Deploying an Enterprise-Ready Content Sync-and-Share Solution

Content Sync-and-Share Solutions September 2013

Preeta Banerji, Client Engineering – Content Sync Project Manager, Intel IT
Roy Ubry, Staff Engineer, Intel IT
Julian Braham, Product Engineer, Intel IT
Terry Yoshii, Storage Architect, Intel IT

Executive Overview

Intel IT is deploying an enterprise-ready content sync-and-share solution that provides the productivity and collaboration benefits that our employees want as well as the security and manageability controls that we require. With the increased popularity of consumer-based content sync-and-share solutions and the growing number of devices each employee uses, we recognized the need to enable access to content from multiple devices.

We want an enterprise-ready content sync-and-share solution that provides benefits to productivity, multi-device access, and collaboration. We also need to simplify PC backup and replacement—on standard refresh cycles and when PCs need repairing—as well as keep business content separate from the employees’ personal content. We examined off-premises, on-premises, and hybrid solutions to see which would work best for our current needs while allowing us to scale to up to 100,000 users.

Based on this examination, we approached third-party suppliers that could support an off-premises software-as-a-service (SaaS) solution as well as on-premises storage in a hybrid or on-premises solution. We compiled an extensive list of requirements

IT@Intel White Paper Deploying an Enterprise-Ready Content Sync-and-Share Solution

Contents

Executive Overview
Business Challenge
Solution
Implementation Considerations
Searching For a Third-Party Supplier
Validating the Solution with a Proof of Concept
Key Learnings
Results
Conclusion
Acronyms

IT@Intel

The IT@Intel program connects IT professionals around the world with their peers inside our organization – sharing lessons learned, methods and strategies. Our goal is simple: Share Intel IT best practices that create business value and make IT a competitive advantage. Visit us today at www.intel.com/IT or contact your local Intel representative if you’d like to learn more.

Business Challenge

The consumerization of IT and the popularity of our bring-your-own-device (BYOD) program allow Intel employees to work from multiple devices. Regardless of what type of device they use, they want to be able to access work content from anywhere, at any time, and be able to share that content with internal and external colleagues.

We have found that when employees have access to the content they need on their devices of choice, productivity increases. From 2010 to 2012, Intel employees gained more than 7 million hours of productivity because of their ability to use BYO devices.¹ At the same time, this trend brings with it increased expectations and new risks. For example, some employees who rely on consumer-based content sync-and-share solutions for synchronizing and sharing their personal files expect a similar solution to be available for work files.

In researching current usage of content sync-and-share solutions, we discovered that many employees had already opened accounts with consumer solutions, introducing security, regulatory, and content leakage risks to the enterprise. Employees were inadvertently putting the enterprise at risk in their efforts to improve productivity and collaboration. Additionally, when employees who have such accounts leave the company, they—and any others who have the links—can still access the business content stored there, posing an indefinite legal and security risk to the enterprise. Even when employees simply abandon their accounts, we have no way to remove the business content.

¹ 2012-2013 Intel IT Performance Report

For these reasons, Intel IT made users aware that unapproved solutions must not be used for Intel content and implemented a content sync-and-share solution managed by Intel that enables us to do the following:

• Keep company content secure

• Enhance collaboration between internal and external colleagues

• Increase employee productivity and satisfaction

• Make the most recent content available, regardless of which device last altered it

Solution

Establishing a solution to synchronize and share content across devices is a major component of a program that Intel IT started in 2012 called “Any Device, Anywhere Computing.” This program’s primary goal is to give employees the freedom to securely communicate, compute, and collaborate from multiple devices whenever they want, wherever they want.

By enabling the content sync-and-share component of the employee workspace, we could accommodate the following four use cases:

• Multi-device access. Employees can use any managed device, whether Intel-owned or personally owned. Eventually, we want to deliver secure containers to enable the use of any device.

• Collaboration. Enable content sharing between internal and external team members to make them more efficient.

• Full PC backup, refresh, and replacement. By synchronizing user content to the cloud, we are effectively creating a backup. When an employee gets a new system, the most recent versions of all content will synchronize over to that system.

• Separate business content from personal content. Allow business content to synchronize to the enterprise cloud while personal content could be synced to a public cloud of the employee’s choice, per the established BYOD program we support.

We determined that if our content sync-and-share solution could accommodate all four of these use cases, it would offer more combined benefits to Intel employees and Intel IT than are currently possible with a consumer-based solution.

Implementation Considerations

We considered three solution types when implementing our enterprise-ready content sync-and-share solution: off-premises, on-premises, and hybrid. We knew that we would need more than one approach to meet our current and future needs. Whichever approach we chose, we needed to be able to back out if necessary. We started with an off-premises software-as-a-service (SaaS) solution so we could deploy quickly. We limited our supplier search to those that would also be able to provide support for on-premises storage either through a hybrid solution or an on-premises solution. While SaaS allowed us to replace the use of consumer content sync-and-share solutions faster, it also meant we had to expose encryption keys and Intel content to a third-party supplier. Other implementation considerations included the following:

• Security. The level of encryption key management available in the hybrid solution we chose would determine whether we would place restrictions on the sensitive content that could be uploaded and, if we placed restrictions, what those would be.

• Total cost of ownership/return on investment (TCO/ROI). Including support costs and future expansion, this would factor into the decision making process to determine the solution’s levels of security, performance and scalability, and overall usability.

• Performance and scalability. Within the parameters defined by security and TCO/ROI considerations, the solution needed to meet the minimum required performance needs and had to be able to scale to meet future needs (that is, achieving our strategic vision in three years and accommodating 100,000 users).

• User experience. Also within the parameters defined by security and TCO/ROI considerations, the solution had to accommodate employee usability needs in the workspace. Product functionality, the user interface, training, and more were factors in the overall user experience that would determine whether employees would actually use the solution.

Searching For a Third-Party Supplier

To identify the right supplier to help us implement our enterprise-ready content sync-and-share solution, we first had to define enterprise requirements. After we developed the requirements, we went through an RFP process and compared the suppliers’ responses to our requirements.

[Figure: the employee workspace in Any Device, Anywhere Computing. Labels: Email; Applications; Enterprise-Ready Content Sync-and-Share; Personalization of User Experience; Desktop, Laptop, Tablet, Cell Phone.]

We selected a supplier based on which one scored highest in our RFP. We then conducted a PoC with our chosen supplier with about 200 employees.

Defining Requirements

When considering the requirements for our enterprise-ready content sync-and-share solution, we examined numerous factors related to content management, content sharing, content synchronization, de-duplication, security, service manageability, usability, and storage. We prioritized each requirement according to need: must-have (high priority), significant value (medium priority), or nice-to-have (low priority). The following list contains a selection of the high priority requirements we defined.

Content management

Our highest priorities were to support Linux*, Microsoft Windows*, Apple iOS*, Google Android*, and Apple Mac* OS operating systems across different device types, enable the ability to recover deleted files or revert to earlier versions, and provide support for common object types such as folder, document, policy, and relationship. We also needed the ability to globally exclude specific files and file types.

Content sharing

For our content sharing requirement, we focused on controlling access. We wanted to enable both internal and external file sharing. By enforcing security requirements such as needing a valid account before allowing access to content and setting an expiration date for shared links, we could track and audit access to content.

Content synchronization

Among the top priorities for content synchronization features were real-time file synchronization triggered by file changes, conserving network resources, and the ability to sync content through the corporate firewall to devices not connected to the corporate LAN or WLAN. We also had to be able to support large file sizes.
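The content sharing controls described above (a valid account before access, an expiration date on shared links, and an audit trail of access) can be combined as in the following added example, which is not Intel's or the supplier's code. The ShareService type, the token format, and the sample users and file IDs are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// AuditEvent is one access decision, recorded whether access was granted or not.
type AuditEvent struct {
	When   time.Time
	User   string
	FileID string // file ID claimed by the link (unverified if the signature failed)
	Result string
}

// ShareService is a hypothetical in-memory stand-in for the sharing service.
type ShareService struct {
	key      []byte          // server-side link-signing key
	accounts map[string]bool // users holding a valid account
	Audit    []AuditEvent
}

func NewShareService(key []byte, users ...string) *ShareService {
	s := &ShareService{key: key, accounts: map[string]bool{}}
	for _, u := range users {
		s.accounts[u] = true
	}
	return s
}

// sign binds the file ID to its expiry so neither can be edited in the link.
func (s *ShareService) sign(fileID string, expires int64) string {
	mac := hmac.New(sha256.New, s.key)
	fmt.Fprintf(mac, "%s|%d", fileID, expires)
	return hex.EncodeToString(mac.Sum(nil))
}

// NewLink returns a token "fileID.expiryUnix.mac"; fileID must not contain ".".
func (s *ShareService) NewLink(fileID string, ttl time.Duration, now time.Time) string {
	exp := now.Add(ttl).Unix()
	return fmt.Sprintf("%s.%d.%s", fileID, exp, s.sign(fileID, exp))
}

// Access checks signature, expiry and account, in that order, and audits the outcome.
func (s *ShareService) Access(token, user string, now time.Time) string {
	result, fileID := "denied:malformed", ""
	if p := strings.Split(token, "."); len(p) == 3 {
		fileID = p[0]
		exp, err := strconv.ParseInt(p[1], 10, 64)
		switch {
		case err != nil: // expiry field is not a number: stays malformed
		case !hmac.Equal([]byte(p[2]), []byte(s.sign(fileID, exp))):
			result = "denied:bad-signature"
		case now.Unix() >= exp:
			result = "denied:expired"
		case !s.accounts[user]:
			result = "denied:no-account"
		default:
			result = "granted"
		}
	}
	s.Audit = append(s.Audit, AuditEvent{When: now, User: user, FileID: fileID, Result: result})
	return result
}

func main() {
	now := time.Date(2013, 9, 2, 9, 0, 0, 0, time.UTC) // constructed clock
	s := NewShareService([]byte("constructed-demo-key"), "alice@example.com")
	link := s.NewLink("doc-1042", 24*time.Hour, now)
	s.Access(link, "alice@example.com", now.Add(time.Hour))
	s.Access(link, "mallory@example.net", now.Add(time.Hour))
	s.Access(link, "alice@example.com", now.Add(48*time.Hour))
	s.Access(strings.Replace(link, "doc-1042", "doc-9999", 1), "alice@example.com", now)
	for _, e := range s.Audit {
		fmt.Printf("%s user=%s file=%q result=%s\n", e.When.Format(time.RFC3339), e.User, e.FileID, e.Result)
	}
}
```

Denied attempts are written to the audit trail as well as granted ones, so the log answers both who accessed content and who tried to.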

De-duplication

This feature was essential to minimizing total storage space required for user data. By preventing duplicate files from being uploaded and stored in the content sync repository, we would maximize overall storage efficiency and reduce the amount of network traffic generated. At this scale, saving even 20 percent would result in substantial cost savings for the content sync-and-share solution.

Security

Security was critical since we were relying on a third party to host the content and infrastructure. We divided security into four categories: encryption, authentication, administration, and policy.

We required encryption of all content in transit between devices and between a device and the cloud storage repository, on all content at rest, and on content stored in public clouds. Encryption keys had to be physically separated from the content. For sensitive content, we needed to be able to manage the encryption keys.

We wanted a strong authentication method using single sign-on (SSO) from Intel-managed devices only. We used SSO to accomplish two goals: to establish trust between the devices and the content, and to simplify the user experience. With SSO’s certificate-based authentication we were able to distribute the necessary certificates to Intel-managed devices and ensure that the devices met minimum security specifications. This eliminated the need to establish a separate password for login to the content sync service, which created a better user experience.

We had several administration requirements because we needed effective control of data, services, processes, and policies in the SaaS environment. We mandated the ability to do the following:

• Recover enterprise content for employees that had been terminated.

• Selectively wipe content from devices: In case of theft we would wipe the entire device; if we had to delete content from a BYO device, we would need to remove only selected content and not wipe the entire device.

• View security event logs so we could identify who accessed content.

We also needed granular controls to ensure that specific content could be synced to only a specific set of devices.

For security policy requirements, we needed capabilities to ensure that only Intel-managed devices could access our solution and that highly sensitive content was not stored externally.

Service manageability

To simplify administration of the solution, we wanted to make sure administrators could define IT policies on versioning and data retention, conflict resolution, and security from a central console. The supplier should also be able to provide an API that allows us to automate and integrate our internal processes such as onboarding, disabling, deletion, group management, and so on. We also needed electronic discovery (eDiscovery) access in the event of a legal matter, and administrators needed to be able to define file type exclusions.

Usability

We needed to try to match the level of usability that our employees had grown accustomed to in consumer-based solutions. High user experience priorities included the ability to use content sync inside and outside the firewall without the need to reconfigure, the ability to suspend and resume synchronization where the user left off, and content that was visible, consumable, and updatable from any application on the device without requiring a separate, vertical content application or graphical user interface (GUI).

Storage

A Comparison of Off-Premises, On-Premises, and Hybrid Content Syncing

We examined off-premises, on-premises, and multiple hybrid solutions as options for our enterprise-ready content sync-and-share solution. In our proof of concept (PoC) we used an off-premises software-as-a-service (SaaS) solution, enabling us to get started quickly without having to set up storage. Ultimately, we plan to move toward either a hybrid or an on-premises solution with on-premises storage.

Table 1 describes some of the benefits and challenges of off-premises, on-premises, and hybrid solutions.

Table 1. Enterprise-Ready Content Sync-and-Share Solution Options and Their Benefits and Challenges

Off-Premises

Classic SaaS solution. All services are hosted externally. Virtual cloud architecture.

[Diagram: employees reach data and services from the Intel internal network over HTTPS. External cloud: key management, web user interface, administrative services, orchestration services, storage.]

Benefits

• Support and maintenance expenses are included in service cost

• Quick implementation

Challenges

• Management of encryption keys is usually offsite and not controlled by Intel

• Storing all content and employee account data offsite introduced security and eDiscovery implications

• Multinational performance varies with the location of the hosting data center

• Enterprise rights management and data loss protection are required to address document security concerns since supplier holds encryption keys and can access Intel content

On-Premises

Services hosted internally. All services are hosted from within Intel. Resident cloud architecture.

[Diagram: employees reach data and services from the Intel internal network over HTTPS. Internal cloud: key management, web user interface, administrative services, orchestration services, storage.]

Benefits

• Management of encryption keys is onsite and controlled by Intel

• Security and eDiscovery issues are fewer than with the off-premises model

• Multinational performance demands are met by distributing the service across Intel sites

Challenges

• Implementation costs (for example, hardware, service, support, or multinational implementation) must be fully understood to avoid hidden expenses

• Enterprise rights management and data loss protection may be required to address document security concerns

• Content sharing with external colleagues and content access by employees through VPN are enabled

• Storage costs can escalate quickly when implementing in multiple countries

Hybrid

Services hosted internally and externally. Multiple variations depending on service host. Co-dependent cloud architecture.

[Diagram: employees reach data and services from the Intel internal network over HTTPS. External cloud: key management, web user interface, administrative services, orchestration services. Internal cloud: administrative services, storage.]

Benefits

• Performance can be faster than an off-premises model

• Storage can be onsite and controlled by Intel

Challenges

• Management of encryption keys is mostly offsite and not controlled by Intel

• Additional controls, such as a second level of encryption at the storage level, are needed to meet security and eDiscovery requirements

• Data loss protection may be required to address document security concerns

• Storage may be encrypted, which would limit Intel’s access for eDiscovery, indexing, search, and other internal services

• Handshaking has to go through the firewall

Validating the Solution with a Proof of Concept

To validate the usage model and overall user experience of our enterprise SaaS content sync-and-share solution, we conducted a 10-week PoC with about 200 employees from multiple countries. Participants used devices running Linux, Windows, Mac OS, iOS, and Android operating systems. Windows users downloaded the client from our internal software repository, which allowed us to customize the installation. Participants using other operating systems downloaded the client from their respective application stores.

We allowed only Intel-managed devices to be used by authenticating users through SSO (see Figure 2) and by using certificates. We used the Intel® VPN certificate to prevent generation and distribution of new certificates. This blocked users from installing the client on their PCs and accessing their business content from non-managed devices. Other security precautions included:

• Sharing files only with users enrolled in the PoC

• Remotely wiping of a device by the user or administrator if the device was stolen

• Remotely wiping shared folders when folder access is removed

• Running the Windows desktop client only on systems joined to our Microsoft Active Directory* primary domains

• Storing data in an encrypted cache on Android-based devices

We asked employees to take a survey to evaluate functionality, cross-device access, onboarding, and performance at the end of the 10-week PoC.

One network challenge we encountered during the PoC is that SaaS solutions use WAN and proxy services to upload or download content when the employee is on the corporate network. To prevent a performance impact on other real-time applications running on the WAN, we marked packets created by the supplier with a high differentiated-services-code-point value. This approach ensured low prioritization on the network.

Key Learnings

During our PoC, we discovered several issues that helped shape our strategies for future deployment of the sync-and-share solution. Some of our more significant discoveries included the following:

• The SaaS model was reliable with no service outages.

• There were no security incidents during our PoC.

• Network upload and download transfer rates were 500 KB to 6 MB per second.

• Large file uploads and downloads had higher transfer rates (file sizes up to 15 GB were tested).

• Connection failures sometimes caused higher network utilization rates due to reattempts to transfer the files.

• At times, our internal VPN bandwidth limited network performance when working offsite.

• Average storage consumption per user was approximately 12 GB (after de-duplication).

• Client GUI and controls were slightly more complex than some consumer content sync-and-share solutions.

• Balancing security requirements with ease of use (user experience) is a challenge.

• Monitoring system capacity and network utilization was useful in detecting unreported issues.

Overall, employees were more accustomed to their favorite consumer-based content sync-and-share solutions and they expected our enterprise content sync solution to function exactly the same way. We plan to provide training, which will help them adapt to this new usage model.

[Figure: SSO authentication flow between the client (must be in the intranet), the service provider, and the IDP (in the intranet). Labeled steps: authentication request; IDP discovery; send query via xHTML form; request SSO authentication; user identification using client CERT; respond to xHTML form; agent posts response to service provider; service provider validates the response and sends user to resource.]

Results

In our continuing efforts to help employees increase productivity by providing access to enterprise content from multiple devices, we successfully implemented an enterprise-ready content sync-and-share solution. After we completed the PoC, we conducted a survey with the 200 employees who participated. While we work toward an acceptable balance between usability and security, our solution received management approval for deployment to 4,000 more employees, most of whom were using a consumer-based content sync-and-share solution. In collaboration with our supplier, we continue to make improvements, including a new HTML5 web browser with drag-and-drop functionality, silent installers, a new Windows client, simplified login, and more.

We are promoting the solution in internal newsletters and social media to educate employees about the availability of the new content sync-and-share solution and to inform them of the risks of using a consumer-based option.

In the PoC, employees responded positively to how well the solution worked across different devices. They were pleased with the flexibility and productivity benefits, and they indicated a perceived increase in the quality of their work/life balance.

Conclusion

Employees rely on cloud-based content sync-and-share solutions to improve their productivity, their ability to collaborate, and their overall work/life balance. The enterprise-ready content sync-and-share solutions that we are exploring are intended to deliver those benefits and more while also protecting corporate assets.

Intel IT is working toward deployment of a hybrid content sync-and-share solution that will provide improved security and employee satisfaction. This hybrid solution is designed to retain all user content on-premises, while the orchestration service would continue to reside with the vendor. We are investigating if a second level of encryption at the storage layer can secure the content and prevent vendor access to Intel content, mitigating the risk of having the vendor host the orchestration layer. Essentially, the content would be encrypted twice, once by the vendor at the orchestration layer with the vendor holding the keys, and again at the storage layer with Intel controlling the keys. This approach should allow us to meet our security requirements without the overhead of maintaining orchestration services in-house. The addition of more security features will enable users to synchronize and share more sensitive Intel content.

We expect this hybrid content sync-and-share solution to be available and deployed to all Intel employees in 2014. In parallel, we are researching on-premises content sync-and-share solutions to determine the value and feasibility of an internally hosted service. As we prepare to accommodate thousands more users, we anticipate more benefits, including the following:

• Improved user experience, based on the close monitoring of rapidly evolving trends in consumer-based solutions and close collaboration with our supplier

• Simplified content migration during PC backup or when deploying content to new devices

• Market growth for tablets and other devices as employees gain confidence in working with multiple devices to access content in the cloud

We are confident that our enterprise-ready sync-and-share solution will continue to keep enterprise content secure while providing employees with a satisfying user experience.
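The two-layer encryption described in this section can be sketched as follows. This is an added example, not code from Intel or its supplier; it assumes AES-256-GCM for both layers, and the names vendorKey, enterpriseKey, storeObject and readObject are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newKey returns a random 256-bit key; each party generates and holds its own.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts data under key and returns nonce || ciphertext || tag.
func seal(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, data, nil), nil
}

// open reverses seal and fails if the key is wrong or the blob was modified.
func open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// storeObject applies the vendor (orchestration) layer, then the enterprise (storage) layer.
func storeObject(vendorKey, enterpriseKey, content []byte) ([]byte, error) {
	inner, err := seal(vendorKey, content)
	if err != nil {
		return nil, err
	}
	return seal(enterpriseKey, inner)
}

// readObject peels the layers in reverse order; both keys are required.
func readObject(vendorKey, enterpriseKey, stored []byte) ([]byte, error) {
	inner, err := open(enterpriseKey, stored)
	if err != nil {
		return nil, fmt.Errorf("storage layer: %w", err)
	}
	return open(vendorKey, inner)
}

func main() {
	vendorKey, _ := newKey()
	enterpriseKey, _ := newKey()
	doc := []byte("constructed sample: draft design review notes")
	stored, err := storeObject(vendorKey, enterpriseKey, doc)
	if err != nil {
		panic(err)
	}
	_, vendorOnly := open(vendorKey, stored)
	inner, _ := open(enterpriseKey, stored)
	full, _ := readObject(vendorKey, enterpriseKey, stored)
	fmt.Println("vendor key alone on stored blob:", vendorOnly)
	fmt.Println("enterprise key alone yields plaintext:", bytes.Equal(inner, doc))
	fmt.Println("both keys recover document:", bytes.Equal(full, doc))
}
```

With only the enterprise key, the result is still vendor ciphertext, which illustrates the limit on eDiscovery, indexing, and search that Table 1 lists for encrypted hybrid storage.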

Contributors

Jim Waters, Staff Client Enterprise Architect
Arijit Bandyopadhyay, Enterprise Architect

Acronyms

BYOD  bring your own device
GUI  graphical user interface
PoC  proof of concept
RFP  request for proposal
ROI  return on investment
SaaS  software as a service
SSO  single sign-on
TCO  total cost of ownership

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.

Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others.

For more information on Intel IT best practices,
