Managing the consumerisation of IT is something Microsoft began doing for its own employees long before the term “consumerisation” was coined and applied to IT, Redmond-based Microsoft enterprise technology architect Patrick Hevesi said at his Tech.Ed 2011 presentation, “How to secure and manage the consumerisation of IT”, in Auckland today.
“I’m actually not sure who created the term ‘consumerisation’,” Hevesi said.
Even when he started at Microsoft more than 10 years ago, it was possible to bring in “any machine” and get it connected “at some level”, but the idea of consciously managing a plethora of consumer devices that accessed corporate data and applications was in its infancy.
However, over the years, Microsoft built up policies and practices around managing employees’ own devices that they bring to work, and from which they access company data remotely.
Initiatives such as a company-wide Rights Management Server, gateways and the extension of Exchange active synchronisation to all personal devices used by employees are allowing the management of those devices, he said.
A key step in managing the devices was dividing all corporate data into three levels of confidentiality – low business impact, medium business impact and high business impact.
“When I was a developer at Microsoft, I had access to Windows source code,” he said.
“That was considered to be high business impact.”
On the other hand, data from Microsoft’s internal CRM systems was labelled as medium business impact, and emails were generally low business impact.
“However, there may be a high business impact item within an email,” Hevesi said.
Similarly, every SharePoint document created within Microsoft is given a high, medium or low rating, with sensitive ones encrypted, and each document has a recognised, recorded owner.
The owner of the document uses the Rights Management regime, through Windows Server, and the distributed Active Directory service, to manage the document and determine who has access to it using consumer and personal devices.
Similarly, Network Access Protection, under which all devices that carry Microsoft content have management agents tracking them, and the Unified Access Gateway and Citrix Access Gateway, provide levels of protection of data, including allowing sensitive data to be accessed via consumer devices, but not downloaded to them.
Running applications such as Microsoft Word, PowerPoint and Excel via the Citrix gateway is often a better option than providing remote access to them via a desktop, he said.
But remote desktop access does have many benefits and is enabled with varying degrees of availability of data and applications.
Direct access to many Microsoft applications is available for many employees, and the consumer and home devices that employees access the applications from can be managed by Microsoft’s IT department, using management agents.
Patching those devices is also done automatically by IT, Hevesi said.
When managing the consumerisation of IT in an organisation, it’s not enough to know remote users’ user names and passwords, he said; what device they’re using is also essential, as different consumer devices have different characteristics.
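To make the classification-driven access rules described above concrete, here is an added Python example (not Microsoft’s code). The three impact levels, the owner-granted reader list, the “known device” requirement and the view-only gateway path come from the talk as reported; the exact device state required to hold MBI or HBI locally is an assumption.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

# Added example. The managed/encrypted thresholds below are assumptions,
# not Microsoft's published policy.

class Impact(IntEnum):
    LOW = 1     # LBI, e.g. routine email
    MEDIUM = 2  # MBI, e.g. internal CRM records
    HIGH = 3    # HBI, e.g. product source code

@dataclass(frozen=True)
class Device:
    device_id: Optional[str]  # None: the client could not be identified at all
    managed: bool             # a management agent reports on it (NAP-style)
    encrypted: bool           # disk encryption confirmed by that agent

@dataclass(frozen=True)
class Item:
    owner: str
    impact: Impact
    readers: frozenset = frozenset()  # identities the owner granted (RMS-style)
    parts: tuple = ()                 # nested items, e.g. attachments in an email

def effective_impact(item: Item) -> Impact:
    """An email is LBI by default, but one HBI attachment makes the whole thing HBI."""
    return max([item.impact] + [effective_impact(p) for p in item.parts])

def decide(user: str, device: Device, item: Item) -> str:
    """Return 'deny', 'view' (gateway session, no local copy) or 'download'."""
    if device.device_id is None:
        return "deny"      # user name and password alone are not enough: the device must be known
    if user != item.owner and user not in item.readers:
        return "deny"      # access is exactly what the document owner granted
    impact = effective_impact(item)
    if impact == Impact.LOW:
        return "download"
    if impact == Impact.MEDIUM and device.managed:
        return "download"  # assumed: MBI may live on a managed device
    if impact == Impact.HIGH and device.managed and device.encrypted:
        return "download"  # assumed: HBI needs a managed, encrypted device
    return "view"          # consumer device: sensitive data is accessed, never downloaded
```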
An audience member asked Hevesi in what order the various steps around managing consumerisation of IT should be implemented; he replied that getting encryption, setting up a Rights Management Server, then putting in Network Access Protection and Access Gateways, before enabling Remote Access, was the correct order.