Private SaaS: a new gold standard?


The SaaS market is projected to grow from $251 billion in 2022 to $883 billion by 2029, and 50% of companies’ apps are SaaS. However, using SaaS is not an option for many companies because of security standards and data regulation laws. In this episode, we discuss the concept of Private SaaS, which separates the control plane and data plane so that companies can benefit from all the advantages of SaaS while keeping their data in-house.

Bart Farrell and Sylvain Kalache welcome Arul Jegadish Francis, OpsVerse co-founder. OpsVerse is a fully managed, open-source-based DevOps toolchain that can run anywhere. They also welcome Michel Tricot, Airbyte co-founder & CEO. Airbyte is the leading data integration platform for ETL / ELT data pipelines from APIs, databases & files to data warehouses, data lakes & data lakehouses.

Key takeaways:

  • The Necessity of Private SaaS: The rising tide of data compliance and security requirements necessitates a shift for companies. They are increasingly required to have strict control over their data and cannot host it with third-party tools.
  • Understanding Private SaaS: Private SaaS, a transformative paradigm, involves the SaaS vendor managing the control plane while the data plane remains within the company’s infrastructure.
  • Private SaaS offers the best of both worlds: companies can continue to enjoy all the benefits of SaaS software while complying with any security and compliance requirements they want to meet.
  • Operational Visibility: For vendors, observability is crucial to address concerns about operational blind spots and control in Private SaaS deployments.
  • Technology Enablers: Technologies like Kubernetes play a pivotal role as enablers for Private SaaS solutions, and this concept will grow quickly in the coming years.

Read the transcript

Sylvain Kalache:
0:00
Hi, welcome to Data Defenders Forum episode number two. My name is Sylvain Kalache and I’m joined by my great partner Bart Farrell. So in today’s episode, we’re going to speak about Private SaaS. And joining us for this conversation is Michel Tricot, the co-founder and CEO at Airbyte. Airbyte is a new open source ETL standout for replicating data from applications, APIs, and databases. We also have with us Arul Jegadish Francis, the co-founder of OpsVerse, which provides fully managed open source DevOps tools that can run anywhere to best serve you. Thank you for joining us.

Michel Tricot:
0:43
Okay. I’ll choose to stand out. Welcome.

Sylvain Kalache:
0:48
Welcome. So before we jump into the conversation, let’s go over a quick briefing on the situation. So the SaaS market today is roughly around 251 billion and is planning on reaching 883 billion by 2029. Excuse me, that’s a lot of billions. Actually, today 50% of the software that companies use is SaaS and most IT decision-makers say that SaaS will be the biggest growth area in the cloud sector. So it’s here to stay. But for many companies, using SaaS is not an option because of security standards and regulation laws. Industries like healthcare and finance adhere to very high security standards, but not only companies that store customer data have to respect some solid standards. And with 71% of countries implementing some sort of direct data regulation or legislation, it’s not going anywhere. One example is data residency requirements, which require a nation’s citizens’ data to be collected, processed, and stored inside the country. Not respecting this can lead companies to face sanctions. For instance, American Express and Diners were recently forbidden to issue new cards in India because they were not respecting that data rule, which is a big deal for Brink’s Club, which has the largest share in India of cardholders, which is quite interesting. So let’s get started. Arul, can you give me your definition of Private SaaS?

Arul Jegadish Francis:
2:43
So we all already know about SaaS. SaaS is where a provider or a vendor takes a piece of software, manages it completely, and offers it as a service. Now, Private SaaS is where you actually push that software, have the data managed by the software, to the customer’s own infrastructure, or to a certain region. So that makes it Private SaaS, in which case, the particular piece of software becomes private to that particular set of users or customers. But at the same time, the vendor brings in all the benefits of SaaS, like managing all aspects of running the tools, upgrading them, taking care of security, providing reliability guarantees, etc. So basically, you split the control plane and data plane and make the data plane live where the customer wants it to live. That’s Private SaaS.

Sylvain Kalache:
3:43
You got it in, can you give like, you know, in the context of OpsVerse, can you explain, you know, in very specific business and creative use cases, what does it mean for us?

Arul Jegadish Francis:
3:55
So OpsVerse provides an OSS-based managed DevOps tools platform. So we basically bring in various DevOps tools on top of the platform. So in our case, we provide our customers with tools that touch their version control system, their production system, basically the sensitive parts of their software delivery pipeline. So in our use case, what we do is the tools themselves are run within the customer’s own network, whether it’s their cloud account, or whether it’s their data center, the tools are executed within the customer’s data residency data governance perimeter, but the control plane on how we manage those tools lives outside. So in one case, the line is between the tools themselves and the control plane.

Sylvain Kalache:
4:50
Thank you. Michel, can you refer us on how made like, you know, what, what does this like separation means for us? And also why did you decide in which to do that? Yeah.

Michel Tricot:
5:07
Airbyte is an open-source data movement platform. And whenever we talk about private, Private SaaS, it generally means that you have a boundary around something that you manage that cannot leave your control. And in general, this is data, right? People don’t want data to leave the safety of their cloud, the safety of their databases. And what we discovered with Airbyte, open-source, is that a lot of people, there are a lot of vendors that do data movement. But the reason why people were taking open-source was because the moment you have open-source, it means that you’re taking the software and you are running it within your own infrastructure. The thing is, by doing that, you’re losing the value that SaaS brings you. Yeah, as Arul was saying, this gives you like software breakeven, even for the company to develop, it’s easier to develop on SaaS because you can have very short cycles of development and releases, which is very different than when you ship software. And for us, the moment we discovered that, okay, this is the reason why people want to, it’s not so much that they want to own the software, it’s just that they want to own where the data is actually moving. This is when we decided to say okay, Airbyte is split into pieces, one that is called the control plane, one that is called the data plane. And from there, you can decide, the piece that really matters for them as a Private SaaS is the data plane is controlled by their IT team, by their infrastructure. And that’s why we’re making that split between the control plane and the data plane. And interestingly, we actually dug for the splits for the cloud product of Airbyte, which is, you know, you said, we have GDPR, you have CCPA, there are some regulation, like geographic regulation, and Airbyte is operating this way, which is we have one control plane that only contains configuration, user management. But the rest, like credentials, and where the data is actually moving, can actually go from one cloud to another from one geography to another, and the user has the choice to decide, yes, I want the data to run there. But this is forecast. But this is basically the same thing that then happens to a potential customer, which is I have my infrastructure, let’s run the data plane on my cloud. But yeah, the driver is always the security and the control over your data.

Sylvain Kalache:
7:50
You announced this as part of the new Europe launch, like, did you like was this decrease in history where you? Was it not possible for users to run Airbyte prior to this? Or it was complicated or difficult? Like, is there a backstory to this?

Michel Tricot:
8:10
I think it’s just, we started by releasing open-source, and we looked at our daily active user, or people that are working with Airbyte, open-source, and try to figure out where are the different markets. And it was very clear that yes, we have a massive chunk in Northern America. And we also have a very big chunk in Europe. Now for the cloud, the first time we really see it. And that’s because, that’s also because we are a startup, we focused on let’s launch it in the US. But very, very quickly, because we have this ambition of moving data everywhere, it was very quickly created that split between the control plane and the data plane. And for us, the testing ground for that model was let’s expand to Europe, let’s get all the customers that are ready for us in Europe, let’s address their needs. But yeah, the need was really a commercial one, which is there is a large audience for Airbyte in Europe, and if we just run in the US, we cannot address it, especially because we’re there, our product.

Sylvain Kalache:
9:21
Interesting. I see, I think about it. Yeah.

Bart Farrell:
9:23
Not only related to that, is that, you know, we have an interesting mixture of, you know, two Europeans living in the US and an American living in Europe, you know, people who live in places that are not where they originally weren’t. What I’m going for with this, though, is that for people that are working in the data space, or that are thinking about, you know, building Private SaaS, this, is it safe to say that they simply cannot be thinking locally because in a good situation, you’re going to have customers that are in these other places. You know, we were Sylvain touched on briefly in the beginning, an article that was shared by Arul about, you know, how difficult difficulties around data storage for credit card companies in India, all of a sudden, something that might not be a problem in one place is a problem in another. What is it that companies that are developing, you know, Private SaaS should be keeping in mind? They might be thinking, well, you know, I’m coming from a technical background, but all of a sudden, your technical background has a lot to do with international regulations around data protection, data security, compliance, Arul, what advice would you give to companies that are out there trying to develop Private SaaS in that sense of thinking globally from the very beginning?

Arul Jegadish Francis:
10:30
Yeah, I think one of the things that I want to touch on that Michel mentioned as well is, when you are when you get into Private SaaS, when you’re thinking about Private SaaS, I think you should first think about dogfooding your own, like SaaS implementation, just how you’re thinking about Private SaaS. And that’s the way we do it as well. Like, we have a SaaS offering and a Private SaaS offering. And we operate both offerings very similarly, even our SaaS, where we have the control plane, and the data plane is separated. So we dog food that. So otherwise, you’re going to do your operations in two different ways. It’ll be very difficult for you. So that’s number one, your SaaS offering, Private SaaS, you should operate very similarly. And secondly, if you are, if you’re thinking about coming into Private SaaS, this golden separation of control plane and data plane is very important because it’s usually the data plane is where all these regulations come. Regulations, data residency, data governance, so as long as your data plane can move around anywhere, can live anywhere, I think, I think you’re good. So that should be part of your base architecture. On day one, you should actually think about that. A few other operational areas that you have to think about are your ability to run hundreds of single tenant systems. In traditional SaaS, often you’re dealing with one multi-tenant system. With Private SaaS, implicitly, every instance is going to be a single tenant system. So your architecture and your deployment architecture, your operations framework should support hundreds of single-tenant systems. So that’s again, a first principle you should be able to support that, then this whole remote management, like you’re going to deploy to and operate infrastructure that you cannot touch and see, you cannot see your engineers will not have direct access to that infrastructure. So you should be able to handle that this whole remote management, you should be able to do that. 
And then observability, you sort of have really deep and robust observability of the infrastructure, so that you know that what you’re operating remotely. And you’re going to run about like a hundreds of these instances remotely. So a robust observability framework should be robust enough to bring everything together. And again, I think you can, you can try out all this by dogfooding your SaaS, so you can develop your SaaS to dog food this and then then think about Private SaaS.

Bart Farrell:
13:16
Great, thank you. And Michel, anything you’d like to add to that?

Michel Tricot:
13:20
Yeah, I mean, I agree with Arul’s point where, as engineers, you want to build a product, and then suddenly, you have this external force that’s coming on top of your product. And I always put that I mean, we work in data. So for me, everything is about data. But this is one place where if you are in the data space, you need to have to bring people that have that sensibility, that sensitivity around what are the requirements of data, and sometimes you don’t have to be an expert, but you need to know that you have regulation. People care so much about the security of their data that you have to protect it. The mind is like how do you access that data? What secrets do you have? And it doesn’t have to be you don’t have to be a legal expert. But you do have to bring a team that has that sensitivity, because they will also make the right choices. And, you know, when we build our mates, we like I come from a pretty large data company, and one that was operating globally. And I actually brought some people with me that even though they were not experts, they had been living and breathing, every type of decision that is made to make data safe. And then it becomes something that is encoded into your, like development practices. Now, we also brought a data regulation expert who is us to just help us on certification, security diagram, et cetera, et cetera. Because yes, we’re dealing with people’s data. And whether it’s on the Private SaaS or whether it’s on the public SaaS or whether it’s on open-source, we need to ensure that we’ll be a very strong foundation from the beginning. So, yeah, that’s, that’s mostly what I have to add, I would say the thing about observability. This is a big deal, because in a way, you can almost consider that observability and getting some telemetry from a single tenant deployment or like a Private SaaS deployment is a type of data. So by doing Private SaaS, you’re not also completely removing the scrutiny that companies put on your company on your product, because you’re still establishing the link between their infrastructure and your infrastructure. And that could be seen as a point of failure in terms of security. So it’s not a silver bullet, but it reduces the blast radius, in case there is something happening, but you will still have to explain something there. So it’s not a silver bullet. But it definitely helps on like the day to day.

Sylvain Kalache:
16:14
We had an interesting conversation in the first episode of the Data Defenders Forum where one of the guests, a lawyer, said I was working with a software vendor, in, in when GDPR was about to come. And one thing he said I thought was very interesting is that software companies cannot possibly make their software compliant to every single regulation that there is out there. It’s today there are 137 countries that have some type of data protection law, but what a software vendor can do is make their software able. Right, capable of being in compliance. And so and so I think that’s what Private SaaS is doing in some way. It’s empowering an end-user to, to put in place the security and the law that they respect, but with that can also come some, I mean, it’s a choice, isn’t it? Like most companies would use SaaS if they can, Private SaaS as a secondary option. But one question I have to ask you, do you provide like best practices, when it comes to for instance, security? Or how to be in compliance when it comes to for your users to use our software? So do you is it something you take responsibility, like providing guidance to help them?

Michel Tricot:
17:43
Yeah, so for everything that is Private SaaS related, for us, this is still something that is in the beginning. So there is also a pretty large, like learning phase. Now, I would almost consider the open-source deployment at that point, like a child of SaaS, like Private SaaS, which is we don’t own the control plane at that point, like our customer do. But we definitely help are on best practices on how do you like how do you create your deployment, how you build security around it? And one thing that we’re actually working on right now is additional, like packages that are very security related around like how do you expand the software within your organization rather than leaving it within your team? Like, every single wrong, like SSO, role access management, audit logs are these are things that you need to have the moment you start dealing with data, you need to understand who is making changes, how they’re making changes, what kind of changes are making, so there is something there. Today, you can already get it. But people have to pull this information outside of Airbyte. And what we want is to record it, push it to observability system and audit systems. But one thing that we we actually started to do on on open source is, for example, just very simple detecting when someone is installing Airbyte on a public instance, something that is accessible from the outside. Because it seems obvious that this is not something you should be doing. But sometimes just for simplicity, you’re just going to spin up an instance, run the software, they’re making it accessible to the outside. And because Airbyte is a data software that is used to move data, it becomes a very good place where to try to gain access to So right now we’ve put a lot of protection in open-source to actually protect our open-source user. 
So even if they don’t look at the documentation, it is in the software where we run these checks of a can I access Airbyte from the outside, if you if it is we’re just telling you You can still do it. But we’re telling you, and that’s one way for us of self-serving the good practices. Try not to do it. But yeah, that’s, that’s definitely something that we are. We’re pushing for. I will,

Sylvain Kalache:
20:17
is there anything that OpsVerse is doing or want to do in the future regarding that?

Arul Jegadish Francis:
20:23
Yeah, I think when it comes to Private SaaS, the users slash customers do look forward to the vendor for some of these guidelines. So in our case, again, as Michel mentioned, with Private SaaS, since I mean, you still have that observability telemetry coming out and all that. So there’s still that link. And so what we do is we provide enough guidance around how to make this link like as secure as possible, how do we ensure the blast radius is like as minimum as possible, with respect to establishing this link, and with us we do running the opposite software within the customer’s account. So we do have like set of guidelines that we provide our customers around that. And that, yeah, with respect to Private SaaS, this is definitely an expectation from the vendors to help their users out.

Michel Tricot:
21:22
Yeah, now, one of the things that you get from from Private SaaS and the reason why people want this type of deployment model is because they’ve already set up good practices internally, if you have to be PCI compliant, you have already hardened your system. And what you want is you want to and in general, it’s not specific systems, it’s, it’s almost like they create the right boundaries, the right observability for any software that gets installed within this type of environment. And that’s the reason why Private SaaS is very appealing to companies, because now, they’ve already proven that the system is safe, and they want to deploy within a safe system. So sometimes our customers are more expert than us in what does it mean, to deploy in a PCI compliant environment because they have it, they have all the security measures in place, and they just know, I can drop the software, and is going to be automatically compliant because it runs in a monitored and secure system.

Bart Farrell:
22:33
And with that in mind, it’s interesting, because, as you said, Some customers need a little bit of extra support or training. And that’s where you have to have those internal resources to be able to provide that. Do you feel though that there are any particular industries or use cases where Private SaaS is particularly well suited? You know, when we talk about data protection, we’re often speaking about telecommunications, healthcare, you know, government data, things of that nature, obviously, financial services, Arul, are there any particular industries or use cases where you think it’s a better match than others?

Arul Jegadish Francis:
23:07
Yeah, so I think naturally for FinTech and healthcare organizations, this becomes almost a day-to-day requirement, where they do have to fulfill various data, regulations, data handling regulations. So it’s a natural requirement there in those industries. And we see that with our customer base as well. The kind of customers who opt for Private SaaS are mostly FinTech and healthcare, in our case, but, but at the same time, now, we actually obsessively deal with like DevOps tools, where almost any organization when it comes to DevOps tools, your tools are going to touch the most sensitive part of your processor, it’s going to touch your version control, it’s going to touch your production deployment system, and it’s going to touch everything in between. So even if you are an industry where, where data regulations are not a big deal, you may still want just from a general security practice, you may still want to like consider keeping these tools within within your data governance within your network. But to answer your question, we in the field we are seeing the initial uptake from FinTech and healthcare organizations and companies alike reside in a geographic region where like, like the European Union, where they have additional data protection regulations.

Bart Farrell:
24:44
And it’s good, it’s something as well to in the conversation Sylvain have and having. We talked about stakeholders, because like you said, Okay, you’re talking about DevOps teams, but they’re also having access to very delicate parts of infrastructure to say, look, it’s out of sight, it’s out of mind. I have nothing to do with that. Where do we draw the line, you know, In terms of who’s going to bear the responsibility, and, and that’s something that a lot of organizations are wrestling with. And once again, inside the European Union, it’s one thing outside, it’s another. So being familiar with those things. And once again, folks coming from a technical background, suddenly feeling like they have legal obligations, which they may not feel like they’re properly trained on, we have this sort of finger pointing of, it’s in your hand that’s in my hands, it’s, you know, Chief Data Protection Officer. In my particular case, I was working for a British startup in 2018, when GDPR came out. And of course, it was also in a right around the same time Brexit was happening. So then additional questions started getting asked. And so getting to the point where we’re at now, and, you know, global organizations that remote first people all over the world, they get some, it’s been better built into their DNA. Um, so like you said, the lateral is that, you know, DevOps seems also going to be part of the equation. Michel, anything that you’ve noticed, that’s more industry-specific, have, you know, particular use cases that are better aligned for Private SaaS?

Michel Tricot:
26:06
I mean, I’m going to repeat what Arul said, when like, FinTech is one, but healthcare is a very big one, I think here is just, and sometimes it’s also that people don’t know what they can and cannot do. And they prefer to go for the safest option. Even though a cloud solution could be something like, you know, for example, a very simple example is Airbyte. Out, we don’t sell data, we are and for in the healthcare industry, as Airbyte can be considered to be a HIPAA conduit the same way. The post office is a HIPAA conduit, like the post office is moving letters from the doctor office to the patient. And they don’t need to be HIPAA compliant. Although in the letters, you have PHI you have information about salespeople, about developers. And it’s the same thing for data. But even though they’re fine sending letters, when it comes to the data world, and in the digital world, it changes their perspective. And they’re dedicated on the on the on the paper side, but they might not be on the data side. And they could be using Airbyte cloud, but they prefer to be on the extra safe side. And that’s why they go for this type of session. So yeah, I would like to hear education, or like having a standard that can be a little bit clearer on what you can and cannot do would be a big help for this industry that is really looking to get more modernization in how they deal with data, how they deal with information transmission. So yeah, like healthcare is a big one, like most of like many, many, many of our open-source users, or people that are looking to get into this hybrid model are looking at from the health, the health industry.

Sylvain Kalache:
28:05
So how would you say like, you know, like to today, and like a few months ago, I Googled Private SaaS, and they were like, nearly nothing, and now you got Private SaaS and Palantir is speaking about it, you know, so it’s becoming a thing. That’s a question for both of you. And Arul, you can start like, what, what, how do you see the Private SaaS trend fitting into the broader landscape of enterprise software?

Arul Jegadish Francis:
28:33
Yeah, I think when we started OpsVerse, this was part of the founding thesis, because we saw this as a gap in the industry. And now in the last 18 months, we do see a lot of other vendors talking about it. And also some standard like Palantir, right, some standard operating models emerge as well. We see like, at least in that DevOps world, received a lot of vendors either announcing support for something that looks like Private SaaS, addressing that problem, or our vendors who will already have support for that, that we saw it from, like Preset, which is a data virtualization platform, they have what they call it as a managed private cloud, which is Private SaaS, their, their terminology for that. We see GitLab moving towards single-tenant systems, even though it still runs in their cloud received from Gitpod is something that’s now supporting Private SaaS. So we do see this coming from various vendors. So as we go, we’ll definitely see this as a standard model of delivery tools are delivering superb, especially the data ops or DevOps m&r ops world to begin with. And as we go, obviously, we will see some standard frameworks standard ways of operating Private SaaS law when it comes to SaaS, the definitely standard ways to run when it comes to self-hosted, open source and posted world. Also, there are standard ways of shipping your software and support. Similarly, we’ll definitely see a lot of in the enterprise world when definitely see some standard operating ways and logic. So

Sylvain Kalache:
30:25
Yeah, same question for you, Michel, about the trend. But I want to, I want to add something to that question jumping on what Arul just say about the standard. Like, do you think there is a need as an industry to develop some standards, either on the vendor side, how you should, you should build your Private SaaS and then how it should be exposed, you know, to the user, I do think that we need as an industry to come up with something that could unify the experience, and it makes a user of it easier. Yeah.

Michel Tricot:
30:57
So I would say, probably want to go to the basics of why public SaaS became something. And the reason is, yes, there is all the development aspect of quick races, bug fixes, etc. But there is also a huge problem into shipping software on an infrastructure that you know nothing about, and where everybody is different. What you the reason why Private SaaS is becoming something a lot more real and a lot more feasible, where you can basically get the best of both worlds, it’s just that the public cloud have taken over most of the infrastructure. And by doing so, they’ve removed a lot of the, like, the landscape is more generic, you know, what services you can access. And it means that instead of having to build the software for 500, different companies, you can just build the software for one company with the assumption that all the AWS services, all the Google services, all the Azure services are available. So you’re still now you’re still developing as a software only once instead of five times. So for me, that’s one of the reasons why it’s almost becoming a standard, like you expect to have access to this kind of services, and all the public clouds are offering some flavor of that. Of that. Yeah, some flavor of it. Now, what becomes interesting is also the type of technology that have come over the past few years and just think about Kubernetes, for example. One reason why it has taken the world is it had created an execution standard, like this is how you ship the application. And this is how you make sure that you don’t have to think about what type of instance you’re running on what type of database you’re running, like, how you do monitoring, how do you observe the abilities, just that these are? These are fundamentals that are part of this platform, and the fact that now, all the public clouds support Kubernetes is just a step forward for private cloud, just you can ship software, and you know how it’s going to run, how it’s going to scale, how you’re going to observe it, how you’re going to track and monitor it and how you’re going to log everything that’s happening. And you’re creating a framework for building an application that you can ship.
So I’m not sure I’m answering completely your question, but this is how I’m seeing the new standard that has happened is just the execution layer. The infrastructure layer is becoming more of a standard today.

Arul Jegadish Francis:
33:56
Yeah, I think if I can, I think I think that’s a great point. Without something like Kubernetes. I don’t think we could have developed any Private SaaS like solution. So something like Kubernetes and the maturity and adoption of generally public cloud infrastructure has really become the tech enabler, to enable enterprises. Now to think about Private SaaS. So I think that’s a very important like tech enabler or the solution you asked about other standards. So I think I think it’s about time for now some of these really Private SaaS vendors to come together and maybe define some general standards. Because when you go to a new customer with the Private SaaS infrastructure, we get some common questions around free handling data, how are you handling telemetry? What kind of audit do you generate, etc. So something like the SOC audit or some standard frame But it’s important to bring it in. So so any new Private SaaS vendor as long as they satisfy the standards, then they are good to go. So the security teams InfoSec teams CISOs can use that framework to assess the security readiness of a new Private SaaS vendor, I think I think we are at a stage where, where it’s time to put together some standard standard operating procedures. So the industry can easily assess different Private SaaS vendors.

Bart Farrell:
35:33
Now, I think there’s a lot to be said for that. Because with, you know, see the development evolution of Kubernetes. In a lot of cases, like, okay, there’s been this wild west phase, and now we kind of want to calm things down, standardization of practice. A lot of times there are things that are on a need-to-know basis, a developer doesn’t have to know absolutely everything, there are guardrails, with policies that keep them focused on the things are actually worked in. We talk, I remember asking once on Twitter, what’s the most difficult thing about learning Kubernetes, and a lot of people responded RBAC, you know, role-based access control. So if we take that to the data, the data area as well, a lot of times we’re talking about threats, bear risk, and you know, data breaches, a lot of things that people think like, I’m not really excited about learning this, and certainly hope it doesn’t become my responsibility, because if something goes wrong, then there’s a lot at stake there. I really like what you mentioned, the lateral is that for organizations that are in this position of moving towards Private SaaS, how can some of these things become standardized, you know, with community knowledge sharing about around best practices, so that that value can be delivered faster with fewer headaches and less of the feeling of I need to learn absolutely everything? How can we move from less of a threat and based fear-based system and more around incentives on both sides so that knowledge standards are brought up to where they need to be? Both of you are, you know, founders, if you’re hiring folks, how can you know that they really understand this? As you know, we talked about certifications for organizations, but also for individuals to make sure that everyone’s on a level playing field, particularly in this international context. Where do you see these things going in the coming months and years? Michel, regarding standardization, what is it that’s not happening right now that should be?

Michel Tricot:
37:20
That’s a good question. One thing that frightens companies for doing Private SaaS is what we talked about before, which is you’re losing visibility on the system. And this is probably the largest hindrance to doing Private SaaS because suddenly, people have the same expectations they would have for the SaaS product. But you have less of that control over the software, over the upgrade, over the environment. So you’re basically operating blind with simulates expectation that people have for five weeks. So in terms of product perception, that could be a problem where someone changes a security rule somewhere and it breaks your software, but people are not going to look at to change the rule, they’re going to look at a yourself just stopped working, what’s happening. And if I were to put things in order, then and to feel to get people to feel good about, if I were to do any kind of standardization, it would be around the observability of the deployment. Because the moment you have this observability and it is baked into a standard, it means that this friction point of people say, hey, but you have access to my observability data, and I don’t know what you’re doing with this data, the moment you’ll have a standard answer is almost like an agreement that this is how the world works today. You don’t have to worry about it, we’ll get the data that we need to operate the software, you can actually audit what we’re looking at. But for me, that will be the first thing to do, which is how do you operate the software rather than the software itself? And how do you get permission? How do you audit what the vendor is doing with that data? So that would probably be the way I would start, is just foundational. Just you’re losing visibility, let’s recreate that visibility on the department.

Bart Farrell:
39:26
And with that in mind, yet without that visibility to be able to make proper decisions, to be able to understand all the other things that are going to happen is going to be much, much more difficult. So how do we define that? How do we create a shared definition? I think what’s very clear here is sort of, you know, concluding the conversation is that, you know, Private SaaS is very much here to stay and is going to grow, as Sylvain mentioned. Not that long ago wasn’t a lot about it. I think it’s very clear that we can expect more because when we’re talking about topics visibility, observability, data governance, ownership, organizations really wanting to dig deeper on that, and to respect the regulations and to be scalable, you know, internationally, if you’re, you know, if you’re a startup and you really want to be expanding and you can’t tackle these issues, or that your competitors can. Well, you can’t even if maybe your technology is better, well, then that’s a significant problem. So I think it’s good to see that there’s more interest going into this area, and that, you know, as an industry that standards need to be established, which is precisely why Sylvain and I are having these conversations, started the revolution. But no, but I really need that, that I think it’s with which each conversation that we have, with people that are located in different parts of the world with different backgrounds, it does seem to be increasingly clear that while there are efforts being made, you know, towards regulation on the standardization side, from those that are creating Private SaaS, that are, you know, driving this and for others that also want to get into it maybe or like need, it’s not for me, it’s no, no, this is how it’s done. And it’s just there is not 10,000 ways to do this, you know, there’s yes, there can be different flavors here and there. But in general, that these things can be standardized.
I think that’s something to look forward to. So God, is there anything that I haven’t mentioned that you’d like to add before we wrap up?

Sylvain Kalache:
41:16
No, I think yeah, I think the big takeaway from me for this conversation is that we need to, as you know, I will say the omission are realising say, like we see your product, also just a naming convention, right, like they are confronted with it, but they use different marketing names, right? Or just the naming might be something to be pushed, maybe mean, maybe one of us, or will initially you need to give a talk at NOVA treasury, because I do think I agree, like Kubernetes is a, you know, is one is probably the key, or one of the key in providing the standard to run any Private SaaS application in an agnostic way. Right. So I think it’s a topic that needs to be discussed, and agreed on the definition. And then you can go on to stand out button as we know, naming thing is one of the hardest things in software. So

Michel Tricot:
42:18
Maybe just one thing I wish we could ask is that it also creates new business models at that point because, you know, in a pure deployments, you pay for a software license, and then you pay for compute. For SaaS, you just pay for the service. Now, you’re basically having this hybrid type of pricing where the cost is not the burden, the cost of infrastructure is not the burden of the vendor, but the burden of the customer. And so it changes the pricing dynamics, and that’s, if we’re talking about standards, I would expect that at some point, there will be a bit of a mixture between pure software shipping versus SaaS, and something that comes in the middle.

Arul Jegadish Francis:
43:00
Yeah, I think we’ll begin to see, like if you go to the pricing page of these vendors, you’ll begin to see maybe another column that talks about Private SaaS. So it’s emerging as a third way of delivery software and tools. Yeah.

Sylvain Kalache:
43:18
Product marketing people in a fight. Yeah.

Bart Farrell:
43:24
Another column. I like to call. And no, I think that’s anyway, I think the insights that have been shared today are refreshing and seeing that there is a direction that’s being taken, and, and that we can expect more from this, given the regulatory landscape, given the things that we’re seeing, and of course, also from a business perspective, why this makes sense to consider as an option. So yeah, thank you both very much for your time today.

Speaker 1:
43:53
We will be definitely having you back. So don’t go too far.

Bart Farrell:
43:57
The remote, remote contact helps but hopefully we’ll be proud seeing crossing paths in person, whether it’s in KubeCon in Chicago or some other kind, whether it’s in the US or Europe. But thank you very much and we look forward to continuing the conversation.

Michel Tricot:
44:14
Thank you, Bart. Thank you, Sylvain.

Arul Jegadish Francis:
44:16
Yeah, thanks for having us here. Been great, Sylvain, Bart and Michel, nice meeting you here.