October 5, 2009
I recently presented at Forrester’s Security Forum (Twitter: #FSF09) and Forrester’s Infrastructure & Operations and Security & Risk Leadership Board meetings on how companies can make BYOPC a reality. Overall, the feedback was great! Yes, there were absolutely skeptics in the room (especially the security pros), but slowly I was able to alleviate most of their concerns. It really goes back to what I have said in the past: BYOPC is really just an advanced form of remote access. And Google, Citrix, and Cisco agreed — each had their CSO/CIO up on stage with me talking about their own respective BYOPC and consumerization programs.
Overall, here were my talking points about the necessary components to make BYOPC work:
- Device: Self-explanatory – let the user choose the device he/she wants to use
- Desktop and application virtualization: This is how you deliver applications and desktop environments to unmanaged devices. When possible, using hosted desktop and application virtualization will deliver the best results, as you can just have users access their desktops/apps over any network connection. For users that are mobile and can’t be guaranteed a network connection, local desktop and application virtualization will do the trick.
- VPN: First and foremost, with BYOPC, all users should be considered untrusted. This means that they should never connect directly to the LAN. With that said, a VPN is how you give secure access from the user’s PC to the datacenter-hosted desktops and apps – it will also make sure that all connecting PCs abide by your security policies, such as up-to-date AV. VPNs are not new to any of you, as these technologies have been used for years to give remote workers, contractors, etc. access to corporate resources. Now, we will just use the technology more broadly. My recommendation is an SSL-VPN to prevent the required install of a client.
- DLP: Data leak prevention tools should be used to protect the data where it lives. So, this means putting rules in place on the data in your employees’ VMs (either hosted or locally installed) about what the user can do with it. For example, making sure that confidential information can never be removed from the VM and brought down to the user device.
- Client management and security: Using your standard client management and security tools, you can make sure that all VMs look identical to your managed machines. So, companies will need to use client management to configure, patch, etc. the VMs (both hosted and locally installed) that the users work on, and client security will remain in place to secure those VMs. The only thing to keep in mind is that client security now needs to be in two places – the VM and the BYOPC.
Using these five components will make BYOPC possible – and most attendees, after some initial hesitation, agreed. The best quote from an attendee from a financial services company was this: “If BYOPC is a competitive advantage today [because it has been known to help with recruiting and employee satisfaction], it will be a requirement tomorrow.” I couldn’t have said it better myself.
October 2, 2009
So, yes, I am late on putting my quick thoughts together about walking the showroom floor at VMworld, but better late than never, right? Anyway, VMworld definitely had a BYOPC buzz this year – VMware refers to it as “Employee-owned IT.” While I disagree with the name (because the overall enterprise computing environment will still be owned, managed, and secured by the IT department), VMware — and many of the showcasing vendors — are all talking about a world where IT no longer owns the physical asset that employees use to get their work done.
So how will they do it? VMware promotes local desktop virtualization as a means for giving a non-corporate asset a managed environment – Moka Five boasts similar functionality based on VMware technology. Then there are vendors like Ring Cube that look at BYOPC as a way to virtually turn the non-corporate PC into a managed environment during the work day. Citrix, on the other hand, believes that BYOPC is made possible by a virtualization stack that delivers hosted desktops or apps (apps can be delivered locally as needed).
Regardless, VMworld made it clear that vendors are trying to find where they fit in a BYOPC world, yet the underpinnings of this world will be virtualization.
August 26, 2009
I was talking with a large enterprise today that has a remote access solution in place so that employees, not in the office, can access their applications from their home machine. So why, I asked, was BYOPC such a foreign concept? Think about it…a home machine is just another “unmanaged” device. This “unmanaged” device is simply requesting access to applications that will enable the employee to get her job done.
I think most organizations are over-thinking BYOPC. Yes, it may mean making more applications available to employees over Citrix XenApp (formerly Presentation Server, formerly MetaFrame) or Microsoft Terminal Services, but it is not an entirely new architecture like people think. Most companies already have these types of solutions in place today for remote access and complex applications, so why not expand this implementation? Alternatively, many organizations are already looking at hosted desktop virtualization (also known as VDI) for contractors, offshore employees, call centers, etc., so why not expand the implementation to provide a managed desktop environment to an employee-owned unmanaged device? I mean, isn’t this exactly what a contractor or an offshore employee has?
I know I am over-simplifying the technology underpinnings of (and the costs associated with) BYOPC, but the concept is not new. Yes, BYOPC will require you to rethink the capacity of your remote access solution, but you don’t have to rethink the architecture. Honestly, my interest would be if Microsoft Direct Access can solve the capacity issues…what do you think?
August 18, 2009
CNET recently reported that Apple’s upcoming Snow Leopard OS will support Microsoft Exchange Server 2007. Why is this important for BYOPC? Because until this release, BYOPC presumed some amount of virtualization (in most cases desktop virtualization) to support the killer app — email. According to the CNET article, “Improved Exchange support will be integrated into Mail, iCal and Address Book in Snow Leopard, which means email, calendar appointments, to-do lists and contacts from Outlook will be viewable on your personal calendar, mail and address books. It also allows things like dragging and dropping contacts into iCal to schedule meetings, and your Mac will be able to discover time conflicts between personal and work calendars and change the meeting time and location.”
So, with virtualization no longer needed to support the killer app on a Mac, organizations will need to rethink how they will support users that want to use Macs in their native state for corporate activities. However, this is a huge step forward for employees wanting to use Macs in the corporate environment…IT can no longer hang their hat on email not being supported.
This opens a few questions for me:
- will IT shops have the proficiency to support the Mac?
- will email work well on a Mac and live up to expectations?
- will this follow a similar trajectory as the iPhone with execs just demanding it?
- what is the fate of VMware Fusion and Parallels?
Regardless, my advice is this: Walk down to your local Apple store and offer the Genius behind the counter a job!
July 21, 2009
Last week I was speaking with a large travel company — one of their major IT initiatives over the next 6 months is to understand and implement BYOPC. Why? Because they believe that being the fun company to work for is a competitive differentiator as well as a recruiting benefit. This has been a key message from their HR departments for years.
In addition, they have a very demanding employee population that is embracing consumerization with or without IT. Key employee groups are already bringing in their own laptops and smartphones and using them for company activities. IT has decided that fighting this at a corporate level was not worth the risk to their internal brand with their employees.
Moving forward, this company believes that BYOPC will be part of their DNA for all employees.
July 8, 2009
Yes, I know Citrix is a vendor with a solution to sell. But, they are also a business — one with the same challenges of managing the PC environment as anyone else. So, when I talked with their CIO about their BYOPC initiative, I learned a lot about the hoops he had to jump through to get this project off the ground. In the end, Citrix now allows employees (with manager approval) to take a $2100 stipend, buy a machine of their choice (and an accompanying 3-year service contract), and use this device as their corporate/personal machine. Using technologies such as VPNs, application virtualization, and desktop virtualization, Citrix is able to deliver a full experience to their workers independent of the device.
In the end, Citrix found that “happy employees are productive employees. The majority of the employees who participated in the program believe that their productivity increased as a result. Why? Because using the machine and operating system of their choice fostered a pride in ownership. In fact, Citrix found that users more often than not chipped in their own money to get an even better machine. As a result, users: 1) simply used the device more often; 2) increased their willingness to finish up that one last task or log a few extra hours on the weekend; and 3) took better care of the device since they had invested their own money.” (Bring Your Own PC Reinvents The Corporate PC: A Citrix Systems Case Study)
Here is the executive summary of my report that has just been published on forrester.com:
Bring your own PC (BYOPC) programs are becoming increasingly popular for today’s businesses. Why? Because they allow individuals to work from the device of their choice, which not only increases employee satisfaction but also lowers IT costs. Getting started with a BYOPC initiative can be overwhelming for organizations because many new issues must be taken into account, such as device security, application delivery, and hardware support. Citrix has developed an extensive BYOPC program that not only allows employees the freedom to choose but also takes into consideration all of the important security measures needed to do it right. Centered on 10 BYOPC rules, the Citrix program serves as a great example to others looking to bring BYOPC into the workplace in a secure and cost-effective way.
The full report can be found at: