You Can Bring Your Own Device, but Identity too?

Jim DuBois is interim CIO of Microsoft. DuBois is responsible for the company's global security, infrastructure, IT messaging, and business applications. He was named to this position in May 2013. DuBois' prior assignments with Microsoft include leading IT application development and support teams, managing the corporate IT infrastructure, leading the IT organization in Asia as well as Europe, Middle East and Africa.
During the past months I've been fortunate to attend industry and Microsoft events with other enterprise CIOs to learn from them and share how Microsoft runs its internal IT organization. The conversations ranged from governance and risk management to cloud computing and devices. Yet what's struck me is that devices, especially personal devices in the enterprise, are discussed first and foremost. With the growth of personal devices and consumer experiences in the enterprise, users expect to use personal devices to gain access to work data and applications. They also expect to access consumer services from both personal devices and company-provided devices.
The part of the discussion that is overshadowed by talk of 8-inch and 10-inch devices is identity. After all, when it comes to Bring Your Own Device (BYOD), there is no "i" in BYOD. And yet, Microsoft IT and other enterprise IT organizations are moving to a world where our data and applications will need to accept identity credentials from multiple providers rather than only from internal corporate Active Directory services. There are business needs for accepting these multiple providers, such as federation agreements with business partners, use of consumer identities for public services such as marketing event sites, and online service offerings. Regardless of the reasons, use of consumer identity providers is on the rise, and IT organizations need to provide clear guidance on acceptable usage within their organizations.
In this blog post, I'll update you on Microsoft's internal adoption of BYOD, including what we're doing around identity.
What do you want to do now?
Microsoft IT enables employees to bring their own devices to work. IT distributes personal hardware budgets to internal departments. We have worked hard to make IT-standard devices compelling and easy to acquire, but teams can buy what they want. We have clear support practices that depend on the device.
We expanded our device support with the growth of tablets and smartphones. We believe internal users should opt into being managed by IT, giving up some control in order to get more access to corporate resources. For example, if the device doesn't have TPM-enforced BitLocker and multi-factor authentication, the user can't get to sensitive data. We recommend Windows-based devices over others due to usability and security, and we provide guidance to employees with personal devices. That said, we have more than 10,000 iOS and Android devices on our network, and many more Macs (Microsoft has software for the Macintosh and a dedicated business group). The IT technical case study on unified device management has more details.
The device information is useful concerning IT manageability and security. But the more important knowledge for IT is to know what employees want to do with the devices. Armed with this knowledge, we can enable productivity with any device.
Microsoft IT recently surveyed employees' interests regarding tablet and smartphone use. The surveys allowed us to compare what users want from tablets versus smartphones. Tablet use to augment work decreased to 69% from 83% last year (not shown on chart). The importance of social activities at work using a tablet dropped to 54% from 68%, but moved to smartphones, which is up to 47% from 0% a year prior. I believe both of these trends are due to the hardware refresh in the company and the greater capabilities of Windows Phone to access corporate assets. This last point is reinforced by survey responses showing that interest in connecting to more internal applications and services increased more than 20%, for both tablets and phones.

You can see we're enabling many of these use cases today, have introduced new capabilities and continue to pilot new ones. I'll highlight one case: IT managing and accommodating the proliferation of devices while letting the user stay in control of the experience. We're using a hybrid approach, System Center Configuration Manager connected to Windows Intune, to provide mobile device management capabilities for personal devices beyond what Exchange ActiveSync offers. Employees can opt in devices to be governed without being domain joined, and in return those devices can access more corporate resources than they otherwise could.
But Who Are You?
While the work we're doing with devices is important, it unfortunately overshadows the important work around identity. Microsoft has a complex business model, with multiple channels reaching multiple types of customer segments around the world. This type of business model requires IT to accept multiple identity providers. In our case, that means federation agreements with thousands of Microsoft business partners, use of consumer identities for public services such as Microsoft marketing event sites, and even Microsoft online service offerings. To give you a better sense of the federated identity scale we operate at, we now handle 300 authentications per second via Active Directory Federation Services, compared to 100 authentications per second a year ago.
Consumer identity provider usage is on the rise in our IT environment, and likely yours, and my team needs to provide clear guidance on acceptable usage to Microsoft developers, marketers, sellers and more. The near-term requirement is to provide an inventory of identity providers and to categorize them by level of assurance and by acceptable usage for High Business Impact, Moderate Business Impact, or Low Business Impact resources at Microsoft.
I'll share with you the core identity scenarios we're managing:
  • As a user, I can authenticate to line-of-business applications and services with a simple authentication solution for a variety of modern devices.
  • As a user, I can authenticate to corporate access services (VPN, remote desktop gateway) with virtual smart cards or another form factor that provides appropriately strong authentication.
  • As a developer, I can easily build applications to accept an authentication solution for modern devices.
  • As a developer, my application has the ability to validate device health and user claims to determine appropriate levels of access.
With these scenarios as a backdrop, we invested in building a virtual smart card provisioning service for Microsoft Surface RT and Windows 8 clients. In addition, we initiated research on options for a strong authentication solution for modern devices and applications, concluding that one-time passwords delivered through Windows Azure Multi-Factor Authentication would be a viable channel. Finally, formal guidance was drafted on the appropriate use of consumer identities for Microsoft business needs.
Going forward, our primary focus will be on defining the appropriate strong authentication solution that is easily consumable for modern devices and accepted by modern applications. A second area of focus will be working with the system management team to further the definition and usage of device health validation scenarios, and piloting the use of these device claims in mock-up applications that can showcase these scenarios.
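The scenarios above (an identity-provider inventory graded by assurance level, access tiered by business impact, and applications that weigh device health claims alongside user claims) can be expressed as a single access decision. The following is an added example, not Microsoft IT's code or policy; the issuer names, assurance levels and rules are constructed assumptions that a practitioner would replace with their own inventory.

```python
from dataclasses import dataclass, field

# Business impact classes named in the post, least to most sensitive.
LBI, MBI, HBI = "LBI", "MBI", "HBI"

# Constructed identity-provider inventory: token issuer -> assurance level.
# 1 = consumer identity, 2 = federated business partner, 3 = corporate directory.
IDP_ASSURANCE = {
    "consumer-idp.example": 1,
    "partner-federation.example": 2,
    "corp-adfs.example": 3,
}

# Minimum issuer assurance each impact class accepts (constructed policy).
MIN_ASSURANCE = {LBI: 1, MBI: 2, HBI: 3}

@dataclass
class UserClaims:
    subject: str
    issuer: str          # identity provider that issued the token
    mfa: bool = False    # e.g. OTP via Azure MFA or a virtual smart card

@dataclass
class DeviceClaims:
    managed: bool = False        # opted in to IT management (not domain joined)
    tpm_bitlocker: bool = False  # TPM-enforced BitLocker present

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def evaluate(resource_class, user, device):
    """Return a Decision; every failed rule is recorded as a reason."""
    reasons = []
    level = IDP_ASSURANCE.get(user.issuer)
    if level is None:  # fail closed: an unlisted issuer never gets access
        return Decision(False, ["issuer not in identity-provider inventory"])
    if level < MIN_ASSURANCE[resource_class]:
        reasons.append(f"issuer assurance {level} below {MIN_ASSURANCE[resource_class]} for {resource_class}")
    if resource_class == HBI:
        if not user.mfa:
            reasons.append("HBI requires multi-factor authentication")
        if not (device.managed and device.tpm_bitlocker):
            reasons.append("HBI requires a managed device with TPM-enforced BitLocker")
    elif resource_class == MBI and not device.managed:
        reasons.append("MBI requires an IT-managed device")
    return Decision(not reasons, reasons)
```

Returning every failed rule rather than the first one makes the decision auditable and lets a client tell the user which step (enrolling the device, turning on BitLocker, using a stronger credential) would unlock the resource.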
As you can see, it's time to start putting an "i" in BYOD.

Jim DuBois