EP 14: Can Compliance and Cloud Innovation Coexist? with Mark Angle
EP 14: Can Compliance and Cloud Innovation Coexist? with Mark Angle
About This Episode
In this insightful episode of the Cloud Currents podcast, TierPoint host Dave McKenney is joined by Mark Angle, the Chief Cloud Officer at OneStream Software, to discuss the evolving landscape of cloud innovation and compliance. The conversation kicks off with a look into Angle’s extensive experience in the tech industry, highlighting his pivotal role in transitioning OneStream from an on-premises model to a thriving SaaS-based operation. Angle shares his journey through the early days of cloud skepticism to spearheading significant growth at OneStream, emphasizing the strategic decisions behind choosing Microsoft Azure for their cloud services and the challenges and successes encountered along the way.
Know the Guests
Mark Angle
Chief Cloud Operations Officer
Mark Angle serves as the Chief Cloud Operations Officer at OneStream Software, LLC, where he spearheads the delivery of cutting-edge corporate performance management solutions globally. Appointed in 2022, he has significantly contributed to the company's growth, leveraging his extensive experience in cloud operations and strategic planning. His leadership has been pivotal in enhancing service offerings and optimizing costs, driving OneStream's expansion across over 42 countries. Prior to OneStream, Mark held key executive roles that shaped his expertise in driving business value through innovative technology solutions.
Know Your Host
David McKenny
Vice President of Public Cloud Products at TierPoint
David McKenney is the Vice President of Public Cloud Products at TierPoint. TierPoint is a leading provider of secure, connected IT platform solutions that power the digital transformation of thousands of clients, from the public to private sectors, from small businesses to Fortune 500 enterprises.
Transcript Table of Content
00:00 - Intro to Mark Angle's Background and Transition to Cloud
04:31 - OneStream's Evolution and Cloud Adoption Strategy
07:16 - Deep Dive into OneStream's Core Software and Services
10:15 - Challenges and Strategies in Cloud Migration and Security
40:11 - Future Directions: AI Integration and Big Data
Transcript
00:00 - Intro to Mark Angle's Background and Transition to Cloud
David McKenney
All right. Hello and welcome to the Cloud Currents podcast. This is where we explore strategies and technologies regarding innovation in the cloud. I'm Dave McKenney, and with us today we've got Mark Engle, the chief cloud officer over at OneStream Software. So, hey, Mark, how we doing?
Mark Angle
Went great today. Thanks for having me, Dave.
David McKenney
Cool. So we're going touch on a couple of different topics today, given what you guys do. We're going to talk about some re architecting of legacy applications. We're going to get into some optimizations around cloud economics and cloud native solutions. I know you guys do some work with FedRAMP, so kind of talk about that. And at the end of it all, we'll probably round it out with some good old AI talk because we have to do that these days, right?
Mark Angle
Those are love AI.
David McKenney
Yeah. All right, so you've got decades of experience, Mark, notable to this conversation. We'll talk about Tyss and Krupp as well prior to OneStream, but you helped spearhead or spearheaded rather the transition from an on prem model to SaaS based model for your company. On top of that transition helped enable growth of, I think it was ten x, maybe even 15 x over the most recent year. So pretty fantastic and eager to hear more about how that went down. So why don't you go ahead and start with a bit about your history with Sys and crop and then more recently your work with OneStream and even go ahead and go into some about what OneStream actually does for those that aren't familiar with your line of work.
Mark Angle
Sure, sure. So a little bit about my history. I've been in technology for a couple decades, a little over a couple decades. As said, I spent a large amount of that time with the organization Thyssenkrupp, a large german, we'll call them manufacturing company, who deals with all sorts of different materials and processes and makes a lot of different things, spent time with them in a variety of different roles and sort of climbed the corporate ladder, as it were. And during that, I had a lot of time to learn project management expertise, systems management. And sort of during that time, the cloud became a thing. And it's funny, there's anecdote where I had a sales guy from a company, were a vendor were working with come in, give a presentation to me in the late two thousands about something to do with the cloud.
I can't even remember at this point. And I told him at one point, if you use that word cloud one more time, I'm going to kick you out of the room to find out. Cloud is part of my title, so the eggs on me at that point, but spent a lot of time learning with Sys and crop and through the beginnings of that cloud journey, there was a lot of private cloud hosting. At a large organization like that. We were not going the AWS route. Azure wasn't a thing yet, Google wasn't a thing yet, GCP, were looking at hybrid cloud hosting models and what that would look like, and then doing things in our private cloud, in our own data center.
It was a lot of our own data center management learned, I would say from, in a different way than you would have from, let's say a West coast startup mentality where you start on AWS and you build everything from there. And I had spent years managing data centers and knowing all there was to know about hosting and everything from that lens, but really didn't know a ton, even though we had looked at private cloud and some hybrid cloud stuff, didn't know a ton about what this cloud thing was. You see the t shirt about that's just somebody else's computer, right? When you go into the cloud, what does that really mean? I always sort of subscribe to that methodology or that line of thinking until I got into it. So then I transitioned into OneStream.
04:31 - OneStream's Evolution and Cloud Adoption Strategy
OneStream at the time was a very small company with a small customer base. When I came in, we had, for easy math, less than 100 people and less than 100 customers. We had a substantial company that had grown over a course of quite a few years, but we had not hit our stride into really large scale yet. We had an on premise software that had been selling for years with customers hosting it themselves. And we started to have customers who wanted the company to host it for them. Right. We decided that was something that we needed to do from a company standpoint. They hired me and said, okay, it's your job to build this thing up for us. And I started my journey with Microsoft Azure. At that point, Microsoft Azure was chosen really because OneStream has been historically a Microsoft stack.
We really build our product on top of Microsoft SQL, used Microsoft VMS operating system for an application and web front end. So it really made sense, especially from that database standpoint to go with Azure. At the time. When I started, it was the classic portal. If anybody remembers Microsoft Azure's classic portal and portal.
David McKenney
Yeah, yeah.
Mark Angle
Quickly turned into the arm portal and all the changes that went along with that. And I've grown it from when I first came into the company. It was about eight customers that were hosting to now well over 1400 customers. And we're planning on, you know, our next step in the scale is 10,000 plus customers that we want to be able to host in a SaaS model now.
David McKenney
That's awesome. I always like talking to folks who've been in the classic and all the red Dog front end days of Azure because I feel like everybody earned a badge in going through that transition to the armed model and we're all better for it. Right, but I want to ask about, because it's interesting to me that you really were a software company that turned to hosting because of your clients needs and requests, which is a good business to be. Right. But can you talk a bit about what OneStream does conceptually from what is the software that you are offering clients? And then we'll move into maybe talking about your adoption strategies of cloud thereafter. But I think it would help to talk about the industry that you serve.
07:16 - Deep Dive into OneStream's Core Software and Services
Mark Angle
Absolutely. OneStream at its core in the beginning was a financial consolidation and reporting package. Analytics was part of that as well. If you think about an accounting department or an FP and a department's primary tool set, accounting is going to be sort of that book of record GL system, but it's not going to have a lot of analytic capabilities and it's limited in what it can produce from a reporting standpoint. FP and a wants to do a lot of planning and trying to forecast what the future is going to look like. There were several different products on the market that did a lot of these things. And our founders came from a company who did those things in the past and they said, you know what, we can do this better.
And they took a lot of different aspects that had been different products in the past and put them together into one product that financial consolidation, reporting, planning, account reconciliation, all of those suite of financial aspects that you would think that are core to the office of the CFO. And we've just continued to add to that core over and over throughout the years. So we've created, we've gone from a core platform to a platform that you can actually develop on top of and create solutions on top of, to then opening that up now to our partner community to be able to independently develop solutions on top of our platform, much like other SaaS providers out there.
And we are continuing to expand the abilities of our platform, both from a development standpoint, but also the core capabilities for our prime customers, which are the office of the CFO thinking about the realities of finance outward, how do you plan for all that money coming in and going out and what it's going to look like in the coming months and years?
David McKenney
Yeah, it's really a neat solution, I have to say to myself. And so I'm a project guy, so I'm real good at spending money. I let other people help plan for it, but I can see the other side of it, certainly. So you deal in a very, let's say the type of data you work with is pretty protected when it comes to businesses that use your software. So when it came to convincing your own leadership that maybe you needed to shift from a prem based model to going all in on cloud, in this case Azure, what did you do to get, what were the key factors in getting that approval? Because it all starts with approval. Somebody somewhere or some group had to say, yeah, we think this is a good idea. Mark, go.
10:15 - Challenges and Strategies in Cloud Migration and Security
Mark Angle
I will say, fortunately it was a progression of steps. We went from just being a product company that produced something that you installed yourself to then being basically that, also adding on a managed service, posting on the cloud, then shifting to, we're primarily a cloud company, but we still offer it as a package solution on prem. And really now going toward taking the next step from managed service to software as a service, which a lot of folks don't really understand what SaaS means. It's not actually a technical term as much as people think that it is. It's a contracting vehicle. Right. It's taking those contracts of software entitlement and hosting and bundling all of that into one software where you get entitled to run the software out on the cloud. Right.
There are different types of sass, which is something that I spent a lot of time explaining to people. There is single tenant SAS, there is multi instance SAS, there is multi tenant sass. There are lots of variations in between those different monikers that are given out there. So true. Yeah, we've really taken the steps through that and we will never, because of the security profile that you mentioned, this is company's most critical financial data, especially if they're a public company. But even private companies, nobody wants to let that data out ever. And for public, it really becomes important that it doesn't get out ahead of time because that can really affect the market and a lot of things.
We have to be very careful about security where a lot of, you know, if you think about a lot of consumer softwares, they don't necessarily have to be as careful with a lot of the data elements contained within their software. We have to be extremely careful about that. So we in a sense lifted and shifted that on prem software into the cloud and maintained private rooms tenants for each customer, so that everybody, it was easy to explain the security model. Everything is a walled off garden. You get your own garden when you bring come to us. And that's how we rolled for quite a while. Now, as you can imagine, that doesn't scale well.
So at a certain point you say, well, okay, we still need to keep these pieces separate, but there's a management layer that needs to be multi tenanted so that we don't have to hire one person for every single customer that we bring out, because we can't manage that much. Then we created a multi tenant management layer which had tentacles into all of these single tenant customer environments. Then eventually we said, you know what, we really need to take a look at this. And if we're going to scale as high as we want to and also get cost efficiencies, make sure that customers can take advantage of both the lower cost and the higher performance that more multi tenancy offers you. We've got to rethink how the software is structured.
So while continuing to offer the same feature set to our customers, went on a journey to try to reconstruct how we do the services, the infrastructure services that are contained at the bottom layer of our software. And I would say we're in the middle of that. Let's say it's going to be an ongoing journey forever. And anybody who works at a software company knows that it doesn't stop. You always have something new that needs to come out, but there's a cycle now of features that need to come out on a regular basis and there's a cycle of improvements to the infrastructure, the cloud layer, that also need to go along with that, but sort of independently.
So we've developed, when you get to SAS and we've created this SaaS contracting vehicle several years ago, we have the ability now to make those changes as we need to without affecting the usability of the software. And we're trying to really lean into that to again get more and more ability to make it cost effective but provide better performance. That's the biggest challenge that we have.
David McKenney
Yeah, because you're in a competitive landscape, you're probably not the only company out here doing things like this. You're probably the best one though, right?
Mark Angle
Absolutely right.
David McKenney
So you mentioned it was iterative and that helps that like look, lift and shift was the right model for us to start with and giving everybody making sure that business as usual, were at a different cloud, but everybody still has their own tendency, their own walls as you put it, or gardening. When you were starting to find ways to drive performance, drive down costs, were you looking to cloud native options or what did some of those iterative changes to become more cloud native look like post the initial lift and shift?
Mark Angle
Sure, absolutely. So we looked at several years ago when we started to really say we're going to become a SaaS company formally with our contracting vehicle and how we operate as a company, we looked at. So okay, should we stay with Microsoft Azure? Should we look at AWS, GCP, Alibaba, IBM, any of the different options that were out there? And we did a bake off, we looked at a bunch of them, narrowed it down to the big three, right, with GCP, AWS and Microsoft. And there were some really key reasons why we stuck with Microsoft, not the least of which was the great partnership that they give us.
But there were other technical reasons why, because of the way that our software still works, it made sense to continue with them, but we started to move more into okay, what can we do, when you talk about cloud native, what can we do to get away from these independent virtual machines that have roles that you're wasting a giant machine just for a small role essentially. And we've started to look at, while there are some azure functions and some things that we could do without even a server footprint at all, we've employed some of that. We've also moved toward now an Azure Kubernetes model where we can start to run containers out there that will cycle and be able to get more of a dynamic scale out of it. An intermediate stuff that we took was to use scale sets.
So instead of having permanent vms that were sitting out there, we used more instances that we could chill and scale as we needed to. But it was a manual scaling versus Kubernetes will give us the ability to do more dynamic scaling. So we're actually in the middle of moving toward that right now, and we're hoping to have the operational release out with that in the coming year.
David McKenney
It's interesting because I definitely was going to ask you as a follow up question, if you could put it in a timeframe from start to finish, how long did the migration transformation take you to move to Azure? But you're highlighting the point that the migration never really stops. You might have lift and shifted and that might have been a milestone, but, and you had some very clear security drivers there. But using scale sets on IaaS or making the move to functions to get some app services or containers where you're at right now. It just shows that there's a constant progression of, you can always do something more. Or as the cloud is evolving, there is maybe a feature to be had that maybe it drives up performance or drives down cost for you, but I guess I'm putting words in your mouth.
But would you say that the migration has ever really stopped for you?
Mark Angle
No, absolutely not. I will say that it has been a sort of a snowball effect where we started from a very, very small team, the only way that were able to scale to where we're at now was to do the same thing repetitively over and over again and not have to keep tweaking it every time. While we continue to add more features to our software, the way that we deployed our software remained static for quite some time. And it was only within the last couple of years that we really started poking at that and saying, substantially making changes. Now we're going whole hog into, okay, if we really rethink this, what can we make it look like? Part of that is just, that's good business to do when you're in this position.
But then we also have drivers from the bottom and the top right from the top. We've got new feature sets that we're deploying to our customers and that our customers are coming to us and saying, we really want to do with your platform. And a lot of that has to do with more data. More data. More data, right. And the more data that you want to process in analytical cube like we do, it can get really expensive from an infrastructure standpoint really quickly. And if you're not careful, you can bring it to its knees if you do the wrong thing. We have an open platform.
We let customers do whatever they want on top of that platform to some degree, because it's a development platform, even they can really create a lot of dangerous things, and we sort of have to be ready for that and be able to handle it from the bottom side. You get the opposite effect where you're hosting, because we don't own our own data center. We're hosting on top of something that's changing too. It's like walking on top of a bottom. Right? It's always moving underneath your feet a little bit, and you're trying to stay up with the latest changes on APIs, the latest product rollouts, the latest cost changes, all of the different things that Microsoft as a company is trying to do.
We're wedged in between, trying to make sure that we are forging ahead on a roadmap that makes sense in between a changing ground and changing requirements from up top.
David McKenney
Yeah. You don't get to pause Microsoft's maintenance cycles or change their fault or availability domains. You don't get that. You lose that along the way. Right.
Mark Angle
And that comes along with disaster recovery failover, high availability region deployments. We're a global company, so making sure that it works as well in the US as it does over in Singapore or elsewhere. Right. Like there are a lot of things that we have to consider on a daily basis to make and there's no room for failure. It can't go down. Right. We have an uptime requirement. It has to stay up. Yeah.
David McKenney
And it was. So what I like, I love what you're saying here because even in the last part you've got the consistency of the platform and you can find pros and cons. You don't have a lot of the flexibility you might have with your own private cloud installation where you can say, you know what, it's a holiday week, we're not going to do an upgrade that's out of your hands. But at the same time, public cloud is definitely given companies, even like yourselves, which you would probably say you're a software company, not really a cloud hosting company, but you do cloud hosting as a result of the software delivery model. You use your words, you're in a SaaS contract model, but public cloud is giving you things that maybe a decade prior you would say containers. That's not us. We're not a container company.
We don't have that in our cloud or we don't have access to it. But what I found is in your iterative approach, which is similar to so many other companies, is they get to see those things and play out. Well, if we're going to do this, why not take it one step further? Because maybe that advanced option is available to us. And I think it's really neat to see in use cases certainly like yours, which seems to also be a very fast tracked process. You guys have been making a lot of these changes and evolutions in a short amount of years. It seems like it has been a.
Mark Angle
Very rapid cycle when you go from, like I said, less than 100 customers to where we're at right now, and the customer account doesn't seem like that big. But you think about our customers are not mountaintop consumers at their homes or at small businesses. Our customers are typically some of the biggest companies in the world, or they are the biggest companies in the world. I won't name them, but they are definitely the biggest companies in the world that typically are our sweet spot, and it is a challenge to keep up with that. But if I go back to talking about that evaluation we did from a multi cloud perspective and figuring out what was the right way to go, part of that conversation was also, should we host our own data center? Right?
Should we go back to a colocation model or buildings where we rack and stack everything ourselves? And the advantage that we saw was the same thing we had felt from the beginning, which is that what you just brought up, our ability to roll into a new region around the globe or a different modality in the way that we have to do things, is far superior because we're on top of a public cloud. Right. Part of what we do is government hosting for the US government. And in order to be FedRAMP compliant, to try to host your own data center to do that would be very difficult to put that lightly. It's very difficult to do it no matter what.
But it was much easier for us than somebody who would be building their own building, because we're able to layer in the existing Microsoft authorizations that flow up through our authorization. So, yeah, you're right. Going into other countries, like, there's no way we could have done that otherwise. Yeah.
David McKenney
The number of badges, regulatory compliance worldwide, spot on, especially in the finance sector. But I'm always. I always find it interesting because our security teams at tierpoint will often remind us how expensive it is to go through FedRAMP, especially high FedRAMP, high attestations and audits and all those things. It is a substantial undertaking, both operationally speaking, but even financially, for a company to meet those requirements. So you have a lot of things going on in this constantly moving migration. But if you had to go back four or five years ago, it's longer than that since you started the migration. But if you had to go back to the early days and if you knew then what you know now, would you have made any decisions differently? It's easy to say, but it's also kind of fun to say, man, if we knew this.
Mark Angle
I think that the one thing I would have maybe done differently if we had the time, because I'm not sure you have the time when you're in the moment, but if I had the time, I may have pushed our product development team to make more infrastructure related changes earlier to allow us to be more scalable earlier. It's not to say those conversations didn't happen. They absolutely did. But I think part of it was we just weren't ready as a company to make that mind shift. Frankly, inside baseball, we hired some people along the way that came in with an outside mindset that weren't necessarily part of the industry from a sales standpoint that we're in, but had worked with other software companies and said, well, this is sort of the modern way of doing it, we should really be doing this.
And they helped to echo the conversation that had already been in place and just make that louder and louder until the point that it was undeniable that's what we needed to do. But you say, oh, well, it would be nice to have done that, but in reality, did we have the time to really do that, or were we running so fast that we couldn't catch up anyway?
David McKenney
Yeah, that's. And thanks for the kind of the insider chat. I think it's understated just how common that is, to bring in outsider information or bring in outside expertise, because unlike the cloud native or cloud born companies that you mentioned at the onset of this talk, a lot of us have been in business for decades that are years that predate public cloud. And to change in being a co location and a hosting provider and a managed services provider, it's really hard to change what we've done for years and years to mold to public cloudways. Nobody is unaffected by that, in my opinion. And it's interesting, the more and more people talk about those challenges and changes and what they had to do to take a company into the new decade.
I think it's great that people share it, because I think you find much more commonplace in those discussion points.
Mark Angle
Yeah. The transition from when I worked at Tyson Crop, like the legacy way of hosting your own stuff, even if it was in a co location model, to really, what is inevitability of using some sort of cloud, be it SaaS or Iaas or Paas or whatever. Now, it's been a monumental shift in the way that the world works, and it has been interesting from this side of the table to watch companies have that light bulb go off. A lot of what we faced was security folks who a lot of times either were trying to make a name for themselves or they had been burned because they had some sort of an incident, security incident, where they were just clamped down really tight and they couldn't move to do business, or a lot of different regions around the world.
We've seen different regions, and I won't call out the countries, but there are certain countries who are much more reluctant to come into a modern day way of hosting the cloud than others are. The US has been one of those ones who's been on this journey for quite some time. There are some european countries who are definitely still fighting that a little bit and still coming into their own on it. So it's very interesting to watch.
David McKenney
Yeah. Especially in the regulatory space. When you see a technology like cloud moving so fast, inevitably regulatory plays a lot of catch up and so policy, and you just never know when it may be. Some areas it's happening quicker and affecting you sooner. Finances in that whole sector is not like where retail and maybe even manufacturing led a lot of the charge in public cloud usage and SaaS certainly, and then finance coming along because of the standard regulations. You probably have some of the more advanced scenarios that people have had to deal with because it has been under more of a lens than when everybody's like, whoa, this online marketplace or this online store completely disrupted the market. We should probably go talk about regulations with that.
Mark Angle
It's been interesting from another aspect of, you think about the timeline of me being at OneStream and where were at when I started in 2016 versus where we are today. That was before GDPR was a thing, right? Yeah, we started our FedRAMP journey in 2017, early 2017. There were this like an Alphabet soup of, because we're not industry specific, we're industry agnostic, and we're used across all sorts of different industries, we bump up against all of these different industry compliance certifications that are out there. Right.
And the Alphabet soup of being hit in the face with everything from HIPAA to PCI to FedRAMP to ITAR, to anything that you can think of, ISO, obviously, and figuring out when was the right time to tackle those for a budding startup software company and when it made sense to put all the effort into that, you know, put values in.
David McKenney
That balance, you gotta make money too, right? And those things you gotta pick, you gotta start somewhere and you can't do them all at the same time.
Mark Angle
It is a lot of effort to go through those compliance. It's a lot of effort to do the compliance certification or authorization upfront and then to maintain it on an ongoing basis. It's even more difficult. And when you stack those together, you can get a control set that can sort of pass through all of those. But it really takes the compliance department to manage that and work closely with our technical folks to make sure that we're doing that properly. Yeah.
David McKenney
So let's talk about like some FedRAMP stuff here. So you guys have a lot of information around complexities of FedRAMP. And I know you guys, you mentioned government. It's a public sector cloud adoption. I love to hear just some challenges and elaborate on things you've seen that because FedRAMP is often highlighted in conversation, but not a lot of people have it because of how hard it is to get and maintain. So it is very challenging, unlike where you might hear more people talk about PCI and HIPAA amongst your peers. So would love to hear some, I guess, some journeys in the FedRAMP space from you.
Mark Angle
Yeah, that. It has been quite a journey. We started, as I said, in 2017, working with our first agency that we were trying to sell to, and they said, you have to get this FedRAMP thing. And we said, I'm sorry, what'd you say?
David McKenney
FedRAMP?
Mark Angle
What is that? So I personally, actually, I was the one who had to go to Washington, DC situation in a, what they call a reading room and go through control sets to try to understand what were up against. And FedRAMP was still sort of a young program at the time. I can't remember what year it started, but it hadn't been around for that many years at that point. And it was, there were not that many, and there's still not that many today. But really, then there were not that many companies out there that had this authorization already.
David McKenney
So could you have just. Sorry, real quick, because I'm curious, could you have just done that on your own if you said, look, OneStream has a desire to be FedRAMP, I'm going to go to Washington and sit in a reading room, or did you have to have that sort of need and sponsorship from an agency that said, we need you to get this, go get it, and then you're kind of allowed in the back door to go learn FedRAMP?
Mark Angle
Oh, yes. There are two ways to do it, actually. So both of those are options. There is an option to do a sponsoring agency like we did, and then there's an option to do it yourself and go through what's called a Java joint authorization board, in which case the FedRAMP PMO actually does the authorization. We already had a customer in the pipeline that were working with. And as we've gone through and done other work at the tail end of our FedRAMP high authorization now, and we've actually done a close cousin to this, which is the just an impact level four authorization for Department of us, Department of Defense as well. We've had a sponsoring agency for that too. It has its pluses and minuses to working with an agency.
They have their own overlay controls in a lot of cases where it's not just the basic list, 853 controls that are off the shelf, it's also whatever that agency decides that they are their controls or control modifications on top of that. I know I'm getting a little technical, but it can be a challenge to try to work with an agency because it's a little bit more of a lift. But then if you go the job route, there's also some challenges there because they are very stringent. There's not risk acceptance in the way that an agency might. So there's pluses and minuses depending on which route you go there.
David McKenney
So when did you. So you started in 2017? When abouts, would you say you finalized your completion of the FedRAMP certification?
Mark Angle
So if my memory serves me, and I don't have notes in front of me, but I believe we started our journey in 2017. We got our FedRAMP moderate authorization in 2018, which is extremely fast. We worked on it very quickly and very heavily to try to get that done, mostly because we had a customer in the pipeline that we really needed to push that. But now, as we've gone through the FedRAMP high authorization, I think it's been around three years to get that done. And some of that is technical changes on our side. Some of it is compliance changes on our side. Some of it is just, it takes a while to work through the process.
We had some fits and starts a little bit on how we work with the agencies, and we had to switch our partner at one point to try to get the right agency partnership to get that authorization done. It's never dull, let's put it that way.
David McKenney
I'm going to maybe just answer my own question, but would like to hear your commentary on it. But FedRAMP, you get moderate, you get high, even if you've got customers that don't need it. I have to imagine that the fact that you've gone through all that is sort of a feather in your head and has people saying, okay, even though we don't need that, these guys know what they're doing from a security perspective and compliance perspective, that we've got that added level of trust. Do you find that it helps accelerate your growth from a customer base for those that didn't even need FedRAMP?
Mark Angle
To some extent, yes. We definitely have used that in conversation a lot with customers to help them understand the level of certainty that we go to. We started with SoC SSA 16. Now it's 18 at the time, the SoC two, SoC one and control sets. Then we moved on to FedRAMP. So SoC is more generic for everybody who's got financial controls and FedRAMP is more narrow. But you're right, it does give them an example of like, well, okay, if they can do that, they should really know how to be able to handle our commercial stuff really well. Where we ran into a lot of challenges is when went, when were having this conversation internationally, there was a lot of like, why do I care what your us federal government does? Right? And really.
So let me go show you what I just did for the last four.
David McKenney
And a half years. I need to share my pain with somebody.
Mark Angle
So we ended up doing CSA and ultimately ISO 27,001 to make sure that the international folks were more comfortable as well. And that helped. So we kept layering on more and more, and we continue to layer on more and more compliance authorizations and certifications throughout the years just to make sure that we've got everybody as comfortable as possible.
David McKenney
Yeah, it feels like at this point, especially globally speaking, with all of those regulatory and compliancy, I'll just again refer to them as badges that are out there or frameworks. It's a job just mapping one control to another so that you can say, hey, we actually, we have that through FedRAMP, but let me show you how it might translate over here pretty soon before you know it, in your case, you're trying to collect them all.
Mark Angle
Yeah. One of the interesting aspects of my job over the years has been that not just from the technical standpoint to implement those controls, but then also work with compliance to get it done, but from a contract language standpoint. I've been very heavily involved with legal, our internal legal, to both formulate our contract in a way that it addresses as many of the questions as possible so that we don't have to go through an extensive redlining process with customers prospects, but also, as there's some companies, just for some reason won't accept standard contract and they always have to have something they want to jam in there. We have been able to quickly address any concerns that we've had during the contracting process, in large part as a result of one, years of learnings, of customer conversations.
But two, knowing what is standard in the industry and knowing what those controls are out there from a compliance perspective, but also what our competition, what our peers are doing, making sure that we're meeting that bar and exceeding it.
40:11 - Future Directions: AI Integration and Big Data
David McKenney
That's great. Well, we're moving through a lot of content and time here, and I want to talk a bit about some of the AI things going on. So, financial planning and analytics, I think you used that acronym earlier, FP and a. So to date, you guys are using AI ML capabilities in your software solution?
Mark Angle
Yes, we are, and that's also been a journey. We've gone from initially using a plugin for machine learning and a very simplistic sort of dashboard. Here we'll give you the tools, you roll your own with it on top of our platform, using whatever solution you want in the market to developing a what we call sensible machine learning, sort of a predictive analytics view of the world. We've obviously got that financial data in the platform, and FP and a wants to predict what that's going to be over the next period, whether that be a month, a quarter, a year, whatever. So anything that they can do to really get that edge in prediction. Using AI has been a great use case for that.
We've had really good results with our customers who are using that tool, and now we're branching out into other LLM stuff within the product and other things that are on our roadmap that I can't share yet, but we have a whole fleet of, as you can imagine, AI products that we want to either sell or are going to be embedded in our platform.
David McKenney
So I was going to ask a question about. So, given the sensitivity of the data, your AI and ML solution set, are there some self learning capabilities that are built into it? So as it's looking at, as it's analyzing data, is it also taking, because it needs the data to learn, but are you taking some of those learnings back into the product?
Mark Angle
So we have to be very careful about that. We go back to the earlier part of this conversation, talking about security. One of the challenges with AI and ML, right, they're very closely related, is that, for instance, the large language models that are out there for the public to use, the chat GPTs of the world, they are trained on a data set, a broad data set of the Internet, whatever they could get their hands on. And we all know the conversation around that. For a machine learning AI tool in a secure environment like this, where you need to make sure that, one, that data is not going anywhere, and two, that the data is accurate, there's no question it has to, can't be 99.5% accurate. It has to be 100% accurate coming back, right. You cannot get your financial book of record wrong, period.
You just can't do it in planning, it's different. Right. For planning, there's the ability to sort of forecast into the future with a degree of a percentage of accuracy. We are using as much as we can, but we're offering it in a user control method right now. So we're not doing anything automatically with AI. What we're doing is being very transparent about, we are going to implement this ability of using a large language model to have a chatbot within, or a helper within the product, and you will have your own segmented library of information that you will train that on and be able to use it for. And if you think about this, our product is primarily gauged at the office of the CFO, but there are other areas of the business that will potentially use our product.
So, and even within the same department, you need to have segmentation of authority, right. You can't have a person who is a lower level, let's say an intern, right, who came in for the summer, is going to work in the accounting department, inputting numbers on something. You can't have them have the ability to look up in an AI tool what the latest balance sheet numbers were. There's a level of secrecy or segmentation that has to happen to make sure that the right people have the right level of identity and access management. Yeah.
David McKenney
And so this is definitely well suited for like the rag model where you're getting the retrieval augmented like data. So if your customers data isolated to them, and are you saying that the AI or ML that you're using is really confined to their solution? That you're not taking learnings from one customer and applying them to say another? It's all contained. Yeah, that's what you just said about that read up, write down problem. Somebody's ability at a lower security level, being able to read data from hire. It's interesting because maybe just putting it out there, you're blending really borderline, unparalleled data driven advice using AI, but also the need for that human touch and governance about the sensitivity of the data and make sure that power doesn't overstep its boundaries.
Mark Angle
Yeah. Without fail, every conversation that I've had from a security perspective, when we're in conversations with a prospect trying to get a deal sold, is about data security. Now, there is a difference between a customer's data and data about the environment that happens to be running a customer. Those two are two different things, right? Customer data is their financial numbers, their ids, their names, all that information that goes into the platform that is 100% them and you have to be careful. We make sure that it's segmented to them, right. We're not doing any sort of learning or sharing or anything like that.
Now on the other hand, what you can call metadata, although we use the term metadata for a lot of different things, metadata about performance of the memory, performance of the cpu, storage capacity within the database or hard drives on the virtual machines or the containers. Like all of these different technical or it related metadata elements that we do use aggregated AI for to make sure that we understand as a fleet what our environments are doing right.
David McKenney
Because that then helps drive performance up, potentially drive costs down. Make sure that if you're making changes to the platform that they're aligning with your objectives makes total sense. Well, let's round it out with one last just looking into the future. Are there any particular, whether it's with compliance or AI or any other technologies in the cloud world that have you excited about the years to come and what OneStream is doing the biggest?
Mark Angle
Well, I'll say two things. Obviously the AI conversation is huge. Trying to figure out where we go from this momentary bubble to leveling out and figuring out what the growth trajectory of that is going to be. The more that companies can use AI to give a more precise prediction of what their input of revenue is going to be, what their stock on hand needs to be, all of those sort of aspects of their financial life that translates into really big, real dollars. So that is something that's not just useful, but is extremely valuable for our customers to be able to do so. Continuing to evolve that and where it evolves from a public perspective and where we evolved it within OneStream, both of those are very exciting.
The other piece is what's been a thing for quite a number of years now, which is big data. Our platform and what we do as a company is all about financial data. But the more that you want to analyze and the more you want to predict, the bigger and bigger that data set gets. Right. We've had customers who obviously the basics are we bring in the GL data at a certain level and predict, or we either report on it at a consolidated level from all your different divisions and accounts, everything we're predicting, what that's going to look like, that's pretty obvious. But when you start getting a little bit outside the box, you look at things like weather data for a retail operation, holidays, and predicting things based on that, a lot of it.
You bring in all these other data elements that affect our lives as people on a day to day basis and in turn affect how a company operates, what their finances are going to look like. You have a pandemic. What does that do to you? Right. How do you, that's one of those things that's very difficult if not possible to predict. But it's not happened. You know, it's not the first time it's happened in history. Right. It happened 100 years ago as well. So maybe there is a predicting element to that. But the more big data that you bring into those models and the more big data that you bring into just analyzing your data without AI, the more insight you tend to get on your data.
So we're finding our customers and natively what we're trying to push out there is more and more data that's going into the product and giving more and more capability to crunch those numbers and get something valuable out of it.
David McKenney
That's a great way to finish this off because I couldn't agree more that while it's fun to see what AI is doing right now, and it's very, a lot of it is very industry specific, even like foundational models. But where it's really going to get interesting is when the external telemetry and the things that you might out of the gate say that's not associated with finance planning. That's weather in your statement. Well, no, let's show you how the two actually can be interrelated and actually do it within reasonable means. I'm really excited for that. I think it's going to open up new occupations, a lot of new everything really, just to be honest. So this has been fantastic. Thank you so much, Mark. I think we'll wrap it up here for anybody who wants to get more information.
And you should about OneStream, head over to OneStream.com comma, all one word, a really neat product and keep track of what these guys are doing because as Mark's pointed out, they are evolving constantly. Right, Mark?
Mark Angle
That's absolutely right. And the amount of things that we have in the hopper right now is going to blow people's minds.
David McKenney
Thanks, Mark.
Mark Angle
We'll see.
David McKenney
Everybody.
Mark Angle
Thanks for everything.