

Consumerization of IT at Microsoft: Adapting to Change

Published March 2014

The following content may no longer reflect Microsoft’s current position or infrastructure. This content should be viewed as reference documentation only, to inform IT business decisions within your own company or organization.

Microsoft IT is embracing the consumerization of IT. The trend is spurring substantial investment at Microsoft in the areas of devices, identity, applications, and social experiences.

Strategy

Microsoft is an environment of change, with the latest software and hardware advances constantly pushing the boundaries of corporate IT’s charter. To effectively manage both users’ expectations and the mandates of information security, Microsoft IT needed to develop a programmatic approach to technology adoption—one that would foster innovation without increasing risks by introducing uncontrolled technologies. This is particularly true when considering the impacts of trends in Bring Your Own Device (BYOD) scenarios.

MSIT’s assumption is that employees do their best work when using the devices they love, and that allowing greater flexibility in the methods of access to information helps employees be more productive. Thus, Microsoft’s internal investments in Consumerization of IT have focused on delivering solutions centered on the desires of our end-users, and on delivering the usability they are requesting. Through multiple efforts across the four key CoIT categories, Microsoft implemented practices to enhance individual productivity with developments in Internet access, remote access, and LOB application experiences.

Executive Overview

Microsoft Information Technology (Microsoft IT) manages the infrastructure, applications, and services across the global operations of Microsoft. At Microsoft IT, we began to see a shift in how employees were accessing corporate resources. As in other IT organizations around the world, an increasing number of users were bringing their own devices, Internet identities, applications, and social networks with them to work. Moreover, these entities were being linked to Microsoft systems in a way that simultaneously let employees conduct work on personal devices and engage consumer services from company-owned systems. We call this shift the consumerization of IT.

These changes have influenced employees’ daily lives, enabling a comingling that at once improved productivity and efficiency. These changes also assisted in developing a better balance between home and work. In addition, new product launches of Windows Phone and Microsoft Surface devices in 2012 meant that employees were rapidly adopting a new generation of company-owned smartphones and tablets. These products introduced myriad applications and services designed for mobile platforms. The fast-moving business environment at Microsoft pushed users to seek new collaboration tools and communication methods that integrated with personal social networking technologies.

This case study provides an overview of how Microsoft is adopting initiatives for the consumerization of IT, along with trends and benefits.

Opportunities in the Consumerization of IT

The driving force behind the consumerization of IT is to encourage and enable employees’ productivity by using whichever portable and mobile devices they prefer to use. Providing such a work environment at Microsoft is a top priority as we seek to empower users in a rapidly changing business. We believe that the benefits of the consumerization of IT can be measured in terms of end-user productivity gains and better control of work versus personal demands.

The New IT

There are numerous definitions for the consumerization of IT across the industry. In 2011, after extensive research, Microsoft IT developed an approach and strategy for the consumerization of IT. We defined it around four primary categories with which to evaluate industry needs and developments. Table 1 defines these categories.

Table 1. Categories of the consumerization of IT.

Category            Definition
Devices             Individuals expect to use personal devices to gain access to work data and applications.
Identity            Identity spans both personal and work experiences, enabling access to enterprise resources through consumer identities.
Applications        Consumer applications exist in the enterprise, and business applications exist on employees’ personal devices.
Social experiences  Social experiences exist for collaborating and for augmenting line-of-business (LOB) applications.

Industry View

The major industry trends associated with the consumerization of IT provide an overview of the pressures on enterprise IT groups from consumer technologies.

Devices

Smartphones achieved a major milestone in 2012: For the first time in history, the number of devices sold worldwide exceeded the number of PCs sold. With this growth, enterprises will continue to see user demand for access to corporate resources from personal devices.

Industry research shows that adoption of personal devices for work-related usage (sometimes called “Bring Your Own Device” or BYOD) has been steadily increasing and is now at an all-time high. For example, almost 100 percent of Microsoft employees have at least one companion device that they use to read and compose email from both work and personal accounts.

Identity

Many businesses employ identity federation (the sharing of identities across organizational boundaries) as the method to enable collaboration between entities. But deployment is time-consuming and requires IT organizations to establish trusted relationships with one another. We are now seeing demands for simpler methods to authenticate users from modern devices that still meet corporate requirements.

For example, entering a 20-character password along with a domain\username combination is not a good experience on a small-screen phone. Users need alternatives for authentication on personal devices, because today’s smart cards do not work with phones or tablets. In addition, we believe that more organizations will view consumer identity providers (such as Google, Yahoo!, Facebook, and Microsoft) as not only acceptable, but preferred as the authentication method to gain access to certain business functions.

Applications

The primary opportunities in the application category are the expected growth in LOB marketplaces and the use of consumer applications in the enterprise. The use of consumer applications in the enterprise can increase by users’ choices or by being embedded in enterprise products.

Industry players—including Amazon, Microsoft, Google, and Salesforce—recognize the consumer trends around mobile marketplaces (for example, Microsoft Windows Store or Google Play). These companies are delivering application store platforms and ecosystems to bring compelling value to end users. As new mobile devices join work environments, enterprises will want to distribute LOB applications to users through the same model. We expect to see continued interest in the development of such marketplaces, and in the guidance for businesses to implement their own application stores.

In addition to the blurring between consumer and business purchasing mechanisms, we are seeing increased integration of consumer applications and services with enterprise software. However, businesses must educate employees about proper usage. Security controls are not readily available for these types of consumer services. Corporate IT groups generally do not have jurisdiction to control them, either. Essentially, this end-user empowerment means that users wield greater control over, and greater responsibility for, the actions that they take on company-owned data.

Social Experiences

The continued massive growth of Facebook, Twitter, and other social media environments is leading to a convergence of social experiences in classic software applications. Early evidence shows that users appreciate when social and mobile usage is combined with search, email, and LOB applications. These developments are inspiring enterprises to foster such experiences in order to benefit from the social phenomenon. These enterprises anticipate increased productivity resulting from greater sharing and collaboration within their organizations.

Understanding the Consumerization of IT at Microsoft

The approach to the consumerization of IT at Microsoft centers on delivering solutions that provide the usability that users want.

Our assumption at Microsoft IT is that employees do their best work when they are using the devices that they love. So allowing greater flexibility in the methods of access to information helps employees be more productive. This provides the business impetus for giving employees varied options to use devices and applications in the way that suits them best. The choice of personal device also enables employees to more effectively balance work and life demands. And it increases user satisfaction with their work environment.

We completed an internal survey in January 2013 that gauged Microsoft employees’ usage of personal tablets. Figure 1 shows the results of the January 2013 tablet survey.

Figure 1. Number of hours per week that employees spent doing work with a personal tablet.

Excluding the most advanced users, 56 percent of Microsoft employees said they used their personal tablet for up to 10 hours per week for work-related tasks. At the other end of the spectrum, 17 percent said they did not want to use their tablet for work at all. Those employees most commonly cited a preference to keep their personal and work tasks separate.

The survey also detailed what work employees were doing with their devices. Figure 2 provides survey results of replies to the question "How important is it to you to be able to do the following activities on your tablet?" Results like these help us understand what employees want.

Figure 1 data labels: 5–10 hours per week, 29%; 5 hours or less per week, 27%; more than 10 hours per week, 27%; not likely / not at all, 17%.

Figure 2. Activities that employees want to perform on their tablets.

In line with our expectations and investments, the top three tasks that employees identified included surfing the Internet, accessing email, and viewing Microsoft Office files or PDFs.

As an example of the overall approach to the consumerization of IT at Microsoft, we focused on these areas by making it easier for employees and business guests to connect wirelessly to the Internet via MSFTOPEN. MSFTOPEN is a wireless guest network that is similar to a public hotspot. It helps encourage productivity while helping to prevent unknown devices from joining the main corporate wireless network.

The fundamental goal was to deploy a basic infrastructure that would support simplified, security-compliant access to the Internet from mobile endpoints (personal phones, tablets, and laptops) on internal networks.

In Review: Microsoft IT Investments

We have implemented practices to enhance individual productivity through measured programs and support. These investments are in the areas of Internet access, remote access, and LOB application experiences.

Devices

Most full-time Microsoft employees have a Windows 8 phone as well as a Microsoft Surface RT tablet, yielding an IT-provided device-to-person average ratio of 2:1. And although other device types at Microsoft will not grow significantly, employees, business guests, and vendors on the network are using other technologies such as Android, Apple iPad, Kindle Fire, Windows 8–based computers, and Microsoft Surface Pro.

Recent improvements in Windows-based devices, such as device encryption, mean that modern tablet designs and phones will see greater security controls. These controls will make them better suited to access the Microsoft corporate network.

We expect individuals to continue using non-corporate devices for access to consumer-level and enterprise-level applications and services—from both on and off the corporate network. Users increasingly want to be productive with these personal devices. This productivity takes advantage of the broad range of mobile client software that is now available for cloud applications (such as Microsoft Lync communications software and Microsoft SkyDrive storage technology).

Core Device Scenarios

Our goals include enabling users to be more productive with enterprise information, communication services, and business tools. The adoption of mobile devices, therefore, leads to a set of use cases. Each employee or guest needs to:

- Easily access the Internet wirelessly.
- Use a device to access email, calendar, and contacts.
- Use a device to access Microsoft Office files.
- Easily identify how to enroll in “light management” experiences.
- Enroll in data governance mechanisms to gain greater levels of access (virtual private network [VPN] or corporate applications).
- Access applications that were typically used only from IT-provided computers via Remote Desktop.

Investments and Progress

Microsoft IT has undertaken a number of projects to bring the preceding scenarios to life.

We deployed MSFTOPEN at scale for business guests and employees to use with their personal devices, while still maintaining the security and integrity of corporate data. MSFTOPEN is operational across Microsoft buildings in the Puget Sound region. A focus on broader deployment to other US and worldwide offices is under way.

We partnered with the Microsoft System Center product team to define the concept of a “light management” scenario and improve multiple-device management capabilities. The latter task included implementing health validation capabilities such as machine certificates, security policy, device encryption, monitoring, and logging. These efforts also enabled both employee-owned and managed devices to access resources on the corporate network.

In addition, working with the Windows Division, we helped develop a VPN client for Windows RT to enable remote access. We have invested in the VPN infrastructure to accommodate greater scalability for an increasing number of user devices.

Identity Providers and Consumer Identity Providers

The technology industry is moving toward accepting identity credentials from multiple providers—instead of strictly corporate directory services—for accessing data and applications. This acceptance will apply to federation agreements with business partners, consumer identities for public services (for example, marketing event sites), and online service offerings.

At Microsoft IT, we must provide clear guidance for acceptable usage to internal developers and product teams when we are integrating such public services with the Microsoft implementation of Active Directory Domain Services (AD DS) or other corporate online services. In the near term, this mandate requires us to develop an inventory of identity providers, and then categorize the providers into levels of assurance and acceptable usage for various levels of data privacy for resources at Microsoft.

Core Identity Scenarios

As with mobile devices, we developed several key use cases for authenticating to different identity mechanisms.

In the first group, end users need access to LOB applications and services through a simple solution that is appropriate for a variety of modern devices, such as tablets and smartphones. In addition, users need corporate access services (for example, VPN or Remote Desktop Gateway) which use virtual smart cards or other form factors that are appropriate for strong security.

In the other group, developers must be able to easily build applications that accept an authentication solution for modern devices. The authentication solution must be able to validate device health and user claims to determine appropriate levels of access. This use case includes new and compelling scenarios for applications by using social graph information from different Microsoft online services.

Investments and Progress

Our investments have focused on building a virtual smart-card provisioning service for Surface RT and Windows 8–based client computers. In addition, we drafted formal guidance for the appropriate usage of consumer identities for Microsoft business needs.

Applications

As one of the higher priorities for investments, applications represent the largest change in thinking from prior strategies. Previously, we focused on proper access to consumer applications, and enabling remote access to existing applications in the enterprise via either web publishing or Terminal Services solutions. The assumption was that keeping applications on the internal corporate network without exposing them to the Internet would be the most secure approach. Access required users to transit via VPN or Terminal Services publishing connections.

However, recent research has shown increased protection by enabling enhancements in application development so that more sensitive applications (for example, applications that access Human Resources information) can enforce appropriate security controls. These enhancements will, in turn, validate device and user attributes that allow applications to make authorization decisions instead of having an infrastructure service make access decisions on their behalf.

To be a leader in this area and an example to customers, Microsoft IT must itself seek to publish these sensitive applications to employees’ consumer devices. We must also encourage product teams to deliver aligned capabilities. We are currently defining this application design model, and future investments will focus on developing architectures and standards that are related to this approach.

Core Application Scenarios

The primary audience for these more compelling mobile applications and experiences is, of course, the end user. Microsoft employees need to access sensitive information—such as personal employment data or healthcare data—wherever they may be. They need access not just from a web browser on a laptop, but from personal devices at remote locations.

Thus, developers need to be able to:

- Build applications that make authorization decisions based on user and device attributes.
- Access repeatable guidance and reference architectures to accelerate the development of applications for modern devices.
- Have one process for submission of applications to LOB marketplaces for Windows, Microsoft Office, and Windows Phone.

An additional community, security professionals, must review and confirm that LOB applications have the right level of security controls to permit access while helping to protect the applications and corporate data.

Investments and Progress

Our investments have focused on developing a company hub application (an application that equates to the corporate intranet portal) on Windows Phone. Our investments have also focused on providing guidance for developers to produce compatible modern applications that can display certain sensitive data on personal devices, and broader information on corporate devices or corporate-connected devices.

In addition to the company hub, Microsoft IT delivered pilots for application publishing via Terminal Services. These pilots demonstrated how the mechanism is an effective solution that provides good segmentation of security boundaries.

Social Media

In 2012, Microsoft acquired social networking service Yammer. The direction in the industry is that social experiences and capabilities will become integrated with enterprise applications and services such as Microsoft Office, Windows, and Microsoft Office 365 hosted productivity software. Product groups within Microsoft are moving in the same direction.

From an enterprise perspective, it is interesting to have software with built-in social capabilities. But the real value of social experiences will occur when social capabilities are integrated across LOB applications in addition to packaged products and services.

Core Social Scenarios

We carefully consider how users interact with peers and information through social services. And we realize the importance of fostering communications without impeding productivity, and without risking exposure to information leakage, trademark and brand reputation issues, or patent and copyright issues.

The steps that we are taking center on:

- Enabling users to collaborate with internal and external users, share data, and participate in conversations easily and securely.
- Enabling users to access media content on personal devices for training, education, and business purposes.
- Enabling developers to build applications with social experiences in mind.

Investments and Progress

The focus so far has been on providing education and awareness to employees regarding acceptable use of social media and networks. With the Microsoft acquisition of Yammer, we are also focused on proofs-of-concept for external network collaboration along with new forms of user-empowered governance for these social communities.

Future Efforts

To determine further investments in the consumerization of IT, Microsoft identified goals for providing rich experiences while allowing personal devices and services to be used inside the company. Indeed, to provide leadership to the industry, Microsoft had to re-envision how its own users could consume emerging technologies through simplified, consistent mechanisms.

The basic strategy for enabling the use of personal devices and services in Microsoft is to build on what we defined as the Variable User Experience (VUE) concept. Figure 3 illustrates the concept. The idea is simple: gaining access to application and data resources requires validation of the user, device, and location.

Figure 3. VUE concept.
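
The VUE idea above, and the earlier goal of applications that make authorization decisions from user and device attributes, can be sketched as a small decision function. This is an added example, not code from Microsoft or from the case study. The tier names (Assurance, Sensitivity), the rule that sensitive data off the corporate network needs the strongest identity tier, and the "full"/"limited"/"deny" outcomes are assumptions made for illustration; the device health signals are the ones the case study lists.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    # Assumed tiers: the case study says identity providers are categorized
    # by level of assurance but does not list the levels.
    CONSUMER = 1    # consumer identity provider
    CORPORATE = 2   # corporate directory credentials
    STRONG = 3      # corporate identity with a virtual smart card


class Sensitivity(IntEnum):
    # Assumed data classification tiers.
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2   # for example HR or healthcare data


@dataclass(frozen=True)
class Device:
    corporate_owned: bool
    has_machine_cert: bool
    encrypted: bool
    policy_compliant: bool

    def failed_checks(self):
        # Health signals named in the case study's light management work.
        checks = {
            "machine certificate": self.has_machine_cert,
            "device encryption": self.encrypted,
            "security policy": self.policy_compliant,
        }
        return [name for name, ok in checks.items() if not ok]


@dataclass(frozen=True)
class Request:
    assurance: Assurance
    device: Device
    on_corp_network: bool
    sensitivity: Sensitivity


def required_assurance(sensitivity, on_corp_network):
    # Location raises the bar: sensitive data off-network needs STRONG (assumed rule).
    if sensitivity == Sensitivity.PUBLIC:
        return Assurance.CONSUMER
    if sensitivity == Sensitivity.INTERNAL or on_corp_network:
        return Assurance.CORPORATE
    return Assurance.STRONG


def decide(req):
    """Return (level, reason); level is 'full', 'limited' or 'deny'."""
    need = required_assurance(req.sensitivity, req.on_corp_network)
    if req.assurance < need:
        return "deny", f"identity assurance {req.assurance.name} below {need.name}"
    if req.sensitivity == Sensitivity.PUBLIC:
        return "full", "public resource"
    failed = req.device.failed_checks()
    if failed:
        return "deny", "device health failed: " + ", ".join(failed)
    if req.sensitivity == Sensitivity.SENSITIVE and not req.device.corporate_owned:
        # Personal devices get a reduced view of sensitive data.
        return "limited", "sensitive data on a personal device"
    return "full", "user, device and location validated"


if __name__ == "__main__":
    # Constructed sample requests, not data from the case study.
    personal = Device(corporate_owned=False, has_machine_cert=True,
                      encrypted=True, policy_compliant=True)
    unencrypted = Device(False, True, False, True)
    for req in (
        Request(Assurance.STRONG, personal, False, Sensitivity.SENSITIVE),
        Request(Assurance.CORPORATE, personal, False, Sensitivity.SENSITIVE),
        Request(Assurance.CORPORATE, unencrypted, True, Sensitivity.INTERNAL),
    ):
        print(decide(req))
```

Returning the reason alongside the level gives the application something to write to its access log for every decision, including denials.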

We believe that in the future, employees will use their own devices for accessing LOB applications natively, without going through additional steps for connectivity (for example, VPN or Terminal Services).

In the short term, our investments in consumerization of IT will focus on enabling productivity through enhanced experiences on modern devices:

- Device management and registration across multiple platforms
- Delivery of “showcase” modern LOB applications on employees’ personal devices
- Remote connectivity to corporate desktops to enable user productivity from personal devices
- Security-compliant synchronization of data across multiple devices

Summary

We see a great opportunity to accelerate the adoption of the consumerization of IT at Microsoft. We also see a great opportunity to provide guidance to the industry by enabling our own users to access both work and personal resources from the devices that they prefer. The consumerization of IT is important to Microsoft employees who want to save time and be more efficient. We estimate that, on average, Microsoft will see a benefit of an additional hour in employee productivity each week.

We recently defined a longer-term strategy for consumerization at Microsoft. And we initiated a number of proofs-of-concept and pilots to deliver experiences where users can be productive on personal devices. Collaboration between Microsoft product groups to align consumerization scenarios and use cases across multiple products and services will benefit our customers in the future by providing new ways to take advantage of innovative technologies.

We will continue our investments in enabling the use of personal devices for LOB applications, with integrated identity and social experiences.

For More Information

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:

http://www.microsoft.com

http://www.microsoft.com/microsoft-IT

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Lync, Office 365, SkyDrive, Surface, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.