This case study is part of guidance on moving away from legacy networks.
The Department for International Development (DFID) needed to move email services to the cloud and stop routing via the Public Services Network (PSN). DFID also needed to simplify email addresses in line with government policy - dropping the .gsx or .gsi in the domain name.
DFID needed to do this without disrupting:
a migration to Microsoft Office 365
an international infrastructure update
an end user device roll out
DFID used dfid.gsx.gov.uk as the primary email domain for over a decade. A small number of users had dfid.gsi.gov.uk addresses because some other government organisations were more comfortable sharing information with those email domains.
Time frame and resources for the migration
DFID wanted to remove its dependency on the PSN for email by the March 2019 deadline.
It took the department around 6 months to carry out the migration including implementing the guidance on securing government email.
DFID had enough resources to carry out all the migration work internally with an in-house IT team of 175 people. The majority of the work was carried out by 2 to 3 people. The team had some ‘chalk and talk’ consultancy days with Microsoft and a couple of visits from Microsoft Premier Field Engineers to discuss specific issues like mail flow rules and routing.
How DFID configured the new network
The team changed email routing to direct dfid.gov.uk email via Office 365 instead of Symantec Email Security (MessageLabs). The IT team then updated users’ primary email addresses to dfid.gov.uk.
DFID no longer uses the PSN connection for sending email. Users can still receive emails on their old addresses via the PSN connection. DFID expect to remove this route during 2019, potentially routing inbound email to those addresses directly to Office 365. How soon DFID can do this depends on how quickly they can remove the need to access other services over the PSN connection.
Technical issues and how DFID solved them
DFID found a few places where it was tricky to remove dependency on the old email addresses. Internal services like the legacy HR system and travel booking system required a bulk update.
The department’s service desk software is more difficult to change as it uses the legacy email addresses as a unique identifier. As a result it’s likely DFID will need to be able to route the old addresses internally for the foreseeable future.
The old addresses exist in address books of other organisations, with users or in mailing lists, which is beyond DFID’s control.
Their users have also used their old address to sign up for external services like Civil Service Learning, Trello, or Basecamp. DFID issued internal guidance to staff asking users to update these themselves.
The IT team also had to update around 50 mail flow rules to move email routing away from the PSN. The team reduced the number of rules they use. Big changes made included no longer preventing DFID users from sending email marked ‘sensitive’:
The IT team reviewed these policies with the security team and agreed they were outdated.
The current mail flow rules for sending email securely are as follows. When users send an email to:
a trusted public sector domain, the system uses an enforced TLS connector
somewhere that might not support TLS, the system uses an opportunistic TLS connector
Criminal Justice Secure eMail (CJSM), the system uses a CJSM connector
At the moment 95% of email sent to somewhere that might not support TLS is encrypted in transit. This is in-line with how email is generally sent over the internet.
DFID noticed that users who now have a new primary email address are still being shown their old gsx.gov.uk address in their Outlook desktop client. The team can update this to show the new dfid.gov.uk email address if they recreate user profiles but that’s a lot of effort. Some users are still confused about why the old email is being displayed and have generated a small number of service desk tickets but email is still sent from the correct address.
Communicating the changes to DFID staff
Departments like HM Land Registry and the Foreign and Commonwealth Office have published notices that they are stopping their gsi domains. DFID decided to communicate directly with senders by publishing internal guidance on its intranet through a campaign called ‘We’re clearing our decks of GSX’.
The team provided a checklist for users to follow:
- Check they are sending internal emails to .dfid.gov.uk addresses.
- Update email signatures to remove the .gsi address and remove any references to ‘OFFICIAL-SENSITIVE’.
- Tell contacts in other departments, non-government organisations, local authorities and delivery partners about their new email address.
- Update email address on social media and networks.
- Change usernames on the internal room booking service, Civil Service Learning, Civil Service Jobs and other relevant websites.
- Use the dfid.gov.uk email in SurveyMonkey when asking for feedback.
DFID used a mail flow rule to add a header to inbound email sent to an old address asking users to tell people to switch to the new one. The department also added a footer on outbound email from dfid.gov.uk addresses saying the same thing.
DFID has not had any push back regarding the use or security of dfid.gov.uk from other organisations it communicates with. The guidance for users emphasises that the dfid.gov.uk domain is still as secure as before. The IT team did find some users had added a footer to their email to direct people to the old ‘secure’ domain. Staff are being asked not to do this as the new address and routing is just as secure, and the footer causes some problems with data loss prevention (DLP) rules.
The IT team were not sure if there would be an automatic and centralised bounce-back message when shutting down old domains. The PSN team confirmed there will not be, so DFID will put their own message in any emails sent before the domain is removed entirely.
All 4,500 DFID users have a dfid.gov.uk email address. Around 700 have it as their primary address. Everyone else still sends from dfid.gsx.gov.uk or dfid.gsi.gov.uk. At DFID they rewrite the address before it leaves the DFID environment so recipients only see dfid.gov.uk. New users only get dfid.gov.uk addresses.
Email sent from dfid.gov.uk comes from Office 365 - or from DFID’s own MessageLabs tenant - separate from the one used by the PSN. Email sent to dfid.gov.uk all goes to Office 365.
As a temporary arrangement while users are transitioned over email sent from dfid.gsx.gov.uk or dfid.gsi.gov.uk gets the headers rewritten to dfid.gov.uk and routed via the same MessageLabs tenant. External recipients should no longer receive anything from the legacy addresses.
The only remaining email dependency on the PSN is receiving email sent to dfid.gsx.gov.uk and dfid.gsi.gov.uk. DFID will continue to accept this for the time being, but any inbound email gets a banner added to the top telling recipients to tell the sender to use their new email address.
Once DFID knows the exact end date for their connection they will start to reject email completely or change the inbound routing to go directly to Office 365.
Benefits of moving to the cloud
DFID’s IT department is now reduce infrastructure and moving users onto more modern cloud services post-migration.
DFID has also identified a number of other benefits including:
improved reliability and reduced maintenance compared to their legacy infrastructure - and better reporting capabilities
removing on-premises email infrastructure in 2019 - the team will create an email server in Microsoft Azure so some legacy on-premises services can still send email
authenticating and securing email sent over the internet with TLS
giving users a simpler, more consistent email address - this helps simplify logging in to some services as well
improved email filtering in Exchange Online works better - it gets the email directly, rather than routed through a hybrid environment
simplifying email spoofing rules as DFID has fewer domains to manage and better control over them
simplifying email rules and routing to make troubleshooting easier
email and Skype addresses are now the same - users have had dfid.gov.uk Skype address for a while but gsx email addresses, so external users had problems finding them
DFID also plans to stop paying for a PSN connection in around 6 months to give them time to remove any other PSN dependencies and run down the old email addresses.
One disadvantage of the migration is that some users are confused about who they can email without their gsi email address to rely on. DFID has provided guidance to help address this issue.
The IT team suggests that staff should send email as normal and make sure they:
This combined with the new mail flow rules makes sure that email is always sent by the most secure route available.
Lessons learned from the migration
DFID used email addresses as the unique identifier in a few places which the team now have to unpick. Many systems like DFID’s service desk software are not set up to change this, or depend on the User-Principal-Name (UPN) in Active Directory. Updating the UPN made it easier for users to follow ‘login with your email address’ prompts, and gave DFID consistency between the email address and the Session Initiation Protocol (SIP) address used by Skype for Business.
DFID found it’s important to find out about all your email sending services early. Some legacy services might have the old address baked in, so you need to update the service or provide a workaround. To check what dependencies you have in your organisation DFID found it’s useful to:
DFID used mail flow rules in a number of places to work around problems or hide complexity from end users.
They also found that users would often explore and test changes more than they expected, so it is important to keep reinforcing communications and provide headers and banners on messages where possible.