Delivering Cloud-based Services in a Bring-Your-Own ... - Intel

IT@Intel White PaperIntel ITIT Best PracticesCloud Computing and IT ConsumerizationJune 2012Delivering Cloud-based Services in aBring-Your-Own EnvironmentExecutive OverviewBy taking advantage of theunique strengths associatedwith client devices and the cloud,we are systematically buildinga private enterprise cloud thatcan determine device attributesand user preferences, and tailorservices accordingly.Dave BuchholzPrincipal Engineer, Intel ITAs Intel IT builds cloud infrastructure and enables cloud services, one of the goalsis to make those services available to as broad a range of devices as possible.Therefore, we are integrating our cloud computing efforts with our bring-your-owndevice initiatives, enabling Intel to obtain the maximum business value from both.Several years ago, we determined thataddressing the consumerization of IT head-onby formalizing implementation could actuallyimprove enterprise security by eliminatingunsecured, unmanaged use of personaldevices. With that realization in mind, weare actively integrating employee-owneddevices—including smartphones, tablets, andPCs—into our enterprise environment.We have also been building Intel’s enterpriseprivate cloud, and now deliver 80 percent ofour enterprise services through that cloud. Weplan to increasingly use a mix of private andpublic cloud-based services, called hybrid cloud.Today, we are implementing foundationalcapabilities that will eventually create atwo-way awareness between cloud andclient. We are adapting our communicationsinfrastructure, service delivery model, andapplication development processes to supporta client-aware cloud and cloud-aware clients.• To manage, protect, and deliver cloudbasedservices to a broad range ofdevices, we have significantly revised ourinformation security model, mobile devicemanagement practices, and personalworkspace portability capabilities.• We provide information about devicefeatures and services to employees, whichhelps guide them in selecting a device thatwill help them be as productive as possibleand have an optimal user experience.• We are implementing a data and applicationvirtualization framework that enables usto assemble existing enterprise data andapplication capabilities and quickly integratethem with new capabilities.By taking advantage of the unique strengthsassociated with client devices and the cloud, weare systematically building a private enterprisecloud that can determine device attributes anduser preferences, and tailor services accordingly.Ed GoldmanIT Chief Technology Officer, Intel ITDennis MorganSenior Security Strategist, Intel ITChris PetersIndustry Engagement Manager, Intel IT

IT@Intel White PaperDelivering Cloud-based Services in a Bring-Your-Own EnvironmentContentsExecutive Overview.............................. 1Background............................................. 2Solution.................................................... 2Communications InfrastructureChanges............................................... 3Service Delivery Changes................. 4Application DevelopmentChanges............................................... 7Conclusion............................................... 7For More Information .......................... 7Acronyms................................................. 8IT@IntelThe IT@Intel program connects ITprofessionals around the world with theirpeers inside our organization – sharinglessons learned, methods and strategies.Our goal is simple: Share Intel IT bestpractices that create business value andmake IT a competitive advantage. Visitus today at www.intel.com/IT or contactyour local Intel representative if you’dlike to learn more.BackgroundIntel employees want to be ableto use a broad range of companiondevices, including personally ownedsmartphones and tablets, with theirIntel-supplied mobile business PCs.They also want to be able to usetheir personally owned Macs* andPCs. We determined that addressingthe consumerization of IT head-onby formalizing implementation couldactually improve enterprise security,helping to eliminate unsecuredand unmanaged use of personaldevices. Intel IT is actively integratingemployee-owned devices into ourenterprise environment.In early 2010, about 3,000 Intel employeeswere using personally owned smartphones;by the end of June 2012, this number hadincreased to 19 ,000. Also in 2011 someemployees began using their personal Apple*computers, and this year we are expandingour bring-your-own-device (BYOD) initiativeto include PCs. We are transitioning from thetraditional client computing model of a limitednumber of device types under tight and directIT control to a future compute continuummodel that focuses on a seamless, consistentexperience across devices. We see greatbusiness value in allowing employees morechoice in the devices they can use at work. Atthe same time, we realized we need to protectIntel information security by maintaining controlof the underlying communication infrastructurethat supports those devices.There are parallels and interdependenciesbetween IT consumerization, which providesemployees with a wider range of choices forcompute capability, and the advent of cloudcomputing, which offers businesses additionaloptions for IT services. At Intel, we have builtan extensive private enterprise cloud, andwe now deliver 80 percent of our enterpriseservices through that cloud. We plan tocontinue moving toward a mix of private andpublic cloud services, called a hybrid cloud.As we continue to build cloud infrastructureand enable cloud services and applications,it is important that we consider our BYODinitiatives at the same time. This integratedapproach will enable Intel to obtain themaximum business value from both BYODand cloud computing.SolutionWe have found that the key todelivering cloud-based services toa wide variety of devices, includingBYO devices, is to create a two-wayawareness between the cloud and theclient. Not all client devices have thesame capabilities, and the cloud is notalways available to a client device.Therefore, a one-size-fits-all servicedelivery model is not appropriate. Amisalignment between the deliverymodel and the device could negativelyaffect employee productivity andbusiness functionality, introducesecurity risk, and invalidate theinvestment made in developing cloudbasedservices and applications.By taking advantage of the unique strengthsassociated with the device and the cloud, weare systematically building a private enterprisecloud that can determine device attributes anduser preferences, and tailor services accordingly.Although it will take several years to completeour efforts, we are already working to establishthe necessary foundational capabilities over thenext few months.2 www.intel.com/IT

Delivering Cloud-based Services in a Bring-Your-Own EnvironmentIT@Intel White PaperAs illustrated in Figure 1, our intelligent,client-aware cloud will be able to determinethe following:• Whether an application provides thebest user experience if executed locallyor remotely• Which native features, such as a locationbasedservice provided by the GlobalPositioning System or accelerometer, areavailable on a device• How to use predefined user and deviceprofiles to customize services to userpreferences and the device’s securityaccess levelConversely, we are also establishingfoundational capabilities to enable cloudawareclient devices. For example, a clientdevice will be able to determine the following:• Whether the cloud is available• What services are available to the clientdevice at the time• Its security level and available bandwidthFor example, if the cloud is available, the devicestores a document in a cloud-based documentrepository. But, if the cloud isn’t available,the device stores the document locally andpossibly automatically uploads the documentto the cloud when it becomes possible.Cloud-aware devices can also offloadwork from the cloud that might be moreefficiently done on the device, helping toenhance the quality of service for end users.This type of work might include image andvideo processing, data compression, and 2Dand 3D graphics. The 3rd generation Intel®Core processor family with Intel® TurboBoost Technology 2.0 and next-generationgraphics facilitate local execution on thedevice. Taking advantage of local resourcesin this manner helps reduce both the datacenter workload and the associated networktraffic. We are currently conducting severalproofs of concept to evaluate these typesof technologies and to establish enterpriseusage models.Implementing a client-aware cloud andcloud-aware devices requires changes to thecommunications infrastructure, service deliverymodel, and application development processes.CommunicationsInfrastructure ChangesProviding cloud-based services to multipledevices and OSs requires several modificationsto our communications infrastructure,such as additional firewall controls. Theseadjustments are necessary because eachOS has different security features, andsome are more secure than others. Tosupport a broad range of personally owneddevices, we are building a communicationsinfrastructure that uses a flexible combinationof delivery methods, including workspace andapplication containers, application and desktopvirtualization, remote display technology,HTML5, and web portals, to deliver services toa wide variety of form factors, including PCs,Macs, tablets, and smartphones.To manage, protect, and deliver this flexibilitywe have made significant enhancements andadjustments to our information securitymodel, mobile device management practices,and personal workspace portability capabilities.Current Status:BandwidthProcessing PowerGraphics CapabilitiesSecurityCurrent Status:BandwidthProcessing PowerGraphics CapabilitiesSecurityCompute remotelyPlay high-definition (HD) videoMedium-security accessCurrent Status:BandwidthProcessing PowerGraphics CapabilitiesSecurityCompute remotelyPlay non-HD videoLow-security accessCloudCompute locallyPlay HD videoSecure accessCloud-aware ClientClient-aware CloudFigure 1. We are laying the foundation for a bidirectional awareness between the cloud and a client device that will enhance service delivery, userexperience, and productivity.www.intel.com/IT 3

IT@Intel White PaperDelivering Cloud-based Services in a Bring-Your-Own EnvironmentInformation security modelWe have found that security is of paramountimportance in being able to fully embracecloud computing and BYOD, and to seamlesslydeliver services to a broad range of devices.We have radically redesigned our securityarchitecture to enable different degrees ofaccess. Our new security model is based onfour pillars.• Identity and access management. IntelIT has created a unique integrated trustcalculation technology that enables us tosupport devices with differing levels ofsecurity. The system dynamically adjustsusers’ access privileges as their level of riskchanges. For example, employees have lessaccess to corporate information from personalsmartphones than from corporate laptops.• Security business intelligence. As weallow access to enterprise services frommore devices, we need improved detection,monitoring, and analysis capabilities. Wedeployed a dashboard that provides detailedinformation about infected clients andservers, boosting our ability to intervenequickly and accurately. We also plan to add apredictive engine that will help improve ourability to respond to threats.• Data protection. We are implementingtechnologies that protect data when it iscreated, stored, and in transit. We expandedthe deployment of enterprise rightsmanagement software to nearly 20,000employees, and we implemented dataloss prevention technology to better tracksensitive data as it moves through Intel.• Infrastructure. We implemented securetrust zones within our enterprise privatecloud that enable us to virtualize internallyand externally facing applications withhigher security requirements. As a result, wereduced malware incidents by 30 percent,despite a 50-percent increase in the numberof malware detections in 2011.Device ManagementA mobile device management (MDM) solutionprovides several important benefits with regardto BYOD. By controlling and protecting the dataand configuration settings for all mobile devicesin the network, MDM helps reduce support costsand business risks, helping to enable the securedelivery of at least a limited set of services.The main functions of an MDM solutionare deploying software, including patchdeployment and configuration management,enabling remote troubleshooting, and providingthe ability to remotely lock and wipe a device.MDM solutions also provide a cost-effectiveand efficient method for system maintenance,such as the ability to replace a corruptedor failed image with a working image. Forexample, at the beginning of a training session,an instructor can verify that all the classroomdevices are functional and, if necessary,can quickly re-install the image on any nonfunctioningdevices.However, because our current MDM solutionworks only for devices that run mobile OSs andwe must use a separate corporate managementsystem for PCs, MDM does not resolve all ofIntel’s remote device management problems.For example, our MDM remote wipe capabilitydoesn’t work on larger form factors such as PCs.For this reason, we currently consider personallyowned PCs to be at a lower trust level thansome mobile devices, such as tablets andsmartphones, unless the device’s owner decidesto opt in to corporate management capabilities.Workspace MobilitySupporting BYOD devices raises challengesabout how to make data available regardlessof the user’s location—whether at work, athome, or traveling—and how to deliver aconsistent workspace across a user’s manydevices, whether accessing cloud services orlocally installed applications.To support a more portable workspace, weare moving away from our traditional modelof locally installed applications to exploringhow we can deliver more modular servicesto many different devices. One approach wehave investigated is to separate the layersof the traditional tightly coupled solutionsstack, a technique IT architects refer to asabstraction. By using virtualization to dividethe platform, OS, application, user data, anduser profile layers into separate services, wecan set rules individually on each abstractedlayer of the service.Using abstraction we can determine whether,based on the type of device, user location,or other criteria, it’s appropriate to deliveran optimal service to a particular device. Forexample, smartphones can access contactlists, calendars, and email services only; fortablets, we are investigating the feasibilityof delivering an expanded set of businessto-businesscollaboration tools, such asnote-taking and archiving services, instantvideo collaboration, and instant meetings.Workspace mobility also raises the issue ofhow to synchronize cloud-based and localdata. We are currently exploring how contentsynchronization may affect backup-andrestoreprocesses.Service Delivery ChangesBecause our goal is to enable cloud-basedservices that take advantage of featureson employees’ devices, we need to actas a trusted advisor, providing employeesinformation about a device, whether it’s asmartphone, tablet, or PC. We encourageemployees to consider how they want towork and where they want to work with eachdevice. We then help them choose the deviceand OS that is best suited for their situation,helping them to be as productive as possibleand to have an optimal user experience.4 www.intel.com/IT

Delivering Cloud-based Services in a Bring-Your-Own EnvironmentIT@Intel White PaperEmployees can choose among many differentdevices with varying levels of capabilities.The availability of a diversity of userinterfaces and screen sizes affects deviceand application interaction. Some devices donot have the features necessary to meet theminimum security configuration for even thelowest level of confidential data classification.Other devices can access certain data andservices, but not others. A small subsetof devices can access corporate data andservices, with restriction.With those factors in mind, it isn’t possibleto deliver a one-size-fits-all service deliverymodel that delivers the same set of servicesto every personally owned device. Nor is itpractical to support every possible computemodel and OS. For example, we limit ourmobile device support to five mobile OSs; forBYOD computers, we currently support Macs*and plan to support Microsoft Windows*-based systems in 2012, but we do not planto support Linux*-based systems.To educate employees about which devicescan access which enterprise services andwhich devices and OSs are best for certainwork scenarios, we have created a web portalthat provides a wide variety of information toemployees enrolling in our BYOD programs.Bring Your Own PhoneTable 1 shows a part of our web site thatcompares smartphone features, helpingemployees choose the best device for theirsituation. For example, if an employee’s jobrequires good access to cloud-based businessand Internet applications, as well as Wi-Fi*access and access to the Intel intranet, thechart indicates that a smartphone with OS#5 is the best choice. On the other hand,if an employee needs only calendar andcontact information, any of the supportedsmartphones is adequate.Table 1. Intel Employees Can Use the Information on Our Handheld Services Web Portal to Compare Smartphone FeaturesFeature OS 1 OS 2 OS 3 OS 4 OS 5Email a a aAdditional security softwaremay be required, dependingon the supported deviceCalendar a a a a aContacts a a a a aGlobal Positioning System (GPS) a a a aWi-Fi*Allows you to connect to your home network or public Wi-Fiin airport or coffeeshop, and other areasVaries Varies Varies a aInternet Usability Good Varies Varies Best BestInternet ApplicationsExamples: mapping applications, currency converters,and so onGood Good Good Better BestIntel Intranet Availability Some Available r r r Some AvailableBusiness Application AvailabilityExamples: Instant messaging, bridge speed dialer, and so onBattery LifeStandby or talkGlobal Roaming CapabilityMore Available Some Available Some Available Less Available Some AvailableBest Good Good Good GoodVaries by Rate PlanTetheringConnect your phone to your laptop and use the phone as a modemto connect to the Internet (like a wireless data card). Performancevaries by phone model and service provider network speedaavailable; r unavailableaVaries by Country or Service Providerwww.intel.com/IT 5

AcronymsBYOD bring your own deviceMDM mobile device managementThis paper is for informational purposes only. THIS DOCUMENT IS PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTYOF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANYPROPOSAL, SPECIFICATION OR SAMPLE. Intel disclaims all liability, including liability for infringement of any proprietary rights, relating to use of information inthis specification. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted herein.Intel, the Intel logo, and Intel Core are trademarks of Intel Corporation in the U.S. and other countries.* Other names and brands may be claimed as the property of others.Copyright © 2013 Intel Corporation. All rights reserved. Printed in USA Please Recycle 0612/JGLU/KC/PDF 327462-001US