BYOD: The Essar WayA case study on Infrastructure in IT/ITeS
CTO, Essar Group
Every time a new device, OS or application, enters our IT system, we like to assume that the device is hostile till proven otherwise.
Say BYOD, and CIOs cringe. They complain of security, supporting a flood of devices and losing control. But the CIO of Essar Group just proved his peers wrong. Here’s how.
- Why you need a BYOD Strategy
- Striking a balance between security and User Experience
- How VDI can help
If there’s anything that’s defined our political and corporate lives in recent times, it’s people power. So much so that it’s beginning to influence how countries are run and how business is done.
Ask IT leaders of corporate India, who are in the midst of a consumer-powered IT revolution, under the less sexy title, BYOD (Bring Your Own Device).
According to a 2010 IDC-Unisys report, consumer-powered IT is being touted as the principal driver behind the fourth wave of corporate productivity. The first wave was inspired by Henry Ford's invention of the assembly line (between 1908 and 1915). The Japanese collaborative model, Kaizen, was the second wave. The third was driven by the Chinese model of mass production, low prices and global domination.
Today, the fourth wave is driven by a network of constantly connected workers. A network connected by mobiles, laptops, smartphones and the like.
It’s a market that’s exploding. IDC predicts that the smartphone market will grow by nearly 50 percent in 2011, taking the number of smartphone users to over 450 million. It's only a matter of time, say experts, before a large number of these consumer devices find their way into enterprises.
But that’s a problem. While employees are enthused at the prospect of bringing their preferred device to work, CIOs aren’t too excited about losing control. An IDC report points out that 95 percent of employees use self-purchased technologies for work,but a majority (70 percent) of CIOs still want to buy standardized technologies for their employees.
But one CIO in the minority—and from the not-so-technology-savvy manufacturing sector—set out to prove that the majority isn’t always right.
The Essar Way
In early 2010, BYOD was still a new kid on the block, but N. Jayantha Prabhu, CTO, Essar Group, was picking up early signs of this disruptive trend. It was a trend that was hard to ignore in an organization where the average age of employees ranges between 28 to 30 years. Prabhu realized that this squad of power users was far ahead of their peers when it came to adopting whiz-bang technology.
“The younger generation may not mind putting in an extra hour of work, but they expect the freedom to work from anywhere they wish, on devices that they are comfortable with,” says Prabhu. “Denying them that freedom could possibly lead to an unpleasant dissatisfied-users situation.”
At the same time, Prabhu was also being pushed to provide C-level business users with anytime, anywhere access to data.
And Prabhu realized that allowing people to bring and manage their own devices would help IT too. It would allow the IT team to focus on strategic innovation instead of fixing
IT issues. Keeping the IT team enthused is an imperative at a time when attrition is rampant and work pressure is mounting. According to the Mid Year Review 2011, 46 percent of CIOs say that their IT departments are shrinking in size and about 18 percent state that their team sizes are likely to remain the same. Worse—especially for Prabhu—46 percent of CIOs in the manufacturing sector confess to significantly increasing work pressure.
For all those reasons, this was the right time for Prabhu to come up with a BYOD strategy. “It would free my IT resources from managing non-strategic assets and help me focus on high business value initiatives. It would also provide a more attractive and flexible workplace environment for employees and increase user productivity,” says Prabhu.
But what Prabhu set out to do would defy conventional wisdom. And that would take fighting the three devils of BYOD: Security, infrastructure and a flood of devices.
Setting the Stage
First steps are hard. They shake you out of your comfort. For Prabhu, it meant stepping out of the four walls of his air-conditioned cabin.
A walk down the work stations at Essar gave Prabhu a picture of employees’ work profiles. He tried to figure out the kind of devices they were likely to adopt, and the applications that were critical to them. Based on user inputs, Prabhu sketched two different tables.
One table listed the kind of devices that were the most common and likely to be adopted by a large number of users. Essar had an existing footprint of 3,500 company-owned Blackberries that were being managed by 15 Blackberry Enterprise Servers. Additionally, Prabhu chose the top three and most popular mobile platforms: iPhone OS, Blackberry and Android.
In the second table, he prioritized the applications that needed support, starting with basics like e-mail, collaboration, productivity, and communications. And later, he would layer on more complex applications like BI dashboards and MIS reporting as per user requirements.
Prabhu’s seven-man technical innovation team set up a lab to test eight different devices at the same time. These devices included a desktop, a thin client, laptop, and a mix of various tablets and smartphones. “Every time a new device, OS or application enters our IT systems, we like to assume that the device is hostile till proven otherwise,” says Prabhu.
In early 2011, the team began testing the company’s applications on various mobile platforms. Over the next one-and-a-half months, the IT team tested latency lags and developed user friendly interfaces.
Finding its feet at Essar, Prabhu’s BYOD strategy was just beginning to feel at home. Now it was time for some real action.
Enter the Devices
The BYOD concept is simple: Everyone is invited. But that makes life complicated for CIOs who struggle to support different devices, looking for ways to standardize.
To handle these devices in their various avatars, says Prabhu, he would require a team of in-house experts to incessantly monitor every new OS and, “make adequate changes to make our applications compatible,” he says.
But that contradicted with one of the basic advantages of BYOD. The resources that Prabhu would have freed would now have to be directed towards managing application support—not actively engaging in innovation.
Prabhu found a way out. Because he was an early mover, Prabhu noted that most technology providers were eager to develop and test mobile and tablet-friendly versions of their products and check their compatibility with the enterprise.
“Over the years, these organizations have built the kind of infrastructure, R&D, support and skill-sets that would help us during the nascent stage of application, platform and infrastructure testing,” says Prabhu.
Companies like SAP and Apple readily agreed to Prabhu’s proposal of constant knowledge sharing with the technical innovation team for app development, eliminating the need for an extensive in-house team. “It’s a quid-pro-quo relationship. With active help from our technology partners, the actual amount of development done by us is minimal and the partners also get a platform to test how enterprise friendly their solutions are,” says Prabhu.
But handing the ropes of app development to his providers wasn’t enough. To make his BYOD strategy successful, Prabhu also needed to ensure he fulfilled all user needs. Like checking if users could multi-task on their devices. So, his team tested a Blackberry Playbook with four windows open simultaneously, each one performing an independent task. They played a phantom movie, accessed e-mail, played a Need for Speed game and ran a local app, all at the same time. It worked like a charm.
But Prabhu was yet to confront BYOD’s biggest enemy.
Don’t Leave the Door Open
‘Anything that can go wrong, will go wrong,’ that’s Murphy’s Law and a party pooper for BYOD. Because the one thing that can go terribly wrong and scares CIOs away from BYOD is security. Prabhu was certain that he wouldn’t go ahead with BYOD till he was sure that, “the security from our end was the closest to absolute,” he says.
That’s a concern voiced by many of his peers. According to ISACA’ 2011 IT Risk-Reward Barometer report, 47 percent of businesses feel that the risks associated with employees using personal mobile devicesfor work activities outweigh the benefits.Prabhu knew that he needed a new weapon to fight security. And he didn’t have to look further than desktop virtualization.
“The surest way in which I could secure data transfer on mobile devices is through VDI because this prevents enterprise data from being stored on the user’s personal device,” says Prabhu.
But VDI is expensive and it’s often difficult for CIOs to prove ROI and get management buy-in. Fortunately for Prabhu, the year 2010 was refresh cycle time for over 15,000 users at Essar. Done the conventional way, the refresh cycle would lead to an investment of Rs 37.5 crore and the IT team would spend months securing data. And worse, the whole rigmarole would have to be repeated during the next refresh cycle.
A VDI implementation would check-mate all of Prabhu’s woes. It would save Essar from a large investment during the refresh cycle, all the while putting an end to security problems hindering his BYOD plans.
With VDI, a client hypervisor sitting on a user’s device generates a partition in the device, creating two virtual devices completely alienated from each other. The user logs into the Essar system from one virtual partition and gains access to enterprise and work related data. However, this partition prohibits users from saving any corporate data on their device due to restrictions enabled on the enterprise’s virtual image. The other partition acts as the user’s personal device independently allowing the user to download, multi-task and, run personal applications.Though VDI managed to reduce security issues, it replaced that with a different problem: Bandwidth. Many businesses have come to rely on leased lines to link remote offices back to the datacenter over the WAN. And these links are often shared by multiple technologies within the enterprise. Prabhu brought in WAN optimization and managed to reduce projected bandwidth requirement by 50 percent. Not only that, he had another smart move up his sleeve to put an end to bandwidth worries. He ensured that users accessed their e-mails and applications from a local VDI server sitting at their location and, “It’s only when users travel that they are directed to access VDI over WAN,” he says.
Case Study Highlights
- Prabhu realized that allowing people to bring and manage their own devices would help IT too. It would allow the IT team to focus on strategic innovation instead of fixing
- To make his BYOD strategy successful, Prabhu also needed to ensure he fulfilled all user needs. Like checking if users could multi-task on their devices.
But VDI alone can’t shield an enterprisewide BYOD project. Prabhu needed to increase his troops on guard. And those came in the form of Mobile Data Management (MDM), DLP and remote wipe tools.
A digital certificate is installed on each mobile device for authentication purposes. Two- factor authentication allows users to gain secure access via a VPN and gives IT a record of user access behavior patterns. Applications other than e-mail may require additional forms of authentication.
While these security tools take care of authentication and access, MDM efficiently manages mobile data through its lifecycle. It takes care of asset inventory, application deployment, patch management, data and voice usage and remote wipe. It also enables IT to deploy security policies on devices grouped by device type and OS.
Prabhu also enjoys the freedom to customize security policies like application restriction, password restriction and camera usage.
He also deployed DLP tools that use a combination of keywords and file property of a document to block sensitive information from leaving the organization.
Prabhu didn’t ignore the basics—like data encryption—either. This ensured that data from one end user device is not read on other devices due to device-specific encryption. But at the same time, Prabhu and his team acknowledge the fact that hardware and software are just one layer of security policy. Most security threats boil down to people, who become the weakest link.
So, Prabhu wanted to devise a policy framework that encapsulates and communicates security guidelines to end users. Today, mobile device usage at Essar is governed by a contract. Users are required to sign the contract before they can add their devices to the enterprise’s system. And that’s extremely crucial for CIOs contemplating BYOD. “CIOs should make it clear to users that the complete management of their devices, patching, upgrades and managing SLAs with their OEMs rest with the users,” he says.
To strengthen Essar's security posture, the IT team frequently shares in-mails and sends reminders to users, warning them of possible security threats.
Currently, the project is being rolled out to about 5,000 users at Essar. In the coming six months to one year, Prabhu plans to extend more core applications like BI to mobile devices. Prabhu aims to allow employees to do much more on the devices they choose, from places they like to work, in a style that suits them best.
“But most importantly, I wanted to build a forward looking organization for the younger employees, to provide them a work environment that does not restrict them from following harmless desires of freedom and endless opportunities,” says Prabhu.
In June, the bank deployed an app, which allows customers to enjoy a number of banking services via a video chat. It’s creating a lot of customer stickiness, says the bank’s CIO.