The Consumerization of IT Within Microsoft from the CIO's Perspective
Published: February 2012
The Consumerization of IT within Microsoft requires Microsoft IT to strike a delicate balance between ensuring the security and integrity of the enterprise's intellectual property, and increasing employee productivity and satisfaction by enabling employees to use their personal devices for their work. This requires Microsoft IT to balance the risks versus the rewards, which are plentiful, not only for employees, but for Microsoft, as well.
The Consumerization of IT is not a new concept in the technological world. In fact, since the advent of portable computers, it has been steadily gaining ground as enterprise employees increasingly want to use their personal electronic devices to do their jobs. Employees also want to utilize the same technologies and applications at work that they use at home. This blending of consumer and enterprise technologies is, in fact, the essence of the Consumerization of IT.
Today at Microsoft, most employees are working with at least two portable devices at any given time, and there are approximately 1.3 million devices on the Microsoft corporate network. Most employees expect to be able to use their own devices for work, and are not keen to accept restrictions on doing so.
However, like most enterprise information technology (IT) departments, Microsoft IT (MSIT) is not eager to incorporate changes that could compromise the security of the valuable intellectual property on the Microsoft corporate network. Therefore, the Consumerization of IT requires that IT departments perform a delicate balancing act. IT departments must enable employee productivity and increase employee satisfaction, while at the same time, safeguard the integrity and security of vital and confidential corporate data.
MSIT has informally supported the Consumerization of IT for a number of years by allowing employees to utilize consumer technologies, and by enabling IT services, such as email, instant messaging, and teleconferencing, for personal smart phones. This compromise has been a challenging yet positive way in which to satisfy employees, while simultaneously ensuring that intellectual property remains fully protected from accidental disclosure or malicious users.
Historically, employees would use only the devices that IT departments procured and managed for them. Today, the Consumerization of IT shifts that historic model by allowing employees to personally select many of their own devices, and incorporate them into their everyday work lives.
Rather than pushing back and not supporting this flow of technology from the consumer market into the workplace, MSIT decided to embrace it by instituting security policies and procedures that would allow employees to use their own devices, while ensuring the security of Microsoft intellectual property. MSIT has had to change the way it approaches and enforces control of access to Microsoft data, so that it can support employees in using their personal devices for both work and their personal life.
Tony Scott, Microsoft IT corporate vice president and chief information officer (CIO), believes that the Consumerization of IT is a multifaceted topic that has deeper implications for enterprises than most people realize.
"It covers a fairly broad area of things, like devices, but very different from ones traditionally seen in the enterprise," Scott said. "It covers applications, again very different from the ones solely produced by the IT department or packages that we bought that were designed for the enterprise. It also means a whole bigger set of things that cover data, that cover employee experience, that cover productivity and application frameworks that we have. It covers (many facets) that don't typically come up in the top number one or two when we typically talk about the Consumerization of IT."
"I think this landscape is very broad," Scott added. "It has very broad implications for the way an IT organization, and indeed the whole company, has to think about what's happening in our world today. I think for us, it's a balance of a number of things. First, it's the recognition that people have devices that they want to use for both work and home. They want to use (these devices) for their life, and so we have to support that. I think the trick is moving from a mindset of control over devices to governance, and having the right policy in place, that you then enforce through technology."
It's Just Good Business
In keeping with this mindset, MSIT has begun enforcing data control through policies and technology that influence how employees access the corporate network and its intellectual property, rather than through managing the hardware that employees use to gain access. To do this, MSIT built a foundation for the Consumerization of IT within Microsoft on four pillars that enable it to support a hybrid environment of Windows® devices, and non-Windows devices. Those four pillars include:
Windows PCs and other devices: MSIT defines the classifications for enterprise standard, consumer, and non-standard devices, and determines the various support models for those devices. Additionally, MSIT evaluates the risk of specific device classes, and blocks those that pose risks to the enterprise.
Security and management: MSIT determines how to manage and control these devices and their users' access to intellectual property, while ensuring data integrity and security once users place the data on these devices.
Productivity: MSIT considers what applications and technologies to support on employees' devices to ensure that employees continue to be productive and happy.
Unified application development: MSIT has established best practices for line-of-business (LOB) application development, and ensures a secure development life cycle and marketplace for these applications.
The Consumerization of IT within Microsoft has required MSIT to ask itself, "How do we support our employees? What are their needs? How do we meet those needs, but also protect our organization's intellectual property?" On any given day, there could be a number of answers to those questions. However, within the bounds of the Consumerization of IT, a few of these answers are resulting in an increase in collaboration and productivity, risk management, and benefit to the enterprise.
Promoting Collaboration While Ensuring Data Security
Collaboration is key to success in today's workplace. However, the historic version of collaboration--where people had to be in the same room as their teammates--is no longer mandatory. Video-conferencing capabilities, consumer devices, and social computing are creating a multitude of collaboration possibilities. However, that vast array of options can be a bit scary for CIOs and IT personnel, who often have a persistent worry that users either will expose or compromise data inadvertently.
"I think that's where good education, good policy, and good practice really makes a big difference in the way that things turn out," Scott said. "The old control model just doesn't work the way it did before, and I'm not sure it ever actually worked all that well. But I think in some cases, we convinced ourselves it was working well. I think the new model of governance and managing risk versus benefit is probably a better way for us to think about this particular situation."
Protecting Data by Using Key Policies and Technologies
With a framework that focuses on data, policy, security, and risk, MSIT has been able to consider the broad landscape that the Consumerization of IT within Microsoft requires. Foremost for MSIT was establishing an effective system of governance, so that it could establish rules and policies for data security and classification. Of key importance was that employees are able to understand and implement those policies in their everyday lives.
"Employees across the company are the ones who, on a day-to-day basis, are going to enforce whatever policy you have, or violate it, as the case may be," Scott said. "So it not only has to be understood, it has to make sense to employees."
"I think you have to have a risk framework that balances the interests of productivity and ease of use versus risk and security," Scott added. "I think if you have that balance—I call that business value versus risk—I think you can do a better job of coming up with something that makes sense to employees, which you can enforce. And then if you use tools like System Center across your whole environment, whether it's the cloud or a private cloud or a public cloud, or your own virtualized environment, you have a set of tools that allow you to enforce those policies consistently across the platform."
MSIT uses Microsoft System Center 2012 Configuration Manager to manage devices on the corporate network. System Center 2012 Configuration Manager captures and aggregates knowledge about enterprise-standard systems, policies, processes, and best practices.
Microsoft® Exchange ActiveSync® is another key technology that MSIT uses to control, by policy, whatever device an employee is using. Exchange ActiveSync allows mobile phones to access an enterprise's information on a server that is running Microsoft Exchange. The information that users can access with mobile phones includes email, calendar, contacts, and tasks. It further enables access to that specific information when users are working offline. Exchange ActiveSync has a certification logo program for devices, which ensures that they respond correctly to ActiveSync security and management policies. MSIT leverages the Exchange ActiveSync logo program, and only enables certified devices and operating-system versions to connect to the corporate network.
Additionally, some devices that employees opt to use have only consumer capabilities and software, which means that they will have limited access to the network's intellectual property. However, if employees select devices that have enterprise capabilities—such as the ability to join a domain and utilize a Trusted Platform Module (TPM) chip—then those employees can access data from those devices just as they would if they were sitting in front of their office computers.
The following list describes other important technologies that MSIT is using to support the Consumerization of IT within Microsoft:
Microsoft Office 365, which provides secure access from anywhere to email, shared calendars, instant messaging, video conferencing, and document collaboration.
Windows® 7 DirectAccess, which enables employees to connect remotely without needing a virtual private network (VPN). In fact, MSIT has saved approximately $300,000 U.S. annually per facility by enabling employees to connect remotely by using DirectAccess.
Microsoft Lync® and Lync mobile clients, which enable employees to use their personal computers to conduct meetings and collaborate with others. The fact that Lync is a multiplatform product—used for Windows, Mac, and mobile clients—makes it one of the highest rated services in MSIT. Utilization of such unified communications at Microsoft has saved the enterprise approximately $212 million U.S. annually.
Microsoft OfficeTalk, which permits employees to share information about their work, and collaborate to develop solutions for Microsoft Office products.
These technologies increase employee productivity and collaboration, and benefit Microsoft's bottom line.
"As a CIO, one of the things that we're trained well to do is to try to measure the benefits of things," Scott said. "We use technologies like Microsoft DirectAccess, which not only gives us better productivity for our employees, and gives us a better user experience, but we also save $300,000 a year. I like that. Better productivity, better user experience, save money: those are good things as far as I'm concerned."
"We're also seeing a rise in the use of video extensively across Microsoft, whether it's one-on-one video conferencing, or group conferencing, or even external conferencing. That's hugely popular inside Microsoft, and something that we've had to make adjustments for," Scott said. "But we see a corresponding reduction in travel costs, and an increase in productivity, and our users love it. So again, it's the same model: productivity, better user experience, save money. You gotta love it."
Governing Data, Not Controlling Devices
At a recent conference at which Scott and Steve Ballmer, Chief Executive Officer (CEO) of Microsoft, spoke together, Ballmer summed up perfectly what the Consumerization of IT means to employees in the workforce today. He told the gathered crowd that 50 percent of the information that he uses on a daily basis comes from outside the Microsoft network, and not from MSIT.
"I laughed, but I knew that already," Scott said. "It was an important acknowledgement of the reality of life in the corporate world today, and we just have to embrace that."
MSIT's primary focus as it embraces the Consumerization of IT is to protect Microsoft's intellectual property by ensuring its confidentiality and integrity, while ensuring its availability to employees. MSIT provides secure data-access options that can support a broad set of device types and security models, including MSIT-managed devices, unmanaged devices, and consumer devices. Depending on the device's security and an employee's credentials, MSIT can control access to data based on its security classification. The Microsoft data-security classifications are high impact, moderate impact, or low impact.
"For years, I think I, and a lot of other CIOs, spent a lot of time—too much time, frankly—on the device, and not on data governance and on the broader picture," Scott said. "I think we've moved smartly in the last few years as the Consumerization of IT became evident, to switching from control to governance. We worry about data security, not about a device in particular. When you do that, you find that your employees or consumers of your information love it, because now they have something that's useful to them both at home and at work. It's also a recognition on the enterprise's part that a lot of our information comes from outside, not from internal IT systems."
In keeping with this switch, MSIT currently supports the following operating systems on devices:
Windows Server® 2008
Windows Server 2003
MSIT assures data access by establishing clear policies for the identity that a user must utilize to access the corporate network, and then what level of data access that specific identity holds. Furthermore, when combining that with the use of solid policy and reporting solutions, like System Center 2012 Configuration Manager, MSIT is becoming more sophisticated in tracking what data specific users, computers, and devices are accessing at any given time.
Supporting a Hybrid Device Environment
MSIT supports a mixed-use environment for employees who are leveraging the Bring Your Own Device (BYOD) to work movement. Microsoft employees routinely use Windows devices, although some employees prefer non-Windows devices. However, it is also important to note that some devices do not comply with MSIT procurement guidelines, based on cost or security features, and some devices are not available globally.
When considering the user experience with enterprise standard (nonconsumer) Windows devices, MSIT does the following:
Highlights Microsoft technology. MSIT supports non-Windows devices, but stresses that for an optimal experience, users should use Windows devices.
Provides driver support for factory imaging and for Windows Deployment Services.
Provides a three-year warranty for Windows devices, and help-desk support.
Enforces and supports global standards.
Manages OEMs proactively.
Conducts testing on a regular basis of new Windows operating systems that are being developed.
Determines the best cost for a given technology level.
Provides a return policy for users who purchase their devices from MSIT: 14 days, for any reason.
Develops a Cost Per Head budget that includes peripherals and replacement batteries within two or three years of device use.
MSIT established several policies for Windows device imaging when it began supporting the Consumerization of IT. Additionally, MSIT will:
Provide seamless installation out of the box. Users should be able to configure their device fully within 40 minutes.
Ensure that devices are ready for VPN connection, and can connect to the corporate network immediately.
Support five languages: English, French, German, Japanese, and simplified Chinese.
Conduct testing of drivers and manufacturer applications.
Guarantee preinstallation of basic desktop applications, so users do not have to locate and download them.
Providing Technologies That Expand User Productivity
As employees continue to blend their personal and professional lives, while they are working, they will want to capitalize on experiences that they have outside of work. This includes their experiences on Facebook, blogs, and other social media. By making those productivity channels available, MSIT allows employees to be more flexible, and attracts a strong pool of potential employees who expect to be able to blend their personal and professional lives by utilizing those channels while they work.
The following are the MSIT-established policies for utilizing social media applications and technologies:
External services: Employees are utilizing social-networking services as a way to communicate with customers, business partners, and consumers. MSIT does not block such activity. However, MSIT has established policies for what information users should and should not share via social networking. MSIT blocks very few sites, and actually encourages users to utilize social media actively.
Internal services: MSIT promotes the use of social-networking services that Microsoft provides, such as Microsoft SharePoint®, the SharePoint Server feature My Site, and Lync. Additionally, MSIT has built custom analogs to consumer services, which provide capabilities such as microblogging and video sharing.
Rich media: MSIT does not block rich media services, because these are becoming a valuable means of distributing information. Similar to social media, MSIT is recommending Microsoft internal media services as appropriate communications channels.
Windows 7 AppLocker®: Some consumer applications are problematic from a legal perspective, especially peer-to-peer sharing applications. MSIT uses AppLocker to block known applications at the network firewall, and does not allow them to run. This prevents employees from launching these hazardous applications on a domain-managed system.
Developing Applications That Users Want and Need
Today, LOB developers are writing applications for traditional enterprise endpoints. Additionally, these developers are now targeting specific consumer devices, such as Windows® Phone, and are writing applications that are web-based and device-agnostic.
The following is a list of best practices that MSIT currently is evaluating for unified application development:
Develop applications in HTML5, which is device-agnostic and provides an excellent user experience.
Provide a backend infrastructure that supports the user experience.
Support employee-driven development, so that user-centric designs will emerge.
Develop applications for users, and design the experience to provide support for failures.
Remember cloud computing. The future of application development is to enable users to access and utilize applications from anywhere, on any device.
Developing and Deploying LOB Applications
One step that MSIT has taken to ensure security and transparency with regard to application development is to work closely with the Windows Phone development community on the design and deployment of LOB applications.
According to Scott, "I think of this as developing applications that meet our business needs. Those needs vary across the many audiences that we try to serve. The reality is that we know today that it's going to be across lots of different devices, and so our development framework has to embrace that, and manage risk versus value. But we also have to make it cost effective, because you can't have a development platform (focused only) on a particular device or a particular means of consumption."
"Having a good framework and good tools that allows you to address the variety of devices and audiences that you're intending to is key," Scott said, adding that the Microsoft .NET Framework, Windows Internet Explorer® 9, Microsoft Visual Studio®, and HTML5 are the tool sets that MSIT supports for application development. "(This is) the toolset that we use to make it cost effective on the IT side, but also to make sure that we have good control over the data that is important to us, and that will deploy on all of the devices that are important to our end-user audiences. I think that balance of what's good for IT, and good for security and governance, but also that enables the employee, is the perfect spot to be in."
Embracing the Consumerization of IT within Microsoft boosts employee productivity and satisfaction, and enables Microsoft to attract a talent pool that wants to use the consumer technologies with which they are comfortable and productive, without compromising the security and integrity of valuable data on the Microsoft network.
"Our company response to this Consumerization of IT defines not only who we are, but our reputation and our brand, both with customers and our employees," Scott said. "We see that as key to how we attract and retain employees, but also how we show up in the greater world, in terms of our brand and company reputation. I think getting this right is pretty important, not only for CIOs, but also for the company more broadly."
MSIT very clearly supports the Consumerization of IT within Microsoft by developing and expanding its policy framework, by educating employees about those policies, and by developing tool sets that enterprise employees can use internally, and which Microsoft sells to its customers. Employees are happy and productive, because they can use their personal devices for work. Additionally, MSIT ensures data security by focusing on device governance, data classification, and unified application development.
"It's possible to address Consumerization of IT and protect your company assets," Scott said. "It's not really an either/or. It is a balance of value between risk and business value, and that's key. Data classification and user access are very, very important in that equation. The workplace is everywhere. There is little distinction these days between what's work and what's play, and what's home and office. We just have to recognize that, and address it in terms of how we do policy."