Microsoft Enterprise Web Site
This is a guest post by Bret Arsenault, chief information security officer, Microsoft IT
A few months ago, a gentleman from Dell wrote a blog why CIOs can’t ignore consumerization of IT. I tell CIOs ignore at your own peril.
The topic is a déjà vu moment for me. More than 20 years ago I worked in the IT department of a Fortune 20 company, and the business wanted to start using Microsoft Excel. And at the time I said, “why would I ever bring a PC into my environment to run Excel when I use SAS tabulator, and why would I ever want my data coming off my SAS and VMS system and put it on a PC that could go out the door?” In hindsight, I was wrong then, and I eventually helped the company adopt Microsoft Excel.
Today, it’s a similar discussion with devices, social networking and mobile applications. Chief information security officers are being asked by the CIO, CEO and boards of directors to lead the evaluation and decision process around programs involving personal devices in the workplace, and access to applications that are used for both personal and professional use. I know this because I’m one of those CISOs. Our environment has more than 90,000 mobile devices that sync with Exchange each month, over 600,000 SharePoint 2010 sites housing different types of data, and 1.3 million devices accessing various data our network each month.
My approach will differ from CISOs in other industries and countries because we have different government regulations and industry requirements. That said, I see three common practices that can be applied to assess risk levels and instill the right internal policies to help safeguard access to sensitive information.
First, the IT department needs to invest in raising the bar on IT controls and employee empowerment. It’s a balancing act, and the safety net is called risk and compliance. For our employees, I need to look at how do they consume, create, collaborate and communicate with the activities they perform, as opposed to just consume. Let’s look at a couple of examples.
One example is laptop choice. Microsoft employees can choose from a range of laptops that the company will buy on their behalf, and we refresh them every three years. A TPM chip is required in each laptop, like the Samsung 9 Series, MSI WinPad, or the upcoming Asus B121 slate, so that the employee can use DirectAccess to remotely connect to the company network from anywhere and receive full help desk support when needed. This technology has helped our nomadic workforce stay productive anywhere. However, if employees want to use their own device for work, they can but they’ll receive a different level of help desk support and different level of access to company assets. We publish this policy so employees can make informed decisions.
A second example is Windows Phone. We have tens of thousands connecting to our network, and our employees will be upgrading to the next version called, “Mango.” Enterprise email becomes better with “Mango” because as soon as employees join their phone to the Exchange Server, they immediately have the ability to send and receive rights-protected email. No connecting to download certificates, it works out ofthe box. This feature is important since as approximately 10 percent of company emails are rights-protected. The “Mango” phones also improve employee access to Office365 and Windows Live SkyDrive, and we’re in the process of testing and validating Mobile Clients for Microsoft Lync 2010 with “Mango”phones. We plan to deploy Mango to Microsoft employees later this year.
What about employees who use non-Windows phones? Like the PC choice, employees can use other phones can but they’ll receive a different level of help desk support and access to company assets. We also have a software partner, called GigaTrust, that enables iPhones, iPad and Blackberry devices to read rights-protected emails.
Second, the IT department needs to focus on the data. Devices come and go; data will always be treasured. So we standardize our data classification in the following way: high business impact (HBI); moderate business impact (MBI); low business impact (LBI). By focusing on the data, we can adapt to the ever-changing consumer demands. We also can educate employees on the impact of HBI and MBI data to them and the business. I believe that data classification is more important than questioning which device or application will be used.
Third, IT departments need to develop a framework that balances business value and risk mitigation. We’ve defined trustworthy dimensions, and apply that framework to create policy of what devices and social applications we’ll embrace, allow, contain and block from employees. This step is fundamental to keeping employees productive, especially those who work at client sites and rarely connect to your corporate network. A notable percentage of devices connected to our network are either un-managed or self-managed, and they need to be made compliant so the employee can be productive. More customers are seeing the same trend, and more times than not CISOs in regulated industry are choosing to block the un-managed environment.
I’m interested to hear your thoughts on these three practices.
If you want to know more about how Microsoft IT is managing this situation, you’re in luck. You can read more details of our consumerization of IT strategy here. Or you can watch a nine-minute video from our IT Showcase program here, or the related article here: “How Microsoft Deployed Windows Phone 7 in the Enterprise.”