CTO Interview: William Hewish, Severn Trent Water

Hewish tells Computing about virtualised desktops, mobile and flexible working, security and collaborative tools in his organisation

Warwickshire-based water authority Severn Trent Water is currently reaping the rewards of the desktop virtualisation programme it undertook 18 months ago.

The organisation's CTO, William Hewish, explained that the aim was partly to drive collaboration and flexible working, but also to increase operational efficiency. The firm downsized its headquarters recently, and now provides eight desks for every 10 staff, the remainder being expected to work remotely.

The firm's virtualised desktops have helped to enable this scheme.

"As a side-effect from virtualised desktops, we're able to deliver full desktop experience to any device. We've learnt to make sure that people can work from home, the airport lounge or wherever they are on whatever device they have."

Of course, any remote working system introduces risks, as the IT team loses control of the network over which information is transmitted, and often users are working from their own, non-IT controlled devices.

Severn Trent uses security firm Entrust's SMS token product to secure remote connections to the corporate network.

"We wanted to move away from the traditional physical token that people have to remember to carry with them, to something much more user friendly and easier to use. Physical tokens can be lost, which raises an administrative burden - it can be quite an overhead for IT, and isn't friendly for users.

"The beauty of delivering token over SMS is no matter what happens people have their mobile with them - it's the most loved device in people's lives."

Core enterprise tools - available anywhere

Severn Trent has also delivered an SAP solution to all of its employees, through which various administrative tasks can be carried out - such as booking holiday - either from the office or remotely.

"You can also maintain what number you want us to contact you on," says Hewish. "The user puts that in, and that integrates to Active Directory and the Entrust solution. Employees go to an externally facing site, it then sends a token to the assigned mobile number, and they use that to log in."

While it's certainly true that secure tokens can be lost, the same applies to mobile phones. But Hewish says that this does not make the system significantly less secure.

"You have to log on to a specific site to request the SMS token, and only employees know its address. If someone finds a lost phone with a token on it, they won't know what to use it for. And it's two-factor - we still also have a username and strong passcode in place.

"And a lot of people have a password on their phones as well. Company phones, for us that means BlackBerry devices, have an enforced password. Despite being an extra level of security, users love it, because it doesn't feel like you've put something in the way. It's your phone, so it still feels seamless," says Hewish.

But it's not just holiday bookings that can happen over SAP, it's also core business systems like the ERP. Severn Trent has enabled access to this system from personal devices, including the iPad.

"People can access our ERP system through the SAP portal, even via an iPad. We're working with SAP Consulting on a strategy for our mobile workforce.

"These people attend customer calls, connect new properties to the water supply, check for leaks, and similar activities. They all have Toughbooks, basically ruggedised laptops. We now need to think how can we separate the mobile SAP platform from the hardware itself. How can we make it so we can use any device, so that we're then free to choose the best device on the market at that time, but still be able to deliver apps safely and securely."

The benefits of the virtualised desktop estate and SMS token also extend to the firm's disaster recovery (DR) strategy.

"A driver behind virtualisation is to be able to deliver full desktop to any site. Say an office is taken out of operation, we could move people to another site or they could work from home. In a disaster scenario, would people remember to take token with them? But they always take their phone."

Hewish has found that the new system has resulted in an increase in productivity, with staff regularly logging on from home out of hours.

"I often get responses to emails over the weekend from my staff. Because you've allowed people to work on the devices they choose to use in their own time, they dip into their emails and it's productivity by stealth."

BYOD and Security - unhappy bedfellows

Although the scheme has enabled flexible working, with staff now able to use their own devices for work, Hewish still believes that the business case for BYOD by itself is tough to build.

"If you were to do a BYOD programme in its own right, you might struggle for a business case. But if you're doing another piece of work, like our virtualised desktop project, because you want improved efficiency, collaboration and flexible working, then BYOD is a happy side-effect. For us, it isn't any extra cost because we've already allowed it, so it doesn't need a separate business case."

The company is now trialling different brands of smartphone, with the expectation that the current policy of rolling out BlackBerrys could change.

It is also looking at Good Technology and Mobile Iron for a mobile device management (MDM) solution to help secure the next generation of mobile devices. Hewish explains that he is looking for a third party to manage the devices on his behalf.

"We like that approach because to us, to manage that feels like a BlackBerry service, which we're familiar with. We're in control of the policies, data, who can download the app and access their email and calendar.

"But the added benefit is that we don't have to worry about the complexity of the handset, we don't need to get into which version of iOS or Android we have to support, that's all taken care of by the MDM vendor. We don't need to develop every single app ourselves."

Enabling mobile and flexible working may be great for productivity and DR planning, but it does make the job of the security professional several orders of magnitude harder. The old approach of locking down the fortress behind multiple layers of firewalls, with a few tightly controlled points of entry and exit on the network, falls apart as soon as you enable BYOD.

"More recently, we've had to start thinking about what data we really want to protect. With BYOD, the data starts to move onto removable devices whether you want it to or not. So the key is to focus on data that's important, because as consumerisation takes hold, it's much harder to block every single opportunity for data to get out," says Hewish.

He explains that there is little point in attempting to lock down a device, such as an iPad, because the data is very unlikely to be stored on it.

"Often the data sits in the cloud, or on online backup sites like Dropbox or iCloud, so you'd have to stop the data even getting to the device.

"If you're using virtual desktops, then the data doesn't go out to the device at all."

Although he accepts that his data is going to be stored in the cloud in some instances, Hewish remains wary of the concept. Severn Trent has adopted some cloud services, but for low-risk data such as expense administration and the recruitment portal.

"We're waiting for the area to mature further. If we were to move any services out to the cloud over the next four to five years it would be things like email, and perhaps things like Office 365."

Collaboration

As you'd expect of an organisation that has embraced flexible and remote working, online collaboration tools are used extensively at Severn Trent.

"We're a Microsoft and SAP house - we use SharePoint and Lync as our collaboration tools. That allows desktop sharing, PowerPoint collaboration, and instant messaging across sites.

"Because we are virtualised, we don't need to worry about network connectivity when people are working at various sites, because it's all happening in the datacentre. The servers are all sat right next to one another, so we've taken the strain away from the network."