The Modern IT Experience

Microsoft IT shares our perspective on the transforming role of IT, the challenges raised by new technologies, and our experiences in this new era of IT.
The New Era of IT

The role of IT in the corporate world has changed dramatically in the last five years. This change is driven by consumer expectations around technology innovation and by new digital business models for companies. In this new era, IT organizations around the world are confronting these changes at some level, and our new IT Showcase content on what we call The Modern IT Experience collects our resources on the subject. How do you, as a CIO or IT professional, embrace this modern era without taking on additional risk? How do you enable employee productivity on any device while keeping your company's intellectual property safe and secure? The Modern IT Experience embraces the employee expectation to use any device, personal or corporate, from anywhere, to access corporate resources with the same rich and seamless experience they enjoy in their personal lives, using a broad set of capabilities. This content is an overview of the Microsoft IT perspective on the transforming role of IT, highlighting the challenges presented by new technologies and sharing strategies and experiences.
Windows 8 Ecosystem

The Windows 8 Ecosystem provides a Modern IT Experience that embraces current consumerization trends, but it also offers much more: a robust platform and user experience that enables always-on employee productivity. This end-to-end ecosystem offers many options that IT can use to maximize the experience through the convergence of the operating system, devices, the cloud, social networking, and applications. The Windows 8 Ecosystem includes:

- The Windows 8 client operating system, which balances consumer and work experiences with a single interface on a single device
- Touch-first devices, including enterprise-class PCs, Windows RT companion devices, Windows Phones, and non-Windows devices based on iOS or Android. The ecosystem even includes "non-devices" such as Windows To Go, a portable, managed Windows 8 workspace that boots from a USB drive on unmanaged PCs
- Write-once, use-anywhere applications that are powerful, connected, and immersive
- Application discovery through an online Store or through direct distribution (sideloading). Sideloaded apps bypass Store vetting and must be signed with a certificate the device trusts, so IT takes on the vetting role for them
- A comprehensive social enterprise platform that includes the new Office, SharePoint, Lync, Yammer, and Skype
- Anywhere data access and productivity from any device through DirectAccess, Office 365 (Exchange, Lync, and SharePoint), and SkyDrive
- Enhanced end-to-end security, including protection for the client, the connection, and the infrastructure
- The ability to manage the entire ecosystem from a single pane of glass using System Center 2012 Configuration Manager or Windows Intune
Devices

Like other IT organizations, Microsoft IT has seen a tremendous increase in the number and diversity of devices used by employees. These devices range from enterprise devices (PCs and slates) to companion devices (Windows and non-Windows tablets and smartphones) to non-devices like Windows To Go. Microsoft IT manages more than 290,000 PC-based devices, and more than 90,000 mobile devices synchronize with the corporate network. Microsoft IT has embraced BYOD, which means employees can use their own devices for work and can pick the best device for the task at hand. Employees retain control over their devices, but Microsoft IT enforces policies on how the devices access the corporate network.

Embracing Modern IT results in a variable user experience in which the level of access to resources is determined by the user's identity, the user's location, the classification of the data, and the device itself. For example, fully managed devices on the Standards List can join a domain and have a Trusted Platform Module (TPM) chip that protects the device encryption keys. When a fully managed device is connected directly to the corporate network, a user with appropriate permissions can access everything, including the most sensitive materials. The same user on the same fully managed device cannot access the most sensitive materials when connecting remotely to the corporate network through DirectAccess, however, and has even more restricted access when connecting from a country such as Russia or China. Each factor can only narrow access: a trusted device does not restore access that the connection path or location has removed. The device itself also determines the user experience. Users of lightly managed devices (no TPM chip, cannot join a domain) can access only corporate email and calendar data, and must, at a minimum, allow Microsoft IT to enforce encryption, automatic wipe (for example after repeated failed PIN attempts), and a 4-digit PIN.
The organization needs to establish a matrix (based on its risk tolerance) that defines the various access scenarios and determines what data can be accessed in each. This matrix can act as a purchasing guide for employees, setting expectations and educating them about which applications, productivity tools, and data they will be able to reach from each device. Otherwise, employees might purchase devices that they can't use because the devices don't meet their access needs. Nothing is more detrimental to an IT organization than undermining its credibility and trust.
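As an added illustration of such a matrix (this is example code written for this page, not Microsoft IT's policy engine or any product's code), the following PowerShell treats each attribute of a request as a ceiling on the highest classification it may reach, lets the most restrictive ceiling win, and fails closed when an attribute value the matrix does not know appears. The tier and connection names, the ceilings assigned to DirectAccess and to the high-risk-region case, and the function names are assumptions chosen to reproduce the scenarios described above; Microsoft IT's actual values are not on this page.

```powershell
# Added example: a deny-by-default access matrix evaluated as "most restrictive ceiling wins".
# Classification order follows the page's three tiers; 'None' means no corporate data at all.
$ClassRank = @{ None = 0; LBI = 1; MBI = 2; HBI = 3 }

# Hypothetical ceilings matching the scenarios in the text (not Microsoft IT's real matrix).
$DeviceCeiling = @{
    FullyManaged   = 'HBI'  # Standards List device: domain-joined, TPM-backed encryption
    LightlyManaged = 'LBI'  # no TPM, not domain-joinable: email and calendar only
}
$ConnectionCeiling = @{
    Corpnet      = 'HBI'    # connected directly to the corporate network
    DirectAccess = 'MBI'    # remote: the most sensitive (HBI) material is withheld
    ActiveSync   = 'LBI'    # Exchange ActiveSync: mail and calendar
}
$LocationCeiling = @{
    Default        = 'HBI'
    HighRiskRegion = 'LBI'  # assumed value for the "even more restricted" case
}

function Get-AccessCeiling {
    <# Highest classification a request may reach, or 'None' if any attribute is unknown. #>
    param(
        [Parameter(Mandatory)] [string] $DeviceTier,
        [Parameter(Mandatory)] [string] $Connection,
        [string] $Location = 'Default'
    )
    $lowest = 'HBI'
    foreach ($ceiling in @($DeviceCeiling[$DeviceTier],
                           $ConnectionCeiling[$Connection],
                           $LocationCeiling[$Location])) {
        # An attribute the matrix does not list yields $null: fail closed rather than open.
        if (-not $ClassRank.ContainsKey([string] $ceiling)) { return 'None' }
        if ($ClassRank[$ceiling] -lt $ClassRank[$lowest]) { $lowest = $ceiling }
    }
    return $lowest
}

function Test-DataAccess {
    <# $true when data of the given classification is reachable from this device, path and place. #>
    param(
        [Parameter(Mandatory)] [string] $DataClass,
        [Parameter(Mandatory)] [string] $DeviceTier,
        [Parameter(Mandatory)] [string] $Connection,
        [string] $Location = 'Default'
    )
    if (-not $ClassRank.ContainsKey($DataClass) -or $DataClass -eq 'None') { return $false }
    $ceiling = Get-AccessCeiling -DeviceTier $DeviceTier -Connection $Connection -Location $Location
    return ($ClassRank[$DataClass] -le $ClassRank[$ceiling])
}

# The scenarios from the text: the same user on the same fully managed device in the first three,
# then a lightly managed phone, then a device tier the matrix has never heard of (denied, not granted).
Test-DataAccess -DataClass HBI -DeviceTier FullyManaged -Connection Corpnet
Test-DataAccess -DataClass HBI -DeviceTier FullyManaged -Connection DirectAccess
Test-DataAccess -DataClass MBI -DeviceTier FullyManaged -Connection DirectAccess -Location HighRiskRegion
Test-DataAccess -DataClass LBI -DeviceTier LightlyManaged -Connection ActiveSync
Test-DataAccess -DataClass LBI -DeviceTier Unknown -Connection Corpnet
```

The point of the "ceiling" shape is that adding a new dimension (say, an authentication strength) never widens access; it can only add another cap. Publishing the three tables is the purchasing guide the paragraph above asks for, and the fail-closed branch is what keeps a newly purchased, unclassified device from quietly landing in the most permissive row.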
Data

Microsoft IT has shifted from a mindset of trying to control all devices (which is impossible with today's proliferation of devices) to a light control model in which IT focuses on protecting data and providing access from anywhere on any device. Microsoft IT has determined that it can best protect its data and intellectual property by focusing on governance and on user and device identity. Microsoft IT controls whether users have access to data based on:

- Data classification and security policies. Microsoft uses a simple three-tier data classification model: High Business Impact (HBI), Medium Business Impact (MBI), and Low Business Impact (LBI). It's essential that employees understand data classification and security policies.
- Who you are and the permissions attached to your identity. An identity can be a user, a group, or a service.
- The identity of the device. Employees can work whenever and wherever they want, provided the device with which they access corporate data can be identified, authenticated, and shown to meet security requirements.

Cloud applications in the Windows 8 Ecosystem make it possible to access data from anywhere on any device. For example, employees can use SkyDrive Pro to store files and access them from anywhere on any device (even a non-domain-joined device) using a standard browser; the identity, device, and classification rules above still govern what can be reached. SkyDrive Pro also serves as a data protection and disaster recovery solution for client files: if the organization invests in a readiness and adoption program for SkyDrive Pro, it can back up the SkyDrive Pro environment on the back end and stop worrying about client data backups, a significant cost saving.
Management

In addition to focusing on data rather than devices, IT needs to shift to a light control model for devices, which means, at a minimum, enforcement of a strong password, remote wipe capability, and encryption (optional, depending on the risk tolerance of the organization). This sounds risky, but it is not if you fully protect the data and keep all intellectual property contained within the firewall. The light control model offers significant benefits and savings for the CIO by getting the IT organization out of the patching and OS update business for these personally owned devices. Microsoft IT uses System Center 2012 Configuration Manager and Exchange ActiveSync (which provides access to corporate email and calendar data with policy enforcement and wipe capabilities) to track and manage the broad array of devices that connect to the corporate network. Note that Exchange ActiveSync policies are applied by the device's mail client; the server's lever is to refuse synchronization to devices that do not report compliance. System Center 2012 Configuration Manager also provides the management infrastructure for System Center 2012 Endpoint Protection and a single infrastructure for asset, usage, and desired-configuration management for personal and virtual desktops. The Windows 8 Ecosystem offers management choices depending on the needs of the organization. For example, Microsoft IT uses Windows Intune to manage Windows RT and Windows Phone devices. Windows Intune can wipe just the enterprise data from a personal device, leaving personal data intact.
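To make the light control model concrete, here is an added example (not Microsoft IT's configuration, and not code from this page) that expresses the minimum controls described above, a 4-digit PIN, encryption, and automatic wipe, as an Exchange ActiveSync mailbox policy, assigns it, and performs a remote wipe. It uses Exchange 2013 Management Shell cmdlets; the policy name, the mailbox address, the device ID, the failed-attempt threshold and the idle-lock timeout are placeholders and assumed values.

```powershell
# Added example (not Microsoft IT's configuration): Exchange 2013 Management Shell cmdlets.
# Policy name, mailbox address, device ID and numeric thresholds are placeholders.

# 1. A "light control" policy for personally owned phones: PIN, encryption, wipe on abuse.
$policy = @{
    Name                         = 'BYOD-LightControl'  # placeholder policy name
    PasswordEnabled              = $true
    MinPasswordLength            = 4                    # the 4-digit PIN the text describes
    AllowSimplePassword          = $true                # a numeric PIN counts as a "simple" password
    MaxPasswordFailedAttempts    = 10                   # device wipes itself after 10 failures (assumed threshold)
    MaxInactivityTimeLock        = '00:05:00'           # lock after 5 idle minutes (assumed)
    RequireDeviceEncryption      = $true                # no sync unless device storage is encrypted
    AllowNonProvisionableDevices = $false               # clients that cannot apply the policy get no mail
}
New-MobileDeviceMailboxPolicy @policy

# 2. Assign it to a mailbox; mailboxes without an explicit policy get the organization default.
Set-CASMailbox -Identity 'alice@contoso.com' -ActiveSyncMailboxPolicy 'BYOD-LightControl'

# 3. Review what is synchronizing, whether each device is wipe-capable, and its access state.
Get-MobileDeviceStatistics -Mailbox 'alice@contoso.com' |
    Select-Object DeviceId, DeviceType, DeviceOS, LastSuccessSync, IsRemoteWipeSupported, DeviceAccessState

# 4. Remote wipe of a lost device. Exchange queues the command and it takes effect only when the
#    device next connects, which is why encryption at rest is enforced in step 1 as well.
$lost = Get-MobileDevice -Mailbox 'alice@contoso.com' |
    Where-Object { $_.DeviceId -eq 'ABC123XYZ' }       # placeholder device ID
Clear-MobileDevice -Identity $lost.Identity -NotificationEmailAddresses 'alice@contoso.com' -Confirm:$false
```

On Exchange 2010 the same controls live in New-ActiveSyncMailboxPolicy (DevicePasswordEnabled, MinDevicePasswordLength, MaxDevicePasswordFailedAttempts, RequireDeviceEncryption), Get-ActiveSyncDeviceStatistics and Clear-ActiveSyncDevice. The Windows Intune selective wipe mentioned above is a separate mechanism and is not shown here; the ActiveSync wipe in step 4 is a full device wipe.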
Security

Security in the Modern IT Experience is all about managing risk. It's about knowing where your data is and what you're really trying to protect. This is particularly true in an era of Bring Your Own devices, apps, and data. How does IT protect corporate data stored on a personal device? When an employee brings their own application into the enterprise, who is responsible for licensing it? And who owns the personal data stored on a work device? The Windows 8 Ecosystem provides different solutions based on the level of risk an organization is willing to accept. Microsoft IT sees some common practices that an IT department can apply to assess risk levels while creating appropriate practices and internal policies to help safeguard access to sensitive information:

- Invest in raising the bar on IT controls (user profiles, authentication, and access to IT resources).
- Conduct campaigns to raise employee awareness. Employees must understand security policies and be responsible for following them.
- Focus on protecting the data through governance (security policy and data classification) instead of trying to control a proliferation of devices.
- Develop a framework that balances business value against risk mitigation. Microsoft IT uses a four-quadrant approach (Contain, Embrace, Allow with Policy, Block) for new technologies and applications.
Applications

New social and communications technologies provide many benefits to the enterprise, but IT has to have an enterprise platform that it can trust and support. Microsoft provides an evolutionary and comprehensive foundation for the social enterprise through the new Office, SharePoint, Lync, Yammer, and Skype. With Office 365 in the cloud, employees can access sites and information hosted on SharePoint Online anytime, anywhere, and stay in sync. Lync and the Lync Mobile client provide dramatic increases in productivity and collaboration and have become part of Microsoft's communications DNA. Employees chat, join meetings, and share desktops, and can quickly escalate an instant message to voice or video if needed. Employees use SharePoint (and SkyDrive Pro, which is a feature of SharePoint 2013) to share, collaborate on, and co-author documents. For collaboration, employees can use a SharePoint Online site or a Yammer group. Teams that rely primarily on document management favor SharePoint sites; teams more focused on conversations favor Yammer. With Yammer, employees connect, learn, and help each other solve business challenges across the globe.

For more information about the Modern IT Experience, go to: http://www.microsoft.com/microsoft-it

© 2013 Microsoft Corporation. All rights reserved. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.