Managing Data Privacy and Security in Your IT Landscape with SAP Conversational AI Chatbots
The primary focus of this article is on the various ways to integrate SAP Conversational AI into your IT landscape while maintaining data privacy and security. We’ll look at a few scenarios where the user has data in an on-premise environment with varying data privacy constraints.
Key concepts that you’ll need to understand
The sentence entered by the user is referred to as an expression.
An entity is a keyword that is extracted from an expression.
An intent is a collection of expressions that mean the same thing but are constructed in different ways. Intents are the heart of your bot’s understanding. Each of your intents represents an idea your bot can understand.
If you’d like more information about these concepts, you can find comprehensive product documentation here.
High-level overview of how SAP Conversational AI connects to your system
To better understand how SAP Conversational AI fits into your IT landscape, we need to start with the various pieces involved:
- Natural language processing (NLP) engine
- Bot Builder
- Bot logic
- Bot Connector
The diagram below will help you understand how these pieces fit together. We’ll go into these interrelationships in more detail further down the article.
Natural language processing (NLP) engine
The NLP engine uses artificial intelligence to better understand users, regardless of how the sentences they enter are phrased. In the past, chatbots relied on a rule-based framework that required specific queries to provide results. However, this approach was cumbersome, inefficient, and didn’t scale well. The NLP engine extracts and returns actionable data, including recognized intents, entities, and user sentiments from expressions.
The Bot Builder, sometimes referred to as the dialog runtime, is the graphical user interface (GUI) where you can build out the conversation flow. Simply put, this is where you tell the bot how to respond once we know what the user wants. The Bot Builder provides an intuitive user experience with a drag-and-drop (no-code) environment that accelerates the development process.
The bot logic is a middleware application that can be hosted on SAP Cloud Platform. This application is responsible for:
- Calling and ingesting OData services from the back-end database/system and exposing that information to SAP Conversational AI.
- Incorporating additional custom logic as an extension of the logic defined in the Bot Builder.
The bot logic can be written in the programming language of your choice and must be exposed as a Web API.
The Bot Connector is an adaptor that helps SAP Conversational AI connect to various communication channels such as Slack, Skype, and others. For a full list of channels, see the section of the product documentation. Important note: The Bot Connector can be entirely redeveloped on-premise to meet custom requirements.
Implementation styles of SAP Conversational AI
Now that you understand the pieces involved, we’re going to look at various implementation styles. Here are the key factors you should think about when choosing the style of implementation:
- Are you currently using a private cloud solution, an on-premise solution, or a public cloud?
- Can you expose your chatbot conversations to the cloud?
- Are you planning on making the move to the cloud?
Standard implementation – cloud solution utilizing on-premise database
In this example, we’re looking at the implementation that requires the least amount of development work. This company has the following needs:
- It requires a back-end on-premise database for information.
- It would like to use SAP Cloud Platform to host the bot logic.
- It wants to take advantage of the prebuilt Bot Connector to connect to various communication channels.
Now I’ll walk you through the process from start to finish.
The user enters an expression in one of the channels shown below:
The expression goes into the Bot Connector and gets translated into a format that SAP Conversational AI can process.
Then the expression is pushed into the dialog engine (a combination of the NLP engine and dialog runtime):
- The NLP engine extracts the intents and entities from the expression.
- The dialog runtime controls the flow of the conversation based on the extracted intents and entities.
If the conversation requires information from the back-end system to continue, the dialog engine calls the bot logic from SAP Conversational AI.
The bot logic receives information as a JSON package.
- This package includes the state of the conversation, confidence scores, triggered skills, and so on.
- Using this information, the bot logic connects to the back-end system and retrieves the required information or triggers a certain transaction.
- The bot logic is also responsible for formatting the response to the chatbot so that SAP Conversational AI can understand the information. To reiterate: This is custom-coded logic, so you can freely customize the bot’s actions from the back end.
To expose the data from your back-end system in a safe and secure manner, OData services can be exposed from your storage through services such as SAP Gateway. SAP HANA Cloud connector will allow you to do this without opening ports on your firewall. If your database is in the cloud, this extra setup is not needed: you can connect your bot logic directly to your data if you expose it as a Web API.
Key points of this approach:
- You leverage the natively built Bot Connector, NLP engine, and dialog runtime.
- The bot logic is the only application you have to develop on your own.
- You have to configure SAP Gateway and SAP HANA Cloud connector for this implementation style.
Data privacy with this approach
The standard implementation approach exposes your data to the cloud. SAP Conversational AI has built-in data protection policies to help ensure you comply with GDPR.
Identity protection in this approach
You can enable single sign-on for identity protection and to make sure people have access to only the information they are permitted to see. Here’s a great blog providing step-by-step instructions to enable SSO with SAP Conversational AI.
SAP Conversational AI NLP integration – minimum public cloud exposure, maximum data privacy
This approach results in the least public cloud exposure and is primarily used for augmenting applications hosted on your intranet. The architecture can also prevent any sensitive data from being exposed to the cloud. This would be ideal for a private cloud or on-premise customer who wants minimum cloud exposure. Because it uses less of the prebuilt content, this approach requires more development effort. To reiterate: This approach is only suitable for internal use cases.
In this infrastructure, almost the entire chatbot ecosystem remains within the client infrastructure, whether that is on-premise or in a private cloud. Now let’s dive into how this architecture works.
Webchat will be your on-premise channel for users to communicate with your bot, so the first step is for you to enter an expression “X” in the webchat.
Once the webchat receives an expression, it routes it to your on-premise Bot Connector:
- The Bot Connector (open source) must be redeveloped and deployed in your on-premise environment.
- The Bot Connector translates the user input into a format that can be consumed by SAP Conversational AI.
The Bot Connector then transfers the expression “X” to the bot logic.
In order to extract the intents and entities within the expression “X”, the bot logic will then send the expression to the NLP engine on SAP Conversational AI. To maintain data privacy, you can first encrypt all your crucial information in expression “X” before sending it to the NLP engine. This way, none of your sensitive information will ever be exposed to the cloud.
The NLP engine sends a response with the intents and entities. Once the bot logic receives this, it can move the conversation forward with an appropriate response, which sometimes requires back-end API calls to the on-premise database or back-end system.
Data privacy with this approach
This is entirely an on-premise setup, where the only instance of the data leaving your firewall is in the form of an API request to the NLP engine in SAP Conversational AI to extract the intents and entities.
Key points of this approach:
- In this architecture, the Bot Connector and bot logic will be hosted in the on-premise/private network.
- With this architecture, you can ensure no information from the back-end database or back-end system is exposed to the cloud.
- You can make sure all expressions sent to the cloud have all their sensitive information encrypted before they leave your on-premise environment.
SAP Conversational AI hybrid integration – zero exposure of back-end data
This implementation style is perfect if your goal is to avoid exposing OData services from your back end. The major differentiation is that you host the bot logic on your on-premise system, ensuring that your back-end data never has to leave the on-premise network. Now let’s dive into how this would work:
- The user enters the expression in one of the various communication channels, and the expression is passed to the Bot Connector.
- The Bot Connector, which is hosted on SAP Cloud Platform, then sends the expression to the bot logic which is hosted in your on-premise network.
- The bot logic handles the expression and makes a request to:
  - The back-end system, if this is necessary to move the conversation forward.
  - The NLP engine in the cloud to extract entities and intents from the expression.
- Once this information is collected, the bot logic has everything it needs to move the conversation forward.
Data privacy with this approach
In this approach, the information entered by the user is the only information that is exposed to the cloud. Sensitive information within expressions entered by the user can be encrypted using the bot logic before sending it to the NLP engine. In addition, all your back-end system data stays within your firewall since the bot logic is housed on-premise.
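As an added example (not code from SAP or from the original article), here is one way on-premise bot logic could encrypt sensitive values in an expression before calling the NLP engine, as described for both the NLP integration and the hybrid approach. The two patterns, the ENC_ token format, the function names, and the reply shape are assumptions made for illustration.

```javascript
const nodeCrypto = require("crypto");

// Assumption: these two patterns stand in for "sensitive information";
// a real deployment would use its own list (names, IDs, amounts, ...).
const SENSITIVE = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+|\b\d{8,12}\b/g;
const TOKEN = /ENC_[0-9a-f]{58,}/gi; // 12-byte IV + 16-byte tag + >=1 byte data

// Encrypt one value with AES-256-GCM and pack it into a single opaque word.
function sealValue(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every value
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const data = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return "ENC_" + Buffer.concat([iv, cipher.getAuthTag(), data]).toString("hex");
}

// Decrypt a token; throws if it was modified or sealed under another key.
function openValue(key, token) {
  const blob = Buffer.from(token.slice(4), "hex");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return plain.toString("utf8");
}

// Run on-premise, before the expression is sent to the cloud NLP engine.
function protectExpression(key, expression) {
  return expression.replace(SENSITIVE, (match) => sealValue(key, match));
}

// Run on-premise on the NLP reply: restore tokens in every string field.
function restoreReply(key, node) {
  if (typeof node === "string") return node.replace(TOKEN, (t) => openValue(key, t));
  if (Array.isArray(node)) return node.map((item) => restoreReply(key, item));
  if (node && typeof node === "object") {
    return Object.fromEntries(
      Object.entries(node).map(([k, v]) => [k, restoreReply(key, v)]));
  }
  return node; // numbers, booleans, null pass through unchanged
}

// Constructed demo: the key would come from an on-premise key store in practice.
const demoKey = nodeCrypto.randomBytes(32);
const outbound = protectExpression(demoKey,
  "Send the invoice for customer 4000123456 to anna@example.com");
// Constructed reply shape (hypothetical, not the SAP Conversational AI schema).
const reply = { intent: "send-invoice", entities: [{ raw: outbound.split(" ")[5] }] };
console.log(outbound);
console.log(restoreReply(demoKey, reply));
```

Because every value is sealed with a fresh nonce, the same customer number yields a different token in each expression, and the key never leaves the on-premise network.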
Key points of this approach:
- Your back-end system data is not exposed to the cloud.
- You need to custom build your bot logic because you’re not using the built-in dialog runtime module of SAP Conversational AI.
- This is ideal for a customer-facing bot where you must provide confidential information that you don’t want to expose to SAP Conversational AI.
SAP Conversational AI is developing rapidly, with updates every quarter designed to make integration with SAP and security processes even easier. For more information on the implementation styles presented here, feel free to leave a comment below or go to SAP Answers.