1 April 2021

Consumer Experience


Posted By: Matt Bull

Following a successful IPO, Elanco IT is in a unique position to rebuild IT from ground up. As a technologist, this is a once in a lifetime opportunity, where the weight of legacy architecture and technical debt is lifted, presenting a clean start to build a modern IT ecosystem.

For more information and additional framing, please refer to the article: The Elanco Modern IT Ecosystem.

Within this article, I will highlight our proposed Device-as-a-Service (endpoint) architecture, describing our philosophy, key technology decisions, and positioning.

Introduction

We are building towards a Zero Trust security model, which assumes that internal and external threats always exist and that all networks are inherently hostile.

This model also extends to the endpoints (e.g., desktops, laptops, tablets, smartphones), which we will treat as a commodity (untrusted). To enable this outcome, our security controls will be layered throughout our end-to-end ecosystem, with solutions being secure by design (secured at the source), whilst complemented by a robust Identity Access Management architecture and a clear “least privilege access” strategy.

As a result, our endpoint architecture can prioritise productivity, delivering a “consumer-like” experience.

For example, it is very common for enterprise endpoints to be burdened with third-party security software, often running multiple agents. These agents continuously consume system resources (processor and memory) and frequently require kernel-level access, which (ironically) opens a high-risk attack vector.

As an alternative, we plan to leverage the native capabilities of the specific device (no third-party agents), looking to embrace the inbuilt security mechanisms and controls. Not only does this dramatically simplify the architecture, but it also improves the end-user experience, making it comparable to a consumer purchase.

This approach supports our goal of making our ecosystem device-agnostic, where any endpoint (e.g., Windows, macOS, Linux, ChromeOS, iOS, Android) can be consumed with minimum effort. We feel this is an important architecture tenet, enabling the rapid growth of connected devices (e.g., sensors) and new forms of Human-Computer Interaction (e.g., Mixed Reality headsets).

Considering our security model and device-agnostic strategy, you might assume that we would be targeting “Bring Your Own Device (BYOD)”. Over the past decade, BYOD has become a popular trend; however, its true value is often reduced or lost due to the inherent complexities regarding security, privacy, and local regulation. As a result, many respected analysts have rebranded BYOD as “Bring Your Own Disaster”.

Therefore, we have decided to target a “Choose Your Own Device (CYOD)” strategy, where the enterprise retains ownership of the device itself (clear separation between personal and business), but still provides flexibility for employees to personalise their experience.


Device-as-a-Service

As previously stated, we see the endpoint as a commodity. As a result, we plan to treat the processes (e.g., provisioning, lifecycle, break-fix) supporting the endpoint “as-a-Service”. The “as-a-Service” paradigm is well established within software (e.g., SaaS, Public Cloud), but is more complex when physical hardware is involved.

The major personal computer providers all offer Device-as-a-Service and/or PC-as-a-Service capabilities, where they aim to combine hardware, software, lifecycle, break-fix, and financing in one all-encompassing service.

In this scenario, we simply provide our required specification (e.g., hardware, software) and configuration (e.g., settings, policies), with all other logistics being managed by the personal computer provider. The high-level diagram below outlines the process.

A key enabler of this process is the ability to configure the builds at the point of use. Historically, enterprise businesses would have to create and maintain a build (image), which would include a specific version of the operating system, as well as all base drivers, configuration, and software. The provisioning and maintenance of this build (or builds) could be frustratingly complex, as well as resource-intensive and time-consuming.

With Windows 10, Microsoft introduced a new capability known as Windows Autopilot, which removes the need to manage a traditional build, allowing devices to be automatically configured upon delivery.

Windows Autopilot

Windows Autopilot is a capability that can be used to pre-configure, provision, repurpose and recover devices. It was designed to simplify the end-to-end device lifecycle management process and can be leveraged by certified personal computer providers.

Windows Autopilot uses an OEM-optimised version of Windows 10, which comes pre-installed on the device. This removes the need for the enterprise to create and maintain a custom build (image).

At the point of deployment, instead of re-imaging the device, the OEM-optimised version of Windows 10 is transformed into a “business-ready” state. This includes the required configuration (e.g., settings, policies) and software (e.g., Office 365, Chrome).

Post-deployment, Windows Autopilot can be used to re-purpose the device by leveraging “Windows Autopilot Reset” or to support break-fix events.

As the name suggests, Windows Autopilot is a Windows-only feature (targeting Windows 10). Recognising our greenfield opportunity, we anticipate that 98% of our endpoints will be running Windows 10, with the remaining devices using a combination of macOS (1%) and Linux (1%).

Microsoft Intune, SCCM and JAMF

Microsoft Intune is a unified endpoint management solution, covering Windows, macOS, iOS and Android. Intune will be our primary endpoint management solution, used to automate provisioning, policy management, application delivery, and updates.

Unfortunately, Intune is not yet feature-complete, especially when targeting legacy operating systems, as well as macOS and Linux. To ensure end-to-end compatibility, Microsoft System Center Configuration Manager (SCCM) will be utilised to complement Intune.

Across our ecosystem, the use of SCCM should be very limited (less than 5%). As Intune matures, we hope to reduce our reliance on SCCM.

Minimum Hardware Requirements

All enterprise-owned laptops/desktops will target a minimum 1920x1080 resolution display, 16GB RAM, NVMe SSD, as well as Trusted Platform Module (TPM) 2.0 and biometric authentication (or equivalent Apple Mac hardware).

This minimum hardware specification provides a very strong foundation, delivering performance, sustainability, and security across the entire range.

Specific high-performance devices will also include ISV certified graphics, providing support for specialist workloads, such as video/effects editing, computer-aided design, machine learning, etc.

Finally, regarding mobility, we have positioned the Apple iPhone and Apple iPad, managed alongside laptops/desktops via Microsoft Intune.
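As an added example that is not part of the article or Elanco's tooling, the following PowerShell script checks a Windows 10 device against the minimum hardware baseline above using only built-in cmdlets, in keeping with the no-third-party-agents approach. The thresholds are taken from the text; the function name and output format are assumptions of mine.

```powershell
# Added example, not from the Elanco article. Checks a Windows 10 device against
# the minimum hardware baseline stated above, using only built-in cmdlets.
# The thresholds come from the text; the function name is an assumption.
function Test-EndpointBaseline {
    $checks = [ordered]@{}

    # TPM 2.0: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16" on a 2.0 module.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $checks['TPM 2.0'] = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')

    # 16 GB RAM: sum of installed DIMM capacities (reported in bytes).
    $ram = (Get-CimInstance Win32_PhysicalMemory | Measure-Object Capacity -Sum).Sum
    $checks['16 GB RAM'] = $ram -ge 16GB

    # NVMe SSD: at least one physical disk on the NVMe bus with SSD media.
    $nvme = Get-PhysicalDisk | Where-Object { $_.BusType -eq 'NVMe' -and $_.MediaType -eq 'SSD' }
    $checks['NVMe SSD'] = @($nvme).Count -gt 0

    # 1920x1080 display: Win32_VideoController reports the *current* mode, so a
    # device running below its native resolution will fail this check.
    $fhd = Get-CimInstance Win32_VideoController | Where-Object {
        $_.CurrentHorizontalResolution -ge 1920 -and $_.CurrentVerticalResolution -ge 1080
    }
    $checks['1920x1080 display'] = @($fhd).Count -gt 0

    # Biometric authentication: a working device in the Biometric PnP class
    # (fingerprint reader or Windows Hello camera).
    $bio = Get-PnpDevice -Class Biometric -Status OK -ErrorAction SilentlyContinue
    $checks['Biometric device'] = @($bio).Count -gt 0

    # Emit one row per check; the caller can filter on Passed -eq $false.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

$report = Test-EndpointBaseline
$report | Format-Table -AutoSize
# Non-zero exit code so an Intune or SCCM detection rule can flag the device.
if ($report.Passed -contains $false) { exit 1 }
```

Run in an elevated session; the TPM namespace and physical disk queries need administrator rights.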

Conclusion

In conclusion, we are incredibly excited by the prospect of being able to deliver an endpoint architecture that prioritises productivity and user experience, whilst maintaining our high standards regarding Information Security, Privacy and Quality.

When combined with modern “self-service” processes for provisioning, lifecycle, and break-fix, we are confident this architecture will help enable our vision of a modern IT ecosystem.
