Government agencies wrestling with data silos across Microsoft and Amazon clouds just got a practical path to break free—without moving a single byte. Hitachi Solutions Europe’s eight-week proof of concept showed that Microsoft Power Platform, Dynamics 365, and Copilot can securely operate on live, highly sensitive case data residing in AWS, sidestepping the need for costly and risky data duplication.
This PoC, first reported by PublicTechnology on September 9, 2025, isn’t a theoretical lab exercise. It deployed real-time dashboards, workflow automation, virtual assistants, and AI-driven analysis on secured case management data, all while the sensitive records never left their AWS residency. The implications for government IT modernization are profound: agencies can now pick the best tooling for the job while honoring ironclad data residency requirements.
The Multi-Cloud Government Dilemma
Public sector IT landscapes are rarely clean. Citizen data and mission-critical systems commonly span Microsoft Azure, AWS, Google Cloud, and specialized sovereign clouds. This sprawl forces a painful trade-off: either move or duplicate sensitive data to use modern application tooling, or limp along with outdated manual processes. Both options carry risk—migration invites compliance violations, duplication creates governance nightmares, and stagnation fails citizens.
The Hitachi PoC directly attacks this dilemma. By combining Microsoft Dataverse virtual tables, private cross-cloud networking, and Zero Trust security controls, the Secure Multi-Cloud Connector (SMCC) allows familiar low-code Power Apps and Copilot assistants to query and interact with live AWS-hosted records as if they were local Dataverse entities. No ETL pipelines, no overnight syncs, no stale copies.
Inside the Secure Multi-Cloud Connector
At its core, SMCC rests on three proven building blocks:
- Data virtualization via Dataverse virtual tables – These are a mature Microsoft capability that presents external data sources inside Power Platform without persistent copying. The PoC leverages virtual tables to surface AWS-resident records in real time, preserving the “no duplication” promise.
- Private cross-cloud networking – By using AWS Direct Connect and Microsoft ExpressRoute (or neutral fabrics like Equinix Fabric), all traffic stays off the public internet. This reduces exposure, manages egress fees, and provides predictable latency—critical for regulated workloads.
- Zero Trust enforcement – Identity is federated through Entra ID (formerly Azure AD), with conditional access policies, least-privilege RBAC, and end-to-end encryption. Every application request is authenticated, authorized, and logged, creating a full audit trail for compliance evidence.
The innovation isn’t in any single technology, but in how Hitachi hardened this combination for government requirements. The PoC demonstrated bi-directional integration (subject to governance controls), enabling not just read-only dashboards but also write-back workflows—though the specifics of transactional integrity remain to be fully disclosed.
Why This Matters for Government Services
For agencies stuck with data locked in a specific cloud due to law, contract, or policy, SMCC offers a genuine escape hatch. Instead of choosing between tooling and sovereignty, they can have both. The PoC delivered three immediate service-level benefits:
- Live caseload dashboards that eliminate stale reporting and speed up triage decisions.
- Automated workflows and alerts that cut routine manual processing, freeing caseworkers for higher-value tasks.
- Copilot-driven virtual assistants that accelerate decision-making and chip away at backlogs.
Those aren’t cosmetic gains. In welfare, justice, or healthcare settings where lives depend on timely intervention, shaving hours—or even minutes—off processing times directly improves citizen outcomes. And all of this happened without moving sensitive personal data from its approved AWS home.
Technical Credibility: What’s Proven and What’s Not
The public record supports the PoC’s foundational claims. Dataverse virtual tables are a supported pattern for reading external data without duplication. Private cross-cloud links via Direct Connect and ExpressRoute are well-established. Zero Trust components—identity federation, conditional access, encryption—are standard in high-assurance environments.
Yet several critical gaps remain before any production deployment:
- Formal accreditation artifacts – The PoC announcement lacked published impact level (IL) assessments, penetration test reports, or FedRAMP-equivalent certifications. For government workloads handling sensitive personal data, these are non-negotiable. Agencies must demand and verify full assurance packages.
- Operational performance at scale – Virtual table access works well for on-demand reads and moderate transaction volumes, but heavy transactional systems, offline clients, or features requiring full Dataverse capabilities (such as native auditing) may still need data replication or hybrid approaches. Real-world load testing, latency baselines, and failure mode analysis are essential.
- Write semantics and transactional guarantees – Bi-directional integration was referenced, but the PoC description omitted details on write-through consistency, rollback procedures, and conflict resolution when modifying AWS data from Microsoft tooling. Without explicit contractual commitments, departments must design their own compensating controls.
Treat the eight-week PoC as a credible milestone, not a turnkey guarantee.
Strengths: What SMCC Delivers Well
Even with the above caveats, the connector’s value proposition is strong:
- Data sovereignty preservation – Sensitive records remain where the law demands, while modern tooling operates on top.
- Reduced duplication and overhead – Eliminates ETL pipelines, redundant stores, and the security exposure they create.
- Accelerated feature delivery – Low-code apps and AI assistants can be developed rapidly when they can directly query live AWS data. This shortens time-to-value for pilots and transformation initiatives.
- Policy alignment – The approach embodies interoperability, reuse, and security-by-design principles championed by government technology codes of practice.
Risks, Trade-offs, and Governance Landmines
Adopting SMCC isn’t a purely technical exercise; it requires navigating a maze of legal, procurement, and operational hurdles:
Accreditation and Assurance
A PoC provides no guarantee of production accreditation. Departments must map the architecture to their specific impact level, commission independent penetration testing, and maintain evidence packages that satisfy auditors. In the UK, that means NCSC guidance and IL assessments; in the US, FedRAMP or DoD equivalents.
Operational Complexity
Private cross-cloud networking, identity federation, and continuous monitoring demand specialized skills that many government IT teams lack. Budget for training, runbook development, and ongoing managed support. A single misconfigured conditional access policy could expose citizen data.
Feature Gaps and Performance Trade-offs
Virtual tables have known constraints: auditing, offline sync, and certain Dataverse plug-in behaviors may not work. For transactional systems of record, a hybrid model—caching critical reference data locally while querying live AWS for case details—might be safer. Departments must evaluate Dataverse limitations against use case requirements and plan compensating controls.
Legal and Data Protection Complexity
Cross-cloud access shifts complexity from technical migration to legal domain. Agencies must document data flows, update data protection impact assessments, and ensure contracts cover interconnect responsibilities, vendor access, and cross-jurisdictional law-enforcement disclosure regimes. The cloud where the data sits determines which sovereign laws apply—a detail often overlooked.
Vendor Concentration
SMCC reduces lock-in at the data layer, but it concentrates workflow, automation, and AI tooling within Microsoft’s stack. While this isn’t inherently bad, agencies should plan for portability: test API-level interoperability with other platforms and maintain an exit strategy.
Practical Checklist for IT Leaders
Before procuring SMCC or a similar solution:
- Confirm the regulatory/accreditation requirements for your workload and demand a published assurance plan from the supplier.
- Run a focused pilot with production-scale data, including failover, latency baselines, and full audit logging.
- Evaluate Dataverse virtual table constraints against your feature set (auditing, offline, transactions). Design compensating controls where gaps exist.
- Define the network model and redundancy (Direct Connect/ExpressRoute or neutral fabric), test egress costs, and measure latency under load.
- Map identity, conditional access, and RBAC end-to-end, testing from non-admin contexts. Verify telemetry aggregation and alerting.
- Update procurement templates to codify multi-cloud interconnect, incident responsibilities, and continuous compliance attestation.
- Plan skills uplift, runbooks, and a managed operations model for ongoing support.
Procurement and Policy Shifts
The SMCC PoC changes the fundamental procurement conversation: from “which cloud do we pick?” to “which capabilities do we need, and where must the data remain?” This enables modular buying where data hosting decisions are driven by legal and mission needs, while tooling choices are based on functionality and user experience.
To capitalize on this, procurement teams must update standard clauses to include cross-vendor interconnect terms, shared incident response obligations, and ongoing assurance responsibilities. The approach aligns well with technology codes of practice that emphasize interoperability and reuse, but those policy benefits only materialize when assurance, operational models, and contracts are in lockstep.
Globally, similar shifts are visible in centralized buying programs like the US OneGov initiative, which secures discounted access to Copilot and cloud services. However, central deals accelerate adoption; they do not replace workload-specific assurance.
Questions to Press Hitachi (and Partners) On
Before signing any procurement agreement, demand answers to these questions:
- Can you publish the architecture’s accreditation artifacts (pen test reports, security architecture attestation, IL/FedRAMP equivalence)?
- How are write operations handled end-to-end? What transactional guarantees and rollback controls exist?
- What latency and throughput SLAs are achievable for representative workloads, and what redundancy models exist for the private interconnect?
- Which Dataverse features work natively with virtual entities, and which require replication? What compensating controls do you recommend?
- How do contracts handle cross-vendor incident response, and what continuous compliance attestations will you provide?
Broader Industry Context
SMCC reflects two converging industry currents: vendors building integration points to let organizations mix best-of-breed hyperscaler services, and the maturation of neutral interconnect fabrics (Equinix Fabric, Megaport) that make secure, low-latency cross-cloud routing practical for regulated workloads.
Hitachi’s positioning as a multi-cloud integrator with deep partnerships across both Microsoft and AWS gives it the organizational muscle to productize such connectors. The real question for government departments is whether assurance, procurement, and operational processes can evolve fast enough to absorb the innovation without compromising security.
The Road from PoC to Production
Hitachi Solutions Europe’s Secure Multi-Cloud Connector is a credible, technically plausible step toward true multi-cloud interoperability in government. The combination of Dataverse virtual tables, private connectivity, and Zero Trust controls proves that agencies can unlock Microsoft’s AI and low-code capabilities without disturbing sensitive AWS-resident data.
But the path from proof of concept to production requires disciplined execution: published accreditation artifacts, performance validation under realistic load, clear contractual responsibility for cross-vendor incidents, and a sustained operational model with the right skills. Agencies that pair SMCC-style architectures with rigorous assurance and procurement modernization will gain a powerful lever to accelerate digital transformation while preserving the legal and security constraints that protect citizens.
More departments will likely trial the approach. Those that treat the eight-week PoC as a starting milestone—and not a ready-made solution—will be best positioned to turn cloud interoperability from aspiration into everyday reality.