X-ray of a Successful Global Enterprise Digital Workplace Strategy

Although the main challenges are very similar to the ones faced by an enterprise, going international brings an extra layer of complexity: 

• Connect offices together, allow easy and secure access to all authorized resources, from anywhere  
• Compliance with local laws and regulations regarding handling and storage of sensitive data, requiring data residency within the EU driving local data center requirements 
• Different management solutions and tools 
• Unique Business cases driving one off technology requirements 
• New process and technology via training 

 
While in theory this is one single company, in practice it is more like several organizations, sharing resources and collaborating while still retaining control and management over their own local resources when needed. 

Employing different ownership models for different devices and other considerations dependent on the business requirements, the organization provided laptops to everyone (ensuring that those devices were encrypted and managed by the corporate policies) and mobile devices for those users that required access to sensitive corporate data and needed access to their data on-the-go.  

Ideally, work data should never be stored on any employee device, either mobile or desktop, personal or corporate. But if so, it is important to avoid any data leaks: 

• On personal devices (BYOD), app containerization is used to ensure work data was fully secured and separated from the rest of the device. 
• On corporate-owned devices (COPE), device containerization is done: 
• • At OS level with Android devices 
  • Using app containerization on iOS devices 

However, going international brings another layer of complexity: data residency. For on-prem services, this could easily be enforced, however, with cloud-based services this was a little more delicate, so it was important to ensure that each office was using a tenant located within its country, or at least within the European Communities for the European office. 

Also, as the company handles sensitive data – corporate, internal, and most importantly customer data – it was crucial to ensure that said data was handled and stored according to the local regulations, as these can differ significantly. 

In Europe, the company had to confirm with all their software and solution providers to ensure their products were compliant with the General Data Protection Regulation (GDPR). In the US, similar to the Personal Information Protection Act (PIPA), Personal Identifiable Information (PII) is regulated and protected. In this aspect, implementing a Data Loss Prevention (DLP) solution to detect and prevent this should be considered. 

To enforce that, a dedicated cloud-based DLP solution was implemented to prevent any potential data exfiltration, intentional or not. All corporate documents, on all corporate endpoints, containing company-specific and/or regulatory sensitive data, were inventoried so any data extraction could be detected, reported, and prevented in real-time. 

The enterprise used a hybrid environment that is a mix of on-site and cloud-based services, so a whole Zero Trust (ZT) approach was taken to provide seamless access to corporate resources, wherever there are located and wherever the employees are connecting from. 

Dedicated connections were established between both offices, using Virtual Private Network (VPN) technology to protect all traffic from being intercepted, accessed, or, even worse, tampered with. 

While employees can access from their office to the other office resources transparently, as both were defined as trusted locations (Conditional Access), this was a little more complex as employees can also connect using their mobile devices or desktop computer, usually from their Home Office but virtually from any location (e.g., customer site, airport). To guarantee that only legitimate connections were allowed, a User and Entity Behavior Analytics (UEBA) solution was implemented which, coupled with Multi Factor Authentication (MFA) technology, ensured all requests were legit before allowing the user access to said resources. A gateway type solution could also be implemented. For cloud-based resources access, a Zero Trust Network Access (ZTNA) solution was used to control access and ensure that only managed, trusted, and safe devices can connect. 
 

All current contracts with service and software providers were reviewed, seeking to consolidate software and solutions used, as well as avoid using two different products for the same thing when possible. The goal was to have easier unified management and a single communication channel with the vendors (e.g., when escalating issues), all resulting in time and cost savings. 

However, this was not possible with all products, not only for technical reasons, but also contractual obligations or simply specific business-driven needs. 

For example, although the same SaaS solution (Microsoft 365) is used by both offices for data residency requirements from the EU office, separate environments were created to ensure European data was stored on a tenant within Europe. The same goes for the corporate SaaS UEM solution used to manage all endpoints. This of course requires extra work from both sides to maintain similar apps, policies, and profiles between both environments, so all employees receive an almost similar offer in terms of services and functionalities, although some local requirements also exist. 

A set of common apps were defined and configured to be automatically distributed, fully configured, and provisioned to the employees’ devices, either personal or corporate, for example Microsoft 365 apps as well as other business apps. 

Since separate environments had to be created for the same solution (M365, UEM) for data residency reasons, there was a need to manage all assets and endpoints from a single pane of glass, as well as having supervision/monitoring and migration capacities, using technology-agnostic tools.  

For that, it was decided to go with the ISEC7 Sphere vendor agnostic management and monitoring solution, as this would also help integrate existing and future solutions more easily and smoothly. This would also ensure that Help Desk and Service Desk employees from all offices would only need to be trained on one common tool, independently of the solution(s) used in the background. 

All these technologies still rely on one critical part of the organization: the employees. 

They were initially trained to understand how integrating a new office into the existing environment would translate in terms of what tools are available, how to access them seamlessly and securely, from where, and what can be done. The larger the environment, the more need for defined processes or procedures. 

But employees are constantly trained every time a new technology, process, or procedure is implemented, using internal, presential or an online session; a cloud-based Learning Management System (LMS) was also implemented so employees could easily access new content from any device, at any time, while managers tracked their progress. 

A digital workplace strategy is only as good as its level of adoption/acceptance, and that requires understanding and commitment which only comes through educating global enterprise employees on the available tools. Employees also need to understand compliance with local laws and regulations regarding the handling and storage of sensitive data, as well as the crucial role of easy and secure access to all authorized resources, from anywhere, no matter where the employee is located. If you are interested in learning more about how implementing a digital workplace strategy for a global enterprise works, please contact us with any questions and the team at ISEC7 can help you better understand your options and what’s needed for your specific environment. 

(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group