Well, I'm very excited to be here, and I haven't been to EDW in a long time, and it's really exciting and energizing to me to see the passion of all the data people. So I hope that I can be a partner for you and a partner with you on this journey as we deal with all these newfangled things that are coming up for us. The one thing I would caution is, you know, this is a very, very special time of the day. And after lunch, people can sort of sleep with their eyes open. So we just have to watch out for that. So, you know, why did I get interested in this security, clouds and all of these items? So before we start, I would like you to take a moment and see where you place yourself on the capability maturity model today. Where do you think you or your organization are in the information management maturity model? And we'll do like one, two, three, four, till 10, not till 50. So everybody had a chance to think of a number, maybe half number, 2.5, 2.5 is my favorite. Yeah. So everybody had a chance to sort of situate yourself to where you think you are and your organizations are in this. Okay. So we'll come back to this at the end of the presentation and talk about that a little more. So what I'm going to talk about is basically what, you know, you hear all the speakers say challenges and possible solutions. I'm not providing definitive solutions, but a path forward for thinking about solutions and a framework in which you can do the solutions that your organization needs for its specific requirement. So there are evolving compliance challenges. And if we go to the cloud and as we are doing more outsourcing, more partnering, more service providers, compliance challenges become more and more important. And I am proposing that us data people become partners with the security people. You know, they have the same thing. Nobody likes them. Nobody likes us. So we can all be partners together. 
So I'm going to use a case study or a framework for a biotech pharma company to just walk through this journey today. So how do information services enable a global pharma business? So what happens? There are physicians worldwide, prescriptions are written worldwide. Clinical trials have to be done to make sure that the drugs can be approved. And clinical trial, you know, we are having a hard time finding patients in the US. So more and more clinical trials are being done outside the US. Then there are health authorities in each country. Fortunately, in EU, at least 25 countries have only one authority. But if you think of Central America, all those little tiny countries, they have their own health authority and they do not even agree on how to license a drug among each other. They're trying to have a single standard, but they're not there. So you have, if you want to sell even one pill in that country, you have to deal with the country's health authority. You have a whole supply chain, right? So you have to supply the drugs, both for the trials, as well as for what is already on the market. And you could have, you know, manufacturers in China. You could have a lot of manufacturing in Singapore, in Brazil. So where do drugs go from which manufacturer and how are they licensed? Which package do they go in, you know? They don't have RFIDs yet. So how does technology help? In addition to running the usual business, we need a lot of business information, especially when a lot of outsourcing is being done, the whole business process outsourcing is being done. And we need to manage risk and compliance. There are a lot of partners. There are partners to do clinical trials. There are partners to manufacture the product. And then we need to help monitor their operations. You know, FDA doesn't care. If you're going to sell something in the US, it doesn't matter where it comes from. It has to be GMP compliant, and you have to monitor that. 
So given this is our world, what happens? We are doing, we are going along. The business is running. Everything is running fine. Then the Sunshine Act comes from part of the healthcare law. Earlier different states were making different laws. You know, California was very strict, Minnesota was very strict. But the good thing is that the Sunshine Act unified them all. But what does it mean? It means if a physician is paid anything by a sponsoring organization which is worth $100, you have to record it. And you have to send these reports to the government. And even if your company doesn't make any promotional materials over $25, or even over $100, but let's say a salesperson goes, buys a doctor a coffee from Starbucks, they have to keep track of it. Maybe if they buy 20 coffees, it'll add up to over $100. Then if a company sponsors a continuing education seminar or a conference, just like we are all here, and a physician attends the conference, and the lunch is provided, they have to figure out what was the cost of the lunch. Whether the physician ate the lunch, went off to see an emergency patient or not. It doesn't matter whether they ate it or not. But if the lunch was provided, you have to track that. And just think how many continuing education providers are there? Are we supposed to collect all the conference data from them? Then how are they tracking their physicians? They're keeping their physicians as physician ABC, Dr. Smith, Dr. Brown, but how do we know it's the same physician? So before we can aggregate the data and report, we need to know master data management and we need to know who are all those service providers and keep track of all of them. Then another thing happens, we are a science company, a scientist discovers a new test. They are always discovering new tests. They want us to have personalized healthcare. Most of your doctors want you to have personalized healthcare. You want personalized healthcare. 
You don't care if your cousin, your sister, your friend took this dose of the drug. You want to know what dose of the drug is right for you. Also, you want to know if there are 10 drugs on the market, which one will work best for you? So to do that, the physicians need to know more about you. So to do that, they have tests. What do they measure? They have all these biomarkers sitting in your blood, right? They're trying to figure out which of those biomarkers are significant and which will make a difference. So let's say a scientist discovers a new test. Now they want samples. Well, clinical trials have been done worldwide. One clinical trial has about 1,000 or 2,000 patients. All those samples are there, right? They need to know, okay, maybe I want females, non-smokers between 30 to 50 years of age. They want to find those samples. Can we give them those samples? Have we tracked if those samples have consent associated with it? Were they consented once? Was the consent to use sample in the research has been withdrawn or not? So these are just few examples of what is the real world out there. And why this data management is really, really significant. And has enough challenges of its own without bringing security into the picture. So this is just an example. In the box, you have internal systems. Outside in the cloud, you have a CRM system. You have an electronic data capture system for doing trials. Then since the trials are actually done by physicians, the samples go to the labs. There are CROs who actually contract research organizations, which actually conduct the trials. They find the patients. They enroll the patients. They have their own systems. Hospital labs do their tests. They have samples. They are sample repositories. You cannot possibly keep all those samples in freezers. You'll have, just like we have a whole farm of servers, we'll have a whole farm of freezers. So they are repositories which hold samples for you. 
And then there are special labs for doing special assays. So you see just with a tiny glimpse of where all samples can be. You all participate in healthcare. If you're not part of a Kaiser or a big HMO, this is happening to your samples too. It's not a place, even if you're not in a trial. Same thing for physician data. So I'm going to use this as an example for master data to carry forward. So as I was saying earlier about the Sunshine Act, so we have contracts with the physicians, contracts with the education providers, grants that are provided, prescriptions are written, and people who are in healthcare already know this. If you look at your prescription bottle, there is an NDC number on it. So every prescription is individually tracked. And then there are aggregators who aggregate that prescription information and sell it to companies. And then you could base your salespeople's compensation on it. You could track your operations based on that. And you could do a lot of different activities based on that. So a lot of this data is already available. And AMA keeps track of all the physicians, there are state licensing boards through which the physicians are licensed. And of course, they are affiliated with multiple clinics. They are affiliated with multiple hospitals. So one has to keep track of all the physicians, all their relationships to the clinics by where they provide clinical information, plus their contractual organizations. Is the clinic part of a group purchasing organization, does the clinic get its drug from a discounter? And do they get a discount on those drugs? Do they get specialty drugs? Do they take the drug and they may get 100 bucks of pills? Do they take them out and split them into 10 boxes each? And then that's how they dispense it. So all that information about the physician and the organizations with which the physicians are affiliated is also tracked. So now let's bring some security components to it. 
So as we know, we already have data in a cloud. We already have software as a service provider. So do we know which clouds are hosting this data? Do we know at those sites who has access to that data? We assume we may have contractual terms when we do the contract with the service provider who has access, but most contracts are not written that way. Then do we know who could access it, but do we know who actually accessed it? So if it's patient data, if it's HIPAA compliant data, even if it is anonymized or de-identified, you may want to know who is accessing your data. Then do we know what are the trends and patterns of the data access? So you may have seen the news report of the Octomom. How was that information leaked? That information was leaked by an unauthorized access of the patient's information. So people had access, but they were not supposed to access that information. Same thing, you might have read in the news about the case of Stanford Hospital. So Stanford Hospital had a third party service provider. They took some patient data for their business. But for whatever reason, they posted it on as a sample data for teaching Excel pivot tables. That data was out there for almost one year. And a patient found it and reported to Stanford. Stanford talked to the site, they took it down right away. So how would you even know what is happening to your data? And that is really the essence of the security challenge that we face today. So are we monitoring the access? My co-presenter who's not here, he always says there is no control if there is no monitoring, right? I mean, he's a security guy. And we data people know. Do we monitor? We have all these policies. We do a lot of aggregation. We may monitor our data warehouses. Are we truly monitoring data access and trends of data access? Who is accessing what? Absolutely not. That is not our priority. Very, very few people have that as a priority. Then how automated is it? 
I mean, security people could keep us busy with BI solutions. We could give them so much BI, big data. We could be analyzing logs for them and you would have a big data warehouse for them. So is there a monitoring alert if access patterns change? Absolutely not. You know, there may be some areas where this happens, but in many, many areas it doesn't happen. And in security, there are tools. Tools are coming up into security. They have different kinds of tools than data tools. So to me, if we can bring the two parties together and start having conversations about data, tools, and capabilities, hopefully we can take a leap forward rather than just steps forward. So what are the risks if you put the data in the cloud? And we have talked about some of them. So data could be shared with unknown or unwanted third parties. What are the legal rights and what is the regulatory authority? So for example, if you have your email on the cloud and as a Google, then the Justice Department could subpoena Google. They would provide them the information and they could run those email trackers as it. You would never know that. Same thing if an education school or a school district uses Google email. Then Department of Education requires that student records need to be kept on US soil. Well, Google is changing its policy to make sure that they can decide where the data is and it's not distributed, replicated in their data centers worldwide. Do we know who's doing what with that data that we have placed on the cloud? Are people aggregating it? Are they replicating it, disseminating it, dispersing it? This is sort of the situation with the Stanford case. And as more and more of outsourcing and cloud hosting happens, it becomes an increasing risk. Then when we do contracts with the cloud service providers, they have their own terms. They may limit liability, they may terminate service. They may limit data access to our own data. Are we protecting ourselves from that? 
What reliability and guarantees do they offer for lost data? Will somebody hold our data hostage, right? So it's a very, very interesting world if we start thinking from a security mindset. So what I'm proposing is that we have a framework in which we take capabilities from the data management framework. And we also take capabilities from the security management framework and bring the two together. So like any other solution, we'll have a strategy, a framework, and how do we sustain this in the enterprise. So first of all, we have to decide on our strategy. What is our strategy going to be? The biggest thing that is missing is some sort of a risk assessment. For data, we do not have any basis of risk. If we don't have a risk classification, we cannot do threat or mitigation analysis. Then we need to decide what kind of a cloud are we going to use? Are we going to put our data in a cloud, which is of less business risk? Or are we going to put data, any data on the cloud? So that is a significant item to figure out upfront, or at least have some guidelines or have some idea so that when a business function wants to say, oh, I hired this person, they have a great hosted solution. I'm going to use them. You know whether that business function can be hosted on that kind of a cloud or not. And also, if possible, if you can qualify your providers, if you could qualify your infrastructure as a service provider, software as a service provider, that way you know which of those solutions are already available to the enterprise. So if people want those solutions, then you have already qualified your IaaS vendors and SaaS vendors. So at least you have a head start. And you don't have to play catch up when the business function wants to do something. Same thing with partners. So more and more collaborations are happening. More and more business process outsourcing is happening. So we do not even talk security to them. 
We may talk about data exchange to them for data integration purposes, but we really do not talk about anything about their security when we are thinking of how we are going to integrate with their sources. So deciding on these items forms the scope of your endeavor. So if you're going to go back and talk about to your security colleagues, you want to at least pick something and have a small scope to start with. Then, like I said earlier, basically we are going to bring practices from data management as well as practices from security and bring the two together. And as you know, in data management, we always start with master data. And even if we have master data, we want to identify some key attributes. And the whole reason of doing master data is so that we can do information transfer and information exchange. Also, we have a basis for information aggregation and information integration, which we usually do in our warehouse environments and exchanges. We do either with partners outside or with the systems inside the company. So I'm not going to stay with this. You all know this. And we all know what master data is. So coming to what is really important from a security perspective, there is a secure. And some of you are here from the financial industry, the insurance and banks. They are more ahead of pharma or biotech in terms of the data security classification. So you may say, this is public data. This is private or internal data. This is confidential or data for restricted use. Then access. We talked about access a little earlier. Who is accessing this data? And what are our controls for access and data distribution and are we monitoring them? And what are the policies? And how are we tracking compliance against those policies? So bringing these two frameworks from security and data, what would it look like? So it would look like having some sort of a security classification for your master data. Let's say we start there. 
So if you have a customer, and the customer is, let's say, a physician because we talked about physicians earlier, we may not care about prescribers. Prescriber information may be public information. Anybody can get the directory of physicians in the US. There are about a million or so physicians. You can get their directory, AMA sells that data. So prescriber information may not be public information. But there are certain thought leaders. There are certain experts in certain fields. Somebody may be an expert in oncology. Somebody may be an expert in immunology. That may be internal data for the company. So they may want to, say, take the key attributes or characteristics that we already have for our physician data, whether it's their license number, whether it's their NPI number, and add the security classification that is relevant to your organization as an attribute to that master data. Then the same thing for access. So let's say we usually know who is accessing the information from a security perspective, because security people are really, really good at managing parties. Identity management is all about managing parties and their user IDs. Anybody who has an interest in the company, they have a user ID, whether you're a permanent employee, you're a consultant, you're a contractor, you're a partner, you're an outsource. You are coming from the outsourcing place. All of you, if you're going to access the system from that enterprise, you have a user ID. And there are a lot of tools to do the identity management and the authorization and access management. But we usually don't bring that together into the other master, with the other master data and bring it together with the master data framework. But in addition to who has access, which is the authorization and authentication, now we all already need to know what devices are there, getting the information on or what devices the access on. 
And as bring your own device grows into enterprises, it becomes important. Then location becomes important. Where is this being accessed? You have your own device. Are you on holiday in the Bahamas? And you are accessing this information? Are you supposed to be accessing this information outside the US? Do you have a reason for that? Is your device lost? Should they have access patterns for this? Did somebody take your device? So this is really, really important. So let's say somebody is in crucial manufacturing in the manufacturing supply chain for the data, and they have mobile access, and they are traveling. You really, really need to know what kind of information is being accessed and who is doing the access. So for master data management, I'm proposing that in addition to existing master data categories, which we have when, who, where, who, that come from the data side, we also add attribution for the security pieces also. So usually, our databases do a very good job of who and when. I mean, this is sort of the third generation of data management. We have a lot of best practices. We have a lot of lessons learned. We have versioning. We have controls. We have a lot more tools than we used to have. So who and when are pretty well covered? But where? When we do the organization models, we may say where the organization business units are located. But we are not talking about where the master data is located. So we can enhance that capability and add the where. So that way, I mean, some of you have tools in which these capabilities are already provided. And the other additional aspect is, there are multiple parties who are controlling our data. So who has control of it? And whose governance are they under? So we would need to add those. We already talked about security classification, and we already talked about devices. And sustaining is pretty much the same thing. Security has their own steering committees. Data has their own steering committees. 
IT strategy has their own steering committees usually. So if we could bring those three groups together and have an engagement model with the business where we have an information security strategy, where we bring all those people together, we identify for the business which kind of data do they want to start this information security strategy with, it would be different for different business. And because the risks for different businesses are different, and then basically use what security and data people will always do, the governance models having some and policies. And I think the security people have more metrics. So if we can bring those two together, then we have a great framework for establishing a risk strategy for information management or secure information management for the business. So this is just sort of putting all the pieces together. We talked about strategy. We said start with a small scope, maybe one entity or one business unit that would work. And then follow through with the security classification, expand your master data solution. And then once that is done and you're ready to move on, then you can add information exchange and information aggregation capabilities also. And then basically monitoring, monitoring and monitoring. So what can you do when you go back? Maybe go have lunch with the security folks. Maybe attend one of their security governance meeting. Maybe invite them to the data meeting because there is a lot they could learn from data management practices because security practices have traditionally been about risks. And help the enterprise create a data map. So whatever scope you pick out, see where that data is located. And then add the security attributes. Maybe five, two to five would be a great place to start. So what are the critical success factors here? You've heard this before. You've done this before. A lot of you have championed maturity in the data world. I remember to me, this is the third wave of data. 
Client server and all the data was all over the map. And this whole BI data warehousing, all data people were important again. And now with big data and all the clouds and doing integration. So this is a tremendous opportunity. And the security people are also good at managing exceptions. We data people sometimes get caught up in the exception. We try, try, try to follow or make rules and business rules for all the exceptions. But security people are really better at exception handling if there is an incident. If there is a security incident in your company, there is a structure and a framework and a method to respond to that incident. So if we could learn from that, and instead of just physical security, we could also bring that capability into data security, we would have a huge leg forward. Then tools are evolving. There are a lot of standards out there. And standards are friends. We love standards. So the more standards, the better. So we can adopt the standards framework, whichever is applicable to your industry. For us, in health care, CDISC was a standard. And now HL7 is becoming a standard. And CDISC and HL7, they're trying to bridge them together for going forward. It'll happen one day. Responsibilities, I think that's another area where we could learn from security and partner with security. What are the responsibilities of the vendor from a data security aspect? We talked about risks before. What is important to your solution and what is important to your business? And you want to put that in contractual terms. So coming back to this, so let's say you are all in the cloud. Would you be able to sustain the same maturity level without doing extra steps? Or if you go beyond the enterprise, you will have to do extra steps to maintain that maturity level. And then if you want to advance on the model, then of course, more work, right? So to me, this is really, really an exciting time to be an information management professional, right? 
There is so much data. A single full genome analysis of one person is two terabytes. There is not enough bandwidth to load that into the cloud. There is a company in China, and there's another company in the US. Mostly they are the ones who are sequencing the full genome. How are they sending this data to the scientists? They put it in hard drives, and it comes on FedEx. So it's really, really exciting to be at this point in this time. I mean, I heard somebody talk from eBay. They have amazing solutions for provisioning and analysis in real time. So if one could take this big data analytics and apply that on the genome, it would be very, very interesting for the scientists. So there's more information. There's a lot of instrument data. And I'm sure you've heard a lot of people talk about the internet of things. So all that data already exists. And for us in the biotech pharma industry, as we go into more and more personalized health care, they want to do all kinds of tests and collect all the data in addition to your genome and figure out what makes you so special. So there are new technologies. There are a lot of database technologies. I know some people have presentations in this conference about that. Column databases, all these Cassandra, Hadoops, and all that that you've already heard about. How do they play together? A lot more tools for semantic correlation. We don't need to do integration and aggregation just by attributes anymore. We could use semantic tools, and we could have a hybrid solution within tactical and semantic solutions to do these correlations, and also mobility. So there's data, data, data everywhere. And the more we can do it, the more tools we can have, the more value we can provide to the business. So that's all I have. Thank you so much. And if you have any questions, comments, you would like to share experiences, which I should have said before. Please, feel free. Thank you so much. Sure. 
You know, I think different companies, legal, have different sensitivities. So there is really no solution. To me, the best thing is, don't put it on the cloud. I mean, that's your scope. That is in your strategy. You want to see, is it high, medium, and low risk from a legal perspective for your company? If it is a high risk, don't put it. If it's a low or a medium risk, then you have to run it by legal. I mean, for us, electronic lab notebooks is a big deal. Intellectual property is very, very significant. So having electronic lab notebooks, which were hosted, would not make legal comfortable. They couldn't defend intellectual property cases. So it's a very, very tough decision. And that's why it's really important to think ahead, because otherwise cases like this happen. And you know, the business is excited. IT is excited. We are excited by new tools. We want to put it out there. We want to make it available to everybody. So any other comments, questions, thoughts? Yeah, I think verification part is still tricky. And data verification has not been significant for a while. And I heard the gentleman before lunch speak about information architecture. So even if it is redundancy on the cloud, he talked about a settlement. And that's usually what is in most of the architectures. So even if you have data replicated and across partitions, there is a synchronization schedule. It may not be the synchronization schedule that meets your business needs. But usually, there is a synchronization schedule. And that does take care of it. I mean, that's one of the advantages of going to the cloud and taking that capacity. Any other comments, questions? Is there anybody from the finance industry? Do you have good interface between security and data people? They talk well together? Uh-huh. I see. I see. Oh, I see. Right. Right? Uh-huh. Right. Right. That's wonderful to hear. How about? I don't know the line at all. Uh-huh. So we are not ready. Right. Right. Thank you. 
Anything else otherwise? Thank you so much.