Following our article on digital workplace strategies for small to medium-sized
businesses, this week we continue by discussing digital
workplace strategies for enterprise businesses. We’ll use two enterprise organizations as a case study: one organization based on the East Coast of the US with a couple hundred employees and
another organization with a similar sized employee base, except with a couple of offices dotted along the West Coast. Like a lot of organizations in the COVID era, their employees are mostly
remote with a select few in the office. Each has their own IT team, using corporate-owned desktop/laptop computers as their main work devices and mobile device when
What Challenges Do We Need to Address?
Like every other organization before COVID, there was an inkling of a digital workspace in their roadmap, however, there were no plans for an overnight rollout to support the business during the quarantine. Luckily these two organizations started to review their digital workplace needs and were able to get a jump in their digital workplace rollout.
The center of their digital workplace strategy was built around being able to access the corporate data that resides in their own data centers and SaaS based solutions (Corporate CRM, Ticketing System, etc.) and digital security. Being a hybrid environment with some on-site and mostly remote and mobile, the ability to access the data from a mobile device has added an additional level of complexity to ensure that access to the data is available to the mobility users.
All these devices process and ultimately have the ability to store business critical data, so they needed to be secured and protected from any cyberattacks or unintentional data leaks. Finally, they needed to ensure their IT/Network,
Security, and Mobility teams were working together, enforcing the same strategy while being responsible for their respective realms.
How Did We Address These Challenges?
At the center of their digital workplace strategy was their ownership model of the devices, their primary device being laptops that are corporate owner and business only (COBO), then their mobility devices fell into one of two categories.
Employee mobile device
Employing different ownership
models, depending on whom the mobile devices belong to and
what their job requirements were, these organization decided to offer two options to their employees:
- Corporate Owned, Personal Enabled (COPE) for those users that requires access to sensitive corporate data and needs access to their data on the go.
- Bring-Your Own Device (BYOD) for those users that do not need mobile access but it would be beneficial to have access on-the-go.
COPE devices were fully managed and controlled by IT to enforce stronger device security controls while also leaving room for the employees to install personal apps and manage personal documents. They were delivered to the employees fully enrolled, configured, and provisioned with all required work apps and a dedicated work phone number (together with data subscription) provisioned using eSIM technology; employees were also allowed to eventually put their own personal data into the device, which all support multi-SIM, so they could also send/receive private phone calls with their own number, without having to carry two devices around at all time – the best of both worlds!
For the BYOD devices, employees were allowed to use their own if included on the curated list of tested, approved, recommended mobile devices defined by IT department. This was done to guarantee security, compatibility, and a seamless end-user experience. These devices were partially managed by the enterprise, for example, asking for a device password to be set and enforcing a minimum, acceptable level of security, with only the work apps and data were fully controlled. Anything else, like personal apps and documents, were not managed nor visible to the company to respect their privacy. For employees to be able to send/receive work related phone calls with a dedicated phone number, without having to incur into any costs, a Voice-and-Video-over-IP (VVoIP) subscription was provided, either in the form of a mobile app or directly integrated into the mobile device OS (depending on device manufacturers and models).
Employee desktop devices
When it comes to desktop computers like laptops, previously heavy, poorly-performing workstations were replaced with light virtual
computers as a cost-effective alternative (like a Chromebook), providing access to business apps and services
using on-premises and/or SaaS Virtual Desktop Environment (VDI), providing great performance while ensuring corporate is not comprised as it never leaves your back-end
How was sensitive work data handled and stored?
Ideally, work data should never be stored on any employee device, either mobile or desktop, personal or corporate. But if so, it is important to avoid any data leaks.
On personal devices (BYOD), app containerization was used to ensure work data was fully secured and separated from the rest of the device. Microsoft 365 does provide that capacity out of the box with all their mobile apps, so password or biometrics (e.g., fingerprints, facial recognition) can be required to unlock them. Additionally, data can only be exchanged between them or with other authorized third-party applications. Only enrolled and managed personal devices can access corporate resources to ensure corporate data is protected and stored on devices that fulfill all security requirements (OS/patch version, password). This also allows to locate them in case they get lost or stolen and take mitigation actions if needed (e.g., block/wipe work apps and documents, but not the device itself).
On corporate-owned devices (COPE), device containerization was performed at Operation System (OS) level with Android devices and using app containerization on iOS devices. On Android Enterprise devices, employees were provided with a unique end-user experience, with two different workspaces (private, and work), making it clear to them that all apps, data, and documents were separated, one side from another. On iOS devices, the end-user experience was different so mobile app containerization was used (as for BYOD). On both, using a secure hosting service (OneDrive, SharePoint), either on-premises or cloud-based was enforced for work-related documents.
How did employees access data?
The enterprise used a hybrid environment that is a mix of on-site and cloud-based services.
Most of their services, including corporate mail, instant messaging, non-sensitive document storage, and more were cloud-based and could be accessed directly from any computer, either in the office, with a customer, or at the home office, as virtually available to anyone with an Internet connection. Multi Factor Authentication (MFA) was enabled to strengthen the authentication process and ensure only legit access is allowed, so anytime a user needs to access a sensitive resource, a validation prompt pops up during the authentication process on registered mobile devices.
However, for privacy and security reasons, some sensitive information (e.g.,
customer data) and services (in-house app development and related IP) could not be moved to the cloud,
and accessing these resources from outside of the office is more challenging, as employees cannot
connect from several different locations, such as a home office, a public location (e.g., airport), or a customer premises (e.g., consultant on an on-site assignment), to mention a
A Virtual Private Network
(VPN) solution was used provide the actual secure,
end-to-end connection between the employee device, mobile or desktop, and the internal network from the outside, as most employees are usually familiar with using such solution already,
especially if on the road or working remotely.
How did IT manage it all?
The mobile devices fleet was managed using a UEM software/solution, which is a must-have nowadays for any business utilizing a digital workplace to keep its assets under control. UEM solutions deploy apps, provide access to corporate resources, enforce security policies, and take mitigation action when a device is at risk and/or uncompliant. A monitoring solution was implemented in order to have a real-time overview of the global health of all the assets and be able to detect potential issues, and forecast extra capacity requirements (e.g., upgrade endpoints, back-end infrastructure to cope with growing demand).
Also in light of the rise of cyberattacks, especially since the beginning of the pandemic, with more and more people working from home, the focus has been put on cybersecurity to protect all endpoints and the business critical data stored on them, using a next-generation antivirus solution relying on Behavior Based security.
Taking into account both offices have their own local IT teams, ownership was defined to avoid organization silos, which is a great challenge where different business divisions, offices, regions, or countries might operate independently from each other and avoid sharing information. While this can be justified in some very specific cases, in general this is not efficient and leads to having as many IT infrastructures as silos, which eventually translates to a higher Total Cost of Ownership (TCO), poorer end-user experience, more complex and time-consuming day-to-day administration, and ultimately a wicker response to everyday security challenges. A unified strategy, combining all assets as much as possible while respecting/considering proper local idiosyncrasies, is always a better call.
A digital workplace strategy is only as good as its level of adoption/acceptance, and that
requires understanding and commitment which only comes through educating enterprise employees on the available tools. They need to know and understand the security concerns and their own
liability when handling sensitive customer/business data. Always balance security and usability to ensure user adoption and thus a successful digital workplace for your enterprise
business. If you are interested in learning more about
implementing a digital workplace strategy for your enterprise, please contact us with any questions and the team at ISEC7 can better help you understand your options and
what’s needed for your specific environment.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group