How welsh public sector organisations migrated email from the psn to the internet

Case study HOW WELSH PUBLIC SECTOR ORGANISATIONS MIGRATED EMAIL FROM THE PSN TO THE INTERNET Find out how Welsh public sector organisations migrated its email away from the PSN to the

internet. This case study is part of guidance on moving away from legacy networks. OBJECTIVE Welsh local authorities and public sector organisations wanted to follow government secure email

guidance and migrate Public Service Network (PSN) connected email to the internet. BACKGROUND Welsh local authorities used gcsx.gov.uk as their primary email domain - referring to the

Government Connect Secure Extranet (GCSX). Users were commonly using more than one inbox because they had a .gcsx and .gov.uk email address. The .gcsx address was for the PSN and .gov.uk was

internet facing. There were multiple local authorities and public sector organisations involved in the migration project. These included: * all 22 Welsh local authorities * the Welsh

Government and the National Assembly for Wales * all 4 police forces * all 3 fire and rescue services * 2 national parks * several other public services including NHS Wales HOW WELSH

AUTHORITIES PLANNED THE MIGRATION All organisations started by discussing the PSN migration plan over several WARP (Warning, Advice and Reporting Point) meetings and agreed timescales for

everyone to implement TLS. Andrew Horner-Seddon, principal IT consultant at Cardiff City Council and Vice Chair of the Cymru WARP was the informal lead of the migration. He helped provide

organisations with information about TLS, and any necessary additional information and support. The general approach was to get agreement on the migration process via the WARP and then set a

date for organisations to declare themselves ‘TLS ready’. This was followed by another date set to apply mandatory TLS. The Vice Chair took on the role of engaging with organisations to

make sure that they would meet the deadline. There was no need to use third party suppliers for this migration. In-house IT teams made the necessary configuration changes, which were not too

complicated or time consuming. HOW ORGANISATIONS CONFIGURED EMAIL SERVICES TO WORK OVER THE INTERNET The organisations followed the guidance on securing government email. This guidance

includes information on: * how to secure email * encrypting and authenticating email in transit * using extra encryption if data needs more protection * ensuring the data sent is

appropriately protected by the recipient * making email security invisible to end users * further email security guidance All organisations started by implementing TLS, which was reasonably

easy to do. Most people already had TLS anyway and it was invisible to users, so it offered a quick way to provide the security and assurance that was required. The Vice Chair highlighted

the usefulness of the secure email guidance, which: * helped the WARP to agree the approach between the authorities and understand what they needed to do * encouraged organisations to follow

good security practices such as the Minimum Cyber Security Standard There were some technical issues when implementing TLS. Some organisations wanted to use self-signed certificates for

TLS. This was not ideal but as the alternative was to use an unencrypted connection, organisations were allowed to use self-signed certificates. Not all organisations involved in the project

were able to support TLS from the start and so they took different approaches to resolve this. In some cases organisations just updated their existing email servers, but in others they

migrated their email to cloud-based services like Microsoft Office 365 or Google G Suite. Organisations are working on implementing the DKIM, DMARC and Secure Policy Framework

recommendations from the secure email guidance. TOOLS USED FOR THE MIGRATION The migration to the internet did not need any specific tools outside of Google G Suite and Microsoft Exchange

Online admin tools. Organisations did not need a new process for undelivered email. Mandatory TLS emails send a non-delivery report back to users, who then contact their internal service

desk for help. Each organisation in the Cymru WARP has also signed up to NCSC’s Mail Check service so that they can check their DMARC reports, as recommended in the secure email guidance.

OUTCOME OF THE MIGRATION It took 6 months for all the relevant government organisations to support TLS. All the organisations involved now have a rule to require TLS for email sent between

them. Email is either sent using TLS, or not at all. Organisations still support opportunistic TLS for everyone else. For example, Cardiff City Council now sends around 95% of outbound email

to organisations not on the list with opportunistic TLS. HOW ORGANISATIONS SEND EMAILS TO THIRD PARTIES End users in Welsh authorities regularly send business critical and urgent emails to

external organisations like third-party housing associations and solicitors. Currently, organisations make their own risk-based decisions when deciding who to send email to. COMMUNICATING

MIGRATION CHANGES TO STAFF Every organisation supporting TLS is now listed in a poster so people in each organisation can see who they can email securely. A group on the Cyber Security

Information Sharing Partnership (CiSP) forum, sends out email updates to help keep the list up-to-date. Each organisation is responsible for updating their list. BENEFITS OF MOVING TO THE

CLOUD The Welsh authorities and public sector organisations have implemented TLS between each other on their standard gov.wales and llyw.cymru email addresses. By migrating away from

PSN-connected email to the internet Welsh authorities can now: * use the internet to send email securely, share information and collaborate better * start removing PSN-related

infrastructure, which will reduce data centre costs (capital and operational costs) and IT admin effort * provide users with a single inbox to manage email * provide users with a simple and

consistent message about email security within the Welsh public sector LESSONS LEARNED FROM THE MIGRATION When carrying out a similar migration Welsh authorities found that it helped to: *

tackle the migration in small, achievable steps * engage stakeholders as early as possible to build business cases and relationships * bring information governance professionals on the

journey so that they understood the technology and felt comfortable with it UPDATES TO THIS PAGE Published 15 April 2019