Consumerization of IT at Microsoft: Adapting to Change
Business Case Study
Published March 2014
The following content may no longer reflect Microsoft’s current position or infrastructure. This content should be viewed as reference documentation only, to inform IT business decisions within your own company or organization.
Microsoft IT is embracing the consumerization of IT. The trend is spurring substantial investment at Microsoft in the areas of devices, identity, applications, and social experiences.
Microsoft is an environment of change, with the latest software and hardware advances constantly pushing the boundaries of corporate IT's charter. To effectively manage both users' expectations and the mandates of information security, Microsoft IT needed to develop a programmatic approach to technology adoption—one that would foster innovation without increasing risks by introducing uncontrolled technologies. This is particularly true when considering the impacts of trends in Bring Your Own Device (BYOD) scenarios.
MSIT's assumption is that employees do their best work when using the devices they love, and that allowing greater flexibility in the methods of access to information helps employees be more productive. Thus, Microsoft's internal investments in Consumerization of IT have focused on delivering solutions centered on the desires of our end-users, and on delivering the usability they are requesting. Through multiple efforts across the four key CoIT categories, Microsoft implemented practices to enhance individual productivity with developments in Internet access, remote access, and LOB application experiences.
Microsoft Information Technology (Microsoft IT) manages the infrastructure, applications, and services across the global operations of Microsoft. At Microsoft IT, we began to see a shift in how employees were accessing corporate resources. As in other IT organizations around the world, an increasing number of users were bringing their own devices, Internet identities, applications, and social networks with them to work. Moreover, these entities were being linked to Microsoft systems in a way that simultaneously let employees conduct work on personal devices and engage consumer services from company-owned systems. We call this shift the consumerization of IT.
These changes have influenced employees' daily lives, enabling a comingling that at once improved productivity and efficiency. These changes also assisted in developing a better balance between home and work. In addition, new product launches of Windows Phone and Microsoft Surface devices in 2012 meant that employees were rapidly adopting a new generation of company-owned smartphones and tablets. These products introduced myriad applications and services designed for mobile platforms. The fast-moving business environment at Microsoft pushed users to seek new collaboration tools and communication methods that integrated with personal social networking technologies.
This case study provides an overview of how Microsoft is adopting initiatives for the consumerization of IT, along with trends and benefits.
Opportunities in the Consumerization of IT
The driving force behind the consumerization of IT is to encourage and enable employees' productivity on whichever portable and mobile devices they prefer to use. Providing such a work environment at Microsoft is a top priority as we seek to empower users in a rapidly changing business. We believe that the benefits of the consumerization of IT can be measured in terms of end-user productivity gains and better control of work versus personal demands.
The New IT
There are numerous definitions for the consumerization of IT across the industry. In 2011, after extensive research, Microsoft IT developed an approach and strategy for the consumerization of IT. We defined it around four primary categories with which to evaluate industry needs and developments. Table 1 defines these categories.
Table 1. Categories of the consumerization of IT.
- Devices: Individuals expect to use personal devices to gain access to work data and applications.
- Identity: Identity spans both personal and work experiences, enabling access to enterprise resources through consumer identities.
- Applications: Consumer applications exist in the enterprise, and business applications exist on employees' personal devices.
- Social experiences: Social experiences exist for collaborating and for augmenting line-of-business (LOB) applications.
The major industry trends associated with the consumerization of IT provide an overview of the pressures on enterprise IT groups from consumer technologies.
Smartphones achieved a major milestone in 2012: For the first time in history, the number of devices sold worldwide exceeded the number of PCs sold. With this growth, enterprises will continue to see user demand for access to corporate resources from personal devices.
Industry research shows that adoption of personal devices for work-related usage (sometimes called "Bring Your Own Device" or BYOD) has been steadily increasing and is now at an all-time high. For example, almost 100 percent of Microsoft employees have at least one companion device that they use to read and compose email from both work and personal accounts.
Many businesses employ identity federation (the sharing of identities across organizational boundaries) as the method to enable collaboration between entities. But deployment is time-consuming and requires IT organizations to establish trusted relationships with one another. We are now seeing demands for simpler methods to authenticate users from modern devices that still meet corporate requirements.
For example, entering a 20-character password along with a domain\username combination is not a good experience on a small-screen phone. Users need alternatives for authentication on personal devices, because today's smart cards do not work with phones or tablets. In addition, we believe that more organizations will view consumer identity providers (such as Google, Yahoo!, Facebook, and Microsoft) as not only acceptable, but preferred as the authentication method to gain access to certain business functions.
The primary opportunities in the application category are the expected growth in LOB marketplaces and the use of consumer applications in the enterprise. The use of consumer applications in the enterprise can increase by users' choices or by being embedded in enterprise products.
Industry players—including Amazon, Microsoft, Google, and Salesforce—recognize the consumer trends around mobile marketplaces (for example, Microsoft Windows Store or Google Play). These companies are delivering application store platforms and ecosystems to bring compelling value to end users. As new mobile devices join work environments, enterprises will want to distribute LOB applications to users through the same model. We expect to see continued interest in the development of such marketplaces, and in the guidance for businesses to implement their own application stores.
In addition to the blurring between consumer and business purchasing mechanisms, we are seeing increased integration of consumer applications and services with enterprise software. However, businesses must educate employees about proper usage. Security controls are not readily available for these types of consumer services. Corporate IT groups generally do not have jurisdiction to control them, either. Essentially, this end-user empowerment means that users wield greater control over, and greater responsibility for, the actions that they take on company-owned data.
The continued massive growth of Facebook, Twitter, and other social media environments is leading to a convergence of social experiences in classic software applications. Early evidence shows that users appreciate when social and mobile usage is combined with search, email, and LOB applications. These developments are inspiring enterprises to foster such experiences in order to benefit from the social phenomenon. These enterprises anticipate increased productivity resulting from greater sharing and collaboration within their organizations.
Understanding the Consumerization of IT at Microsoft
The approach to the consumerization of IT at Microsoft centers on solutions that deliver the usability that users want.
Our assumption at Microsoft IT is that employees do their best work when they are using the devices that they love. So allowing greater flexibility in the methods of access to information helps employees be more productive. This provides the business impetus for giving employees varied options to use devices and applications in the way that suits them best. The choice of personal device also enables employees to more effectively balance work and life demands. And it increases user satisfaction with their work environment.
We completed an internal survey in January 2013 that gauged Microsoft employees' usage of personal tablets. Figure 1 shows the results of the January 2013 tablet survey.
Figure 1. Number of hours per week that employees spent doing work with a personal tablet.
Excluding the most advanced users, 56 percent of Microsoft employees said they used their personal tablet for up to 10 hours per week for work-related tasks. At the other end of the spectrum, 17 percent said they did not want to use their tablet for work at all. Those employees most commonly cited a preference to keep their personal and work tasks separate.
The survey also detailed what work employees were doing with their devices. Figure 2 provides survey results of replies to the question "How important is it to you to be able to do the following activities on your tablet?" Results like these help us understand what employees want.
Figure 2. Activities that employees want to perform on their tablets.
In line with our expectations and investments, the top three tasks that employees identified included surfing the Internet, accessing email, and viewing Microsoft Office files or PDFs.
As an example of the overall approach to the consumerization of IT at Microsoft, we focused on these areas by making it easier for employees and business guests to connect wirelessly to the Internet via MSFTOPEN. MSFTOPEN is a wireless guest network that is similar to a public hotspot. It helps encourage productivity while helping to prevent unknown devices from joining the main corporate wireless network.
The fundamental goal was to deploy a basic infrastructure that would support simplified, security-compliant access to the Internet from mobile endpoints (personal phones, tablets, and laptops) on internal networks.
In Review: Microsoft IT Investments
We have implemented practices to enhance individual productivity through measured programs and support. These investments are in the areas of Internet access, remote access, and LOB application experiences.
Most full-time Microsoft employees have a Windows 8 phone as well as a Microsoft Surface RT tablet, yielding an IT-provided device-to-person average ratio of 2:1. And although other device types at Microsoft will not grow significantly, employees, business guests, and vendors on the network are using other technologies such as Android, Apple iPad, Kindle Fire, Windows 8–based computers, and Microsoft Surface Pro.
Recent improvements in Windows-based devices, such as device encryption, mean that modern tablet designs and phones will see greater security controls. These controls will make them better suited to access the Microsoft corporate network.
We expect individuals to continue using non-corporate devices for access to consumer-level and enterprise-level applications and services—from both on and off the corporate network. Users increasingly want to be productive with these personal devices. This productivity takes advantage of the broad range of mobile client software that is now available for cloud applications (such as Microsoft Lync communications software and Microsoft SkyDrive storage technology).
Core Device Scenarios
Our goals include enabling users to be more productive with enterprise information, communication services, and business tools. The adoption of mobile devices, therefore, leads to a set of use cases. Each employee or guest needs to:
- Easily access the Internet wirelessly.
- Use a device to access email, calendar, and contacts.
- Use a device to access Microsoft Office files.
- Easily identify how to enroll in "light management" experiences.
- Enroll in data governance mechanisms to gain greater levels of access (virtual private network [VPN] or corporate applications).
- Access applications that were typically used only from IT-provided computers via Remote Desktop.
Investments and Progress
Microsoft IT has undertaken a number of projects to bring the preceding scenarios to life.
We deployed MSFTOPEN at scale for business guests and employees to use with their personal devices, while still maintaining the security and integrity of corporate data. MSFTOPEN is operational across Microsoft buildings in the Puget Sound region. A focus on broader deployment to other US and worldwide offices is under way.
We partnered with the Microsoft System Center product team to define the concept of a "light management" scenario and improve multiple-device management capabilities. The latter task included implementing health validation capabilities such as machine certificates, security policy, device encryption, monitoring, and logging. These efforts also enabled both employee-owned and managed devices to access resources on the corporate network.
In addition, working with the Windows Division, we helped develop a VPN client for Windows RT to enable remote access. We have invested in the VPN infrastructure to accommodate greater scalability for an increasing number of user devices.
Identity Providers and Consumer Identity Providers
The technology industry is moving toward accepting identity credentials from multiple providers—instead of strictly corporate directory services—for accessing data and applications. This acceptance will apply to federation agreements with business partners, consumer identities for public services (for example, marketing event sites), and online service offerings.
At Microsoft IT, we must provide clear guidance for acceptable usage to internal developers and product teams when we are integrating such public services with the Microsoft implementation of Active Directory Domain Services (AD DS) or other corporate online services. In the near term, this mandate requires us to develop an inventory of identity providers, and then categorize the providers into levels of assurance and acceptable usage for various levels of data privacy for resources at Microsoft.
Core Identity Scenarios
As with mobile devices, we developed several key use cases for authenticating to different identity mechanisms.
In the first group, end users need access to LOB applications and services through a simple solution that is appropriate for a variety of modern devices, such as tablets and smartphones. In addition, users need corporate access services (for example, VPN or Remote Desktop Gateway) which use virtual smart cards or other form factors that are appropriate for strong security.
In the other group, developers must be able to easily build applications that accept an authentication solution for modern devices. The authentication solution must be able to validate device health and user claims to determine appropriate levels of access. This use case includes new and compelling scenarios for applications by using social graph information from different Microsoft online services.
Investments and Progress
Our investments have focused on building a virtual smart-card provisioning service for Surface RT and Windows 8–based client computers. In addition, we drafted formal guidance for the appropriate usage of consumer identities for Microsoft business needs.
As one of the higher priorities for investments, applications represent the largest change in thinking from prior strategies. Previously, we focused on proper access to consumer applications, and enabling remote access to existing applications in the enterprise via either web publishing or Terminal Services solutions. The assumption was that keeping applications on the internal corporate network without exposing them to the Internet would be the most secure approach. Access required users to transit via VPN or Terminal Services publishing connections.
However, recent research has shown increased protection by enabling enhancements in application development so that more sensitive applications (for example, applications that access Human Resources information) can enforce appropriate security controls. These enhancements will, in turn, validate device and user attributes that allow applications to make authorization decisions instead of having an infrastructure service make access decisions on their behalf.
To be a leader in this area and an example to customers, Microsoft IT must itself seek to publish these sensitive applications to employees' consumer devices. We must also encourage product teams to deliver aligned capabilities. We are currently defining this application design model, and future investments will focus on developing architectures and standards that are related to this approach.
Core Application Scenarios
The primary audience for these more compelling mobile applications and experiences is, of course, the end user. Microsoft employees need to access sensitive information—such as personal employment data or healthcare data—wherever they may be. They need access not just from a web browser on a laptop, but from personal devices at remote locations.
Thus, developers need to be able to:
- Build applications that make authorization decisions based on user and device attributes.
- Access repeatable guidance and reference architectures to accelerate the development of applications for modern devices.
- Have one process for submission of applications to LOB marketplaces for Windows, Microsoft Office, and Windows Phone.
An additional community, security professionals, must review and confirm that LOB applications have the right level of security controls to permit access while helping to protect the applications and corporate data.
Investments and Progress
Our investments have focused on developing a company hub application (an application that equates to the corporate intranet portal) on Windows Phone. Our investments have also focused on providing guidance for developers to produce compatible modern applications that can display certain sensitive data on personal devices, and broader information on corporate devices or corporate-connected devices.
In addition to the company hub, Microsoft IT delivered pilots for application publishing via Terminal Services. These pilots demonstrated how the mechanism is an effective solution that provides good segmentation of security boundaries.
In 2012, Microsoft acquired social networking service Yammer. The direction in the industry is that social experiences and capabilities will become integrated with enterprise applications and services such as Microsoft Office, Windows, and Microsoft Office 365 hosted productivity software. Product groups within Microsoft are moving in the same direction.
From an enterprise perspective, it is interesting to have software with built-in social capabilities. But the real value of social experiences will occur when social capabilities are integrated across LOB applications in addition to packaged products and services.
Core Social Scenarios
We carefully consider how users interact with peers and information through social services. And we realize the importance of fostering communications without impeding productivity, and without risking exposure to information leakage, trademark and brand reputation issues, or patent and copyright issues.
The steps that we are taking center on:
- Enabling users to collaborate with internal and external users, share data, and participate in conversations easily and securely.
- Enabling users to access media content on personal devices for training, education, and business purposes.
- Enabling developers to build applications with social experiences in mind.
Investments and Progress
The focus so far has been on providing education and awareness to employees regarding acceptable use of social media and networks. With the Microsoft acquisition of Yammer, we are also focused on proofs-of-concept for external network collaboration along with new forms of user-empowered governance for these social communities.
To determine further investments in the consumerization of IT, Microsoft identified goals for providing rich experiences while allowing personal devices and services to be used inside the company. Indeed, to provide leadership to the industry, Microsoft had to re-envision how its own users could consume emerging technologies through simplified, consistent mechanisms.
The basic strategy for enabling the use of personal devices and services in Microsoft is to build on what we defined as the Variable User Experience (VUE) concept. Figure 3 illustrates the concept. The idea is simple: gaining access to application and data resources requires validation of the user, device, and location.
Figure 3. VUE concept.
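The VUE idea above, written as an application-side authorization check. This is an added example, not Microsoft IT's code; the `Signals` fields, the sensitivity labels, and the three access tiers are assumptions chosen to mirror the user, device, and location validation and the device health checks that the case study names.

```python
from dataclasses import dataclass, replace
from enum import IntEnum


class Access(IntEnum):
    DENY = 0
    LIMITED = 1  # only certain sensitive data is displayed
    FULL = 2     # broader information is displayed


@dataclass(frozen=True)
class Signals:
    # User signals
    authenticated: bool
    identity_provider: str   # assumed labels: "corporate" or "consumer"
    strong_auth: bool        # e.g. a virtual smart card was used
    # Device signals (health checks listed in the case study)
    corporate_owned: bool
    machine_certificate: bool
    device_encrypted: bool
    policy_compliant: bool
    # Location signal
    on_corporate_network: bool


def device_health_failures(s):
    """Return the names of the device health checks that did not pass."""
    checks = {
        "machine_certificate": s.machine_certificate,
        "device_encrypted": s.device_encrypted,
        "policy_compliant": s.policy_compliant,
    }
    return [name for name, ok in checks.items() if not ok]


def decide(s, sensitivity):
    """Hypothetical policy. Returns (Access, reasons) and fails closed."""
    if not s.authenticated:
        return Access.DENY, ["user not authenticated"]
    if sensitivity == "public":
        return Access.FULL, ["public resource"]
    if sensitivity not in ("internal", "sensitive"):
        return Access.DENY, [f"unknown sensitivity {sensitivity!r}"]
    if s.identity_provider != "corporate":
        return Access.DENY, ["consumer identity not accepted for this resource"]
    failures = device_health_failures(s)
    if failures:
        return Access.DENY, [f"device check failed: {f}" for f in failures]
    if sensitivity == "internal":
        return Access.FULL, ["corporate identity on a healthy device"]
    # Sensitive data (for example HR records) also needs strong authentication.
    if not s.strong_auth:
        return Access.DENY, ["strong authentication required"]
    if s.corporate_owned or s.on_corporate_network:
        return Access.FULL, ["corporate or corporate-connected device"]
    return Access.LIMITED, ["personal device off the corporate network"]


# Constructed sample inputs, not real telemetry.
MANAGED_LAPTOP = Signals(True, "corporate", True, True, True, True, True, True)
PERSONAL_TABLET = replace(MANAGED_LAPTOP, corporate_owned=False,
                          on_corporate_network=False)
UNENCRYPTED_PHONE = replace(PERSONAL_TABLET, device_encrypted=False)
CONSUMER_GUEST = replace(PERSONAL_TABLET, identity_provider="consumer",
                         strong_auth=False)

if __name__ == "__main__":
    samples = [("managed laptop", MANAGED_LAPTOP),
               ("personal tablet", PERSONAL_TABLET),
               ("unencrypted phone", UNENCRYPTED_PHONE),
               ("consumer guest", CONSUMER_GUEST)]
    for name, sig in samples:
        for level in ("public", "internal", "sensitive"):
            access, reasons = decide(sig, level)
            # The reasons list is what an application would write to its audit log.
            print(f"{name:18} {level:10} {access.name:8} {'; '.join(reasons)}")
```

Returning the reasons alongside the decision gives the monitoring and logging side a record of which signal caused a denial or a reduced view.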
We believe that in the future, employees will use their own devices for accessing LOB applications natively, without going through additional steps for connectivity (for example, VPN or Terminal Services).
In the short term, our investments in consumerization of IT will focus on enabling productivity through enhanced experiences on modern devices:
- Device management and registration across multiple platforms
- Delivery of "showcase" modern LOB applications on employees' personal devices
- Remote connectivity to corporate desktops to enable user productivity from personal devices
- Security-compliant synchronization of data across multiple devices
We see a great opportunity to accelerate the adoption of the consumerization of IT at Microsoft. We also see a great opportunity to provide guidance to the industry by enabling our own users to access both work and personal resources from the devices that they prefer. The consumerization of IT is important to Microsoft employees who want to save time and be more efficient. We estimate that, on average, Microsoft will see a benefit of an additional hour in employee productivity each week.
We recently defined a longer-term strategy for consumerization at Microsoft. And we initiated a number of proofs-of-concept and pilots to deliver experiences where users can be productive on personal devices. Collaboration between Microsoft product groups to align consumerization scenarios and use cases across multiple products and services will benefit our customers in the future by providing new ways to take advantage of innovative technologies.
We will continue our investments in enabling the use of personal devices for LOB applications, with integrated identity and social experiences.
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Lync, Office 365, SkyDrive, Surface, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.