Checklist for an Employee-Owned Notebook or PC Program

Transcription

1 Checklist for an Employee-Owned Notebook or PC Program Gartner RAS Core Research Note G , Leslie Fiering, 11 March 2010, RA Interest in offering employee-owned notebook programs (also referred to as BYOC, Bring Your Own Computer programs by the press) is growing due to better technology, rising user demand and increasing pressure on organizations to reduce costs. A realistic preparedness assessment prior to planning and deploying an employee-owned notebook program is critical to meeting business objectives and avoiding additional costs. Key Findings The benefits of an employee-owned notebook program include freedom from managing nonstrategic assets; more time for IT staff to focus on high-value, high ROI initiatives; a more attractive workplace to attract new hires; and increased user productivity. Cost reduction is not likely to be a major outcome for the near term to midterm, which could be disappointing to cash-constrained organizations looking to reduce the capital budget. PC-related costs can be moved, but not totally eliminated, through changes in ownership. While a small segment of the user population might opt for a desktop PC at a fixed location, the majority will demand notebooks for the flexibility to work at home (WAH) as well as the office. PC virtualization software with employee-owned notebooks offers a viable way to create a fully secure and manageable environment on an unmanaged, and potentially hostile, host PC. Recommendations Perform a thorough due-diligence check of your organization s readiness to launch an employee-owned notebook program, paying equal attention to the technology and policyrelated issues. Make the availability of all critical applications and the prevention of unwanted data leakage from the enterprise the primary issues when considering remote-access and enterprise digital asset isolation strategies. Get buy-in from HR, legal, finance and business unit leaders, as well as the IT organization.

2 2 Monitor developments in PC virtualization as a preliminary step if you are only considering employee-owned notebook programs as a future option. ANALYSIS 1.0 Introduction While there has been ongoing interest in employee-owned notebook programs for the past five years, the number of serious inquiries from Gartner clients has grown significantly in 4Q09 and 1Q10. PCs and notebooks remain critical tools for knowledge workers; however, as these devices commoditize, choosing specific devices no longer provides organizations with a strategic or competitive edge. Security and manageability remain critical concerns, but the growing maturity of network access controls (NACs) and PC virtualization technology help to improve security while reducing the dependence on specific hardware. More technologically aggressive companies familiar with these technologies are seeing a way to reduce their PC management overhead. Less technologically aggressive companies are just looking for ways to cut capital spending, even if the savings are only short term. The price of consumer PCs and notebooks has dropped at approximately 10% per year over the past five years, with an even steeper price decline for notebooks in 2009 due to the introduction of netbooks (low-cost, Internet-focused mini-notebooks). This means that more users can afford to buy their own personal technology for home use. They are finding that their own technology, in many cases, is faster, sleeker and more effective than what their employers issue. Recent college graduates equipped with highly desirable skills such as Internet programming, social networking software and cloudcomputing skills are accustomed to having complete control over their personal computing technology. Many have used the level of PC and client computing technology of their prospective employers as a decision criterion. According to a 2009 Gartner survey of 528 IT managers in organizations located in the U.S., Germany and the U.K. and that had more than 500 employees, U.S. companies expect a 60% growth in the number of employee-owned PCs from 2009 to yearend German companies are expecting a 40% increase, while U.K. companies are anticipating a more modest 15% growth in the same period. All start from a reported baseline of 10% to 12% of their users. Before embarking on an employee-owned notebook program, organizations need to conduct a realistic self-assessment to ensure they are prepared to address each of the following checklist items: Provide robust, scalable and secure access to corporate data. Isolate enterprise digital assets. Determine PC hardware, software and bandwidth requirements. Clarify software license terms and conditions. Establish a third-party maintenance and support option. Define the scope of IT support responsibilities. Determine financial ramifications. Ensure there are no counter-indicators. Identify workers who will support and benefit from the program. Develop appropriate policies. Develop a communications plan. 2.0 Provide Robust, Scalable and Secure Remote Access When employee-owned notebooks attach to the enterprise network, the assumption has to be that the device is hostile until proved otherwise. The response must be a series of NACs that include strong authentication, and scan and block functionality, as well as network behavior analysis. A variety of methods can be used to identify specific devices, their physical and virtual locations, and their usage history. Such device fingerprinting can help organizations determine whether a user is connecting from a managed company device, from a personal device that has been registered with the organization s technical support group, or from a completely unknown system such as a kiosk in a coffee shop. Further tests can also determine the security posture of the device, and whether it has been recently scanned for malicious software (malware). 2.1 Designing a Remote-Access Strategy To design a robust, scalable and secure remote-access strategy, first define an organization s higher-level policies for employeeowned devices that connect to the enterprise network. If the device does not conform to the policy, then it is quarantined to a protected part of the network for remediation, such as a link to download patches or a link where an on-demand security protection agent can be installed for the duration of the session. Postconnection, the system must continue to be monitored for evidence of malicious behavior (by the user or the software on the device). The result is that trusted users on trusted systems get full access to the enterprise network Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner s research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

3 What if a trusted user (full authentication) accesses the network on a nontrusted device? 2.2 Multiple Levels of Access One level of access control may no longer be appropriate now that users can be anywhere, especially when they are not always using corporate devices. Unmanaged and uncontrolled platforms represent a high risk to the enterprise, because they are more likely to contain keystroke monitors, worms, remote-access trojans and other malware than managed platforms. Increasingly, the access decision will have to include an evaluation of the level of trust appropriate for the user s remote platform. 2.3 Application and Data Requirements To make effective remote-access strategy decisions, organizations must also establish application and data requirements. Application delivery and remote access weighed against the trust level of the target PC are the major factors that determine the level of data leakage risk (for example, enterprise data will be subjected to loss or exposure by software on the employee-owned system). 3.0 Isolate Enterprise Digital Assets 3.1 Protecting Enterprise Data and Intellectual Property After remote-access issues have been resolved, the second biggest barrier to implementing an employee-owned PC or notebook program is protecting enterprise (or customer) data and intellectual property from loss, corruption or exposure. This is a serious problem even with company-owned systems that have strong endpoint protection. The problem is exacerbated by employeeowned systems (or partner- or contractor-owned systems) where the endpoint security is uncertain. The main goal is to ensure that the enterprise digital assets (defined by the required enterprise applications and data) can be kept totally isolated from whatever other applications and data are on the employee-owned device. Ideally, there is absolutely zero data leakage between corporate- and personal-owned devices. This means that malware on the employee s system cannot get to the enterprise data and applications, and the enterprise data cannot be copied onto the user s system or an external medium. It is also critical that whatever enterprise digital information resides or runs on the employee-owned system can be totally removed without leaving any traces (such as temporary files). 3.2 Web- and Server-Based Solutions There is a spectrum of solutions at varying levels of cost, security and functionality. Web-based applications that reside outside the firewall provide full quarantine but also limit the ability of most employees to do their jobs. Server-based applications can be fully secured at the back end; however, the delivery window is vulnerable to security breaches in the underlying PC. Both solutions (Web-based and server-based) require a network connection and do not work in offline mode. 3.3 Trusted Portable Personality Devices Trusted portable personality devices (TPPDs) enable generic and dedicated USB memory devices to launch guest end-user work sessions that explicitly enable corporate security policies (including strong authentication, encryption and business processes on noncompany-owned systems). TPPDs can be provisioned and controlled by the enterprise to access corporate and other applications via virtual private networks (VPNs) and other secure portals. Controls over copying and printing can be enabled. If the applications require it, then devices can be provisioned with a full application stack for offline use or simply with authentication, a VPN client and remote procedure calls to create a secure network connection on a potentially hostile PC. The drawbacks are no guarantee of compatibility with all host PCs, and no guarantee of finding a suitable workstation when a user needs it. Also, the small devices can be easily lost. 3.4 Using PC Virtualization Options to Create a Managed Environment on an Unmanaged PC A growing number of PC virtualization options provide viable solutions for enterprises to work with employee-owned notebooks by isolating parts of the stack or the entire corporate application stack from the underlying hardware, operating system (OS) and other applications Application Virtualization Application virtualization isolates an application s resources, eliminating the risk of conflict with other applications. This works well in protecting the applications from corruption by malware. The application can stream from a server, leaving no footprint on an employee-owned PC, or it can cache locally. This solution works well when there is known bandwidth (for the streaming solution) and there are a fixed number of known applications to be used. The drawback is that each application has to be packaged, and there can be problems when applications have to interact. In addition, application virtualization is designed to isolate application configurations from that of the OS, but not to protect them from the OS. In practice, a virtualized application cannot be secured from an OS in which it runs. It may need to make demands on global system policies. Thus, the application virtualization solution only works well if the data leakage profile is low and the host device is relatively trusted Hosted Virtual Desktops Hosted virtual images deliver a near-identical result to blade-based PCs. Instead of the motherboard function being located in the data center as hardware, it is located in the data center as a virtual machine bubble. Using standard server virtualization technology, multiple virtual machines can run simultaneously on a server. When users log on, their virtual machine image is loaded from storage. In essence, the employee-owned system becomes a thin client and the image-based server is totally isolated from the user s local desktop. 3

4 4 Hosted virtual desktops (HVDs) do not work offline and do not support persistent personalization (i.e., retain user changes once the user signs off) without third-party products. The connection protocol and network latency give rise to performance issues, especially for rich media applications. Also, image management techniques are immature, although they are improving rapidly. HVD can provide benefits under the right circumstances, but it is not an optimum device for every type of user or application. Offline use is not yet a viable option for HVDs Full Virtual Machine or Virtual Work Space A full virtual machine or a virtual work space, running locally on a user s PC instead of on a server, offers a complete solution by creating a fully contained and isolated PC environment that runs its own virtual hardware and its own separate Internet Protocol (IP) stack (including OS and applications). As a result, the virtual machine can have a separate network identity from the employeeowned machine hosting it. The standard corporate image can be encapsulated within the virtual machine, creating a highly controlled, consistent environment on any PC. File transfers with a host PC can be disabled, so personal and company data can be completely separated (i.e., digitally isolated). The downside is higher hardware requirements for memory and performance, higher software costs since the separate IP stack requires a separate set of software and, in some cases, separate OS and licenses. This solution creates the greatest level of control, manageability and breadth of application usage options. PC virtualization solutions are maturing rapidly and are viable for more technologically aggressive organizations, but we do not expect to see full mainstream use before Financial institutions have been leaders in PC virtualization adoption, using it originally for security reasons. However, their growing familiarity with the technology means they have met this isolation of digital assets requirement, which has led many other financial organizations to consider early adoption of employeeowned notebook programs. 4.0 Determine PC Hardware, Software and Bandwidth Requirements Having robust, secure and scalable remote access along with strong methods to isolate enterprise digital assets will be useless if an employee-owned computer configuration cannot support employees requirements. For example, as much as 4GB of memory may be required to run an enterprise virtual machine. Organizations considering noncompany-owned platforms must ask, at a minimum, other questions: How much memory is required? Are there particular processor speeds or a number of core requirements? Are there particular graphics requirements? Will the required enterprise access methods and software run on a Mac? Will the required enterprise access methods and software run on a netbook? If a server-based software delivery model is used, how much bandwidth is required to get acceptable performance? Is there required security software that must be on the employee-owned system? Is there a required communications client that must be on the employee-owned system? While a segment of the user population that is considered full-time WAH users might opt for desktop PCs, the majority of demand is likely to be for notebooks. The desktop PCs might require different configurations from the notebooks. Don t let the lower price of desktop PCs affect the types of models that are finally chosen for the program. Most users will want the flexibility of a notebook that permits use both in the office and at home. Once the configurations and specifications are determined, they need to be made available to the plan s participants. A best practice is to create and maintain a list of approved PC models. Oversight and periodic updates of the list will be required. These specifications will determine the requirement for and level of subsidies to be provided to employees to ensure that minimum standards are met in an employee-owned PC program. 5.0 Clarify Software License Terms and Conditions Enterprises remain responsible for the licensing of end-user or third-party devices they permit to be connected to their corporate systems. Corporate use may also violate the terms and conditions of end-user licensing agreements and result in further corporate liability. For example, some applications, such as Corel WinZip, are only free for personal use. As a result, it is critical to review licensing terms and conditions for absolutely all corporate software that will run or reside on employee-owned systems. Using PC virtualization adds another layer of complexity since additional licenses for the OS and applications will be required. Microsoft s Virtual Enterprise Centralized Desktop (VECD) license is required to run Windows on HVDs or, in some cases, to license the Windows OS in a virtual machine residing on an employee-owned system. There are several options when paying for the VECD license; therefore, due diligence is required to understand which option is most appropriate for any given situation. All Microsoft licenses purchased under a volume licensing program that run on employee-owned systems can be moved to other systems as often as every 90 days. Care must be taken to synchronize any employee-owned system refresh to the OS and all application vendors license terms.

5 6.0 Establish a Third-Party Support and Maintenance Option One of the great benefits of an employee-owned PC program is relieving IT support staff from dealing with PC break/fix and nonstandard software application issues. However, one of the primary tenets of the program is the employee s responsibility to have a suitable machine available for company use at all times. If that system breaks, then the employee will need to get the support from somewhere. Requiring a hardware maintenance contract is not enough, since there will always be how to questions, as well as inquiries about OS and software problems. While many younger workers who grew up with PCs, as well as many technically astute workers, are self-sufficient, a significant percentage of knowledge workers will still require an organized, predictable form of support. A best practice is to organize suitable third-party support options for the plan s participants. The support can be provided by valueadded resellers, dedicated support organizations or PC hardware OEMs. In addition to hardware, the support plan has to cover OSs and application software, as well as home networking and printer issues. Potential options are that: During the plan pilot and in early stages, the enterprise can choose to pay part or all the support expense as an employee benefit. Employees can, of course, opt out. Enterprises can also choose to provide loaner systems loaded with the corporate image. This strategy serves to keep users productive during a personal system repair period. Note that there is a separate, in-house concierge-level support program for executives who require faster and more-personalized service. To ensure adequate funding, executives should be charged for the concierge service. 7.0 Define the Scope of IT Support Responsibilities The security perimeter established around the enterprise digital assets on employee-owned PCs should define the boundary of enterprise IT support responsibilities. If all enterprise applications are delivered through terminal services, responsibilities will be limited. Where a virtual work space or a fully sealed virtual machine is used, then the IT organization must manage and support all the software in the image. The user is then responsible for all support issues elsewhere on the system. It is critical that Tier 1 help desk agents are: Provided with a clear-cut set of criteria for determining which types of calls the IT group can handle (i.e., calls that pertain to corporate applications, data, networks and, where applicable, virtual images). Familiar with the alternative third-party support options to handle all technology for which users have personal responsibility. Given discretion to help on a best-effort basis, where appropriate. Familiar with concierge-level support options for senior executives who have personal technology. 8.0 Determine Financial Ramifications 8.1 PC Hardware An employee-owned PC program passes costs for PC acquisition and support traditionally borne by the enterprise to the employee. A best practice today to ensure employees buy PCs that meet minimum requirements is to provide a stipend to the buyer. However, paying out stipends requires the approval and cooperation of the enterprise s CFO. Money that was once allocated to the capital budget must now be accounted for differently on financial statements. In many geographies, stipends are considered taxable employee benefits, and many regions have their own set of laws. In the U.S., for example, each of the 50 states taxes the benefits at a different rate. Thus, the stipend should be calculated to ensure that users receive sufficient funds to buy suitable PCs (that meet minimum specifications) after taxes are deducted. Also important are that: The final amount of the stipend must include the PC hardware cost (including maintenance and support programs) plus the amount of the local income tax. A table needs to be created that takes into account local tax laws and rates for each geography where the program will be instituted. In some cases, where the employee-owned program is only being introduced to bring the population of nonsanctioned PCs and notebooks within the enterprise security domain, then the amount paid out can be less. These employees will use their own systems regardless, and will welcome the additional funds. Either way, a stipend is essential. If there is no payment, then there is no leverage to define a service-level agreement that ensures keeping a suitable system available for company use. 8.2 Broadband In addition to providing stipends for PC hardware purchases, companies need to decide how broadband support will be handled. Since more than 60% of U.S. households now have broadband, many companies no longer feel the need to pay this expense. In some cases, companies will pay for a third-generation (3G) wireless WAN (WWAN) on an employee notebook or broadband in the home (with the assumption that the employee can use the 3G card for enterprise access from home). In other cases, if the work the employee is doing from home and/or while traveling is critical to the enterprise, either or both expenses will be paid. Another general rule is that the enterprise will pay broadband or WWAN expenses if the employee works from home or while traveling for the convenience of the company. Paying for the service ensures employee commitment to meet enterprise service-level agreements. 5

6 6 8.3 Support While maintaining the full operating capability of a personally owned system is the employee s responsibility, there are practical reasons why an enterprise might choose to partially subsidize a third-party support option and to provide loaner systems. During the pilot and early stages of an employee-owned notebook or PC program, having an affordable alternative to the free (as perceived by users) IT help desk will help reduce inappropriate trouble calls. This could ultimately lead to as much as a 40% reduction in IT operations costs. However, the main consideration is to ensure that users have a viable source of support and maintenance to sustain productivity. 8.4 Total Cost of Ownership Considerations Because system stipends and support subsidies are likely to be required for a successful employee-owned notebook program, it is unrealistic to expect large savings from the plan. Costs tend to be moved rather than eliminated. Most savings are from indirect costs, while the direct and visible costs are likely to be higher. Financial planners need to be aware of where the changes in costs are likely to occur. The key benefits are that, longer term, responsibilities for maintaining and supporting computing systems are shifted to users to be handled on their own time. This frees IT staff to focus on critical issues and reduces IT s exposure to unplanned operational costs. 9.0 Ensure There Are No Counter-Indicators Employee-owned PC programs may not be appropriate or desirable under all circumstances. Before deciding to support the use of employee-owned PCs, an enterprise should consider all the ramifications in terms of its legal obligation to conduct business safely and with full compliance for its shareholders, maintain productivity and meet all service-level agreements. In many cases, suitability needs to be decided on a case-by-case basis. The program may not be suitable for all classes of workers. However, identifying a population of unsuitable users does not preclude offering the plan to other, more-suitable groups of users. Situations where employee-owned PC programs might not be appropriate include: High-security environments such as military installations, research facilities with costly intellectual property to protect. Employee-ownership could cause a public relations fiasco where the perception of a potential security breach is as important as the actual security profile, such as an assistant in a political department that handles sensitive information. Employee computer-literacy skill gaps where lack of computer self-sufficiency could lead to productivity loss and/or higher unintended support costs. Chaotic environments where audit and control enterprise software assets and data backups are not fully under control. No employee demand and/or employee resistance some employees may regard the program as a cost and not a benefit Identify Workers Who Will Support and Benefit From the Program According to a Gartner survey from late-2008, a significant percentage of U.S. knowledge worker respondents in U.S.-based companies of virtually every size reported using noncompanyowned devices on company systems and networks (see Figure 1 and Economic Factors Accelerate Employees Use of Personally Owned Equipment ). Table 1. Survey Data: Percentage of Knowledge-Worker Respondents Reporting Use of Noncompany-Owned Devices on Company Systems and Networks Company Size (Employees) Home PC Notebook PC 500 to % 21% 109 1,000 to 4,999 33% 28% 112 5,000 to 9,999 39% 33% ,000 or More 24% 15% 115 Grand Total 31% 24% 442 Number of Respondents in Grand Total Source: Gartner (March 2010) Number of Respondents Contrast the findings of our end-user survey (published in January 2009) with those of another Gartner survey composed of 528 IT managers in organizations with more than 500 employees in the U.S., Germany and the U.K. in 2009 (published in February 2010). While more than 40% of the organizations surveyed have a policy regarding the use of employee-owned systems, these companies also reported that employee-owned notebooks represented 10% of the notebook installed base in Clearly, there is a large underground of unsanctioned employee-owned systems of which the responding organizations were totally unaware or chose to ignore. In general, IT professionals and workers in technical roles, such as software and hardware developers, are most able to support personal technology. There is also a tendency of youngergeneration workers to prefer using personal technology over company-provided systems.

7 Many Gartner clients report that software and hardware developers constitute the highest concentration of rogue or nonsanctioned, noncompany-owned systems attaching to the enterprise network. Apparently, these workers feel their personal technology exceeds that provided by the company and enables them to do their jobs more effectively. Technically astute IT workers and users who are already using their own (in many cases unsanctioned) PCs and notebooks would be the ideal population for a pilot and early phase rollouts of an employee-owned program. Keep in mind that senior executives may also want to be part of such a plan, not because they are technically savvy, but because they want to be seen carrying the latest and greatest notebook technology. As noted previously, plans for concierge-level support will have to be in place for these executives Develop Appropriate Policies Policies that define the use of enterprise PCs and notebooks need to be revised and extended to include employee-owned systems. These new policies must be developed jointly by IT and business units along with HR, finance and the legal department to ensure that all enterprise HR, legal, compliance and financial requirements are met. The major areas the policies have to cover include: Language to explain the employee s responsibility to have a suitable machine available for company use at all times Minimum specifications for hardware and OS Who will pay and how much for hardware, software and third-party support What is and isn t supported by IT organization Remote-access policies Security policies Levels of permissible data access Safe storage of company data What to do if the system is lost or stolen What to do at termination of employment Financial liabilities of enterprise and user Data cleansing from notebook hard drive 12.0 Develop a Communications Plan Just having policies is not enough. Participants in any employeeowned notebook program must be familiar with the policies and know where to go for more information. These users must fully appreciate their responsibilities in providing a working system, meeting service-level agreements and observing all security requirements. In addition to creating a detailed policies document, it is often helpful to publish a shorter, user-oriented version that covers the main points that apply directly to the program s participants. Internal routing for help desk calls is not relevant, but the logistics of the hardware purchase and user responsibilities certainly are. This information should be available on a corporate website, and must be circulated to all interested users and program participants on a regular basis. Consider having users sign an annual letter of understanding and compliance regarding the employee-owned notebook program. 7