Building your consumerisation of IT strategy (part 1 of 2)

The consumerisation of IT trend is hurtling towards most IT shops and it’s clear from those I talk to that they’re just trying to deal with things as they happen. The MD wants to attach his cool new device but what does that mean for IT – are they expected to support it? What’s the cost of doing that? What else needs to change? It’s clear to me we need a more strategic approach to consumerisation that allows for flexibility and helps reduce costs whilst still permitting the choice that end users now demand. 

It’s something Microsoft has been thinking about and you’ll start to see us talking about consumerisation in terms of devices, security and management, productivity and application development. A clear understanding of an evolving trend is always going to be difficult to build, but it’s good to see that we’ve thought about a way to frame our thinking. Whilst it clearly needs deep thought, it’s a good place to start from.

Devices

At the forefront of the trend is probably the fact that new devices are coming into organisations at an uncontrollable rate. More tech-savvy consumers are bringing their kit into the office excited by the potential that those devices hold. People expect access to their email at any time and many even expect to converse with their friends or organise their social lives when they’re in the office. They will find whatever way they can to use their devices, and sometimes that will comply with IT policy, but often it won’t.

We’ll tackle the management of those devices in a few paragraphs. First, let’s just have a little look at the potential advantages that using those devices will bring to your business. Strategically you should consider allowing a couple of options over device choice for your users. The first is to allow them to Bring Your Own Computer, or BYOC. BYOC has a number of advantages for you as an organisation, not least of which is that you don’t need to own the asset or have it on your books and depreciate it over time. You could consider a couple of ways of doing this; one might be to give your employees a “technology allowance” that works in a similar way to a car allowance. Obviously there are tax implications for doing this for your employees, but it would move the cost from Capex to Opex.

That wider choice will also help make your employees feel more valuable and more trusted because you’ll be giving them the chance to make their own decisions. You can still centralise purchasing control and exercise some guidance around devices by bringing in a computer leasing company, just like with a car scheme. Just be aware that, unlike cars, computers are actually quite cheap and this could backfire on you if people choose not to lease from your list. It may just be better to allow your employees to buy whatever they like off the shelf.

The other option for device acquisition is to spruce up your list of approved devices. Select kit that appeals to your user base but that is still worthy of your support and the time required for your IT team to support it.

You should also think about the types of devices you’ll support, and you need to be really crisp and clear about what “support” means to your end users. This is where clear communication comes in, and it leads to the idea of having a communications team or (better still) a marketer whose job it is to communicate IT service updates to your organisation. If you’re wondering why I’ve suggested a marketer, it’s because marketers understand the environment into which they are selling (and your IT department is now selling itself). You may find that you need to redefine the term “support” within your organisation, changing user expectations dramatically.

Not sure what I mean by redefining support? Well, with consumerisation you need to focus on providing flexibility, and that will probably mean evolving your support functions into connection functions, ensuring that any device can be connected in a safe and secure way that meets business requirements. Realistically, you want to be looking at a way to support the people for whom you need to be most flexible (you know the ones - usually they have a C at the start of their job title!) in a way that seems similar to everyone else – it’s far easier to play to the highest common denominator in this case.

We’re starting to get into some familiar ground here around security and management, but before we do and whilst we’re on support, it’s important to note that you probably need to do some heavy lifting using self-service to reduce the load for simple fixes. General things like “how do I do this formula in Excel” are best handled by a Bing search or something similar internally. You can find out more in this post about why self service is so important to consumerisation and cloud.

Device selection is an obvious area for concern. It would be helpful if you could guide your employees to use the right kind of kit, because if they’re buying their own devices you need to make sure they will still be securable and manageable. Think, for example, about how you remote wipe a device. It’s really easy when you have a device with a 3G connection, but how do you remote wipe a device that only has WiFi if it gets stolen? Food for thought.

Security and management

When you think about management and security you probably first think of managing and securing Windows PCs. Given that you’re reading this on a Microsoft blog you might be thinking I’d be extolling the virtues of that. I am, but it’s about far more than that. Your management software and security strategy needs to be able to manage your users’ Windows devices, but it must also be able to manage and secure other devices. If your CEO wants to use his iPad you need to be able to secure it, and critically you need to be able to remote wipe it if it goes wrong and he’s syncing his corporate email. Tricky if it only does WiFi. So what do you do in that case? Well, firstly you only allow the devices that you trust to access some parts of your IT. For example, it’s fine to trust people to access their email on a mobile device, but to ensure security and to reduce operational risk you probably want to ensure your users have access to (and know how to use) rights-managed email. With that technology you can ensure that sensitive emails are only accessible to the intended recipient, and also that they can only access that specific, sensitive email on a secure device, or possibly just through an HTTPS-secured web page.

You can probably see now that security and management in a consumerised IT shop needs to take a data-security-led approach, but one that differs from most you might have come across before. Traditional data security has a (user-perceived) focus on preventing access by working against a lowest common denominator model of ‘block access to people who shouldn’t have access’. It’s been a good approach for the greater part, but it has led to disenfranchisement of the user base in many organisations. Far better to promote a security model based on circumstance.

The HR Director has access to all personnel records, for example, except if she’s accessing the HR system from a PC that’s facing the window. If you don’t think this is possible then you should have a look at some of the solutions for Remote Desktop from Quest. Perhaps the HR Director also shouldn’t be able to have access to the HR system, which is web based, from a slate device or even from a PC that doesn’t have up-to-date anti-malware. Again, perfectly possible scenarios using solutions like the Forefront family. The big thing to do then is understand the data in your organisation and grant access based on circumstance and identity. Deep understanding of data is something you need for the cloud, too, so it’s a good project to kick off.

Flexibility in security and management solutions is also required, because in order to deal with security based on circumstance you need to be thinking about a device’s lifecycle. When you think about lifecycle you start to realise that a device tends to go through stages: things like power on, load OS, pre-logon, sleep, hibernate, wake from sleep, power down, internet connected, no internet connected, LAN connected, WAN connected, VPN connected… the list goes on. Here you soon start to notice you need security solutions that start and stop as early as possible and remain constantly pervasive.

This is where solutions such as DirectAccess (a remote network solution enabled by Windows 7 and Windows Server 2008 R2 and enhanced by Forefront) come in. DirectAccess starts early on in the lifecycle of a Windows 7 device and creates a tunnel back into your corporate network that effectively brings the device onto your LAN and into your management sphere. This means it’s possible to quickly deliver patches, do remote control and manage every aspect of the device. Windows Intune provides a similar solution in a different way. Rather than forming a tunnel into the corporate network, the management agent simply talks to the cloud. That immediately means that patches, antivirus and policies can be deployed, and soon you’ll be able to deploy your own software over the Internet, too – a feature already in the beta.

Questioning the idea of “secure” also needs to be a prime concern when dealing with consumerisation. Do you trust your LAN? Unfortunately the answer should probably be no. You’ve probably had to deal with a virus outbreak already in your life, possibly more than one, and they typically happen because a device on your network doesn’t have enough security to prevent infection. That infection will spread and eventually take hold, leading to lost weekends and overtime. Technology like Network Access Protection (NAP) allows you to examine devices connecting to your network, and if they don’t match your standards they don’t receive an address, or are placed into a “remediation” network. A remediation network can provide access to services like Windows Update for patching but perhaps doesn’t allow access to your internal HR or email systems. In a consumerised IT shop, though, it could be a good idea to treat your remediation network as the Internet – give people access to everything if at all possible.
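To make the “identity plus circumstance” model from the HR Director scenarios above and the NAP-style health check concrete, here is an added worked example in Python. It is not code from this post, and it is not how Forefront, NAP or the Quest Remote Desktop products implement their policies; the device attributes, the seven-day signature age threshold, the roles and the sample users and devices are all constructed for illustration. Identity is checked first, then the circumstances the post lists (device kind, anti-malware freshness, management enrolment, whether the screen faces a window, whether the device can be wiped), and the same health statement drives the LAN-versus-remediation decision.

```python
"""Circumstance-based access control and NAP-style health checks.

Constructed example for the consumerisation post: policy thresholds,
attribute names and sample data are illustrative, not product APIs.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    REMEDIATE = "remediate"   # quarantine network: patching services only
    DENY = "deny"


@dataclass
class Device:
    kind: str                          # "pc", "slate" or "phone"
    managed: bool                      # enrolled with your management agent
    remote_wipe_capable: bool          # can it be wiped if it is lost?
    antimalware_updated: Optional[date]  # last signature update, None if no AV
    location: str                      # "desk", "window_facing_desk", "offsite"


@dataclass
class User:
    name: str
    roles: Set[str]


@dataclass
class Resource:
    name: str
    required_roles: Set[str]           # empty set means any authenticated user
    sensitive: bool                    # confidential data gets the extra checks
    allowed_device_kinds: Set[str] = field(
        default_factory=lambda: {"pc", "slate", "phone"})


MAX_SIGNATURE_AGE = timedelta(days=7)   # constructed threshold, tune to policy


def health_failures(device: Device, today: date) -> List[str]:
    """NAP-style statement of health: every failed check, in order."""
    failures = []
    if device.antimalware_updated is None:
        failures.append("no anti-malware installed")
    elif today - device.antimalware_updated > MAX_SIGNATURE_AGE:
        failures.append("anti-malware signatures out of date")
    if not device.managed:
        failures.append("device not enrolled in management")
    return failures


def network_admission(device: Device, today: date) -> Decision:
    """Healthy devices join the LAN; unhealthy ones go to remediation."""
    return Decision.ALLOW if not health_failures(device, today) else Decision.REMEDIATE


def authorize(user: User, device: Device, resource: Resource,
              today: date) -> Tuple[Decision, str]:
    """Identity first, then circumstance (device kind, health, location)."""
    if resource.required_roles and not (user.roles & resource.required_roles):
        return Decision.DENY, f"{user.name} lacks a required role for {resource.name}"
    if device.kind not in resource.allowed_device_kinds:
        return Decision.DENY, f"{resource.name} is not available from a {device.kind}"
    if resource.sensitive:
        failures = health_failures(device, today)
        if failures:
            return Decision.REMEDIATE, "; ".join(failures)
        if device.location == "window_facing_desk":
            return Decision.DENY, "screen visible to passers-by"
        if not device.remote_wipe_capable:
            return Decision.DENY, "device cannot be wiped if lost"
    return Decision.ALLOW, "identity and circumstance checks passed"


# Constructed sample data mirroring the scenarios in the post
TODAY = date(2011, 6, 1)
HR_SYSTEM = Resource("HR system", {"hr_director"}, sensitive=True,
                     allowed_device_kinds={"pc"})
INTRANET = Resource("intranet news", set(), sensitive=False)
HR_DIRECTOR = User("HR Director", {"hr_director", "staff"})
CONTRACTOR = User("Contractor", {"staff"})
OFFICE_PC = Device("pc", True, True, TODAY - timedelta(days=1), "desk")
WINDOW_PC = Device("pc", True, True, TODAY - timedelta(days=1), "window_facing_desk")
STALE_PC = Device("pc", True, True, TODAY - timedelta(days=30), "desk")
SLATE = Device("slate", False, False, None, "offsite")


def demo() -> Dict[str, Decision]:
    """Evaluate each scenario; returns scenario name -> decision."""
    return {
        "hr_director_office_pc": authorize(HR_DIRECTOR, OFFICE_PC, HR_SYSTEM, TODAY)[0],
        "hr_director_window_pc": authorize(HR_DIRECTOR, WINDOW_PC, HR_SYSTEM, TODAY)[0],
        "hr_director_stale_av": authorize(HR_DIRECTOR, STALE_PC, HR_SYSTEM, TODAY)[0],
        "hr_director_slate": authorize(HR_DIRECTOR, SLATE, HR_SYSTEM, TODAY)[0],
        "contractor_office_pc": authorize(CONTRACTOR, OFFICE_PC, HR_SYSTEM, TODAY)[0],
        "slate_intranet": authorize(HR_DIRECTOR, SLATE, INTRANET, TODAY)[0],
        "stale_pc_lan": network_admission(STALE_PC, TODAY),
        "office_pc_lan": network_admission(OFFICE_PC, TODAY),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:24} {decision.value}")
```

The point of the ordering is that a role check alone would let the HR Director in from the window-facing PC and from the unmanaged slate; it is the circumstance checks, evaluated after identity, that produce the behaviour the post describes. Because the same health statement feeds both `network_admission` and `authorize`, a device with stale signatures lands in remediation at the network edge and again at the application, so the two layers cannot disagree about what “healthy” means.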

Summary

  • Devices: Think about what “support” means, about changing how you buy devices
  • Security and management: Think about data, provide access to it whilst considering the circumstances

In part 2 we’ll take a look at some of the thoughts you need to keep in mind around productivity and application development. For now, though, knowing that a modern desktop and management are key parts of the puzzle, I’d suggest deepening your thoughts about getting off XP and onto Windows 7 and implementing management with System Center. The Springboard resources that we have available are a good place to start investigating Windows 7 deployment.