Chicago-based Walsh Group Construction is finding that buying into Microsoft's Office 365 and Enterprise Mobility Suite is yielding a mixed bag of benefits -- better BYOD, cost-saving, time-saving, increased productivity -- but adopting the cloud services required a dose of blind trust in their security.
The services helped reduce capital and operational costs, got more applications into the hands of more workers on more devices and allowed for tighter authentication practices, says Patrick Wirtz, innovation manager for Walsh Group.
Walsh saved $200,000 in capital costs and lops 20% off operational costs for disaster recovery by using Office 365 rather than buying more servers to handle recovery and managing them in-house, he says.
Enterprise Mobility Suite (EMS) brought multi-factor authentication to logins as well as the ability to more effectively assign and revoke rights, and to allow users to reset their own passwords, he says.
That's all good, but he admits that buying into the cloud services in the first place meant accepting Microsoft's word about security since Microsoft doesn't reveal a lot of details about how its cloud is secured. "There is definitely a leap of faith," he says.
But Microsoft says it meets a host of security standards and regulations that can be verified through independent audit reports. And Wirtz says he's worked with Microsoft products for more than 10 years and has access to its product team, which gave him confidence.
And that leap is backed up by contract language that leaves Microsoft open to liability for breaches, he says. "Nothing prevents me from going after them. They're as much on the hook as I am."
Relying on the service gives Walsh the 24-hour coverage Microsoft provides to its cloud infrastructure, something Walsh could not afford on its own, he says.
Walsh Group is a long-time Microsoft shop that has 150 to 200 construction sites active at any given time. With headquarters in Chicago, it has 20 regional offices. All the job sites have Internet connections and VPN to headquarters via Cisco VPN gear. The regional offices have Internet connections but also connect to an MPLS VPN.
The company has followed a gradual path toward its adoption of Enterprise Mobility Suite, which consists of mobile device management service Intune, Azure Active Directory Premium and Azure Rights Management.
In January 2013, the company started looking at Microsoft cloud services by considering Office 365, the cloud version of Microsoft's Office suite -- Word, Excel, PowerPoint, Outlook, Publisher, and OneNote. It also includes OneDrive for Business, Microsoft's cloud storage and collaboration service.
Wirtz says at the time Walsh was particularly interested in Exchange Online for its email disaster recovery and backup features, and that was the first feature the company rolled out. As Office 365 apps were used more and more, he decided that licensing EMS could promote their use further and improve management.
One immediate impact of adopting EMS was a boost to the company's BYOD program. The company issues just a few iPhones and iPads to some employees, he says, but more want to use these devices because they are more convenient than laptops in certain settings.
With EMS, employees can use their personal phones to access email via the Mobile Outlook Web Access client. Before, it was possible for employees to enroll their phones into the Exchange environment, but that meant Walsh's IT department could control the entire phone, he says. The app lets IT manage just Exchange access.
"Now we're at the point where we can only control that one application," he says, which makes users more apt to use it. And IT is happier without having to deal with whatever personal apps and data are on the phones, he says. "We didn't like that, and the end users didn't like that."
Users can also bring their iPads to work and access content stored in OneDrive for Business. Before the company enabled its use for BYOD workers, those using iPads had to bring the devices to an office, plug them into a laptop, load the PDFs they wanted via iTunes and unplug the device.
Now with OneDrive for Business, files in SharePoint sync whenever the device is connected to the Internet. Unlike the earlier method, this assures that all workers will be using the latest versions of documents when they collaborate, without having to query each other via email, he says.
Employees are told that they can enroll in the BYOD program as part of a pilot to access more applications, and that offer is enticing. "They are jumping all over it," Wirtz says.
EMS in combination with OneDrive for Business enables Cloud App Discovery, which can hunt for specific types of applications to see what is actually being used by employees. "For instance if everybody is using Dropbox, and we don't support that as a corporate standard, Cloud App Discovery shows that to us, and then we can direct our users to OneDrive for Business, which is our corporate standard," he says.
From a security aspect, EMS supports multifactor authentication, which boosts security for whatever resources users access, he says. When logging in, users either receive a unique code via text message or an app on their phone generates a code that is presented for authentication, so the phone becomes a second authentication factor.
Users can reset their own passwords now, too, which can improve security by more quickly changing passwords that may have been compromised, but it also frees up help-desk staff from the chore and leaves them extra time -- two to three hours per week -- to do more strategic work, he says.
Part of the EMS package is Forefront Identity Manager, which Walsh uses as a traffic cop for anything that has to do with a user's identity, Wirtz says -- phone numbers, titles, job sites workers are part of, roles within the company. "It consumes all that HR data and turns it into security settings based on IT's and HR's coordination," he says.
Before, setting security settings was manual. "The user would call in and IT would assign. Now this is more about who you are within the company and the HR roles you're assigned within the company," he says.
Use of Intune, which also comes with EMS, allows pushing home-grown apps as well as Office apps directly to mobile devices. Before, the apps had to be sideloaded to devices one at a time via a cable.
Walsh is about to go live with use of Rights Management Server, also part of EMS. RMS enables granting individuals the right to see certain documents and to restrict what they can do with them. For example, how fast Walsh can pour concrete at a site is proprietary information, but information that is necessary for estimators bidding on a project to have. "And that's what [RMS] is going to be able to do, tying the rights to be able to see that to the user's account," Wirtz says.
To do the same thing without RMS would have been a massive manual effort. "If I give a person an Excel spreadsheet, in order to prevent them from emailing it or forwarding it to somebody else I would have had to individually password-protect each file," he says. "This is just three mouse clicks, and all of a sudden it's protected. And it's not about a password being used, it's about a user's rights."
Walsh is still evaluating Cloud Application Proxy, the cloud version of Web Application Proxy available in Windows Server 2012 R2. Rather than users accessing apps directly, the proxy would act as a go-between.
"Instead of having all the DNS records point to Walsh to come to our ERP financials we would instead point the DNS to Azure, and then Azure would broker that connection between the internal ERP servers and the clients connecting to them," he says.
This added layer can replace a corporate demilitarized zone performing the same function, reducing potential capital costs and ongoing maintenance, he says.
Wirtz says EMS comes with the promise of more features that will be part of the bundle that Walsh pays for. Based on what he's seen under non-disclosure of Microsoft's roadmap for the service, he will be given more options to consider. "Whatever we're paying now we will keep paying but get more on top of it for the same price," he says.