DRAFT for discussion

EXECUTIVE OFFICE FOR ADMINISTRATION AND FINANCE

Information Technology Division (ITD)

Enterprise Technology Office

Enterprise Mobile Application Strategy

Version DRAFT 0.4

January, 2013













Page 2 of 10
Medium Sensitivity


Section 1: Introduction

The Enterprise Mobile Strategy for the Commonwealth of Massachusetts has been developed to address the complexity introduced into the Commonwealth’s computing environment by the growing presence of mobile devices (Commonwealth-issued and personally owned) and mobile access to Commonwealth environments.

The long-term goal of the Commonwealth’s Mobile Strategy will be to enable and deliver:

- A strategic plan that is fully integrated with the IT and Business Strategy of the Commonwealth
- Systems and practices that are proactive and flexible to evolving technologies and opportunities
- Device independence
- Relevant and complete policies, standards and architecture documentation

Section 2: Executive Summary

The Commonwealth of Massachusetts is not alone in its attempts to plan for, support and implement mobile application based technologies.

The current Commonwealth landscape and the larger industry indications show that some areas can and should be adopted (standards like HTML5 and frameworks such as jQuery and Dojo), while others (Mobile Enterprise Application Platforms) should be held off on until market leaders can be identified.

Current efforts should be focused on implementing appropriate policies and infrastructure to support the growing trend in mobile application development. These efforts should take into serious consideration the increased movement towards decomposing applications into components that are exposed as services. According to market research, this movement will require that the Enterprise provide the capability for supporting a broad array of technologies across disparate systems and previously siloed disciplines.

Section 3: Business, Technological and Social Drivers for Mobile Computing

The growing use of smart phones and other mobile devices as the primary means of doing business, including providing core communications, requires that the Commonwealth Technology and Security Offices define a strategy for providing governance and oversight, policy enforcement, and management of a comprehensive mobile application plan. The goal is to provide the Commonwealth’s mobile device user community with implementation guidance, technical support, and compliance mechanisms to achieve their business needs and meet security objectives and obligations when deploying and managing mobile applications. Areas requiring additional research and review that will fall outside of the scope of the current strategy include an assessment and possible implementation of a common mobile gateway server and the management of personal devices in the workplace (Bring Your Own (Mobile) Device, BYOD).


Subsection 3.1: Overview of Current State of Mobility and Remote Work

At this time, the Commonwealth is seeing an increase in usage of a wide range of mobile devices. This has resulted in updates to Enterprise Policies and Agency Policy, research into device management tools, and a great deal of communication from Technology Office customers across all branches of government and external entities. Mobility initiatives have begun to play a key role in:

Business Continuity

Supporting a business continuity plan that enables staff to work from home or alternate locations if required in case of an emergency, such as extreme weather, pandemics or terrorist attacks. Mobile devices are a key mechanism for providing off-hour or emergency contact capabilities for critical support staff.

Remote Access

VPN access for home/mobile connectivity enables work to be carried out effectively from remote locations.





Policies and Standards

The Enterprise Information Security Policy, Enterprise Access Security Policy and Standards, Enterprise Technical Reference Model (ETRM) and Technology Advisories have all incorporated, and should continue to incorporate, guidance and requirements around the use of mobile devices.

Current/Relevant Initiatives

It is recognized that both Commonwealth-owned and personally owned devices need to be provided for, and that such support will require some device management tooling to be introduced into the Enterprise Service Offering at some point in the near future.

ITD as well as other agencies have been exploring a handful of mobile device initiatives, including:

- Mobile Device Management RFI
- Good Technologies POC
- MassDOT RFQ (MobileIron and AirWatch POCs)
- Mobile Application POC

Subsection 3.2: Technical Drivers

Many of the services typically associated with enterprise mobility are becoming commoditized, such as:

- Mobile Device Management tools
- Mobile Application Development tools
- Mobile application capabilities as part of a standard application/COTS bundle

To support the evaluation, implementation or adoption of technologies in these areas, a reference architecture should be developed and published.

Subsection 3.3: Social Drivers

Personal Preference

Many employees have their own equipment, and services they personally subscribe to, that are as good as or better than those issued by their employers. Often, employees prefer to use their own devices for a wide variety of reasons including convenience, familiarity and preference. Supporting employees’ ability to access and perform many of their duties using web-based interfaces and applications is a growing expectation across the user community.

Social Pressures

Remote working can be promoted to reduce carbon footprints and to reduce the need for expensive facilities. When moving to flexible office environments, the need for in-office mobility rises drastically. With increased global communication, workers must "always be connected" to accomplish cross-border and cross-time-zone teamwork.

However, these social pressures must be reconciled with enterprise needs for cost containment and security. To effectively address the social drivers, policies, standards and user agreements will need to be updated and adopted.


Section 4: Demand

Demand for mobile access and device usage originates from the user side. However, the Mobile Technology Roadmap will identify options, technologies and services that exist or are planned for, and how they can be leveraged by the organization.







- The number of mobile devices connected through ActiveSync is approximately 2,500.
- The number of users that use VPN for remote access exceeds 7,000 today.

These numbers indicate that users will and do actively seek out mechanisms to connect to the Commonwealth’s network resources. It is imperative that the Commonwealth have in place a flexible and responsive strategy that continues to support and grow as the business needs expand and evolve.


Section 5: Supply

In order to satisfy the demands of the organization, the Enterprise Mobile Strategy needs to deliver the following mobile capabilities.

Mobile Technologies and Architectures

Infrastructure

Virtual Private Network (VPN)

Over 7,000 VPN accounts exist today. Approximately 11% of these accounts are associated with tokens providing an enhanced level of security for mobile devices.

As the Commonwealth looks to replace the current VPN service provider, the following capabilities should be considered to enhance mobile application support, in addition to the standard security feature sets:

- Persistence: allows applications to remain active across sessions.
- Roaming: the virtual connection remains active across wireless network boundaries.
- Security: enforcement of encryption standards and authentication of the device as well as the user.
- Acceleration: optimization and data compression to enhance performance.
- Management Console: ability to display status and segment devices.
- Policy Management: enforces access policies for connected devices.
- QoS: in-depth management of application/device prioritization.
- Mobile Analytics: view of how wireless networks and devices are being used.

Enterprise Mobile Communication Gateway (EMCG)

These platforms are generally integrated into large-platform unified communications and collaboration (UCC) systems. They are used to connect to the local area network and allow VoIP PBX system calls to pass through to the mobile network instead of a VoIP provider or landline service. It would be expected that the unified communications efforts would implement a Mobile Gateway as needed on behalf of the Enterprise.

As the Commonwealth’s UCC implementation matures, the following capabilities should be prioritized:

- Open standards and Session Initiation Protocol (SIP) support
- Voice call continuity (among wireless and/or wired networks)
- Telephony user interface applications
- Support for at least three mobile OS platforms
- Access support for WAN (cellular), WLAN (wireless voice over IP [wVoIP]) and/or wired LAN

Federated Enterprise Service Bus

The federated enterprise service bus pattern already exists with regard to the Enterprise XML Gateway and agencies like EHS and DOR, and is expected in the future possibly with DOT.

However, as the Commonwealth’s SOA foundations become more established and business users begin to fully expect the advantages of an SOA-based infrastructure, service expectations will evolve, as we have already seen.

The best example of this scenario is the City of Boston’s citizen-facing application for reporting issues (e.g. potholes, graffiti, non-functional street lights, etc.). Citizens are not familiar with city boundaries and expect the “government” to handle the information appropriately.

Looking forward, the following capabilities will need to be supported:

- Route incoming requests from a common, mobile-accessible interface to multiple back-end service providers, e.g. back-office tools like CRM systems.
- Route requests from multiple systems to a specific system.
- Integrate across organizational, physical and government boundaries, which may require additional infrastructure to ensure appropriate interoperability with ESBs like BizTalk, Oracle, Apache ServiceMix, etc.
- Enhanced identity authentication and specific security enforcement across federated partners.
- Integration into an Enterprise Identity Management solution or a localized federated identity partnership using standards such as SAML or OpenID.
- Review of OpenID for possible adoption in the ETRM.

IP Management

The Commonwealth will need to ensure that the IP Management Services (IP address range assignment and domain naming) offered today evolve in line with IPv6 and Mobile IP adoption, allowing mobile device users to move from one network to another while maintaining a permanent IP address.

Mobile Device Management

Mobile Device Management (MDM) has become a widely recognized need for organizations that allow personally owned devices to connect to the Commonwealth’s information resources. As this trend continues to grow, introducing user-owned devices at exponentially higher rates into the Commonwealth’s computing environment, the Commonwealth is scrambling to identify the right solution.

Multiple agencies have embarked on implementing MDM solutions.

ITD: Good Technologies

Overall, the POC team demonstrated that the Good environment and Mobile Computing System could successfully execute standard email functions to the MassMail environment.

However, the team also demonstrated that the Good environment and Mobile Computing System could NOT pass standard performance testing, specifically in the metric for opening attachments.

Therefore the overall POC was considered a failure, and as a result the POC team does not recommend that ITD go forward with Good Technology as the Mobile Device Management solution.

ITD: ActiveSync

ActiveSync will be used as the first phase of implementing an MDM (though less feature-rich), with consideration for supplementing ActiveSync’s functionality by leveraging McAfee where possible. Further research needs to be done in this area to be able to articulate a recommendation.

MassDOT: AirWatch, MobileIron and Verizon





MassDOT evaluated many products, which resulted in the identification of three leaders: AirWatch, MobileIron and a Verizon SaaS solution.

MassDOT found that the Verizon Software as a Service offering seems a little immature, and even the corporate process to obtain an evaluation to be a bit prohibitive. The process of tying the various components together to comprise a solution is still a little rough.

AirWatch and MobileIron were both highly rated, with the advantage going to AirWatch due to an excellent management interface.

MassDOT planned to begin a subset implementation of AirWatch in December 2012. The Commonwealth will need to track this implementation closely in order to gain as much benefit from MassDOT’s early adoption efforts as possible.

Technical Specifications, Paradigms and Frameworks

(jQuery, jQuery Mobile, Dojo and Twitter Bootstrap are technical frameworks, not specifications. In addition, REST is a paradigm/architectural style rather than a specification, much like Service Oriented Architecture.)

HTML5

Hypertext Markup Language 5 (HTML5) is a set of markup tags that are used to describe document content so that it can be presented and used within a web page. As the mobile application market continues to grow, so will the use of HTML5. Therefore, in order to ensure that the Commonwealth’s mobile application development roadmap is consistent with the need to support more complex web applications, including standardization for video, audio and scriptable 2D image rendering, HTML5 will need to be evaluated further and most likely adopted as part of the ETRM standards.

When evaluating, it will be important to explore how HTML5 introduces new capabilities associated with features that allow users to store data locally within their browser, thus replacing some uses of cookies. Good guidance around the use of this capability may prove highly beneficial from both performance and security standpoints: data in Web Storage is readable by any script running on the same origin, is not protected by cookie attributes such as HttpOnly and Secure, and remains on the device until it is explicitly cleared, so the guidance needs to say which classes of data may be stored there and which may not.

It is also important that an evaluation of HTML5 takes into consideration the impact introduced by varied support from browsers. Some browsers will be more compatible than others; http://www.html5test.com and http://www.findmebyip.com/ are useful for compatibility testing. For example, IE8 does not work particularly well with all features of HTML5.
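The guidance the HTML5 paragraph above asks for can be made concrete in code. The following is an added example written for this page, not code from the Commonwealth, the POC or any of the frameworks named here: a wrapper around HTML5 Web Storage that only accepts allow-listed, non-credential keys and gives every entry an expiry, so that stale or tampered values are never handed back to the application. The key names, the credential-name pattern and the in-memory Storage stand-in (used so the example runs outside a browser) are assumptions for illustration.

```javascript
// Added example (not Commonwealth or POC code): a policy wrapper around
// HTML5 Web Storage. Assumptions for illustration: the allow-listed key
// names, the credential-name pattern and the in-memory Storage stub.

// Minimal stand-in for window.localStorage so the example runs under Node.
// Constructed for this example; in a browser pass window.localStorage.
function createMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Keys that look like credentials are refused outright: anything in Web
// Storage is readable by every script on the origin (an injected one
// included), carries no HttpOnly/Secure flag and never expires on its own.
const SECRET_KEY_PATTERN = /(token|session|password|secret|credential)/i;

function createGuardedStorage(storage, allowedKeys, ttlMs, now = Date.now) {
  const allowed = new Set(allowedKeys);
  for (const key of allowed) {
    if (SECRET_KEY_PATTERN.test(key)) {
      throw new Error(`refusing to allow-list credential-like key: ${key}`);
    }
  }
  return {
    set(key, value) {
      if (!allowed.has(key)) {
        throw new Error(`key not allow-listed for Web Storage: ${key}`);
      }
      // Each entry carries an absolute expiry so old data is not trusted.
      storage.setItem(key, JSON.stringify({ v: value, exp: now() + ttlMs }));
    },
    get(key) {
      const raw = storage.getItem(key);
      if (raw === null) return null;
      let entry;
      try {
        entry = JSON.parse(raw);
      } catch (e) {
        storage.removeItem(key); // not written by us (tampered or foreign): drop it
        return null;
      }
      if (typeof entry !== 'object' || entry === null ||
          typeof entry.exp !== 'number' || entry.exp <= now()) {
        storage.removeItem(key); // malformed or expired
        return null;
      }
      return entry.v;
    },
    remove(key) { storage.removeItem(key); },
  };
}

// Walk-through with a controllable clock: a UI preference is accepted and
// later expires; an attempt to park a session token is rejected.
function demo() {
  let clock = 1000;
  const store = createGuardedStorage(
    createMemoryStorage(), ['ui.theme', 'ui.lastAgency'], 60000, () => clock);
  store.set('ui.theme', 'dark');
  const before = store.get('ui.theme');   // 'dark'
  clock += 60001;
  const after = store.get('ui.theme');    // null, entry has expired
  let rejected = false;
  try { store.set('sessionToken', 'abc'); } catch (e) { rejected = true; }
  return { before, after, rejected };     // { before: 'dark', after: null, rejected: true }
}
```

Session identifiers and other credentials stay in HttpOnly, Secure cookies set by the server, which is the one place page script cannot read them; the wrapper refuses to allow-list a key that looks like one, so the policy is enforced at the point of use rather than left to a document.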


REST

Representational State Transfer (REST) is an architectural style for designing lightweight communications between different components of a networked application. Using RESTful principles, it is possible to publish web services. These implementations rely directly on the HTTP protocol’s support of the GET, POST, PUT and DELETE methods, used for reading, creating, updating and deleting resources, respectively. Because of its lightweight nature, many mobile applications rely on RESTful web services.

There are significant areas of governance that have not yet matured in REST; of notable interest are standards for metadata definition and authentication. In practice this means that each service must state which credential a request has to carry and how it is checked, and must publish the structure of the documents it accepts, since the style itself prescribes neither. Therefore, as demand increases the call for support of RESTful web services, the Commonwealth will need to articulate a clear and enforceable standard to ensure that the data and security specifications can be supported by organizations looking to consume, produce or interact with RESTful web services.

SOAP

Simple Object Access Protocol (SOAP) is the technical specification currently adopted by the Commonwealth and is used to structure the information exchanged during web service transactions. It is based on XML and is a well-established and mature standard. It is expected that SOAP will remain the preferred standard for supporting web services even in light of the possible adoption of REST.





CSS3

Cascading Style Sheets 3 (CSS3) is used to apply the look and feel to information presented through a web-based interface. The current update to CSS introduces media queries, which let the presentation of content be tailored to a specific range of output devices without having to change the content itself. This feature is required in support of responsive web design.


JSON

JavaScript Object Notation (JSON) is a human-readable data interchange format derived from the object literal notation used in JavaScript. Frequently, RESTful services use JSON as a representation format, especially if the exchanged data is processed within client-side JavaScript code. However, because there is no metadata validation/description for JSON comparable to what exists for XML, the use of JSON has not yet been adopted in the ETRM. In order to support mobile application development, the Commonwealth will need to reconsider this position. Any reconsideration should require that a service publish the structure of the JSON documents it accepts and reject documents that do not conform, so that the validation XML Schema provides today is not lost at the service boundary.
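The REST and JSON sections above both note that the authentication a service expects and the shape of the JSON it accepts are not prescribed by the style. The following is an added example written for this page, not code from the Commonwealth, the POC or any framework it names, showing how a single RESTful resource handler can state both: it maps GET, POST, PUT and DELETE onto a resource, requires a bearer token on every request, and checks each incoming JSON document against a declared schema before using it. The /issues resource (modelled loosely on the City of Boston reporting application mentioned earlier), the token value, the schema and the small validator are all assumptions for illustration.

```javascript
// Added example (not Commonwealth or POC code): one RESTful resource that
// states its authentication rule and its accepted JSON shape. The /issues
// resource, the token, the schema and the validator are assumptions.

// Shared-secret bearer token for the example only. A real service would
// verify a token issued by the enterprise identity provider instead.
const EXPECTED_TOKEN = 'example-token-do-not-use';

// Constant-time comparison: every character is inspected so a wrong token
// is not rejected faster when its prefix is right (length is still visible).
function tokenMatches(presented) {
  if (typeof presented !== 'string' || presented.length !== EXPECTED_TOKEN.length) return false;
  let diff = 0;
  for (let i = 0; i < presented.length; i++) {
    diff |= presented.charCodeAt(i) ^ EXPECTED_TOKEN.charCodeAt(i);
  }
  return diff === 0;
}

// Declared shape of an issue report: the JSON-side counterpart of the XML
// Schema the ETRM relies on today. Fields not listed here are rejected.
const ISSUE_SCHEMA = {
  type: 'object',
  required: ['category', 'description'],
  properties: {
    category: { type: 'string', enum: ['pothole', 'graffiti', 'streetlight'] },
    description: { type: 'string', maxLength: 500 },
    lat: { type: 'number' },
    lon: { type: 'number' },
  },
};

// Validator for the schema keywords used above; returns a list of errors.
function validate(schema, value, path = '$') {
  const errors = [];
  const actual = value === null ? 'null' : Array.isArray(value) ? 'array' : typeof value;
  if (schema.type && actual !== schema.type) {
    return [`${path}: expected ${schema.type}, got ${actual}`];
  }
  if (schema.type === 'object') {
    for (const key of schema.required || []) {
      if (!(key in value)) errors.push(`${path}.${key}: required`);
    }
    for (const [key, sub] of Object.entries(value)) {
      const subSchema = (schema.properties || {})[key];
      if (!subSchema) errors.push(`${path}.${key}: not permitted`);
      else errors.push(...validate(subSchema, sub, `${path}.${key}`));
    }
  }
  if (schema.enum && !schema.enum.includes(value)) {
    errors.push(`${path}: not in ${JSON.stringify(schema.enum)}`);
  }
  if (schema.maxLength !== undefined && typeof value === 'string' && value.length > schema.maxLength) {
    errors.push(`${path}: longer than ${schema.maxLength}`);
  }
  return errors;
}

// The handler is a pure function over {method, path, headers, body} and
// returns {status, body}; an http.createServer callback can wrap it.
function createIssueService() {
  const issues = new Map();   // in-memory store, constructed for the example
  let nextId = 1;
  return function handleRequest({ method, path, headers = {}, body = '' }) {
    // Authentication first: no method, not even GET, is served anonymously.
    const auth = headers.authorization || '';
    if (!auth.startsWith('Bearer ') || !tokenMatches(auth.slice(7))) {
      return { status: 401, body: { error: 'authentication required' } };
    }
    const m = /^\/issues(?:\/(\d+))?$/.exec(path);
    if (!m) return { status: 404, body: { error: 'no such resource' } };
    const id = m[1] ? Number(m[1]) : null;

    if (method === 'GET') {                       // read
      if (id === null) return { status: 200, body: [...issues.values()] };
      return issues.has(id) ? { status: 200, body: issues.get(id) }
                            : { status: 404, body: { error: 'not found' } };
    }
    if (method === 'DELETE' && id !== null) {     // delete
      return issues.delete(id) ? { status: 204, body: null }
                               : { status: 404, body: { error: 'not found' } };
    }
    if ((method === 'POST' && id === null) || (method === 'PUT' && id !== null)) {  // create / update
      let doc;
      try { doc = JSON.parse(body); } catch (e) { return { status: 400, body: { error: 'malformed JSON' } }; }
      const errors = validate(ISSUE_SCHEMA, doc);
      if (errors.length) return { status: 400, body: { error: 'schema violation', details: errors } };
      if (method === 'PUT' && !issues.has(id)) return { status: 404, body: { error: 'not found' } };
      const stored = { id: id === null ? nextId++ : id, ...doc };
      issues.set(stored.id, stored);
      return { status: method === 'POST' ? 201 : 200, body: stored };
    }
    return { status: 405, body: { error: 'method not allowed' } };
  };
}
```

Because the handler never touches a socket it can be unit-tested directly; to serve it, call it from an http.createServer callback with the parsed method, URL path, headers and body, and write back the status and JSON.stringify(body). The schema check rejects fields the service did not declare, which is what keeps a client from smuggling extra attributes into a stored record, and it is the JSON-side substitute for the XML Schema validation the ETRM depends on today.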

Ajax

Asynchronous JavaScript and XML (Ajax) is a set of techniques for accessing RESTful and SOAP-based web services asynchronously from a web page, without interfering with the page’s display or interactivity. Although XML is part of the name, it is possible, and often the primary use, to exchange information formatted as JSON instead of XML. Given this link to JSON, the use of Ajax has not been adopted in the ETRM. As with JSON, the Commonwealth will need to reconsider this position.

Frameworks (jQuery, Dojo and Responsive)

All three of these frameworks are JavaScript-based libraries and support client-side (browser) scripting of HTML. They are all free (MIT and BSD/AFL licenses, respectively) and open source libraries, supporting multiple browsers.

jQuery and jQuery Mobile, and Dojo and Dojo Mobile, are well-established JavaScript libraries (see comparison: http://en.wikipedia.org/wiki/Comparison_of_JavaScript_frameworks). In addition, both support “mobile” versions with HTML5 support and built-in components that render well on mobile devices (e.g. sliders, lists, forms, etc.) and therefore can be delivered without dependence on a specific device or OS.

Responsive Frameworks: Responsive design is a term coined by Ethan Marcotte to characterize the web application design approach using “fluid grids, fluid images/media and media queries.” With responsive design, the web page resizes and rearranges the screen layout (“fluidly”) to fit the user’s screen dimensions. Examples of responsive frameworks include Twitter Bootstrap and Foundation from ZURB. A good list can be found at: http://designshack.net/articles/css/which-is-right-for-me-22-responsive-css-frameworks-and-boilerplates-explained/

Note: It is important to note that the Mass.gov team created a responsive design for the Mass.gov web portal, which is being debuted in January of 2013. The work done by this team will be advantageous to any organization that has been “portalized” and will serve as a strong business incentive for organizations that have not joined the Mass.gov portal to do so. While this may be a minor point, it should be recognized that this work will not be able to be repurposed outside of the portal because the solution was developed in house and did not use a standardized framework that could be easily repurposed.



Platforms





As demonstrated by the illustration from Gartner below, the current Mobile Enterprise Application Platform (MEAP) marketplace is still maturing.

According to Gartner’s William Clark, “Mobile AD entered the mainstream for software development during 2011 to 2012. Yet, the technologies, vendors and business drivers shaping it will remain in a state of flux through 2015. Platform immaturity will remain, as there is no clear consensus yet on how a multiparadigm/multiplatform tool should work (e.g., whether the IDE model is right, or something else is needed), and new technologies such as speech recognition, augmented reality browsers, new sensors and new OS APIs will be added to the tool mix.”

At this time, it is not recommended to select a single mobile application development platform. Rather, the Commonwealth’s focus in the next two to three years should be on building the support capabilities at the infrastructure level. Once the MEAP market has stabilized and clear market leaders have emerged, it will be more beneficial to standardize on a single platform or a selection of platforms.

[Illustration: Gartner view of the Mobile Enterprise Application Platform marketplace]
Source: Gartner (February 2012)


Section 6: Roadmap

In order to effectively implement the Commonwealth Mobile Strategy, it is imperative that the technical target state is understood. This will be defined in terms of functional capabilities rather than technical specifications, because the organization needs to be able to make decisions based on research, outcomes and evolving market factors. To better understand the most basic capabilities that the Commonwealth would need to support in the near term, the Enterprise Technology Office conducted a small proof of concept.

Proof of Concept:

The POC:

- Focused its efforts exclusively on “mobile web applications”, as opposed to “hybrid mobile applications” or “native applications”.
- Relied on existing web-enabling infrastructure such as the Enterprise XML Gateways and on a Windows 2008 Server VM for the deployment of a full web application stack.
- Was implemented using open standards and well-established, freely available open source frameworks, such as jQuery Mobile, Symfony2 (PHP framework) and Twitter Bootstrap.
- Did not investigate advanced mobile features such as use of the accelerometer, geo-location, camera integration or use of local device storage.
- Did not include “hybrid mobile applications” or “native applications”.





POC scenarios simulated web publishing efforts by an agency of the Commonwealth with the following objectives/limitations:

- Publish non-sensitive data
- Access to static or service-accessible content
- No requirement for personalization/login support
- No integration with social media (Facebook, Twitter, etc.)

Success Criteria

- Prove that existing static content can be published in a mobile-friendly manner.
  - Identify viable frameworks that work across multiple platforms.
  - Validate that HTML5 with JavaScript libraries is mature enough for adoption.
- Analyze different architectural paradigms being used in the Commonwealth today.
  - Understand how the model-view-controller pattern can be, or has been, extended to support business goals.
  - Understand how web services can be used to facilitate data access.
  - Understand the use case for prioritizing native application over mobile web application development approaches.
- Document case studies of three different mobile implementation approaches.
  - Mass.gov (Adaptive Modeling)
  - City of Boston (Native Applications)
  - Massachusetts Legislature (Extended Model View Controller Paradigm)

Target State

- Articulation of the target technical capabilities and implementation to support mobility across the Commonwealth and its business partners
- Clear device and security controls

Migration Recommendations

- ITD’s immediate focus should be to build support capabilities at the infrastructure level.
- Implement policy that requires mobile solutions to use web-based standards when possible over proprietary, native software development kits (SDKs).
- Perform further POCs to understand the impact of increasing mobile application support on network bandwidth and storage requirements.
- Implement a repository as a layer between application services and the underlying infrastructure to track and manage the services and data used in the construction of mobile apps.
- Keep mobile application requirements in mind when evaluating related or supporting infrastructure solutions such as VPN, Enterprise Mobile Communications Gateway, Federated Enterprise Service Bus, IP Management and Mobile Device Management.
- ITD should not recommend adoption of a single Commonwealth Enterprise Mobile Application Platform solution until the marketplace has matured further.
- Once the Mobile Enterprise Application Platform market stabilizes and clear market leaders emerge, standardization on a single platform or a selection of platforms should be re-evaluated.







- Mobile application platform exploration at the Secretariat/Agency level should be done in collaboration with the Commonwealth Chief Technology Officer.
- Secretariats/Agencies will need to conduct thorough testing of any potential Mobile Application Platform approaches against their own internal critical systems, including acceptance of the risks that are introduced, before considering implementing a mobile application platform.


Section 7: Risks

Security, of course, will always be a paramount concern, and is usually governed by a separate security policy. For the purposes of this document, we will discuss possible disrupting factors to the proposed strategy.

Potential Disruptions to the Strategy

The primary risk that looms large on the mobile application landscape is best stated by Brian Prentice in a Gartner document entitled “From Mobile to Post-PC ERP”:

“MEAPs’ promise of ‘write once, run anywhere’ ultimately commoditizes Apple’s and Microsoft’s platform efforts. They will not succeed in the market unless the software that runs on their devices takes advantage of the unique capabilities they offer (e.g., Siri voice control on iOS or the Metro look and feel on Windows RT). Additionally, given both providers’ absolute control of their public app store distribution systems and their largely opaque approval processes, they can, at any time, unilaterally choose to choke off any apps at a moment’s notice.”

In response to this issue, the biggest danger that the Commonwealth faces as we traverse the mobile application landscape is an upcropping of rogue, custom, nonstandard approaches to implementing mobile application development. While all-in-one solutions may introduce complexity to an eventual cohesive fabric, use of standards-based specifications that expose the mobile application by breaking it into discrete services through an API will minimize the impact of such issues. However, as with any Enterprise-based approach, the more difficult barriers are introduced when organizations use nonstandard technologies to support narrowly focused business goals.

In addition to the use of nonstandard technologies, another concern will be ensuring that the infrastructure is well positioned to support the use of an eventual MEAP. Implementing a repository as a layer between application services and the underlying infrastructure will help set the stage for a smooth migration by allowing for tracking and management of the services and data used in the construction of mobile apps as assets. It will provide agencies with a context in which to view this new paradigm, as opposed to seeing the apps themselves as parts of the agency’s or enterprise’s application portfolio.