Swiss company Virtual Network Consult AG (VNC) aims to empower users with control over their data through its communication software stack, VNClagoon, built on open source technologies. In a candid conversation with OSFY’s Yashasvini Razdan, VNC’s Andrea Wörrlein, Managing Director, VNC and Bernd Rodler, Community Leader, VNC, spoke about the company’s focus on digital autonomy, community collaboration, and India’s role in its operations.
Q. How would you describe VNC to a non-technical CEO of a prospective client?
A. VNC is a global company focused on developing a comprehensive software stack for communication and collaboration. Our team spans Switzerland, Germany, Eastern European countries, India, Pakistan, Vietnam, Dubai, the US, Canada, and Southern America. As our products are built on open source technologies, collaboration with community leaders worldwide is crucial. While our headquarters are in Switzerland, our international DNA shines through as we bring together top expertise from diverse locations. Our goal is to deliver a software suite that competes with Microsoft Office 365, offering customers the option to be digitally autonomous, controlling their data and information sharing. This is especially important for government customers who require full control over their data and personal information. Our mission is to empower users with the right to determine the fate of their data.
Q. What do you mean when you say VNC is a leading developer of open source based enterprise applications? Is it different from open source software?
A. No, it is not. When you look at the VNClagoon suite, it is leading compared to any other open source-based communication and collaboration stack. Regarding this complete suite of communication and collaboration, and what we are doing, we are based upon open source platforms and technologies, and all our partners and customers have complete access to every line of code. We are open to audits and collaboration with partners who are developing their own solutions based upon VNClagoon. That is what we are doing with the software. It’s auditable, open, and transparent.
Q. What is VNClagoon?
A. VNClagoon is the umbrella term for our software suite for secure communication and collaboration. This suite comprises approximately two dozen products, with one of them being VNCtalk, our secure alternative to WhatsApp or MS Teams. Another noteworthy product within our stack is VNCcrm, a customer relationship management tool. In VNCcontacts, each contact is represented by an avatar, containing not only address information but also records of conversations. Furthermore, a user can easily start activities in this action wheel such as a new chat or new call to the contact. All products and functionalities are integrated, stored, and centrally managed. VNClagoon is the overarching suite, and within it, we currently offer around 20 products, with the number continually increasing.
Q. How does your product range of solutions and services compare to what your competitors offer?
A. Two global giants stand as our primary competitors in the market with Microsoft Office 365 and Google Workspace. There are some other niche products in the open source space, but they lack the completeness and integration seen in Microsoft and Google offerings. We are confident that our product covers all the relevant functionalities provided by Microsoft in MS Office 365 and goes beyond in areas like sophisticated project management, archive integration as well as low-code/no-code technologies.
Our comprehensive groupware is comparable to Microsoft Exchange, with numerous successful migrations from Exchange to our VNCmail product. We seamlessly integrate file sync and share functionalities, akin to OneDrive or Dropbox, into our product stack. Our product, VNCchannels, combines elements comparable to Slack and SharePoint, offering content creation and collaboration. We have developed tools for software development, code management, and automated testing as well as project management, all fully integrated into our product stack. For instance, within our system, every interaction with individuals is stored and tracked, providing a complete history of communication methods used, whether it’s email, chat, or video conferences. This integrated approach extends to customer relationship management (CRM), where each action within our product updates the corresponding avatar, providing a comprehensive view of interactions behind the virtual equivalent of a person’s identity.
Q. Could you explain the technology that allows you to view all interactions behind an avatar representation, and how does it benefit your customers?
A. To achieve this, we employ sophisticated technology in the background, such as an enterprise index called Solr. We chose Solr over Elasticsearch due to its scalability, used even by entities like Bloomberg. This powerful index allows us to query information from our backend tools and present it on the UI. This separation of backend functionality from the frontend sets us apart. We have our own frontend client, VNCuxf (user experience framework), based on open source Google Angular. This setup enables us, our customers, and partners to modify the UI easily, add or change functionality, and integrate third-party applications as long as they are web-ready and cloud-ready. This flexibility allows our partners to tailor the offering according to their needs, whether they are SaaS providers, telcos, or large enterprises with their own branding and representation of the product.
Q. What are the technological differences between your suite of software and the proprietary ones?
A. When comparing open source solutions like ours with proprietary ones such as Microsoft and Google, there are notable distinctions. For instance, Microsoft and Google focus on user interfaces that may not align with professional organisational needs. Consider the example of Gmail, where tags are emphasised for email organisation, whereas some users prefer the structure provided by folders. Similarly, tools like Google Task Manager might lack the functionalities required for effective team organisation in a business setting. While these platforms offer modern and technologically advanced features, they are centrally hosted, requiring users to place complete trust in providers like Google, Microsoft, Oracle, or Salesforce. This centralised hosting model raises concerns, especially in security-related businesses where trust is a critical factor. From a technological perspective, platforms like Google Angular provide excellent front-end technology, but the key distinction is the ability to use such technologies under our control. This approach involves leveraging open source components, enabling development and hosting within our customers’ data centres. In the case of Microsoft, products like MS Exchange and MS SharePoint, despite their historical significance, may struggle to keep up with the evolving landscape. Attempting to modernise older systems proves challenging, and there is need for a fresh start to stay in line with the rapidly advancing technology landscape.
Q. How would you explain or convince your prospective customers (CIOs and the IT decision-makers), who are evaluating your solutions with respect to other solutions, to buy your product?
A. We bring modernity and innovation. Open systems consistently outperform closed systems, as in the case of Tesla, which operates as an open source company, even sharing its so-called patents. Security is the second crucial factor. How can a US company assure its customers, held accountable by the Cloud Act, that their data is secure? Similarly, convincing an Indian government institution that their data is safe in the US is a dubious claim. Lastly, total cost of ownership (TCO) is a key consideration.
Operating on Linux and Kubernetes, our stack requires significantly fewer resources compared to Microsoft’s often outdated components. For instance, Microsoft Exchange is decades old, whereas we leverage state-of-the-art web, cloud, and SaaS technologies. If the functionality is comparable to Microsoft and these three aspects are considered, many large industry-leading customers approach us. We have invested a decade building this suite and are now entering the market with full force, partnering with companies like Intel, Fujitsu, and Bechtle AG, Germany’s largest independent IT systems integrator. Bechtle AG has selected our product as a strategic offering to address their extensive customer base with a new technology based on open source. In Europe, the open source movement is gaining momentum, and we anticipate significant growth in the next two to three years. The prediction is that open source will dominate the entire space of communication and collaboration, with VNC being a leader in this transformation.
Q. Why do we see companies such as Intel, whose main business is very proprietary in nature, venture into the open source space?
A. From our point of view, Intel is well aware that open source technology, along with the associated engineering and development practices, represents the future—a future they must embrace. While they currently hold a substantial market share, making them the undisputed leader, they recognise the need to adapt. In the rapidly evolving landscape of SaaS and cloud environments, where major players like Google and Apple are developing their own chips and processors, staying ahead requires vigilance. With VNClagoon we can use so-called confidential computing based on Intel Software Guard Extensions (SGX) to handle data confidentiality during storage, transmission and, for the first time, during processing through encryption. The hardware-protected process ensures that access to such data is only possible for the client, thereby minimising the risk of accidental data leaks. By running various microservices of the VNClagoon implementation in SGX enclaves, increased protection of data during processing was achieved. As the central ‘guard’ of the VNClagoon deployment, the so-called NGINX Ingress Controller of the Kubernetes cluster was first protected in this way. Work is also underway to protect key management in Hashicorp’s vault and encapsulate the central user database.
For instance, the technology we employ to encrypt compute processes within the processor, known as Grammine, is part of an open source community. This open approach is crucial for ensuring secrecy and privacy around processor technology. While Intel may not open up its patents currently, the surrounding software is entirely open source, a practice we value and appreciate.
Q. How do you generate your revenue from your partner ecosystem?
A. Our revenue model is straightforward. Partners may sell subscriptions for the complete VNClagoon stack or for individual products, and we provide them with an attractive margin. Our subscription fees cover product maintenance, current versions, and basic support. We explicitly state that we are not a SaaS provider and have no intention to become one. We are cloud-native and SaaS-native, but we strictly operate through indirect channels. Our partners are our direct customers, ensuring we never compete with them in the SaaS space. Significant customers may request our involvement in kickstarting a project, but our focus is on involving partners early on for operations, consulting, services, help desk, and third-party integrations. As developers, our focus is on the future, and we commit to no interference with any partner’s operational aspects.
Q. When your partners customise your product and sell it to other people, does the pricing change, and if it does, how?
A. Partners utilise our core suite or select components based on their needs. The suite is highly modular, allowing them the flexibility to choose specific products rather than adopting the entire suite. They can start with one product and, if they identify a need for additional features catering to their target audience, they are encouraged to develop those components. We invite them to contribute and innovate freely. If they wish to collaborate with us for selling the developed component in other territories, a percentage of the list price is negotiable to cover administrative, sales, and other associated costs. This concept is akin to platforms like the Apple marketplace.
Alternatively, if partners prefer to develop features exclusively for their customers without reselling through our platform, they are welcome to do so independently. We refer to this approach as the VNCfactory, emphasising our commitment to fostering a collaborative development platform. Partners are encouraged to build and provide customers with enhanced solutions tailored to their specific needs, recognising that regional variations may result in unique requirements for different markets. Only in cases where we are involved in reselling do discussions about the marketplace and associated terms come into play. This vision underpins the entire product development strategy, positioning it as not just a product but also as a versatile development platform.
Q. Do you provide any sort of support? If yes, are you monetising that support model?
A. We acknowledge the need to support our personnel, including support and consultants, for tasks like setting up substantial infrastructures. However, our aim is to swiftly transition such responsibilities to our partners, who provide support in 90% of cases. Considering this, we’ve explored ways to simplify our partners’ lives. Our VNClagoon stack installs within an hour, ready for use on any Kubernetes flavour, whether it’s Google Cloud, Amazon Cloud, IBM Cloud, or an on-premises Kubernetes in a data centre. This optimised deployment allows for rapid recovery in the event of a disaster, with crucial components up and running within 10 minutes. This is our unique selling point, as hardly any other solution in the market achieves such swift deployment, which is beneficial for our partners, including telcos, SaaS providers, governments, and large enterprises. With standard technologies and a fully open source platform, operators or DevOps teams can quickly grasp the installation and setup, taking only about a few hours — in multi-node environments — with minimal support from our end.
Q. What kind of partners are you looking for in India?
A. We seek partners who serve customers with security concerns, such as entities working for government clients, banks, insurance companies, and businesses dealing with customer data that requires strict security and confidentiality measures. We had earlier partnered with an entity based in India that offered hosting services. Our partners include businesses of varying sizes – small, medium-sized, and large enterprises, as well as private consumers seeking communication and collaboration products. Whether it’s an alternative to Microsoft Teams, Microsoft Exchange, or Jira for project management, our partners offer diverse solutions for the unique needs of their clientele.
Q. How has the response been from your target market, and how do you plan to expand it?
A. We have a compelling example here in Europe, where we started as a company. However, our aspirations extend beyond Europe, and we are currently receiving numerous requests from the Middle East. An interesting development is the rapidly growing influence of the BRICS nations. India, being a part of BRICS, has played a significant role from the outset, contributing to this expansive and emerging market. Notably, an increasing number of nations have expressed interest in joining BRICS. Some of these nations are approaching us with the proposition of establishing a sovereign IT environment tailored for their specific communication and collaboration needs. This ongoing development is truly fascinating.
Q. What role does India play in your operations?
A. VNC heavily relies on our exceptional team members in India, as our journey began around 11 years ago, and at that time, India was among the few countries with the requisite knowledge and expertise for the innovative tools we aimed to develop. One of our core products originated in India, created by the renowned Satish Dharmaraj. This product, named Zimbra, served as one of our initial components, later enhanced with additional functionality. Over the past decade, we have collaborated with 300-400 developers from various parts of India, spanning Kerala, Gujarat, New Delhi, Mumbai, and Bangalore. This collaboration resulted in an integrated, feature-rich suite of products. We maintain strong relations with many of these developers and are proud to have initiated this venture from Switzerland and India.
Q. Is India only relevant to you because of its developer community or are you also looking at it as a potential market?
A. Unfortunately, India presents a unique challenge for selling software due to it being a software development powerhouse. Many Indian software development companies find it challenging to pay for software, asserting that as a nation of software development, they shouldn’t have to pay or, at the very least, not as much.
Q. When running multiple platforms, how does the licensing model play out?
A. We have a core component called VNCdirectory, a directory service and integration platform similar to Microsoft Active Directory, for managing organisations, sub-organisations, users, and roles. In VNCdirectory, you can define permissions, such as allowing a specific group of users in an organisation or sub-organisation, or with a certain role (e.g., marketing) to use VNCchannels. User activity is tracked, allowing us to generate detailed reports. We trust our partners, and the invoicing process is straightforward, with monthly invoices sent based on actual usage — for example, if 10,000 users are using VNCchannels.
Q. What kind of licences do you use for your open source platform — traditional open source licences, or source available licences, and why?
A. We must find common ground. The minimum, or least possible denominator, as it’s called, is quite straightforward for us. We adhere to the General Public Licence (GPL), specifically the latest version. Given the multitude of components within our stack, there are automated tools that consistently check the tools used in a given environment, along with the associated licences. So, we always aim for a licence that comprehensively covers everything, typically opting for GPL. Regarding licensing changes when the product is passed on to our partners and they make modifications, the licensing component itself remains unchanged. The product undergoes customisation as needed. Yes, the stack we deliver is under the GPL, and if a partner decides to enhance functionality for a particular project, they have the freedom to do so. There’s no obligation to contribute it back, except if they intend to resell it – in that case, adhering to the licensing requirements would be appreciated. This sometimes leads to misunderstandings with open source; developing open source in a project doesn’t necessitate sharing it unless there’s an intention to resell it.
Q. Are there any new developments or additions to the technology stack of your product?
A. In terms of our future developments, we are currently in the beta phase of introducing a low-code/no-code platform to our stack. This platform empowers managers and government administrators to interact with data from VNClagoon’s backend. They can build tables, charts, and even geo-mapping without the need for coding skills. The strength of low-code/no-code lies in its front-end tools that allow manipulation and interaction with applications and data, akin to a pivot table in a spreadsheet.
Another addition in our agenda is the incorporation of AI tools. Many discussions around AI often focus on statistics or, at best, machine learning. However, we are actively integrating a variety of AI tools into our stack. For instance, we are collaborating with a large German customer managing billions of documents, some even handwritten. To digitise such information efficiently, we are embedding machine learning capabilities into our product. This is just one example, and we are also developing AI applications within project management. An exciting project in collaboration with an AI expert in Mumbai involves creating a ‘robot planning’ feature. This AI analyses a developer’s behaviour and ticket information to streamline and prioritise tasks automatically, enhancing productivity. These AI and machine learning additions are progressively becoming part of our product stack.
Q. How secure is the code if AI is a part of the development process?
A. The question you raised is indeed a challenge, shedding light on a significant issue with AI. It’s crucial to address concerns about privacy and data security when feeding models with our own and our customers’ data. The idea of government institutions handing over data to external entities like Google TensorFlow or ChatGPT raises valid concerns about national sovereignty. Operating in this manner poses risks, making it imperative to always closely monitor and adapt our approach to AI.
To mitigate these risks, the preference should be for AI models that are prebuilt and installed locally. By keeping the data within your control, you feed it into the model, enhancing precision and facilitating learning. Crucially, this approach ensures that the model’s insights remain private, never shared with the external world. The ongoing discussion surrounding AI centres around this critical question.
Elon Musk recently emphasised the need for a freeze or moratorium on AI development due to its increasing dangers for societies, citizens, and nations. This highlights the importance of careful consideration before proceeding. Shifting the focus to cybersecurity threats, it’s essential to recognise the dynamic nature of the entire system, emphasising the need for continuous vigilance and adaptability.
Q. How does your company stay updated with the emerging security trends and technologies, and how do you ensure that your application is secure?
A. We are engaged with highly skilled individuals, particularly in Germany and other European nations, with a focus on security, and have formed close partnerships such as the one with Intel. One of the critical aspects we focus on is what occurs when data is in the processing phase, computed within the processor. This led to the formulation of our zTOP (zero trust onion principle) strategy, featuring a seven-layer architecture. Starting with layer number seven, we collaborate with experts, including individuals from the US security core community, to virtualise the Linux kernel to make it more resilient. Continuous audits of software are emphasised at layer one, with vendors being encouraged to open up their software for rigorous auditing. Without open source, real audits become impossible, relying solely on trust in the vendor. This approach aligns with our commitment to maintaining control over security and privacy. Layer six introduces confidential computing, where Intel’s involvement becomes crucial. We’ve leveraged Intel’s SGX processor compute technology within the VNClagoon suite.
Continuous audits are essential, and this is achievable when the software is open. For security to be effective, customers need the flexibility to operate in a manner that aligns with their specific needs and security requirements. For maximum protection, even during collaboration, customers must have the freedom to operate the suite where they choose. If they are compelled into a SaaS model with predefined hosting, discussing security becomes challenging. For instance, customers in the defence and military sectors are adamant about not hosting their critical systems on platforms like Google Cloud. They prefer to operate independently, maintaining full control over their environment.
Q. What is the kind of issue tracking procedure in this system?
A. We have a fully integrated help desk system, which is even ITIL (Information Technology Infrastructure Library)-based to a certain degree, providing a structured approach to handling processes. Our Indian teams excel in tracking problems and attempting to resolve them independently or escalating them to our engineers. This constitutes the first part of our process.
For more complex issues, our engineers take charge of resolving them. Driving and overseeing this process is a crucial aspect of our responsibilities. We don’t simply wait for a community to address issues in an extended timeframe. If external audits reveal problems, we actively engage with the community members’, pushing them to expedite solutions. While we can handle many tasks internally, there are instances where we need to stimulate and accelerate the community’s response. Time sensitivity is essential; we cannot afford to wait for extended periods, especially when dealing with threat levels three, four, or five. In such cases, immediate action is imperative.
Q. How do you drive and incentivise the community to participate in such exercises?
A. Developers are motivated to participate in the community from the sheer enjoyment of solving problems—an engineering approach. This intrinsic drive is shared by our team members. They are not primarily motivated by monetary incentives; rather, three key factors contribute to their commitment to our organisation —- curiosity, the diverse and interdisciplinary nature of their work, and a multicultural approach.
A steady stream of problems to solve keeps these developers engaged; otherwise, their work would become mundane and uninteresting. Second, unlike a narrow focus on a single product, our developers appreciate the interconnectedness of various products within the suite. This diversity allows them to transition between products, collaborate with team members globally, and broaden their skillsets. Third, the younger workforce is keen to collaborate with individuals from different cultures. Despite initial language barriers, friendships form quickly, fostering a dynamic environment of shared learning.
Q. As a community leader, how do you manage conflicts in such a large community?
A. Managing conflicts within such a vast community involves constant communication. Dialogue, negotiation, and discussion are key components. Whenever conflicts arise, the approach is to initiate discussions through video calls or group chats to address the issues promptly. The VNCtalk messenger was specifically developed to facilitate communication within the community, recognising that developers often prefer chatting over video conferences or phone calls. The emphasis is on maintaining open communication channels, negotiating solutions, and adhering to the company’s ethical guidelines, which outline how to work effectively within a virtual organisation with flat hierarchies and a meritocratic structure.
