Good afternoon everyone. Thank you very much for joining us. Uh, good morning, good afternoon, good evening if you're listening later on and you're joining us from somewhere else. Um, first of all, thank you very much for joining us today. We really appreciate you taking time out of your busy schedule. We know that everyone is busy nowadays. So the fact that you're willing to take time out to come and listen to us is very greatly appreciated and hopefully you'll get something out of this and it's worth your while and you'll come back and ask questions, um, and want to know more. We, this is the second in a series of webinars we're doing around DORA. We've obviously presented previously an overview of DORA and what we're going to do is cover different articles over the next few months and today we're going to look at article 28, general principles. Now I just want to highlight something very quickly just to save any confusion. When we previously discussed DORA and when this was originally set up we talked about article 25 and general principles. The reason for the change to article 28 is because originally there was a proposal for DORA put forward of which there was an article numbering system. There were about 32 articles. Now it's now released as a finished act. There's actually about 60 different articles now and they've changed the numbering. So this is article 28. Previously article 25, general principles. And today it's myself, Steve Rakom, the CTO of financial services. Um, and Adam Gale, business architect for NetApp, who are going to be talking with you today. And also Rahul Sharma is joining us to talk about some of the technology we can use in this space as well as a demo. And we've also got Peter Dean who's the financial services lead, global lead for NetApp. So we're here to help with any questions you have along the way. If you have questions, please use the Q&A. The chat is disabled.
We want to try and use the Q&A so that we can share that information with everyone. So what's on the agenda? We're going to talk about article 28. So, we're going to talk about previously, a bit of a highlight of what's going on with DORA, what we talked about before, but then we're going to get into article 28 and really start diving into that, what it means, why it's been defined, how it's been defined around the key requirements, then how we can help meet these requirements, including a demo. So previously on, we talk about regulation a lot and Adam, I know something regulation, not just DORA but other regulation, is something that you're very interested in and very focused on.
>> That is, that's right, that's correct, Steve, and the reason I like to talk about this, and if anyone remembers me presenting previously on DORA, uh, and presenting this slide, is because regulation to me is fascinating. We tend to rush ahead with technologies and we don't regulate them, but we're getting so much better at that. You may have been watching the news recently and noticed that the EU Artificial Intelligence Act has been gaining a lot of traction. Um, we can generally break down regulation into four areas when it comes to finance. We've got data and I reg data and AI regulation. We've got privacy and security. Um, and you might recognize NIS 2 there. That's another subject which I've been presenting on a little bit. Please feel free to reach out to me if you want any more information on that. And um, we also have digital economy in one. We're getting so much better and so much faster at releasing these regulatory pieces. We've got the EU Chips Act coming out shortly, which is fantastic. It's going to have billions of dollars of economy enablement and we have other regulation, but today we're going to be looking at DORA. And when I created this slide, uh, a while ago, all the things were a bit further out. Now they're getting a bit further in like that.
Um, so probably we do need to update that slide, but back over to you, Steve.
>> Cool. Thank you, Adam. And again, just level set to make sure everyone, because we might have new people on here or people who aren't so aware of DORA. The timeline for DORA is kind of key because as we know, financial services can typically run quite slowly when it's looking at change. And the reason why that's important is because DORA will come into force in 2025. 17th of January 2025 is when the European Banking Authority, the EBA, will start to look at enforcing this. So what organizations need to start doing if they've not started doing it, and hopefully a lot of you already have. What we see typically, a typical way of approaching this is first of all building awareness and assigning roles because this isn't, and I'll say this repeatedly throughout today, this isn't an IT challenge. This is a business challenge. So ensuring that the organization is aware, building awareness, assigning roles, and IT will have a part in it, but making sure that the whole organization is aware is absolutely key in the first step. Then it's around data discovery and it's not looking at the data itself. It's understanding what policies, procedures, how you are currently running to meet some of the challenges DORA might throw up. Looking, creating a gap analysis to understand where those differences are, then planning and collaborating to then try and resolve those issues, executing on that and then feeding back and making sure that's an iterative loop. One of the big things that we see and what this is trying to do is make sure that if there are changes in environment, if things do change, that this is continually being looked at to update rather than something that's stuck in a drawer and never touched again. So, DORA is an attempt to harmonize and bolster security across the EU finance sector.
And this talks specifically about EU, but as with GDPR, it looks at anything, any business that has services in financial services that run within the European Union. So, even if you're not headquartered in the EU, you still have to abide by it. The idea is it's looking at two big things. It's looking at cyber security and cloud concentration. And it's acknowledgment that cloud is a part of financial services now. If you go back six, seven years ago, no one would put anything on the cloud in financial services. Now everyone's doing it. The EBA are recognizing that and they're now trying to make sure they put frameworks in place. We've got a number of series. Like I said, we've already done the generic session. Today's the article 28. You can see these different sessions over the next few months. If you want to join them, you will see invites coming out. Please let us know if you don't. Get in touch with us by all means. You'll see some contact details at the end. Adam, over to you.
>> Thank you. So today we're going to be covering the general principles, which is article 28, which falls under key principles for a sound management of ICT third party risk. Now I'm going to be saying ICT third party risk a lot today. I'll try not to mess it up. After you've said it a thousand times, it becomes quite difficult. So, let's kick this off. But before we do that, we all need to be on the same page. And DORA does this by giving us a number of definitions. Because if we're all completely clear on what we're talking about, we can go and we can go ahead and meet the requirements of DORA a lot easier. So, first off, let's look at the definition of an ICT third party service provider. Now, if you've seen me present before, on the right hand side, you'll see copies from the article text. That's a screenshot of, um, of DORA. On the left there is a summary provided by me. So ICT third party risk service provider means an undertaking of, um, ICT services. Now that's quite big.
It doesn't add a lot of context to us. So let's go look at what an ICT service is. ICT service means digital or data services provided through ICT systems, either external or internal, with users including hardware, software and support mechanisms. So basically if I summarize that, if I go out and buy a bunch of servers, put them in a room, put software on them and provide support and sell those services out, I become a third party ICT service provider. We're also going to take a quick look at, um, critical or important functions. Critical or important functions means a function that the disruption of which would materially impair the financial financials performance of the financial entity. So what this means is something is critical to your business. If we took it away, you would struggle. And the ICT concentration risk means an exposure to individual or multiple related ICT third party, uh, ser services. Now this is important because the ICT concentration risk is referenced throughout this article and so is critical or important functions, specifically when you are putting those critical or important functions in the cloud or an ICT provider. Now hopefully that provides a little bit of context about what we're going into. I really do like that DORA has these definitions that are well defined because it helps us all be on the same page and if you get chance I encourage you to read them.
>> Adam, I think it's really good pointing that out at the start because something I get asked quite commonly is who defines what's critical? How do you define it? So I think understanding that from the start is really key because it's something that the act has tried to lay out and it's one of the most common questions I hear. Absolutely. Yeah. So, what I'm going to do now is go directly into the article and I'm going to divide it into five sections. The first section is going to be proportionality and how will this be applied.
So again on the right hand side is copied text from the actual article. Left, I'm going to summarize it. Financial entities', uh, management of ICT third party risk shall be implemented in the light of proportionality, which takes into account scale, complexity, the importance and dependency of a service. So what does that mean? Let's take an example. Is I as a bank or may have an application which is bespoke to me. I've created it potentially in the cloud and it deals with transactions, so me paying other financial entities, me receiving payment, uh, from financial entities, and let's say I do a thousand transactions through it to a day and it covers probably 50% of my cash on hand. Now it's in the cloud so its scale is quite big, I say it's medium to big. Complexity, I say I built it in containers, so the complexity is complex but it's movable, but the dependency is very high. If I remove this it significantly disrupts my business and other financial entities. So the proportionality of this service is very high for me. Now the second point B goes on and says what would happen if I took that away? If I took it away would it, would my business start to fall apart? Would it be a massive impact? If it does, that's important. We need to class as a critical service. So proportionality is the first bit where we get started. Then we're going to move on to strategy. So strategy, what is my third party ICT strategy? As part of your ICT strategy, um, you, financial entities need to adopt and regularly review a strategy on third party and looking at multi vendors or the multi-vendor strategy. And then what DORA does here, it does something that I always don't like. It references itself. So DORA here references article six, but we'll come back to that later. This strategy should include a policy on the use of ICT services provided by third parties. So what does that mean? First off, let's go look at article six.
Article six defines the ICT risk management framework and it says define a holistic ICT multi-vendor strategy at an entity level and be able to explain your procurement mix. So that was a lot of information I had to take in there. It really was. Don't worry if you're getting confused or lost. I often get confused and lost. Let's summarize it. On the left, it says, "Document your strategy. Include a multi-vendor approach where possible." So, that service I just talked about, the one that, um, we built, look at it. Is it in the cloud? Am I able to move it to other clouds? Is there another service I can replace it with? And we must review our strategy annually. So look at it every year and have a process in that to capture new services that we brought on board, defining if they're important or not, and be able to explain your choices. It says be able to explain the rationale behind your decision to you. And now I often find that if you can explain a decision, a business decision, generally people will agree with you, and then the management have to review this on an annual basis. So once a year management should review this and say yes, we agree with the strategy. Great. So now we've covered strategy. We're going to go over to register of information. Now this is an interesting one because it says financial entities shall maintain, update at the entity level a list, and we call this list the register of information, and basically it captures all of your third party ICT providers and we should look at the contractual arrangements referred in this and we should appropriately document and distinguish between those that are critical and important and those that are not. Financial entities should also report on this on an annual basis. So once a year you're going to have to basically report this big list to somebody and in there the services and functions should be listed. So list the service, list the function in my, uh, register of information. So let's summarize that on the left.
Collect all my contracts. Now we're going to talk a little bit about contracts coming up and I just want to, uh, preface this by saying why are you listening and why would you care about contracts? Contracts are important. They're important if you're a technical person on this call today because you might be asked a technical question relating to a service which is in a contract. If you're a salesperson, you probably are going to get asked about your contracts. We're being asked about ours. Steve and I often get asked about NetApp's contracts when it comes to DORA. If you are a customer or a financial entity, you should be asking about contracts from your providers. So, contracts are important. Don't think you're not subject to them or that you shouldn't care about them. They are very important. So back to this, check your contracts for DORA compliance. Ask them as we have been asked. Sort them into critical and important, which ones are relevant, which ones are not, and report them in to your competent authority on an annual basis. And be ready to provide that list of contracts. And the reason why you should be ready to provide this list is because if you join my first session, you can be audited. If you remember, you can be audited and there are fines associated with this. And this is one of the things I re I suspect they're going to ask for. They're going to say, "Show me your register of information. Show me the list of ICT service providers you have," because it's an easy question to ask, isn't it? So, that covers the register of information. Now, we need to assess our contracts. Now [clears throat] before entering into a contract arrangement on the use of an IT service we need to assess whether the contract covers any critical important function. We've kind of already covered that. We need to assess whether or not the supervisory conditions are met and we need to undertake all our own due diligence on them and we need to identify any conflicts of interest.
So does it cover an important or critical function? Is this a suitable ver provider? Is this Amazon? Is this Google a suitable provider for my workload? Does it cause a concentration risk? Am I putting all my services in one place, and check for conflicts of interest? And you should be assessing your providers too. It says that we should assess them, um, with the highest and appropriate level of information security standards. So we should be looking at our providers, looking at our Googles, looking at NetApp, looking and saying, are you applying the highest standards? Are you doing all the things to secure my data that DORA asks and that you should be doing? And then financial entities should be taking a risk-based approach to the frequency of audits. So basically, you get to decide yourself basically on the, uh, on the audit frequency. You approach this how you see fit. But again, be able to explain your choices, and financial institutes should ensure the contractual arrangements for the use of these services can be terminated if any of the following happen. What might happen? These are the things that DORA thinks might happen: if the ICT third party provider breaches the law, can't abide by regulation or it contractual terms. That includes things like performance. So if I've got a workload in the cloud or in an ICT provider and the performance just falls off a cliff and I can no longer provide my service properly, that's a breach of contract. Be aware of that. Be ready for that scenario. Also be aware of any weakness in their overall ICT, uh, approach to security. So if they now start failing at protecting your data, that's a risk and we should be assessing for that. Also if the supervisor can no longer effectively supervise that financial entity.
Now Steve had mentioned previously there is going to be a list published of critical ICT third party providers and I can't imagine a scenario where this might happen, but someone might fall off that list and they might say they no longer are falling under this because maybe they got bought by a foreign entity or something like that. If they can no longer be effectively supervised, then you should be ready to pull your workloads out. So to summarize that, audit for high standards. You decide on the audit schedule, but make sure you can explain it. Terminate your services if they breach the law, regulation or if your performance is impacted and it affects your customers or your own workloads. If there's evidence of weak security, particularly if you're sensitive data, or if the authorities can no longer, um, if the authorities [clears throat] can no longer effectively supervise that entity. Now, we're going to get to the fun bit. I know that sounds silly, but this is fun. Trust me. We're going to talk about your exit strategy. Now, this is my favorite bit. This is where I think a step up and differentiates itself from other legislative acts. It says that for ICT services supporting critical important functions, fin ent financial entities shall put in place exit strategies. And now these exit strategies shall take into account the risk that might emerge at a third party ICT level if there is a failure or a deterioration in the quality of services or a business disruption. So basically all the things we were just talking about, if my performance drops off or if the cloud provider just goes away, just DNS entries blow the whole thing away and I can no longer access it. Be ready for those eventualities, and financial should be able to ensure that they're able to exit without disrupting activities to their business. So I got to, I have to exit my cloud on my third party providers and I can't disrupt my business.
I can't limit my compliance either and there should be no detriment to the continuity or the quality of the services I'm providing to my clients. Now, that's a big ask. I think that's a real big ask, but it's quite exciting. It goes one step further. Exit plans for this should be comprehensively documented and then we can reference another article. I do hate it when DORA does that because you end up caught in a DORA loop. And then we need to test these and we need to review them periodically and we should identify alternative solutions. So let's go back to that example I described at the beginning, that payment service. I need to be able to identify an alternative solution should that one go away and it should be documented in my transition plans and it should be tested annually. It could be going back to paper and pens. It could be another cloud. It could be bringing it back on premise, but test it and document it and be able to securely and integrity transfer that to another service or bring it back in-house. So there it is in black and white saying being able to move it somewhere else or bring it back in-house. So I'm going to summarize that. Put all your exit strate, sorry, put in place an exit strategy in case of failure or degradation of service. But you can't disrupt your business and you can't limit compliance or regulatory requirements and you can't deliver, you can't degrade your service to the client, and where possible identify alternative solutions and then document and test your plan and be able, critically, to be able to move to another provider or back in-house. So that's the exit strategy, the how do I get out. Now those were our five points taken from article 28. There was a lot said there and I understand if you feel a little bit lost. I feel a bit lost explaining all to you. So I'm going to summarize it in a nice easy way. I'm going to put it into a requirement summary. First off, proportionality.
Assess your ICT providers for scale, complexity, and dependency. What would happen if my service went away? Strategy. Document your multistrate. Sorry, your multi-vendor approach. Document your strategy, annually review it. Capture all the new services because we are constantly onboarding new services, and be able to explain your choices. Keep a register of information. Collect all your contracts. Sort them into this is an important function, a critical function. This is not. Annually review them and be ready to report in those contracts. Audit your third party providers. Make sure they are maintaining the highest standards and be ready to terminate your contract. Ask for those contracts. Look through them, read them. There's some really interesting stuff in there. And your exit strategy, identify alternative providers, but remember, can't disrupt and you can't disrupt your customers. Be able to pull it back on premise or to another cloud and document everything and explain your choices and then test them. Test them once a year. So that's me covering article 28 with a summary at the end. Hopefully that was use for you, useful to you. I did get into some of the weeds there and we got a little bit technical, but hopefully the summary slide there brings it all together. Feel free to ask any questions or if anyone wants me to go over a piece again, I can do. But if there's no questions, I'm going to be handing over to Rahul now. Rahul is going to be doing an excellent demo of how we can meet some of these requirements using our technology.
>> Yeah. So, Adam, I think just before we do that, I think it's, um, really important for people to understand that the ED exit strategy is very key. It's really important. It talks about what companies need to do, how they need to do it. It's an area where from a NetApp perspective, we absolutely believe we have options we can help.
The ability to take services, because at the end of the day, what DORA is looking at is making sure services stay aligned, say, make sure services stay up, but what's part of that which is key is the data needs to be there. It's great if you can migrate a service, but if the data doesn't go with it, then there is no service. So from a NetApp perspective that's absolutely important. I guess one of the questions, Adam, I'm curious on your thoughts, is it, obviously we talk a lot about cloud. From an exit strategy, do you think that means staying within the same cloud provider or does it mean that they have to be able to move across cloud providers, or do you think there's an element of a combination of both?
>> For me, um, it's a combination of both but predominantly the latter, being able to move from cloud provider to cloud provider. Um, absolutely been able to move from provider to provider. In fact, I would go as far as saying that it's explicitly written when it says multi vendor approach and such. So, we absolutely have to be able to move between providers. I can easily visit a situation where we lose a provider just by somebody being fat-fingered and putting in the wrong DNS entries.
>> Yeah, it's definitely a challenging area and I know there's a question on the Q&A that we'll answer in a bit from Rachel, but also the question just for everyone because it's interesting is what about a service, you talked about the exit strategy needs to be non-disruptive etc. What about if thoughts on risk acceptance where moving the service would absolutely impact the service because it would be impossible to do it without an impact. Now, is it a case of, and I've been thinking about this while we've been talking. Is it a case of as long as it's documented, explained, you can prove to the regulator why that's a challenge, why that's an issue, and what you're doing to try and mitigate as much risk as possible, that we would imagine.
And again, we're not the regulators, so we can't definitively say, but as long as you're documenting and showing it something you looked at, then that should be okay.
>> I agree. Yes, that would be the case. Um, there is another article that talks about proportionality by itself, which is how they will apply, uh, this to everybody. And they absolutely talk about, you know, having some flex, basically having a degree of proportionality. If you developed a bespoke application, which there is no way you can pull out of, uh, a third party ICT provider without causing a level of disruption because it's just physically impossible, that's just the nature of the beast. It's the way it is. So yes, um, I believe it would be okay. But as you correctly pointed out, you have to document them.
>> And I guess then there's another question coming which I think along for me is along the same lines from Steve, which is around Office 365. Obviously, if you're running Office 365 that's going to be running in Microsoft, that's not something you're necessarily going to migrate to AWS or Google. Again, my understanding is there are exceptions. The idea is that things are exceptions, not the norm. Office 365 would fit under that exception note in my mind. Would you agree there, Adam?
>> I would also question whether or not that falls under a critical and important function of the business. Can we still operate without Office 365? If you took operate [clears throat] Office 365 away from me today, the core functionality of NetApp would still survive though. So I would question whether that would be critical or not.
>> Yeah, I think that would be a discussion that people have till the end of time on whether, hey, critical, you know, if you think email goes down all of a sudden people can't communicate, things can't get done.
I guess it's depending on the service that's being offered, you know, if it's a payment service and whether Office 365 is required for that or whether it's some of the things behind the scenes that Office 365 is kind of there for. So, I think that's one that will be discussed heavily.
>> Agreed. So, unfortunately, I don't have an answer for that one.
>> Not a problem. And obviously, as we said, we're not the regulators. This is, as with any regulation, it's open to interpretation. And this is from our perspective, that's how we believe the regulators would look at things like Office 365 or a service that would absolutely be impacted if you moved and how you mitigate that. Um, but from what we've read and how we've read it, that's what we believe is the case. Um, and Rahul is now going to have a chat with everyone and talk about more about when we start looking at exit strategies, including a demo on where we can help. Over to you, Rahul.
>> Yeah, sure. Thank you, Adam. Thank you, Steve. Um, I learned a bit or two about DORA as well. So thank you. Let me share my screen. Um, hopefully it's the right one. You see the screen with a slide deck in? Yeah.
>> Yep. See it.
>> Correct. Okay, cool. So yeah, um, my kind of what's within NetApp, I'm a solutions architect or principal architect covering our portfolio stretching from on-prem to the cloud. Um, so I'm going to try putting some of, uh, these discussion point into context on how we work with customers in enabling that transition, whether it falls into DORA or not, right? We've been doing that with customers for good seven to eight years where we enable them to move workloads from on-prem to the cloud or between multiple clouds. And the demo I have later on focuses on kind of similar capability on moving a workload, a specific application running in Azure, getting, um, it migrated onto on-prem, just simple, uh, migration workflow, and, uh, we do have some customers who use, uh, this function, this kind of capability in action today.
Some have built, uh, their solutions, um, you know, which stretch across multiple clouds and they're leveraging our, um, storage services across the hyperscaler stack to achieve that. But in order to do kind of all of that where we bring this hybrid world together, we introduce or we, uh, built a new capability within our portfolio called, uh, BlueXP. And again if you have, uh, been working with NetApp for last I would say four to five years in the more kind of a recent, uh, kind of history, you would have come across BlueXP as being our, um, our flagship, um, you know, unified data management and data orchestration control plane. It provides, uh, kind of admins, business teams, operational teams to come together into this single UI and drive a consistent workflow for their storage infrastructure to start with, moving on to some of the governance and protection, data protection capability we have built within the portfolio. So it provides a multi-use case approach for data management and we do that with, um, by bringing multiple tools and multiple solutions together. You know, we have, um, kind of long history of innovating with on-prem storage. We took that to the cloud or to the public cloud more specifically roughly around, uh, 10 to 12 years ago and we were the first one to do that and in certain aspect we are the only one to do that, to offer NetApp storage as a first party storage across the three big hyperscalers, AWS, Azure and Google, and any, and I assume all of you as if you're using cloud in some shape or form are probably aware about kind of Azure NetApp Files, FSx for NetApp ONTAP in AWS, and Google with Google Cloud NetApp Volumes. So that, those capabilities have been well matured and been there for a while. We also have another kind of capability of our kind of cloud storage solution called Cloud Volumes ONTAP. My demo will focus on that. Uh, what that is, what that kind of defines is a software-defined storage array fully orchestrated and controlled by, uh, by an organization.
So instead of being a direct first party, you're leveraging the infrastructure of the cloud, you're owning the data by deploying this, uh, storage infrastructure using the BlueXP orchestrator in the cloud. So that's kind of in a nutshell what Cloud Volumes ONTAP bring to the, uh, table and we've got FSI, non-FSI customers across the globe using that capability, uh, today and we leverage our long innovation of capabilities within NetApp to bring the on-prem to the cloud world together. So let's look at these kind of big blocks. Just wanted to make them big to make it clear for everyone. Right. So in the left, what I have in my demo, I have a BlueXP as an orchestrator sitting above. And on the left I have an application deployed on a, just an Azure VM. It's an ASP application which has some storage presented from a NetApp Cloud Volumes ONTAP, this green block or a bubble you see on the left. What I do is then on the right hand side I have an on-prem environment, and again as to Adam's and Steve's point, that could actually be any other cloud, and in my demo I'll kind of demonstrate the multicloud capability initially but we'll focus on moving this specific workload or this specific application to an on-prem environment which is also running a NetApp storage system, and we do that by leveraging our own storage efficient data transfer engine. So that does a block level replication. It not, it's not just about moving that data. It's about egressing with the most efficient way. Right? Typically if you have to leave a hyperscaler cloud or a public cloud, uh, you know, there's some sort of egress cost associated with it and the amount of data will directly equate to the time it will take for you to egress. So if in some shape or form you can reduce that footprint, you're also able to reduce the time it'll take to leave that specific environment. Right? The same applies to on-prem as well. If you're moving from on-prem to the cloud, the same logic will apply over there.
And uh you know we'll kind of do a migration or move of that application and then kind of the application is shown as being uh pointed and repointed to the uh to the on-prem environment. So let's get on to the demo. Again, I do a lot of these demos. Most of the time I tend to record them ahead of time so there is no last minute glitches of uh the these specific environment going down or any of us sweating about you know the time constraint. So in this UI, I'm logged in to my BlueXP control plane, which as I mentioned earlier, and I actually because for a specific customer, they wanted to see a multicloud data mobility demo, I built something for them for some data set hosted in Google Cloud getting replicated to Azure. Uh so that was already built. So I just leverage it my leverage my demo environment to demonstrate really an on-prem my a cloud to an on-prem move but as I mentioned any of that capability we talk about applies to within cloud multicloud environment so I could manage my AWS based NetApp storage through this UI Azure based storage or Google based storage as long as they have a NetApp endpoints to it you can with an exception that as you see we can also have certain capabilities to uh to retrieve information about the cloud Google cloud storage, Azure blob storage and S3 storage just not to access the data but what type of storage account you have which type of u you know S3 buckets you have their capacity etc. So I have this Cloud Volumes ONTAP in Azure and I have a volume uh on this system there's some storage efficiency going on as I mentioned the our platform natively will help you reduce the footprint of that data if I go into volumes I have a number of volumes there's some coming from that Google cloud replication into this but as did the demo slide explained ASP app one is the volume in question so that has got some data on it this the data is presented to a VM or a virtual machine which is hosted in Azure. 
Uh it is a block device essentially a storage device connected to that virtual machine. So if I go into my application, this is an ASP application. As you see this storage, this Azure VM has a storage coming provisioned from the NetApp cloud app. And on top of it, I have the um ASP app, a Razor app being uh deployed or created. Just a simple uh thing, nothing fancy. It has some iSCSI connection going on, which is really a block-based access to the device. just to demonstrate you know this is how we're uh talking to the storage platform there's multiple ways to do that you can access over NAS you can access over block that's also a unique capability of our uh storage platform now if I go back to uh the Visual Studio I'm just going to kick off a build of this and launch that and it'll simply launch this UI right there's nothing uh specific going on it's just a basic app I built and it has some data that data resides The persistent data as we talked about earlier is sitting on that app volume and from my point of view I I'm an I'm a kind of a cloud architect or a cloud admin or cloud ops. I my responsibility is to port that application from uh the Azure world into an on-prem or to another cloud world where a NetApp storage might uh be available. uh I could update that rebuild there just to demonstrate you know this is basically running uh on top on back of uh this data and this is happening in kind of real time all the replication I will do will be was recorded in real time later part of certain things on kind of how storage is accessed via the on-prem server I have cut out just in interest of time uh but otherwise u you all the stuff is uh getting kicked off in real time. So I've updated the app and it's you know it's ready to be migrated. Let's say I've given it a name to be migrated. So we know that this is what we are uh going to migrate. Now I've done that part. I can go back to my BlueXP UI. 
All the stuff we're doing with the UI here or kind of you know the clicks those clicks are API calls in the back end. you know they don't need to happen through a UI but you know before you kind of start running it's good to know how to kind of put your first steps up so the UI generally help to kind of explain things quite nicely right otherwise I could do that uh or this demo in a um in a um I can do this demo in a more uh orchestrated way using uh let's say um Ansible using Terraform all of that is uh possible as well. Um so I'm just setting up some replication. I'm going to go forward with that and u you know selecting some um you know retention replication policies how frequently I want to schedule. I just want to do this one off. So I'm going to select an hourly schedule I want to replicate and as you see there's some 49 meg worth of data which is coming over from the cloud egressing back to on-prem but uh this data might be less than 49 meg because there's some storage efficiencies going on we are reducing compressing and deduplicating that data so that time this replication is kicked off and replication will then be managed and shown through the replication UI that the replication relationship is now in place and is completed. So if I go into my replication UI, it'll [clears throat] show that an initialized and a minute or so I'm refreshing and it's starting to replicate that data and my replicated capacity here number will increase right. So simple kind of replication going on. I don't need to bring in an external tool. 
I'm just leveraging the two storage systems and them talking each other uh using the block replication engine they are um kind of they support and this is an kind of encrypted tunnel the replication which is happening this is happening over an existing uh private connection you I have in this case or you have for your cloud to on-prem could be Direct Connect, ExpressRoute, Cloud Interconnect whatever the naming convention for your specific connection is once the data is replicated it is available now on prem. I'm now able to uh break that relationship because till I have broken the relationship that data in an on-prem world is kept in a uh in a secure manner that you can't modify because it's a read-only copy. So again in a typical workflow you will orchestrate that using one of the infrastructure as a code tools as said whether you use Terraform or Ansible or direct REST API. So that will kick off a break breaking of the relationship. Once the relationship is broken, I'm then able to uh take that data set and present it to my uh on-prem uh server and in this case I've connected to an on-prem server which also have a Visual Studio and it has uh it has been presented with that E drive which is where basically that persistent data was replicated onto from the cloud world and [clears throat] I've updated that config in there to say migrate it on uh on prem. So the same app has come uh come from the cloud whatever how much amount of data it is it doesn't really matter you know the time it will take for replicate of that of replication of that data from the cloud to on-prem is basically two factors the amount of data you have and the size of the internet or the size of the network link you have will the bigger the link obviously the faster you can transfer that data once you've kind of done that replication as I said build you know uh reconnected or represent that storage orchestrated way you're able to bring your persistent data back to on-prem. 
Now this is a kind of a simple example of using more of a uh I would say a classic application you know might be two three tier application but the same kind of analogy will apply whether you have a container-based application we have capabilities in BlueXP or part of our portfolio called Astra which allow you to move your container based workload with their persistent data from either on-prem to the cloud or from one cloud to another. So you know so that it's not just limited to something which I've just demonstrated. The idea is to showcase a capability that how simple it is and you can scale that up as you grow or as you have your production environment you'll leverage some of the automation and orchestration we already have in the system uh to make you um achieve this u this transition if required uh from on-prem to the cloud. So that's kind of uh summarizing my demo, right? The BlueXP as a tool provides you that capability to um to bring both the on-prem and the cloud work together from a data perspective and allow you the data management capability using its uh rich set of functionality and features that it has. And uh any other questions or any followup you may have about this and feel free to reach out to us via the chat or through the account team you already have uh to provide you more detail and uh with that uh I'll pass back to Adam and Steve now thank you >> thank you very much Rahul um >> hey Steve >> yeah Peter sorry >> Steve just no you're fine I just one uh two points that I'd like to make and Rahul Thank you very much for that for that demo, right? Because you show the ease in which that we can help to adhere to compliance. And so two points that I want to make from a business perspective, right? 
So if you're sitting on the call now, if you're watching this video and later at a later date and you're thinking, okay, well, how do I explain this to what Steve said earlier, the DORA compliance is a business challenge and a business opportunity here that requires a technical solution, right? So we have to help the business also to understand how easy we can make it to show that compliance and Rahul's demo just is a way for us and for you to help drive that message to your executives right we all know and we said earlier a C-suite individual has to sign their name to your firm being compliant for and so to help that person sleep at night right this is the way that we can help show that in this particular article that we move you and enable your compliance with DORA in this particular article. The second and sometimes more important is this type of functionality that NetApp offers and that we do and can help your organization with shows confidence and compliance. So, when I'm sitting across the table from an auditor, right, a lot of times it's that guilty until proven innocent and they their job is to look for things, right, and find where those cracks are or where those gaps may be. And by a being able to show in a confident manner, this is how easy we can make it. This is the way that we can accomplish and enable our compliance. It gives confidence to the regulators when they're coming in and auditing or they're doing that search that yes, this is an organization that has things locked down that understands what they're doing and how they're doing it. And then that confidence breeds into other areas as they start to review and look through the rest of the articles. So again, I wanted to thank Rahul for a great presentation, but then tie those two bullets back those two points back from a business perspective. uh and then challenge those on the call here today. 
Talk to your business because the easier we can make this, the more confident we can show that compliance, the better chance we have then to be able to show compliance overall. And that's what I wanted to add today. >> Uh thank you, Peter. That's really valuable. And just for everyone's awareness, this isn't someone talking just from a vendor perspective. Um, you may not know Peter, he's been on the calls before, but Peter's background, he spent 28 years in a large multinational financial institution. So, this is absolutely someone with experience of sitting across the table with regulators, with compliance teams. So, this isn't just someone with NetApp experience or looking at it from that side. Peter has a lot of industry experience. So, he has been where you are now. So hearing that Peter is really valuable to be honest because it as you said it puts that different spin on it on why this is important in a number of different ways and Rahul thank you very much for presenting that was fantastic as we talked about as Adam presented on earlier an exit strategy is a key part of article 28 understanding what your services are understanding how important they are the data needs to go with those services it's great if you can fail over a service but if the data isn't there that service is useless so being able to take that data make it agile and portable and move it between potentially within the same cloud provider if it's moving to different a different region moving to a different cloud provider if requirement calls for it or moving it back on prem is something that as Rahul showed we can do very simply in one simple tool to manage it all so today we talked about article 28 general principles as I mentioned earlier we've got a number of other articles coming up soon. If you want any more information, please do feel free to reach out to us. These slides will be coming out as we mentioned in the chat already. 
There's a link at the end to the netapp.com DORA website where you can find more information. There's mine, Peter and Adam's details as well as an email if you want to ask any further questions after this. Please do not hesitate to get in touch. We are more than happy to try and help where we can. We're looking to help and get engaged with you because we know as we said this isn't an IT challenge. This is a business challenge that it plays a major part of and we're here to support you with that. So with that, thank you very much all for taking time out of your extremely busy days. The next session is coming up in May. The invites will be coming out, the registration link will be coming out. We hopefully look forward to seeing you then. And if you have any questions, please get in touch. Rahul, Adam, Peter, thank you very much. >> Thank you very much all for joining us. Thank you. >> Thanks. Have a good day.
Take a deep dive into ICT risk management and DORA Article 28, which focuses on third-party ICT providers and the risks posed to financial entities by over consolidation and reliance on single providers.