Transforming Microsoft IT: Consumerization & the Cloud

Quick Reference Guide

Published: August 2013

Download Quick Reference Guide, 328 KB, Microsoft Word file

Executive Overview

This reference guide describes how we are transforming Microsoft IT to embrace two major trends in the technology industry—the consumerization of IT and the adoption of cloud-based services. Learn about the infrastructure investments we are making, the changes to IT governance policies, and the best practices we have learned along the journey.

What’s in it for you:

  1. Gain insight into Microsoft’s IT transformation. This document will help you understand the motivations behind our extensive changes, the changes we’ve put in place across the infrastructure stack, and the key characteristics of our new IT environment.
  2. Understand the investments required. Migrating from a traditional, locked-down enterprise IT environment to a more open, cloud-based environment requires a significant rebalancing of investments, with a corresponding change in the skillsets required of IT personnel.
  3. Learn about key governance policy changes. With the change to a cloud-enabled consumerization model, we have had to make a fundamental shift in mindset from device control to data governance. Learn how we protect sensitive information and help secure our IT environment.
  4. Gain from our experience. While this document is not intended to be a comprehensive catalog of all the actions and investments in this effort, it will help you understand the issues and challenges you might face in making a similar transformation of your IT infrastructure, and the areas of focus that will help you build your own implementation roadmap.

Products

Microsoft IT is the first and best customer for Microsoft products, and our transformation has resulted in a rebalancing of the products used across our infrastructure.

Enabling consumerization of IT and the cloud

The key Microsoft products that enable our transformation include Windows 8 and Office 365 on employee PCs, Windows Phone 8, System Center 2012 for management, Windows Azure and the Cloud OS, and SkyDrive for cloud storage.

The Microsoft Workforce

While in many ways Microsoft is a unique environment—many of our people are deeply rooted in developing the technology we deliver—in most ways our businesses and employees have the same issues and requirements as companies across industries and across the globe.

Our people and businesses expect:

  • The freedom to use any device they choose—company or personal

  • Simple, intuitive access to apps and information

  • Ubiquitous connectivity from anywhere

  • Personal and professional social connections

  • New applications and services rapidly deployed and continually refreshed

To meet these expectations, Microsoft IT has three main goals—to connect our employees to their applications and data, to provide experiences that serve and delight, and to enable the new range of cloud services that drive efficiency and productivity:

Connect Microsoft. Enable real-time IT to support Microsoft’s new business models, and bake security into everything we access

Delight Our End Users. Provide a no compromise app and data access experience, and empower our users to realize their full potential with access anytime, anywhere, from any device

Enable the Cloud. Access to Azure is transparent, and as easy as Corpnet, removing access barriers to cloud adoption

From IT-centric to People-centric

Microsoft IT has supported Consumerization for the better part of a decade with technologies such as Outlook Web Access (OWA), Virtual Private Networks (VPN) and Exchange ActiveSync (EAS). However, as we move forward, we have been building out our infrastructure and policies to make the end-user experience richer and more seamless.

  1. Any permitted information. This means the availability of personal information, access to work related resources based on robust permissions, and seamless access to social content.

  2. On any device. In addition to company-issued devices, we support a bring-your-own-device (BYOD) model, where profiles follow the user to any device on which they authenticate; employees can use virtualization on non-Windows devices to access Windows applications and data stores, and employees can access and share their content in the cloud.

  3. At any place. This principle includes providing high-performing and secure global network coverage; access to corporate resources is seamless from home, work, or remote locations with DirectAccess; and campus support for enhanced cellular coverage provides reliable performance when connected to a cellular network.

  4. At any time. Employees should enjoy a productive experience at any time—their services and data are always available through resilient software services, and new applications and capabilities are available rapidly, not after a protracted deployment.

This migration has been underway for some time, but has rapidly accelerated in the past 18-24 months. The workforce of today is demanding this, and Windows 8, Windows Azure, Office 365, and SkyDrive are all making the vision a reality.

Microsoft IT by the Numbers

Microsoft IT operates at a massive scale…

  • We have 180,000 end users worldwide

  • We connect 2 million remote connections per month

  • We have 1.1 million IP addresses on the corporate network

  • There are about 311,000 PCs managed by System Center

  • Over 468 locations connecting to corpnet

  • We maintain over 25,800 wireless access points, and these are continually growing

  • There are 94,000 Windows Phone devices synchronizing to corpnet

  • We manage over 2,900 applications

  • We maintain over 176,000 SharePoint sites

  • We supply more than 26 PB of storage

Plus—Microsoft has invested over $15 billion in cloud infrastructure to support over 200 online services, reaching more than 1 billion people and 20 million businesses in over 76 markets.

The Transformation of Microsoft IT

The two major trends that are affecting every major organization are affecting us dramatically—the Consumerization of IT to empower people, and embracing the cloud to support the modern workforce while driving greater efficiency, agility, and scale. While some technical areas view them as functionally discrete, from a systems view they are in many ways interrelated.

  • The Consumerization of IT means knowledge workers use many devices to accomplish their tasks, both on premises and off, and expect access to information wherever it is, from any device. For customers, this means that licensing moves from a per-device model to a per-user model.

  • Embracing the Cloud means IT is delivered as a service. This changes the nature of IT work, as the focus moves to delivering and managing services, not managing infrastructure. Our environment is hybrid, but we are moving as many workloads to Azure as is practical and prudent.

From an IT infrastructure management perspective, we have a number of areas we need to address—both in the areas of technology and processes. However, in many ways they are interrelated:

  • The Cloud is enabling rapid support of Consumerization. At the individual user and department level, these are cross-enabling and symbiotic, but in certain functional areas the investments and actions taken are discrete.

  • Where services are migrating to the cloud, the requirements and supporting technologies are interrelated—such as access and identity, and network infrastructure.

  • A unique situation arises when people bring devices and need access to corpnet resources. It’s no longer practical for IT to have full control and administrator rights to allow access.

Challenges with a Traditional IT Environment

In a traditional IT environment like the one we operated until recently, we faced many challenges—both at the end-user level and in the back-of-the-house data center infrastructure.

End User Challenges

  • Limited flexibility & choice in devices

  • Multiple device use creates disparate profiles & data libraries

  • Corporate resources unavailable or difficult to access

  • Unmanaged devices pose potential security risk

Data Center Challenges

  • Major capital investments in infrastructure

  • Significant resources devoted to low value-add administrative tasks

    • Racking & deploying servers

    • Installing images & applications

    • Patching and updating

The transformation of Microsoft IT is an effort to move away from an environment held captive by these challenges, and move to a model where the Windows Azure cloud enables IT as a service with routine administrative tasks managed at scale and automated, and end users gain more flexibility and productivity through the modern desktop environment and cloud-based services.

Modern Microsoft IT Delivery Framework

As we transform Microsoft IT, we focus on the following areas of investment:

  • Server Infrastructure

  • Network Capability and Performance

  • Identity and Authentication

  • Device Management

  • Applications and Services

  • Governance, Policy, and Security

The balance of this Quick Reference Guide will explore the changes we are making across these areas.

Server Infrastructure

As we move to support a cloud-based infrastructure model, our server strategy is undergoing dramatic change.

In a traditional enterprise IT model:

  • Users log onto corpnet to access their applications and data

  • Infrastructure sits behind a firewall on private 10.x address space and is interconnected by a private backbone

  • Applications and services reside on dedicated servers

  • The entire environment smacks of “big iron”

In the cloud IT model, the critical factor is connecting our users and services together through a high-quality connection to an edge node. The applications and services reside in a Windows Azure data center, with storage on a SkyDrive account.

The result is greater agility, efficiency, and sustainability:

  • Agility because we can rapidly provision new services or end users can self-provision

  • Efficiency because the scale at which Windows Azure operates allows better resource utilization and more automation of routine tasks

  • Sustainability because the cloud infrastructure we maintain to support Windows Azure itself delivers far more computational output per unit of energy consumed than a traditional on-premises data center.

Network Infrastructure: Design Principles

Following is the set of network design principles that support consumerization and cloud computing:

  • We maintain a high performance & flexible core that allows dynamic and intelligent routing of traffic

  • Our network can segregate & prioritize distinct traffic types to ensure isolation

  • We engineer in an intelligent & secure services edge which is distributed in nature

  • We provide consolidated, global, centralized management of traffic flow, security policy and violations, and routing

  • We build in flexibility to allow for varying degrees of security policy enforcement to be implemented by location, group, or ideally identity

  • Our network has embedded programmability

Network Infrastructure: Investments

As our network is a critical area for both consumerization of IT and cloud adoption, we have significantly rebalanced our investments in IT infrastructure to better support wireless connectivity, edge connectivity, firewalls, identity & authentication, and security.

Physical Buildings

  • WiFi: High performance 2.4 GHz 802.11g/n for BYOD and Guests

  • Open Guest WiFi for on-campus internet access of non-domain-joined devices

  • Carrier MPLS VPN services to provide a more resilient network connection for buildings

  • Implementation of in-building cellular coverage to improve cellular network access

Regional Interconnects

  • Backbone capacity to scale up for dramatic increase in connected devices, developer workflow & cloud-based applications

  • Redundancy & designed-in resiliency to maintain “always on” status

  • “On-ramp” connections/edge nodes that reliably get people to their applications and data from anywhere

Identity and Authentication

The Microsoft IT Access strategy revolves around three key themes—empower our end users, modernize our access foundation, and provide secure access to Microsoft resources:

Empower our End Users

  • Any device with light & opt-in management

  • Seamless wireless connection to public, corporate resources

  • All applications “just work”

Modernize our Access Foundation

  • Productivity on Day One

  • Right identity for the right purpose

  • Open Guest access to internet on campus

  • Secure Social Solutions

Provide Secure Access to Microsoft Resources

  • Identity is always ensured

  • Corporate data is appropriately protected and secure

  • Secure management for the enterprise

Device Management

To support the devices our employees and guests use on our premises, Microsoft IT follows a tiered approach to device management:

  1. Fully Managed. This level provides access to Microsoft Exchange services, plus LOB applications and corporate data (based on permissions level) through an opt-in model for management.

  2. Trusted. This level provides access to Microsoft Exchange services (email, calendar, social, Lync) through Microsoft Exchange ActiveSync. The requirements to reach this level are a PIN for unlocking the device, Autowipe for remotely deleting all device data in the event of a lost or stolen device, and Encryption for preventing unauthorized access to data on the device’s drives.

  3. Unmanaged. This level provides guest access, and/or access to an internet connection but provides no access to corporate resources.
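The Trusted tier above is enforced through Exchange ActiveSync policy. The following is an added example, not code from this guide or from Microsoft IT, showing how the three stated requirements (PIN, autowipe, encryption) map onto an Exchange Server 2013 mobile device mailbox policy, how the policy is assigned, how compliance is checked, and how the wipe is triggered for a reported-lost device. The policy name, mailbox alias, device ID and notification address are constructed placeholders; the cmdlet and parameter names are the Exchange 2013 ones (Exchange 2010 uses the older ActiveSync-prefixed equivalents).

```powershell
# Added example (not from the Microsoft IT guide). Run in the Exchange
# Management Shell on Exchange Server 2013. All names below are constructed.

$policyName   = 'Trusted-Tier-EAS'          # constructed policy name
$mailbox      = 'alice'                     # constructed mailbox alias
$lostDeviceId = 'DEVICEID-PLACEHOLDER'      # constructed; taken from Get-MobileDevice output
$secOpsMail   = 'itsecurity@contoso.example' # constructed notification address

# 1. Create the policy. Each setting corresponds to one Trusted-tier requirement.
$policy = @{
    Name                         = $policyName
    PasswordEnabled              = $true        # PIN: a device password is mandatory
    AllowSimplePassword          = $false       # PIN: reject trivial sequences such as 1234
    MinPasswordLength            = 6
    MaxInactivityTimeLock        = '00:05:00'   # PIN: device locks after 5 minutes idle
    MaxPasswordFailedAttempts    = 10           # Autowipe: device wipes itself after 10 bad PINs
    RequireDeviceEncryption      = $true        # Encryption: device storage must be encrypted
    AllowNonProvisionableDevices = $false       # Clients that cannot enforce the policy are refused
}
New-MobileDeviceMailboxPolicy @policy

# 2. Apply the policy to a mailbox (or make it the default for all mailboxes).
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName
# Set-MobileDeviceMailboxPolicy -Identity $policyName -IsDefault $true

# 3. Verify enforcement: list any of the user's devices that have not applied
#    the policy in full. An empty result means every synchronizing device complies.
Get-MobileDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    Select-Object DeviceType, DeviceModel, DeviceId, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastPolicyUpdateTime, IsRemoteWipeSupported

# 4. Remote wipe (the "Autowipe" requirement, triggered by IT for a lost or stolen
#    device). The wipe completes the next time the device connects; the address
#    given receives the acknowledgement.
Get-MobileDevice -Mailbox $mailbox |
    Where-Object { $_.DeviceId -eq $lostDeviceId } |
    Clear-MobileDevice -NotificationEmailAddresses $secOpsMail -Confirm:$false
```

The check in step 3 is what distinguishes the Trusted tier from mere mailbox access: with AllowNonProvisionableDevices set to false, a client that reports it cannot honour the PIN, wipe, or encryption settings is refused synchronization rather than allowed through with a partially applied policy.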

Applications and Services: Development and Publishing Models

Application development in the era of the Consumerization of IT requires a user-centric model:

User Requirements

  • Consistent, agile apps that are rich and compelling, yet easy to leverage

  • Apps that are available across devices and platforms, with a consistent look and feel

  • The ability to provide input, and effect change with respect to app development

Developer Requirements

  • Develop smaller, flexible teams or app factories that provide small, workable, consumable applications that users can leverage quickly and easily. Applications must be content-driven, and provide workable solutions that employees need

  • Developers must embrace Consumerization of IT by relying more on engineering and support teams to listen to customers and innovate in an agile way

  • We need to deliver an immersive, engaging experience, and need to provide more and better LOB applications

  • Development teams must publish apps to the Internet, then protect with federated authentication

  • Applications must be designed to be tolerant of hardware failure, so that if a server or a data center goes down, the application automatically fails over to another instance

  • Once marketed and distributed, we need to control and monitor apps by using Windows Intune and System Center Configuration Manager

Governance, Policy, and Security

In supporting Consumerization of IT and embracing the cloud, we have made a marked shift in the policies we employ across the environment. The key change is a shift in perspective from device control to data governance. We begin with classification of data sensitivity based on business impact if it were to fall into the wrong hands, with an “Opt-in” model for readying devices to access corporate resources:

  1. High Business Impact (HBI) is fairly specific, covering PII (Personally Identifiable Information) and financial reporting data

  2. Moderate Business Impact (MBI) data includes Microsoft IP, our Employee Directory, Purchase Order data, and similar items

  3. Low Business Impact (LBI) includes publicly available websites, published documents, brochures, and other materials that wouldn’t impact the business if misplaced.

The guidance we give to business and end users is to:

  • Choose the Right Level of Protection and Label your Data as HBI / MBI / LBI—labeling your SharePoint sites, documents, and emails lets others know how to handle the information they contain appropriately

  • Encrypt your data in documents & e-mails—enable Information Rights Management (IRM) to grant or deny permission to view, save, copy, modify, print, and forward your documents or e-mails. This can help prevent sensitive information from being inappropriately distributed.

  • Manage who has access to your document repositories—using Security Groups to manage permissions on your SharePoint site prevents unauthorized individuals from viewing or editing the contents of your site.

Currently, Microsoft IT supports Contain, Embrace, Allow w/Policy, and Block categories for all of the mainstream Consumerization of IT technology. Here is a breakdown of the four areas of governance:

  1. Contain: Microsoft IT restricts usage of these technologies, and no service is provided. Technologies that fall into this category have a low Total Cost of Ownership (TCO) but are too important to employees to block completely. Examples include non-Windows devices.

  2. Embrace: Microsoft IT expects more entrants into this area, especially as employees begin using these applications for support and marketing. These technologies require a substantial investment, but the business value could be significant. They include Windows devices and Microsoft social media applications.

  3. Allow w/Policy: Microsoft IT has not evaluated this technology and taken action. Future action is to be determined. These include third-party social media applications.

  4. Block: Microsoft IT blocks very few technologies, simply because of the cutting-edge culture at Microsoft. Technology that has a low business value and which is risky falls into this category. Examples here are File sharing applications that violate IP, and applications that have a poor security profile.

Security Strategy

To secure our users, data and infrastructure, we employ a two-pronged approach:

Prevent Breach is a defensive strategy aimed at predicting and preventing a security breach before it happens, involving:

  • Port scanning and remediation

  • Perimeter vulnerability scanning

  • OS patching to the latest security updates

  • Network-level DDoS detection and prevention

  • Multi-factor authentication for access

Assume Breach is a forward-looking offensive strategy to automatically identify unexpected activity, analyze the cause, and mitigate the security gaps found; we use this with Office 365. This involves:

  • Collecting anonymous data on a massive scale

  • Analyzing attack patterns

  • Creating baselines of normal system behavior

  • Proactively detecting suspicious conditions and responding quickly and automatically

Implications for Service Groups and IT

Consumerization requires a flexible approach to service delivery

  • Access will come from many devices and many locations—provide a consistent experience

  • Build on a robust identity and authentication foundation

Design applications and services for a common cloud infrastructure

  • Removing ‘undifferentiated heavy lifting’ frees up developers & IT to focus on value-add

  • Eliminating the need to reserve infrastructure capacity speeds service time-to-market

  • Reducing infrastructure complexity improves service quality

  • For on-premises workloads, fungible physical assets yield dramatic improvements in server utilization

Embrace the shift from five-nines enterprise-scale to three-nines cloud-scale infrastructure

  • Physical systems will fail—availability and performance are a software challenge

  • The scale at which IT needs to operate requires designs, principles, and operations that won’t break at 5x, 50x, or 100x the volume

Lessons Learned

As we look back at the experience we’ve had up to this point, there are several lessons learned that are important to keep in mind as you embark on this journey:

Rebalance investments before making changes

  • Network infrastructure upgrades

  • Identity/authentication

  • Security policy updates

Be systematic around access & security policies

  • Rebalance and prioritize the sensitivity of information

  • Design systems to protect according to priority

  • Retain highly sensitive information on premises

  • Open up low-sensitivity information

Anticipate IT employee resistance

  • Help your organization understand and embrace the strategy

  • Many roles will change; traditional roles will be in less demand (rack servers, deploy software, administer patches)

Ready your IT workforce with cloud skills

  • Solution assessment & vendor selection

  • Project & program management

  • Network & security management

  • End-user support for ‘self-service’ model

Looking forward: 2015 and Beyond

As we look forward two years out, we expect that:

  1. Public cloud adoption will accelerate to more than 80% of new instances

  2. Specialized hardware will be required for less than 5% of the population; the remaining dedicated workloads move to virtualization or go to public cloud.

  3. Our management infrastructure will transition to cloud-based systems, with CMP mainstreamed into products and services and management services centralized

  4. Our standard networking will simply be the internet, with a small number of specialized internal business and R&D networks in place for specific needs

  5. We will have adopted the “Cloud OS” we’ve recently begun telling customers about, with OS fabric parity between off-premises and on-premises cloud storage, commodity SSDs as the standard with traditional HDDs becoming the exception, and “storage from anywhere” delivered to our employee population.

Implementation Checklist

While some of the items listed below might be specific to our environment and workforce, they do serve as a useful planning guide for organizations looking to support the Consumerization of IT, and embrace cloud services:

  1. Provide dedicated wireless access for personal devices

  2. Build strong authentication plan for consumer devices

  3. Provide remote access connectivity solutions for consumer devices

  4. Support management of FTE-owned consumer devices

  5. Create service and catalog browsing experience for loading apps on devices

  6. Embed User Experience (UX) on device to access corporate sites, including Application install

  7. Onboard applications—submit and manage apps through their lifecycle

  8. Develop and distribute common process and guidance for LOB Application Development

  9. Provide guidance for Employee Owned Devices

  10. Develop policies for Software, internal IT Systems, & Devices

Resources

www.microsoft.com/microsoftIT

www.Facebook.com/ITShowcase

http://microsoft.com/itinstitute

Microsoft Work Smart Productivity Guidance

For More Information

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to http://www.microsoft.com or http://www.microsoft.com/microsoft-IT

© 2013 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
