X-ray of a Successful Enterprise Digital Workplace Strategy

Like every other organization before COVID, there was an inkling of a digital workspace in their roadmap, however, there were no plans for an overnight rollout to support the business during the quarantine. Luckily these two organizations started to review their digital workplace needs and were able to get a jump in their digital workplace rollout.  

The center of their digital workplace strategy was built around being able to access the corporate data that resides in their own data centers and SaaS based solutions (Corporate CRM, Ticketing System, etc.) and digital security. Being a hybrid environment with some on-site and mostly remote and mobile, the ability to access the data from a mobile device has added an additional level of complexity to ensure that access to the data is available to the mobility users.   

All these devices process and ultimately have the ability to store business critical data, so they needed to be secured and protected from any cyberattacks or unintentional data leaks. Finally, they needed to ensure their IT/Network, Security, and Mobility teams were working together, enforcing the same strategy while being responsible for their respective realms.  

Employing different ownership models, depending on whom the mobile devices belong to and what their job requirements were, these organization decided to offer two options to their employees: 

COPE devices were fully managed and controlled by IT to enforce stronger device security controls while also leaving room for the employees to install personal apps and manage personal documents. They were delivered to the employees fully enrolled, configured, and provisioned with all required work apps and a dedicated work phone number (together with data subscription) provisioned using eSIM technology; employees were also allowed to eventually put their own personal data into the device, which all support multi-SIM, so they could also send/receive private phone calls with their own number, without having to carry two devices around at all time – the best of both worlds!  

When it comes to desktop computers like laptops, previously heavy, poorly-performing workstations were replaced with light virtual computers as a cost-effective alternative (like a Chromebook), providing access to business apps and services using on-premises and/or SaaS Virtual Desktop Environment (VDI), providing great performance while ensuring corporate is not comprised as it never leaves your back-end infrastructure. 

Ideally, work data should never be stored on any employee device, either mobile or desktop, personal or corporate. But if so, it is important to avoid any data leaks.  

On personal devices (BYOD), app containerization was used to ensure work data was fully secured and separated from the rest of the device. Microsoft 365 does provide that capacity out of the box with all their mobile apps, so password or biometrics (e.g., fingerprints, facial recognition) can be required to unlock them. Additionally, data can only be exchanged between them or with other authorized third-party applications. Only enrolled and managed personal devices can access corporate resources to ensure corporate data is protected and stored on devices that fulfill all security requirements (OS/patch version, password). This also allows to locate them in case they get lost or stolen and take mitigation actions if needed (e.g., block/wipe work apps and documents, but not the device itself).  

The enterprise used a hybrid environment that is a mix of on-site and cloud-based services.  

Most of their services, including corporate mail, instant messaging, non-sensitive document storage, and more were cloud-based and could be accessed directly from any computer, either in the office, with a customer, or at the home office, as virtually available to anyone with an Internet connection. Multi Factor Authentication (MFA) was enabled to strengthen the authentication process and ensure only legit access is allowed, so anytime a user needs to access a sensitive resource, a validation prompt pops up during the authentication process on registered mobile devices.  

However, for privacy and security reasons, some sensitive information (e.g., customer data) and services (in-house app development and related IP) could not be moved to the cloud, and accessing these resources from outside of the office is more challenging, as employees cannot connect from several different locations, such as a home office, a public location (e.g., airport), or a customer premises (e.g., consultant on an on-site assignment), to mention a few.  
  

A Virtual Private Network (VPN) solution was used provide the actual secure, end-to-end connection between the employee device, mobile or desktop, and the internal network from the outside, as most employees are usually familiar with using such solution already, especially if on the road or working remotely. 

The mobile devices fleet was managed using a UEM software/solution, which is a must-have nowadays for any business utilizing a digital workplace to keep its assets under control. UEM solutions deploy apps, provide access to corporate resources, enforce security policies, and take mitigation action when a device is at risk and/or uncompliant. A monitoring solution was implemented in order to have a real-time overview of the global health of all the assets and be able to detect potential issues, and forecast extra capacity requirements (e.g., upgrade endpoints, back-end infrastructure to cope with growing demand).  

Also in light of the rise of cyberattacks, especially since the beginning of the pandemic, with more and more people working from home, the focus has been put on cybersecurity to protect all endpoints and the business critical data stored on them, using a next-generation antivirus solution relying on Behavior Based security.  

Taking into account both offices have their own local IT teams, ownership was defined to avoid organization silos, which is a great challenge where different business divisions, offices, regions, or countries might operate independently from each other and avoid sharing information. While this can be justified in some very specific cases, in general this is not efficient and leads to having as many IT infrastructures as silos, which eventually translates to a higher Total Cost of Ownership (TCO), poorer end-user experience, more complex and time-consuming day-to-day administration, and ultimately a wicker response to everyday security challenges. A unified strategy, combining all assets as much as possible while respecting/considering proper local idiosyncrasies, is always a better call.