mapping telemetric data; sequential modelling for journey and evolution of users; reinforcement learning for hyperpersonalization; procedural content generation for generating content as per level; and computer vision for art, design, content, and creatives to make games exciting. 

Data is the key for making informed decisions and building customer experiences. What’s your strategy for democratizing and managing data?

Bansal: For a data-driven organization like ours, the consistent and reliable flow of data across people, teams, systems, and business functions is crucial to survival and the ability to innovate. At Games24x7, we see data management as encompassing all disciplines related to managing data, including collecting, processing, governing, sharing, and analyzing it, all in a cost-efficient and reliable manner.

Depending on the use cases, we are using two platforms for data management. We have adopted Databricks as a data management platform for all our hourly/daily data processing, analysis, and reporting. Generally, this covers most of our current data consumption and analysis and it is very mature. We use Tableau as our visualization tool on top of Databricks for all business users to make informed decisions on the fly.

We have also built a data-as-a-service (DaaS) platform for all our real-time/near real-time data processing and inferencing needs for hyperpersonalization use cases. This platform is built and managed by our own data engineering team.

This free-flowing access to data results in providing customized user journeys at every step. For example, it enables the marketing team to provide offers based on customer preferences, the product team to come up with new, innovative meta games, and the science team to provide responsible game play models.

What are your future business and technology plans? 

Bansal: We are continuously investing in new technologies and business intelligence systems to analyze players’ behavior, customize their gameplay, and provide them with the most intuitive and safe gameplay experience. We are also working on developing fresh and unique content revolving around casual gaming business. We are looking forward to diversifying our skill gaming portfolio and building new and robust gaming platforms for our users. As we grow our technological capabilities, we will invest in other synergistic platforms to facilitate increased accessibility of online gaming in India.

Artificial Intelligence, Digital Transformation

Access to artificial intelligence (AI) and the drive for adoption by organizations is more prevalent now than it’s ever been, yet many companies are struggling with how to manage data and the overall process. As companies open this “Pandora’s box” of new capabilities, they must be prepared to manage data inputs and outputs in secure ways or risk allowing their private data to be consumed in public AI models.

Through this evolution, it is critical that companies consider that ChatGPT is a public model built to grow and expand through use via advanced learning models. Private instances will soon be available in which the model answers prompts solely from selected internal data. As such, it’s important that companies determine where public use cases are appropriate (e.g., non-sensitive information) versus what mandates the need for private instances (e.g., company financial information and other data sets that are internal and/or confidential).

All in . . . but what about the data?

The popularity of recently released AI platforms such as OpenAI’s ChatGPT and Google Bard has led to a mad rush for AI use cases. Organizations are envisioning a future in this space where AI platforms will be able to consume company-specific data in a closed environment vs. using a global ecosystem as is common today. AI relies upon large sets of data fed into it to help create output but is limited by the quality of data that is consumed by the model. This was on display during the initial test releases of Google Bard, where it provided a factually inaccurate answer on the James Webb Space Telescope based on reference data it ingested. Often, individuals will want to drive toward the end goal first (implementing automation of data practices) without going through the necessary steps to discover, ingest, transform, sanitize, label, annotate, and join key data sets together. Without these important steps, AI may produce inconsistent or inaccurate data that could put an organization in a risky gambit of leveraging insights that are not vetted.

Through data governance practices, such as accurately labeled metadata and trusted parameters for ownership, definitions, calculations, and use, organizations can ensure they are able to organize and maintain their data in a way that can be useable for AI initiatives. By understanding this challenge, many organizations are now focusing on how to appropriately curate their most useful data in a way that can be readily retrieved, interpreted, and utilized to support business operations.

Storing and retrieving governed data

Influential technology like Natural Language Processing (NLP) allows responses to be retrieved from questions asked conversationally or as a standard business request. This process parses a request into meaningful components and ensures that the right context is applied within a response. As the technology evolves, this function will allow a company’s specific lexicon to be accounted for and processed through an AI platform. One application of this may be defining company-specific attributes for particular phrases (e.g., how a ‘customer’ is defined for an organization vs. the broader definition of a ‘customer’) to ensure that organizationally agreed nomenclature and meaning are applied through AI responses. For instance, an individual may ask the system to “create a report that highlights the latest revenue by division for the past two years” that applies all the necessary business metadata an analyst and management would expect.

Historically, this request requires individuals to convert the ask into a query that can be pulled from a standard database. AI and NLP technology is now capable of processing both the request and the underlying results, enabling data to be interpreted and applied to business needs. However, the main challenge is that many organizations do not have their data in a manner or form that is capable of being stored, retrieved, and utilized by AI – generally due to individuals taking non-standard approaches to obtaining data and making assumptions about how to use data sets.
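A simplified sketch of that request-to-query step, assuming governed metadata supplies the agreed definitions; in practice an LLM would handle the parsing, and the table and column names below are invented:

```python
# Hypothetical request-to-query translation driven by governed metadata.
governed_terms = {
    "revenue": {"column": "net_revenue_usd", "definition": "Recognized revenue net of refunds"},
    "division": {"column": "division_name", "definition": "Reporting division per finance hierarchy"},
}

def build_report_query(metric, group_by, years_back):
    """Turn an agreed business term pair into SQL against an assumed fact table."""
    metric_col = governed_terms[metric]["column"]
    group_col = governed_terms[group_by]["column"]
    return (
        f"SELECT {group_col}, SUM({metric_col}) AS {metric}\n"
        f"FROM finance.revenue_fact\n"
        f"WHERE fiscal_year >= EXTRACT(YEAR FROM CURRENT_DATE) - {years_back}\n"
        f"GROUP BY {group_col}\n"
        f"ORDER BY {metric} DESC;"
    )

# "Create a report that highlights the latest revenue by division for the past two years."
print(build_report_query("revenue", "division", years_back=2))
```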

Setting and defining key terms

A critical step for quality outputs is having data organized in a way that can be properly interpreted by an AI model. The first step in this process is to ensure the right technical and business metadata is in place. The following aspects of data should be recorded and available:

Term definition

Calculation criteria (as applicable)

Lineage of the underlying data sources (upstream/downstream)

Quality parameters

Uses/affinity mentions within the business

Ownership

The above criteria should be used as a starting point for how to enhance the fields and tables captured to enable proper business use and application. Accurate metadata is critical to ensure that private algorithms can be trained to emphasize the most important data sets with reliable and relevant information.

A metadata dictionary that has appropriate processes in place for updates to the data and verification practices will support the drive for consistent data usage and maintain a clean, usable data set for transformation initiatives.
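As an illustration, a single entry in such a metadata dictionary might look like the following structure, with a small verification step that rejects incomplete entries. The field values are invented; only the required attributes mirror the list above.

```python
# Hypothetical metadata dictionary entry covering the attributes listed above.
REQUIRED_FIELDS = {
    "definition", "calculation", "lineage", "quality_parameters", "uses", "ownership",
}

net_revenue_entry = {
    "term": "net_revenue_usd",
    "definition": "Recognized revenue net of refunds, in USD",
    "calculation": "gross_revenue_usd - refunds_usd",
    "lineage": {"upstream": ["billing.invoices"], "downstream": ["finance.revenue_fact"]},
    "quality_parameters": {"nulls_allowed": False, "refresh_sla_hours": 24},
    "uses": ["quarterly board reporting", "training data for revenue forecasts"],
    "ownership": "Finance Data Office",
}

def validate_entry(entry):
    """Verification step: reject entries missing any governed attribute."""
    missing = REQUIRED_FIELDS - entry.keys()
    if missing:
        raise ValueError(f"Metadata entry incomplete, missing: {sorted(missing)}")
    return True

validate_entry(net_revenue_entry)
```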

Understanding the use case and application

Once the right information is recorded about the foundation of the underlying data set, it is critical to understand how data is ultimately used and applied to a business need. Key considerations regarding the use of data include documenting the sensitivity of the information recorded (data classification), organizing data sets into categories under a logical data domain structure (data labeling), applying boundaries to how data is shared and stored (data retention), and ultimately defining protocols for destroying data that is no longer essential or whose removal has been requested and is legally required (data deletion).

An understanding of the correct use and application of underlying data sets can allow for proper decision-making regarding other ways data can be used and what areas an organization may want to ensure they do not engage in based on strategic direction and legal and/or regulatory guidance. Furthermore, the storage and maintenance of business and technical metadata will allow AI platforms to customize the content and responses generated to ensure organizations receive both tailored question handling and relevant response parsing – this will ultimately allow for the utilization of company-specific language processing capabilities.

Prepare now for what’s coming next

It is now more critical than ever that the right parameters are placed around how and where data should be stored to ensure the right data sets are being retrieved by human users while allowing for growth and enablement of AI use cases going forward. The concept of AI model training relies on clean data which can be enforced through governance of the underlying data set. This further escalates the demand for appropriate data governance to ensure that valuable data sets can be leveraged.

This shift has greatly accelerated the need for data governance, turning what some may have seen as a ‘nice to have’ or even an afterthought into a ‘must have’ capability that allows organizations to remain competitive and be seen as truly transformative in how they use data, their most valuable asset, both internally for operations and with their customers in an advanced data landscape. AI is putting the age-old adage of ‘garbage in, garbage out’ on steroids: any data defects flowing into the model can become part of the output, further highlighting the importance of tightening your data governance controls.

Read the results of Protiviti’s Global Technology Executive Survey: Innovation vs. Technical Debt Tug of War 

Connect with the Author

Will Shuman
Director, Technology Consulting

Data Management

Salesforce’s business intelligence platform, Tableau, is getting generative AI features in the form of Tableau GPT, built on the company’s proprietary Einstein GPT AI engine, which has also been integrated into other products such as Slack.

“Tableau GPT can enhance and automate things like analyzing data, exploring it, sharing it, consuming it. The generative AI engine introduces a number of really exciting use cases where for example, analyzing data feels more like a conversation via a chatbot as opposed to drag and drop,” said Pedro Arellano, head of product at Tableau.

“Other use cases include the engine anticipating questions that users might ask based on what’s already in the data or taking hundreds of insights and explaining them using very easy to understand summaries,” Arellano said.

Einstein GPT, the foundation for Tableau GPT, comprises various large language models (LLMs) including those from OpenAI, Cohere, and internal, proprietary Salesforce models, noted Sanjeev Mohan, principal analyst at independent consulting firm SanjMo.

These internal models were  driven by Salesforce’s investments in companies with natural language processing abilities, and insights about how enterprises conduct data analytics, according to Amalgam Insights principal analyst Hyoun Park.

“Tableau previously acquired Narrative Science, a natural language generation solution for analytics. In addition, Salesforce has made strong investments in data science over the years such as BeyondCore, Metamind, and Datorama and has hundreds of data scientists in house as well,” Park said.

In addition, Tableau GPT has been given a data security and governance layer in order to protect enterprise data from internal and external data leakages or unauthorized access, according to Arellano.

The addition of the governance and security can be attributed to Salesforce’s effort to build trust among customers, especially at a time when companies are banning the use of OpenAI’s ChatGPT over data leak concerns, analysts said.  

“These layers protect users who are afraid that their prompts will be used to retrain LLMs. Also, it can guard against LLM hallucinations,” SanjMo’s Mohan said.  

Tableau GPT is expected to be available in pilot later this year, the company said.

Proactive data analytics with Tableau Pulse

Salesforce has also released a new flavor of data analytics under an offering dubbed Tableau Pulse, which the company said offers proactive analytics.

“It is sort of a personal guide for your data, where it knows your data. It knows the goals you’re trying to achieve with your data. And it helps you reach those goals,” Arellano said.

Tableau Pulse will also use Tableau GPT to help enterprise users make better, faster decisions using automated analytics on personalized metrics in an “easy-to-understand way,” Arellano said, adding that Pulse can surface insights in both natural language and visual formats.

Use cases include alerts when there is an unusual change in data or metrics, and help for users to drill down to the reason for the anomaly, the company said.

These insights can be further shared with colleagues via collaboration platforms such as Jira or Slack in order to find a resolution, Salesforce added.

“The automatic nature of the analyses provided by Pulse increases productivity but also introduces consistency and comprehensiveness since the same analytics are applied wherever necessary,” said David Menninger, research director at Ventana Research.

However, Tableau might be playing catch up with other vendors, analysts said.

“A number of vendors have developed and are refining ways to look at the graph of individual and user behaviors and interactions with data and then glean insights and make recommendations based on changes,” said Doug Henschen, principal analyst at Constellation Research.

Cloud-based products, according to Henschen, tend to have a leg up in analyzing user behaviors and data interactions at scale.

“Products that started out as server-based products, like Tableau, have typically taken longer to develop graph and personalization capabilities that can be delivered consistently across both cloud and on-premises deployments,” Henschen said.

Though many vendors offer automated insights, the addition of generative AI-produced narratives “will help make these insights more complete and more easily delivered in multiple languages,” Ventana’s Menninger said.

Tableau Pulse is expected to be available in pilot later this year, the company said.

Data Cloud for Tableau to unify data for analytics

In addition to Tableau Pulse, Salesforce is offering Data Cloud for Tableau to unify enterprises’ data for analytics.

The plan is to layer Tableau on top of the Data Cloud, which was released last year in September at Dreamforce under the name “Genie.”

“With Tableau, all of a company’s customer data can be visualized to help users explore and find insights more easily. Data Cloud also supports zero-copy data sharing, which means that users can virtualize Data Cloud data in other databases, making it instantly available to anyone,” the company said in a statement.

Data Cloud for Tableau will also come with data querying capabilities, the company added.

There are many business advantages that Data Cloud for Tableau can provide, according to Henschen.

“Advantages include bringing together all your disparate data, separating compute and storage decisions, and enabling many types of analysis and many different use cases against the data cloud without replication and redundant copies of data,” Henschen said.

Salesforce’s move to combine its Data Cloud with Tableau can be attributed to Tableau having reached a ceiling in its core analytic discovery capabilities, according to Park.

“It is being pressured to increasingly support larger analytics use cases that push into data management and data warehousing. Although Tableau is not going to be a full-fledged data warehouse, it does want to be a source of master data where analytic data is accessed,” Park said.

Data Cloud for Tableau, however, is part of a strategy to compete with data lakehouse and data warehouse vendors, and an effort to own or control more data, Menninger said. The integration of Tableau and Data Cloud will lead to direct competition with the likes of Qlik, Tibco, IBM, Oracle, and SAP, analysts said.

Data Cloud for Tableau is expected to be made available later this year.

Other updates include a new developer capability, dubbed VizQL (visual query language) Data Service, that allows enterprise users to embed Tableau anywhere in an automated business workflow.

“VizQL Data Service is a layer that will sit on top of published data sources and existing models and allows developers to build composable data products with a simple programming interface,” the company said.

Salesforce woos new users with Tableau generative AI

Generally, the addition of generative AI features to Tableau can be seen as an attempt to attract customers who are not analytics or data experts. Business intelligence suites face a problem of adoption as at least 35% of employees are not willing to learn about analytics or data structures, Park said.

“To get past that, analytics needs a fundamentally different user interface. This combination of a natural language processing, natural language generation, generative AI, and jargon-free inputs that translate standard language into data relationships provides that user interface,” Park added.

Another reason why the new features could attract customers is the disinterest of business users in using dashboards. “These users would rather use natural language which has context. Up until now, NLP was very difficult for computers to handle but the new LLMs changed that,” Mohan added.

Business Intelligence, Enterprise Applications

In the first use case of this series, Stay in Control of Your Data with a Secure and Compliant Sovereign Cloud, we looked at what data sovereignty is, why it’s important, and how sovereign clouds solve for jurisdictional control issues. Now let’s take a closer look at how data privacy and sovereignty regulations are driving security, privacy, and compliance.

Data Privacy and Security

The EU’s GDPR has formed the basis of data privacy regulations not just in the EU but around the world. A key principle of the regulation is the secure processing of personal data. The UK GDPR states that security measures must ensure the confidentiality, integrity, and availability of data (known in cybersecurity as the CIA triad) and protect against accidental loss, destruction, or damage.1

Restricting access to sensitive and restricted data is a crucial aspect of data security, along with ensuring trust and flexibility for portability needs. 

Sovereign clouds are built on an enterprise-grade platform and customized by partners to meet local data protection laws, regulations, and requirements. Locally attested providers use advanced security controls to secure applications and data in the cloud against evolving attack vectors, ensuring compliance with data regulation laws and requirements to safeguard the most sensitive data and workloads.

Protected data should be safeguarded with micro-segmentation and zero-trust enforcement so that workloads cannot communicate with each other unless they have specifically been authorized, and should be encrypted to secure it from foreign access. A multi-layered security approach secures data and applications in the sovereign cloud, keeping them safe from loss, destruction, or damage.
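Conceptually, zero-trust micro-segmentation reduces to a default-deny policy check on every workload-to-workload flow. The sketch below is a generic illustration, not any vendor’s policy engine, and the workload names and ports are invented.

```python
# Generic, simplified illustration of micro-segmentation with zero-trust enforcement:
# every flow is denied unless it is explicitly authorized and travels over an
# encrypted channel. Real platforms express this with their own policy objects.
ALLOWED_FLOWS = {
    ("web-frontend", "payments-api", 443),
    ("payments-api", "payments-db", 5432),
}

def authorize_flow(src, dst, port, encrypted):
    """Default deny: allow only listed flows, and only when encrypted."""
    if not encrypted:
        return False
    return (src, dst, port) in ALLOWED_FLOWS

print(authorize_flow("web-frontend", "payments-api", 443, encrypted=True))   # True
print(authorize_flow("web-frontend", "payments-db", 5432, encrypted=True))   # False: not authorized
print(authorize_flow("payments-api", "payments-db", 5432, encrypted=False))  # False: not encrypted
```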

Sovereignty and Compliance

Data residency – the physical location where data (and metadata) is stored and processed – is a key aspect of data privacy and sovereignty regulations. Data residency laws require that companies operate in a country and that data be stored in that country, often due to regulatory or compliance requirements. For companies that have customer data in multiple countries, it becomes a challenge to keep data secure. A sovereign cloud helps minimize risk and offers the more robust controls and trusted endpoints needed to keep data secure and compliant.

In addition, data residency requirements continue to evolve and vary by country or region. Multi-national companies frequently rely on in-country compliance experts to help ensure they’re following the latest rules correctly and to avoid significant fines and legal action. 

With VMware, we provide best-in-class, enterprise-grade cloud, security, and compliance solutions that offer the ultimate platform for data choice and control.

“A law can change, and it can change your entire way of doing business,” one Fortune 500 CISO said.2  And with the ever-changing geopolitical landscape, platform flexibility is needed to minimize risk with self-attested, trusted code. VMware provides simpler lift-and-shift portability and interoperability, as well as greater compliance with local laws and regulations.

Faced with changing regulations, it’s not surprising that compliance is a top cloud challenge according to 76% of organizations.3  One reason is a lack of skilled personnel. A recent survey from ISACA found that 50% of respondents said they experienced skills gaps in compliance laws and regulations, as well as in compliance frameworks and controls. Another 46% are dealing with a gap in privacy-related technology expertise.4

With these challenges, it’s not surprising that 81% of decision-makers in regulated industries have repatriated some or all data and workloads from public clouds.5  Some have moved data back on-premises, whereas others are using hybrid cloud architectures. 

With VMware Sovereign Cloud, solutions are provided by locally attested partners who provide full-service, sovereign solutions and ensure that compliance is achieved, implemented and configured. Sovereign cloud meets data residency requirements with local data centers to contain all regulated data, including metadata, and you can respond faster to data privacy rule changes, security threats, and geopolitics with a flexible cloud architecture and knowledgeable local experts.

Learn more about VMware Sovereign Cloud:

Download the Security and Compliance 1 pager

Watch the Sovereign Cloud Overview video  

Find and connect with a Sovereign Cloud Provider in your region

Join the conversation on Sovereign Cloud on LinkedIn

Next, we’ll explore data access and integrity, and how that can ignite innovation.

Sources:
1. UK Information Commissioner’s Office, Guide to the General Data Protection Regulation (GDPR) Security, accessed June 2022
2. CSO, Data residency laws pushing companies toward residency as a service, January 2022
3. Flexera 2022 State of the Cloud Report
4. ISACA, Privacy in Practice 2022, March 2022.
5. IDC, commissioned by VMware, Deploying the Right Data to the Right Cloud in Regulated Industries, June 2021

Cloud Management, IT Leadership

While mergers and the IT challenges that follow get the attention, there have been some interesting cases of the reverse in recent years. IBM sold off its managed infrastructure business to form Kyndryl; German utility E.ON spun out its gas power activities as Uniper; and most recently, General Motors set up a new subsidiary, BrightDrop, to make electric trucks.

Another example is i-Pro, a maker of cameras for surveillance, public safety, medical and industrial applications, which started life within Panasonic.

Its journey to independence began in May 2019, when Panasonic sold an 80% stake in what would become i-Pro to an investment fund. Panasonic pulled several activities together—its security systems business division, an R&D unit designing compact cameras for industrial and medical use, a US subsidiary operating mainly in the public safety sector, and manufacturing facilities in China—and spun them out as an independent entity, Panasonic i-Pro Sensing Solutions Co.

The new company, since renamed simply i-Pro, had the right to use Panasonic’s name for three years, reminding customers of its 60-year history while it built its own reputation. For that time, too, it could rely on Panasonic’s IT team and its ageing SAP ECC systems while it built its own ERP in the cloud. But the clock was ticking.

“For those three years, we still worked closely with Panasonic,” says Rohan Ponnekanti, manager for business systems at i-Pro Americas. “We were using their IT systems, especially the SAP systems, and paying for Panasonic IT to help us with our day-to-day processes.”

IBM Japan was brought in to build a new global ERP system for the new company using SAP S/4HANA, which has an entirely different data structure than the older SAP ECC. The migration went smoothly enough in Japan and in Europe, which at the time was a small part of i-Pro’s activities.

Things were more complicated in the US market, though, which also included the public safety business selling bodycams, dashcams, and digital evidence systems to law enforcement. 

Ponnekanti says he was initially brought in to work on the ERP migration globally: “They thought they’d save money having one guy handle everything,” he says. That meant dealing with a vast span of time zones from Japan through China and Europe to Texas, where he’s based. Those hours, and the scale of the challenge getting the US IT systems up and running, led him to refocus his role on the company’s American operations.

“Our company is headquartered in Japan, so all the major decisions were made there,” he says. IBM Japan handled migration of the data for Japan, China, and for the tiny European sales unit. “But when it came to the US, it was a large amount of data and complex business problems they had to deal with,” he says.

The initial plan was for Ponnekanti to liaise with the Panasonic US IT staff to negotiate the extraction of the relevant data from their legacy SAP system, so it could be uploaded to the new system using SAP’s S/4HANA Migration Cockpit.

“Usually when you’re trying to carve out the data, you go by a company code, which is the highest level you can easily carve out,” he says. “But here, everything is under the same company code so it’s more complicated. All our i-Pro data was completely blended in under Panasonic data, so there was no way to differentiate the i-Pro data and extract it. That’s when we realized we really needed a professional data migration company.”

Call the specialists

Ponnekanti turned to Miami-based SAP systems integrator LeverX, which has developed its own data migration tools to help with moves from SAP ECC to S/4HANA.

By now, in the latter part of 2021, Panasonic in the US and i-Pro Americas were separate entities, albeit with an owner in common. And although there was some cooperation between the two, there were limits.

What he wanted to do was have LeverX connect their migration tool to the Panasonic ERP system, analyze the data, and extract the relevant records for insertion into i-Pro’s new system.

He says Panasonic’s IT team wouldn’t let him, though, because although Panasonic agreed to give i-Pro access to the system, for various reasons, this didn’t extend to third parties such as LeverX.

After some discussion, Panasonic’s IT team came up with a proposal: It would extract the relevant data and dump it in Excel files for i-Pro to work with.

“Now the whole project timeline changes, because there’s a lot of manual work needed,” he says. Because of the delay obtaining the data, the migration project start date slipped from October 2021 to early January 2022.

Another big challenge was that i-Pro Americas had no IT staff at this point; Panasonic had held on to the rest of the team.

“I’m the only guy there and I have no team yet,” he says. “I’m still working between the IBM team, the LeverX team and the Panasonic IT team, so it’s quite complicated.”

The biggest challenge, he says, was to understand how to map the data from the old system to the new one. Ponnekanti only joined the company himself once the split was under way, and while he had business staff who had worked with the old SAP system, their knowledge of the application was from the outside in: They weren’t able to explain the technical details of the old data structures, and hadn’t even seen the new S/4HANA system yet.

That left the LeverX staff to figure much of it out for themselves based on their knowledge of the internals of SAP’s software, and their experience of similar migrations elsewhere. This led to some late nights as they cleansed the data, aligned the fields between the old and new SAP implementations, and then transformed the data, renumbering customers, products, and SKUs to meet the requirements of the new system. The overall success of the migration depended heavily on the part played by the team at LeverX, according to Ponnekanti.
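For a sense of what that transformation work involves, here is a simplified pandas sketch of the same pattern: carve out the spun-out entity’s records from a legacy Excel extract, cleanse them, and renumber IDs for the new system. It is not LeverX’s tooling; the file name, column names, and filter attribute are all invented, and it assumes pandas with Excel support installed.

```python
# Hypothetical sketch of the migration transformations described above.
import pandas as pd

legacy = pd.read_excel("legacy_customer_extract.xlsx")     # Excel dump from the parent's ERP

# Carve out the relevant records: everything sat under one company code, so filtering
# has to rely on another attribute (here, an assumed sales organization value).
carved_out = legacy[legacy["sales_org"] == "IPRO_US"].copy()

# Cleanse: drop duplicates and strip stray whitespace from key fields.
carved_out = carved_out.drop_duplicates(subset="legacy_customer_id")
carved_out["customer_name"] = carved_out["customer_name"].str.strip()

# Renumber: map legacy customer IDs into the new system's number range.
carved_out["new_customer_id"] = (
    carved_out["legacy_customer_id"].rank(method="dense").astype(int) + 1_000_000
)

# Align fields to the target template expected by the migration tooling.
target = carved_out.rename(columns={"customer_name": "NAME1", "city": "CITY1"})
target.to_excel("s4hana_customer_upload.xlsx", index=False)
```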

By the end of February 2022, it was time to hand off an XML file of all the data to the in-house team in Japan for the first mock data migration.

“We had planned for three mock migrations, but due to the unexpected challenges we lost a lot of time, so we ended up only doing two,” he says. There were still gaps in the data, but most of those were fixed by the second rehearsal, in April, allowing the new system to go live on time in May 2022. There were still a few holes to fix after go-live, but none was big enough that the business hit a roadblock, he says.

Learning on the job

With the system up and running, Ponnekanti set out to recruit a team of three to maintain and improve it, one each for the sales, supply chain and finance functions. He looked for staff with backgrounds in consulting, like him, who dealt with challenges for a variety of clients. By the time they joined i-Pro, there was no more access to the Panasonic IT team, so there was no formal knowledge transfer.

Instead, Ponnekanti says, he passed on what he learned during the migration process, and told his recruits to shadow the business staff, sit in their meetings on mute, assess areas of weakness, and try to come up with solutions.

He also started involving them in the global IT team meetings. “I wanted them to hear what was going on at the higher level, so they understand and get to know all the team members from Japan and Europe, and help each other out,” he says.

After about six months, they had built up the necessary knowledge, and today, he and the team are ready to start adding additional SAP modules as the business grows.

Where Panasonic had strict procedures and slow processes, taking eight or nine months to agree even minor changes to IT systems, Ponnekanti says, he’s aiming to build an IT organization that can act quicker. He wants it to take no more than three meetings to get a project going: One in the US to discuss the idea, one with an implementation partner to cost it out, and one with the global CIO in Japan to get final approval.

Don’t let a spin-out spin out of control

Ponnekanti has some advice for IT leaders considering taking on a similar role in other spin-out companies.

The most important thing, he says, is to get a detailed commitment from the parent company up front to provide the necessary access to IT systems and data—including for third parties contracted to do the work.

At the creation of i-Pro, he says, no one really dug into the details. You don’t have to get too technical, he adds, “but at least talk about the systems you’ll need access to, and be precise about what you need.”

Even when the level of cooperation between the old IT team and the new is laid out in a contract, it’s important to maintain that relationship because it’s not just about the data migration.

Finally, where company policy or security concerns run up against the bonds of friendship, and demands for data aren’t met, turn the tables. “Ask them what they could offer given the situation,” he says. Then you can start improvising from the solutions they propose.

CIO, Data Management, IT Leadership, Mergers and Acquisitions

One of four government data centers in the Netherlands, Overheidsdatacenter Noord (ODC-Noord) is the northernmost facility of its kind and is located in the picturesque city of Groningen. With nearly 140 employees, the high-performance data center provides government agencies with the mission-critical compute, storage, and networking solutions needed to provide important services to citizens.

Offering Housing-as-a-Service, Platform-as-a-Service, and Infrastructure-as-a-Service, ODC-Noord currently serves around 40 customers. These include numerous government ministries and agencies that serve citizens of the Netherlands. Among the services provided is a highly available, high-performance VMware-based vCloud platform.

“We provide scalable ICT services in accordance with the National Institute of Standards and Technology (NIST) cloud computing reference architecture for business applications,” says Jaap Jansma, manager at ODC-Noord. “This includes not only HaaS, PaaS, and IaaS, but also the supporting facilities for development of custom software, as well as solutions for DevOps teams—among them Kubernetes test and production environments and applications for specific use cases, including data science and deep analytics.”

ODC-Noord’s agile teams are composed of skilled personnel. These experts not only develop, but also manage and maintain, all of the organization’s services.

“Our teams are driven, enterprising and a bit headstrong,” adds Jansma. “These are qualities that serve us well in our dedicated work to provide high-quality and innovative services to our customers.”

Those services also reflect ODC-Noord’s commitment to reduce its carbon emissions to net zero by 2030 and to serve as a partner who can help government agencies further their own sustainability goals. Jansma notes that’s why the decision to embrace the VMware Zero Carbon Committed initiative was a natural one.

“As a public-sector organization, we are included in the Dutch government’s diligent efforts to create a carbon-free energy system, but at ODC-Noord, we also feel strongly that it is our responsibility as a service provider to do everything we can to reduce the impact of ICT on the environment,” says Jansma. “The migration to software-defined data centers was an important step in the right direction, but it’s just the beginning. The VMware Zero Carbon Committed initiative builds on that momentum and is a natural next step.”

Notably, ODC-Noord already runs on 100% renewable energy sources, among them hydro, wind and solar power. Servers are also controlled with advanced power management solutions to maximize their efficiency. There are also plans to use residual heat to heat 10,000 homes and buildings in Groningen.

Outside air is also used to cool the data center—radically reducing the need for traditional air conditioning systems. Even the basic design of the facility uses natural airflows in which colder air sinks and warmer air rises to minimize the use of heating and cooling systems. In 2022, the average Energy Usage Effectiveness, or EUE, of ODC-Noord was an impressive 1.25.

Other steps, including ODC-Noord’s goal to transition to hydrogen, are far-reaching and ambitious, but Jansma notes that every step, large and small, is important.

“We’ve already switched to a hydrogen-powered backup utility offered by one of our suppliers, NorthC, which is a big step forward, and our innovations in power management enabled us to reduce the power usage of 40% of our assets, including servers, by 90%,” he says. “We’re also working with our suppliers to institute sustainability rating certifications and to reduce the amount of packaging—for example we recently eliminated the packaging of individual items with one of our cable vendors—and we are recycling hardware in-house to ensure it’s done right. And of course, there are myriad small steps we take each day, from recycling in our offices to promoting public transportation. It’s all important.”

Jansma believes the VMware Zero Carbon Committed initiative is a powerful way not only to support these efforts, but to make them part of the conversation with customers. It’s a conversation he believes must occur.

“We are living in a world where it seems that the sky is the limit, but we are realizing that we have to be careful with everything our planet gives us,” he says. “For a sustainable future, and for the future of our children, it is our duty to invest in a zero carbon footprint.”

Learn more about ODC-Noord and its partnership with VMware here.

Cloud Computing, Green IT

Simply put, and despite claims customers may hear or see in this infant market, the reality is that there is no one-size-fits-all definition of “data sovereignty.” The true source of the definition applicable to any workload being contemplated is the legal, policy, or guideline framework applicable to that data that prescribes sovereignty as a requirement.

For example, a government customer planning to acquire cloud services for workloads related to its defence ministry/department would be subject to different data sovereignty laws, policies, and guidelines than when the same government acquires cloud services for its revenue ministry/department. Both of those would differ again when that same customer acquires cloud services for its parks/forestry ministry/department. Furthermore, the defence ministry of one government may have different requirements than the defence ministry of another, and a single defence ministry may have different requirements for two different purchases depending on the workload it is considering. It is therefore understandable that a cloud offering can be compliant with the data sovereignty requirements for one customer workload, but not for another workload of the same customer.

In sum, the definition of data sovereignty varies from jurisdiction to jurisdiction, and from workload to workload, even within the same jurisdiction (depending on the applicable laws, policies, or guidelines that are prescribing it as a requirement). That being said, the common denominator amongst most definitions is that data must remain subject to the privacy laws and governance structures within the nation where the data is created or collected. Because the location of data is not, under many jurisdictions, a bar to foreign jurisdictions asserting control over the data, data sovereignty often requires that it remains under the control and/or management of entities and individuals who cannot be compelled by foreign governments to transfer the data to foreign governments (or, again depending on the requirements, certain foreign governments).  As an example of a requirement that may be different, some, but not all, require that the cloud vendor employees who are supporting the underlying infrastructure hold citizenship and security clearance (i.e., data residency and jurisdictional control would not suffice).  

The other important terms to define are as follows:

Data Residency – The physical geographic location where customer data is stored and processed is restricted to a particular geography. Many customers and vendors confuse this concept with data sovereignty.

Data privacy – Data privacy looks at the handling of data in compliance with data protection laws, regulations, and general privacy best practices.

Jurisdictional control of data – A jurisdiction retains full control of data without other nations/jurisdictions being able to access, or request access, to that data.

Data Governance – The process of managing the availability, usability, integrity, and security of the data in systems, based on internal data standards and policies that also control data usage.

Global hyperscale commercial cloud – Foreign company-owned cloud infrastructure where data is held by a foreign Provider, and as a result may be subject to foreign laws.

VMware Sovereign Cloud Initiative

VMware recognizes that regional cloud providers are in a great position to build on their own sovereign cloud capability and establish industry verticalised solutions aligned to differing data classification types and under their nation’s jurisdictional controls.

Data classification is core to understanding where your data needs to reside and the protections that must be in place to safeguard its ‘sovereignty’ with jurisdictional controls. The VMware Sovereign Cloud initiative has established a trust-scale framework based on the classification of data, which varies by vertical. Examples vary by industry and region: official UK government classifications include Official, Secret, and Top Secret, while examples from the commercial sector can include Confidential, Internal Use, Public, Sensitive, and Highly Sensitive. The classifications that a Sovereign Cloud Provider chooses to include in the platform by default will depend on a combination of local jurisdictional norms and the type of customers the platform is intended to serve.

The principle for data classification and trust is that the Sovereign Cloud Provider's security can be organised into different trust zones (architecturally called security domains). The higher the classification of the data, the more trustworthy and sovereign the hosting offering must be; the less trusted the zone, the more risk mitigations and safeguards are required (such as encrypting your data, confidential computing, and privacy-enhancing computation). There are, however, some hard stops: the most secure zone must always sit within the sovereign nation and under sovereign jurisdiction.

The placement of data must be based on the least trusted/sovereign dimension of the service. Assessing your data classification requirements against the proposed services shows where the data can reside, based on the necessary locations and the mitigations available. This is an opportunity for VMware Sovereign Cloud partners to overlay solutions. By this, I mean that in many cases a specific data classification can be placed on a particular platform (or security domain) if certain security controls are in place; for example, confidential data can reside on shared sovereign cloud infrastructure if it is encrypted and the customer holds their own keys.
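As a rough illustration of that placement rule, the sketch below encodes hypothetical classification-to-security-domain mappings and the mitigations each placement would require. The zone names and mitigation labels are invented for the example and are not part of the VMware Sovereign Cloud framework.

```python
# Illustrative only: one way a provider might encode the "classification ->
# security domain" placement rule described above. Zones and mitigations
# are hypothetical, not taken from any VMware product.
REQUIRED_MITIGATIONS = {
    # (classification, security_domain): mitigations needed for placement
    ("Public", "shared-sovereign"): set(),
    ("Internal Use", "shared-sovereign"): {"encryption-at-rest"},
    ("Confidential", "shared-sovereign"): {"encryption-at-rest", "customer-held-keys"},
    ("Confidential", "dedicated-sovereign"): set(),
    ("Secret", "dedicated-sovereign"): {"customer-held-keys", "confidential-computing"},
}

def can_place(classification: str, domain: str, available_mitigations: set) -> bool:
    """Data may be placed in a domain only if every required mitigation is available."""
    required = REQUIRED_MITIGATIONS.get((classification, domain))
    if required is None:
        return False  # no approved placement for this combination
    return required <= available_mitigations

# Confidential data can sit on shared sovereign infrastructure if it is
# encrypted and the customer holds their own keys.
print(can_place("Confidential", "shared-sovereign",
                {"encryption-at-rest", "customer-held-keys"}))  # True
print(can_place("Confidential", "shared-sovereign",
                {"encryption-at-rest"}))                        # False
```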

Using this risk and data classification analysis, VMware Sovereign Cloud Providers can see where their proposed sovereign cloud offerings sit on the scale relative to their other services, such as public hyperscale cloud. They can then determine how to shift offerings towards the most sovereign dimension of service as necessary, using technology and process, and so enhance a customer's sovereign protection and cloud usage.

For the reasons noted above, VMware Sovereign Cloud providers, using VMware on-premises software, are ideally positioned to build compliant, data-sovereign hosted cloud offerings aligned with the data sovereignty laws, policies, and frameworks of their local or regional jurisdictions, in a model that offers a better approach to assuring jurisdictional control and data sovereignty.

My thanks to Ali Emadi for co-authoring this article. To read the full article, 'Will the Real Data Sovereign Cloud Please Stand Up?', click here.

Cloud Management, Cloud Security, Data Management, Data Privacy

Data about who owes how much to whom is at the core of any bank’s business. At Bank of New York Mellon, that focus on data shows up in the org chart too. Chief Data Officer Eric Hirschhorn reports directly to the bank’s CIO and head of engineering, Bridget Engle, who also oversees CIOs for each of the bank’s business lines.

“It’s very purposeful because a lot of the opportunities for us around data require tight integration with our technology,” says Hirschhorn. “I’m a peer to the divisional CIOs of the firm, and we work hand-in-glove because you can’t separate it out: I can make a policy, but that alone doesn’t get the job done.”

Hirschhorn, who joined the bank in late 2020, has worked in financial services for over three decades, during which the finance industry’s concerns about data have changed significantly.

“Twenty years ago, we were trying to make sure our systems didn’t fall over,” he says. “Ten years ago, we were worried about systemic importance, and contagion. When you solve some of the more structural concerns, it all gets back to the data. We are incredibly bullish on building advanced capabilities to understand the interconnectedness of the world around us from a data perspective.”

One key to that endeavor is being able to identify all the data related to an individual customer, and to identify the relationships that link that customer with others. Banks have a regulatory requirement to know who they’re dealing with — often referred to as KYC or “know your customer” — to meet anti-money-laundering and other obligations.

“The initial problem we were looking to solve is a long-standing issue in financial markets and regulated industries with large datasets,” Hirschhorn says, “and that was really around entity resolution or record disambiguation,” or identifying and linking records that refer to the same customer.

Being able to identify which of many loans have been made to the same person or company is also important for banks to manage their risk exposure. The problem is not unique to banks, as a wide range of companies can benefit from better understanding their exposure to individual suppliers or customers.

Defining a customer with data

But to know your customers, you must first define what exactly constitutes a customer. “We took a very methodical view,” says Hirschhorn. “We went through the enterprise and asked, ‘What is a customer?’”

Initially, there were differences between divisions about the number of fields and type of data needed to define a customer, but they ended up agreeing on a common policy.

Recognizing that divisions already had their own spending priorities, the bank set aside a central budget that each division could draw on to hire developers to ensure they all had the resources to implement this customer master. The message was, “You hire the developers and we will pay for them to get on with it,” Hirschhorn says.

With the work of harmonizing customer definitions out of the way, the bank could focus on eliminating duplicates. If it has a hundred records for a John Doe, for example, then it needs to figure out, based on tax ID numbers, addresses, and other data, which of those relate to the same person and how many different John Does there really are.
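To illustrate the kind of record disambiguation being described, here is a deliberately simplified Python sketch that links records sharing a tax ID or a surname-plus-address key and then clusters them transitively. It is not BNY Mellon's in-house tool or Quantexa's algorithm, and the sample records are invented.

```python
# Illustrative only: a simplified entity-resolution pass, not BNY Mellon's
# in-house tool or Quantexa's algorithm. Records are linked if they share a
# tax ID, or a surname plus a normalised address, and links are transitive.
from collections import defaultdict

records = [
    {"id": 1, "name": "John Doe",     "tax_id": "123-45-6789", "address": "1 Wall St"},
    {"id": 2, "name": "J. Doe",       "tax_id": None,          "address": "1 Wall St"},
    {"id": 3, "name": "Jonathan Doe", "tax_id": "123-45-6789", "address": "200 Park Ave"},
    {"id": 4, "name": "John Doe",     "tax_id": None,          "address": "99 Oak Ave"},
]

def normalise(text):
    """Lower-case and strip everything except letters and digits."""
    return "".join(ch for ch in (text or "").lower() if ch.isalnum())

# Union-find makes links transitive: records 2 and 3 never match each other
# directly, but both match record 1, so all three form one cluster.
parent = {r["id"]: r["id"] for r in records}

def find(x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def union(a, b):
    parent[find(a)] = find(b)

# Group records by matching keys: exact tax ID, or surname + normalised address.
by_key = defaultdict(list)
for r in records:
    if r["tax_id"]:
        by_key[("tax", r["tax_id"])].append(r["id"])
    surname = normalise(r["name"].split()[-1])
    by_key[("name+addr", surname, normalise(r["address"]))].append(r["id"])

for ids in by_key.values():
    for other in ids[1:]:
        union(ids[0], other)

clusters = defaultdict(list)
for r in records:
    clusters[find(r["id"])].append(r["id"])
print(list(clusters.values()))  # e.g. [[1, 2, 3], [4]] -> two distinct "John Doe"s
```

Production systems add many more signals (dates of birth, corporate hierarchies, external registries) and probabilistic scoring, but the clustering idea is the same.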

BNY Mellon wasn’t starting from scratch. “We actually had built some pretty sophisticated software ourselves to disambiguate our own customer database,” he says. There was some automation around the process, but the software still required manual intervention to resolve some cases, and the bank needed something better.

Improving the in-house solution would have been time consuming, he says. “It wasn’t a core capability, and we found smarter people in the market.”

Among those people were the team at Quantexa, a British software developer that uses machine learning and multiple public data sources to enhance the entity resolution process.

The vendor delivered an initial proof of concept to BNY Mellon just before Hirschhorn joined, so one of his first steps was to move on to a month-long proof of value, providing the vendor with an existing dataset to see how its performance compared with that of the in-house tool.

The result was a greater number of records flagged as potentially relating to the same people — and a higher proportion of them resolved automatically.

“There’s a level of confidence when you do correlations like this, and we were looking for high confidence because we wanted to drive automation of certain things,” he says.
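As a rough sketch of how such confidence levels can drive automation, the snippet below routes scored candidate pairs either to automatic merging or to a human review queue. The scores and cutoff values are invented for illustration and do not reflect the bank's actual configuration.

```python
# Illustrative only: thresholding match scores to decide what is resolved
# automatically and what goes to an analyst. Values are made up.
AUTO_MERGE = 0.95
NEEDS_REVIEW = 0.70

scored_pairs = [
    (("rec-101", "rec-204"), 0.99),  # same tax ID and address
    (("rec-101", "rec-377"), 0.82),  # similar name, partial address match
    (("rec-204", "rec-519"), 0.40),  # weak similarity
]

auto_merged, review_queue = [], []
for pair, score in scored_pairs:
    if score >= AUTO_MERGE:
        auto_merged.append(pair)       # resolved without human intervention
    elif score >= NEEDS_REVIEW:
        review_queue.append(pair)      # routed to an analyst
    # below NEEDS_REVIEW: treated as different entities

print(auto_merged)   # [('rec-101', 'rec-204')]
print(review_queue)  # [('rec-101', 'rec-377')]
```

Raising the auto-merge cutoff trades a larger review queue for fewer false merges, which is the kind of tuning a high-confidence automation goal forces.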

After taking some time to set up the infrastructure and sort out the data workflow for a full deployment, BNY Mellon then moved on to a full implementation, which involved staff from the software developer and three groups at the bank: the technology team, the data subject matter experts, and the KYC center of excellence. “They’re the ones with the opportunity to make sure we do this well from a regulatory perspective,” he says.

Quantexa’s software platform doesn’t just do entity resolution: It can also map networks of connections in the data — who trades with whom, who shares an address, and so on.

The challenge, for now, may be in knowing when to stop. “You correlate customer records with external data sources, and then you say, let’s correlate that with our own activity, and let’s add transaction monitoring and sanctions,” he says. “We’re now doing a proof of concept to add more datasets to the complex, as once you start getting the value of correlating these data sets, you think of more outcomes that can be driven. I just want to throw every use case in.”
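The network-mapping idea can be pictured with a small, invented example: the sketch below builds a graph whose edges record that two entities share an address or trade with each other. The entities, edge types, and data are hypothetical and are not drawn from Quantexa's platform.

```python
# Illustrative only: a toy network of resolved entities, linked when they
# share an attribute (here, an address) or transact with each other.
from collections import defaultdict

shared_addresses = {
    "Acme Ltd": "12 High St",
    "Beta LLC": "12 High St",
    "Gamma plc": "7 Low Rd",
}
transactions = [("Acme Ltd", "Gamma plc"), ("Beta LLC", "Gamma plc")]

graph = defaultdict(set)

# Edge type 1: entities registered at the same address.
by_address = defaultdict(list)
for entity, addr in shared_addresses.items():
    by_address[addr].append(entity)
for entities in by_address.values():
    for a in entities:
        for b in entities:
            if a != b:
                graph[a].add(("shares_address", b))

# Edge type 2: entities that trade with each other.
for a, b in transactions:
    graph[a].add(("trades_with", b))
    graph[b].add(("trades_with", a))

for entity, edges in sorted(graph.items()):
    print(entity, sorted(edges))
```

Each new dataset (transaction monitoring, sanctions lists) simply adds another edge type, which is why the number of possible use cases grows so quickly.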

Investing in technology suppliers

BNY Mellon isn’t just a customer of Quantexa, it’s also one of its investors. It first took a stake in September 2021, after working with the company for a year.

“We wanted to have input in how products developed, and we wanted to be on the advisory board,” says Hirschhorn.

The investment in Quantexa isn’t an isolated phenomenon. Other technology suppliers the bank has invested in include specialist portfolio management tool providers Optimal Asset Management, BondIT, and Conquest Planning; low-code application development platform Genesis Global; and, in April 2023, IT asset management platform Entrio.

The roles of customer and investor don’t always go together, though. “We don’t think this strategy is applicable to every new technology company we use,” he says.

While some companies may buy a stake in a key supplier to stop competitors taking advantage of it, that’s not BNY’s goal with its investment in Quantexa’s entity resolution technology, Hirschhorn says.

“This isn’t proprietary; we need everybody to be great at this,” he says. “People are getting more sophisticated in how they perpetrate financial crimes. Keeping pace, and helping the industry keep pace, is really important to the health of the financial markets.”

So when Quantexa sought new investment in April 2023, BNY Mellon was there again—this time joined by two other banks: ABN AMRO and HSBC.

Artificial Intelligence, Chief Data Officer, CIO, IT Leadership