A proof-of-concept led by Hitachi Solutions Europe has demonstrated that UK government departments can securely operate Microsoft Power Platform, Dynamics 365, and Microsoft Copilot on live data residing in Amazon Web Services (AWS) without copying or moving the sensitive information. The Secure Multi-Cloud Connector (SMCC) uses a private, Zero Trust-aligned network link and Dataverse virtual tables to achieve real-time access while preserving data sovereignty and compliance controls. Completed in just eight weeks, the PoC marks a significant step toward practical, non-duplicative multi-cloud interoperability in the public sector.

The public sector’s multi-cloud dilemma

Government agencies routinely hold data and workloads across multiple hyperscalers—Azure, AWS, Google Cloud, and private environments. Until now, bridging Microsoft’s productivity and AI tools with AWS-hosted systems has forced IT teams into expensive, risky data migrations or fragile synchronization layers that introduce latency and compliance headaches. The SMCC changes that equation by establishing a direct, private conduit between the two clouds, so that caseworkers and decision-makers can harness familiar Microsoft applications without disrupting where their most sensitive data lives.

Under the hood: virtual tables and private pipes

At the core of the PoC is Microsoft’s Dataverse virtual tables capability. Virtual tables allow Power Platform apps and Dynamics 365 to treat external data sources as if they were native Dataverse records, retrieving information on demand and never duplicating it. This pattern eliminates nightly ETL jobs, avoids stale data, and drastically reduces the attack surface that comes with additional data stores. For read-heavy dashboards, on-demand lookups, and AI-assisted workflows, virtual tables are a supported, production-grade integration method.

On the network side, the SMCC stitches together AWS Direct Connect and Microsoft ExpressRoute—likely through a neutral colocation fabric like Equinix or Megaport—so that no traffic touches the public internet. This private, high-bandwidth path ensures low latency, predictable performance, and a clean security boundary. Coupled with Entra ID (Azure AD) for identity, conditional access policies, role-based authorisation, and comprehensive audit logging, the architecture aligns with the UK government’s Zero Trust principles and security frameworks.

What the PoC claimed to deliver

According to PublicTechnology’s coverage and Hitachi’s own presentation, the eight-week pilot achieved several operational milestones:

  • No data duplication: Microsoft Copilot and Power Platform operated on live AWS-hosted case data without copying it into Azure or Dataverse.
  • Private connectivity: The entire data flow stayed within a private network, never exposed to the public internet.
  • Rapid use-case deployment: The team built real-time case-load dashboards, automated workflows for caseworkers, virtual assistants, and AI-driven analysis tools.
  • Bi-directional, cloud-agnostic design: Hitachi described the solution as bi-directional, scalable, and easily extended to Google Cloud Platform.

If these claims hold at scale, government IT chiefs gain a powerful new option: they can choose the best Microsoft SaaS tools for the job while leaving data exactly where governance, legal contracts, or sovereignty mandates require.

Why this matters now

The PoC addresses three acute pain points:

  1. Procurement paralysis – Departments often delay modernisation because picking a “preferred cloud” triggers turf wars. The SMCC decouples tooling choice from data residency, letting agencies adopt skills faster.
  2. Migration risk – Moving petabyte-scale case files or health records is fraught with cost, security exposure, and operational complexity. Virtual access sidesteps that risk entirely.
  3. AI and low-code acceleration – Exposing live data to Copilot and Power Platform without building separate analytics silos dramatically shortens the path to AI-assisted decision-making, automated triage, and intelligent case management.

Independent verification: the building blocks are real

Scepticism is healthy with any PoC announcement. A thorough cross-check of the technical components, however, confirms that the SMCC is not vapourware.

  • Dataverse virtual tables are a supported, documented Microsoft feature. The official Microsoft Learn portal details how virtual tables surface external data in real time without physical replication.
  • Private cross-cloud networking using Direct Connect and ExpressRoute is a mature, vendor-recommended pattern. AWS and Microsoft both publish engineering guidance on exactly this kind of interconnect.
  • Hitachi’s multi-cloud pedigree is well-established. The company has public strategic partnerships with Microsoft, AWS, and Google Cloud, and has productised several cross-cloud integration offerings over the past two years.

Collectively, these facts demonstrate that the PoC rests on a solid technological foundation. That does not yet guarantee enterprise-scale readiness, but it elevates the SMCC from a conceptual sketch to a credible, repeatable pattern.

Strengths and immediate opportunities

  • Unlocks best-of-breed tooling – Departments can suddenly pair Microsoft’s low-code Power Platform and generative AI Copilot with deeply secure AWS-hosted datasets without waiting for a multi-year cloud consolidation programme.
  • Lowers total cost of ownership – Avoiding data duplication cuts infrastructure spend, simplifies compliance audits, and reduces the overhead of managing synchronisation pipelines.
  • Speeds up citizen services – Real-time dashboards and automated workflows promise measurable reductions in case-processing times and staff admin burden.
  • Aligns with government interoperability goals – The pattern naturally embodies “security by design” and reuse, key tenets of the UK Government’s Technology Code of Practice.

Risks, caveats, and what to watch for

No engineering breakthrough comes without trade-offs. Government IT leaders should weigh these factors carefully.

  • Accreditation gap: A working PoC is not an accredited production service. Departments must map the SMCC architecture to specific UK impact levels (e.g., IL3, IL4) and obtain formal assurance before processing live casework. The public announcement includes no penetration test results or compliance attestation.
  • Operational complexity: Private multi-cloud networking, identity federation, and secure connector management demand deep cloud networking and security skills—skills that are scarce across the public sector. Teams must budget for training, runbooks, and 24/7 monitoring.
  • Virtual table limitations: Dataverse virtual tables currently have restrictions around auditing, change tracking, offline mode, and certain Power Platform features. For heavy transactional workloads or scenarios that need robust write-back, a pure virtualised approach may fall short.
  • Legal and procurement complexity: Cross-cloud data access does not erase data-protection obligations. Agencies must still document data flows, maintain Data Protection Impact Assessments (DPIAs), and untangle contractual terms across multiple cloud vendors.
  • Vendor concentration risk: While the pattern reduces dependence on a single hyperscaler for storage, it concentrates workflow and AI tooling within Microsoft’s commercial stack. Exit strategies and portability tests remain essential.

A practical checklist for government IT leaders

If your department is considering the SMCC approach, work through this checklist before committing.

  1. Map accreditation requirements – Confirm the impact level (IL), NCSC guidance, and any FedRAMP equivalency needed for the workload.
  2. Run a production-like pilot – Test failover, latency under load, logging fidelity, and incident response with representative data volumes.
  3. Evaluate virtual table constraints – Compare required features (auditing, offline support, rich reporting) against known limitations; design compensating controls where needed.
  4. Harden identity and access – Implement Entra ID conditional access, least-privilege roles, and step-up authentication for sensitive operations.
  5. Design for network resilience – Use redundant Direct Connect/ExpressRoute links through a neutral fabric provider; benchmark egress costs and latency under realistic traffic patterns.
  6. Plan for sustained operations – Develop runbooks, a 24/7 monitoring strategy, incident playbooks, and a skills development roadmap for your cloud networking and identity teams.
  7. Document legal and data-protection posture – Maintain up-to-date DPIAs, lawful processing records, and cross-vendor incident response agreements.

Reshaping procurement and policy

The SMCC should shift government procurement conversations from “which cloud do we pick?” to “where must the data reside, and what capabilities do we need?” In this modular model, data hosting is chosen for legal and regulatory reasons, application tooling for usability and speed, and secure interconnect is procured as an independent, integral service. Standard government contracts will need updates to cover multi-cloud interconnect fees, continuous compliance attestations, and shared incident response responsibilities among vendors.

The SMCC is the natural product of two converging forces: hyperscalers investing heavily in cross-cloud integration points, and the maturation of neutral, carrier-grade networking fabrics that make private, low-latency routing between clouds operationally simple. Hitachi’s visible investments in multi-cloud services—spanning joint announcements with Microsoft, AWS, and GCP—position the company as a credible integrator capable of delivering such architectures at government scale.

What still needs independent proof

A few claims from the PoC warrant further scrutiny:

  • The eight-week timeline is impressive for a tightly scoped pilot but may not translate to departments with legacy environments, slow procurement, or no pre-existing ExpressRoute links.
  • Specific accreditation artefacts (design attestations, pen-test results) have not been published; agencies must demand these before production rollout.
  • Bi-directional write handling was mentioned but not detailed. How the SMCC manages transactional integrity, rollback, and conflict resolution in a write-through scenario is critical for casework systems and must be validated in any procurement.

The bottom line

Hitachi Solutions’ PoC is more than a glossy proof-point—it demonstrates a technically sound, practically relevant pattern for real-time, private, Zero Trust access from Microsoft applications to data resident in AWS. The underlying components are supported and recommended by the cloud vendors themselves, and the architecture squarely addresses genuine government pain. But moving from a controlled eight-week pilot to accredited, at-scale production demands rigorous, department-specific assurance work. When that work is done, the SMCC has the potential to end costly data migrations, accelerate AI-powered public services, and preserve the data sovereignty that citizens expect—all while giving government IT teams the freedom to use the best tools for the job.