This case study is part of guidance on moving away from legacy networks.
Welsh local authorities and public sector organisations wanted to follow government secure email guidance and migrate Public Service Network (PSN) connected email to the internet.
Welsh local authorities used gcsx.gov.uk as their primary email domain - referring to the Government Connect Secure Extranet (GCSX). Users were commonly using more than one inbox because they had a .gcsx and .gov.uk email address. The .gcsx address was for the PSN and .gov.uk was internet facing.
There were multiple local authorities and public sector organisations involved in the migration project. These included:
all 22 Welsh local authorities
the Welsh Government and the National Assembly for Wales
all 4 police forces
all 3 fire and rescue services
2 national parks
several other public services including NHS Wales
How Welsh authorities planned the migration
All organisations started by discussing the PSN migration plan over several WARP (Warning, Advice and Reporting Point) meetings and agreed timescales for everyone to implement TLS.
Andrew Horner-Seddon, principal IT consultant at Cardiff City Council and Vice Chair of the Cymru WARP, was the informal lead of the migration. He provided organisations with information about TLS and any additional information and support they needed.
The general approach was to get agreement on the migration process via the WARP and then set a date for organisations to declare themselves ‘TLS ready’. This was followed by another date set to apply mandatory TLS.
The Vice Chair took on the role of engaging with organisations to make sure that they would meet the deadline.
There was no need to use third party suppliers for this migration. In-house IT teams made the necessary configuration changes, which were not too complicated or time consuming.
How organisations configured email services to work over the internet
The organisations followed the guidance on securing government email. This guidance includes information on:
how to secure email
encrypting and authenticating email in transit
using extra encryption if data needs more protection
ensuring the data sent is appropriately protected by the recipient
making email security invisible to end users
further email security guidance
All organisations started by implementing TLS, which was reasonably easy to do. Most organisations already supported TLS, and it was invisible to users, so it offered a quick way to provide the security and assurance that was required. The Vice Chair highlighted the usefulness of the secure email guidance, which:
helped the WARP to agree the approach between the authorities and understand what they needed to do
encouraged organisations to follow good security practices such as the Minimum Cyber Security Standard
There were some technical issues when implementing TLS. Some organisations wanted to use self-signed certificates for TLS. This was not ideal, because a self-signed certificate encrypts the connection but does not let the sending server verify the identity of the receiving server. As the alternative was an unencrypted connection, organisations were allowed to use self-signed certificates.
Not all organisations involved in the project were able to support TLS from the start and so they took different approaches to resolve this. In some cases organisations just updated their existing email servers, but in others they migrated their email to cloud-based services like Microsoft Office 365 or Google G Suite.
Organisations are working on implementing the DKIM, DMARC and Sender Policy Framework (SPF) recommendations from the secure email guidance.
The migration to the internet did not need any specific tools outside of Google G Suite and Microsoft Exchange Online admin tools.
Organisations did not need a new process for undelivered email. When an email that requires TLS cannot be delivered, the sender receives a non-delivery report and contacts their internal service desk for help.
Each organisation in the Cymru WARP has also signed up to NCSC’s Mail Check service so that they can check their DMARC reports, as recommended in the secure email guidance.
Outcome of the migration
It took 6 months for all the relevant government organisations to support TLS. All the organisations involved now have a rule to require TLS for email sent between them. Email is either sent using TLS, or not at all.
Organisations still support opportunistic TLS for everyone else. For example, Cardiff City Council now sends around 95% of outbound email to organisations not on the list with opportunistic TLS.
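As an added example of the pattern described above (mandatory TLS with the listed partners, opportunistic TLS for everyone else), and not configuration taken from any of the organisations in this case study, the following Exchange Online PowerShell assumes the ExchangeOnlineManagement module, Exchange admin rights, and uses placeholder partner domains in place of the WARP's published list:

```powershell
# Added example, not from the case study: enforce mandatory TLS with the
# partner domains on the WARP list in Exchange Online. Domains not covered by
# a connector keep Exchange Online's default opportunistic TLS behaviour.
# Placeholder domains; replace with the WARP's published list.
$PartnerDomains = @(
    'partner-council.example',   # placeholder
    'partner-police.example'     # placeholder
)

Connect-ExchangeOnline

# Outbound: mail to these domains may only leave over TLS.
# CertificateValidation also checks the receiving server's certificate, so a
# partner still on a self-signed certificate would fail delivery here; such a
# partner needs its own connector with -TlsSettings EncryptionOnly, which
# enforces encryption but not authentication of the peer.
New-OutboundConnector -Name 'Cymru WARP - mandatory TLS' `
    -ConnectorType Partner `
    -RecipientDomains $PartnerDomains `
    -UseMXRecord $true `
    -TlsSettings CertificateValidation `
    -Enabled $true

# Inbound: refuse connections without TLS that claim to be from these domains.
New-InboundConnector -Name 'Cymru WARP - require TLS inbound' `
    -ConnectorType Partner `
    -SenderDomains $PartnerDomains `
    -RequireTls $true `
    -Enabled $true

# Check: confirm which domains the mandatory-TLS connector now covers.
Get-OutboundConnector -Identity 'Cymru WARP - mandatory TLS' |
    Format-List Name, RecipientDomains, TlsSettings, Enabled
```

If TLS cannot be negotiated for a domain on the outbound connector, Exchange Online queues the message and eventually returns a non-delivery report, which matches the process described in this case study.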
How organisations send emails to third parties
End users in Welsh authorities regularly send business critical and urgent emails to external organisations like third-party housing associations and solicitors. Currently, organisations make their own risk-based decisions when deciding who to send email to.
Communicating migration changes to staff
Every organisation supporting TLS is now listed in a poster so people in each organisation can see who they can email securely. A group on the Cyber Security Information Sharing Partnership (CiSP) forum sends out email updates to help keep the list up to date. Each organisation is responsible for updating its own list.
Benefits of moving to the cloud
The Welsh authorities and public sector organisations have implemented TLS between each other on their standard gov.wales and llyw.cymru email addresses.
By migrating away from PSN-connected email to the internet Welsh authorities can now:
use the internet to send email securely, share information and collaborate better
start removing PSN-related infrastructure, which will reduce data centre costs (capital and operational costs) and IT admin effort
provide users with a single inbox to manage email
provide users with a simple and consistent message about email security within the Welsh public sector
Lessons learned from the migration
When carrying out a similar migration Welsh authorities found that it helped to:
tackle the migration in small, achievable steps
engage stakeholders as early as possible to build business cases and relationships
bring information governance professionals on the journey so that they understood the technology and felt comfortable with it