How Cafcass migrated off the PSN
Find out how Cafcass migrated its email services to the cloud and the challenges they had to overcome.
This case study is part of guidance on moving away from legacy networks.
Objective
The Children and Family Court Advisory and Support Service (Cafcass) wanted to move off the Public Services Network (PSN) because a shared service contract was ending and they needed to move their email.
Background
Cafcass is a non-departmental government body that represents children in family court cases in England and helps to make sure that decisions are made in a child’s best interests. There are around 2,000 Cafcass staff including board members and self-employed contractors. The body is sponsored by the Ministry of Justice.
At the end of 2016 Cafcass was the last customer on a shared IT service. Cafcass extended the contract for itself for 18 months to June 2018. This included using a PSN line for email connectivity as well as the existing GCF Multiprotocol Label Switching WAN links.
In 2014, while the shared service contract was running, Cafcass identified the need to replace the infrastructure supporting its Microsoft Exchange environment and chose to replace it with Microsoft Office 365.
With the extended contract ending in 2018, Cafcass planned a migration which followed the ‘Cloud first’ principle. This approach proved so successful they were able to adopt a full ‘cloud only’ strategy, starting with Microsoft Office 365. Littlefish is the main supplier providing core services like end user devices, service desk, and operations.
A key part of the migration strategy was a disaggregated IT approach, using different suppliers for different business applications and services like case management, finance, HR, and recruitment.
Accessing the Home Office Police National Computer
Cafcass removed its PSN connection provided under the GSi Convergence Framework (GCF). However, staff still needed to use the Police National Computer (PNC), which was previously accessed via an interconnect between the PSN and the police network. Cafcass decided to set up a third-party supplier to provide a gateway service to enable Cafcass to use the PNC over the internet.
System assurance
As part of its managed services contract, Littlefish uses the Nessus Vulnerability Scanner to provide monthly scans of devices and applications. Instead of providing a PSN CoCo (Code of Connection) as part of the accreditation pack for the Home Office (to access the PNC), Cafcass provides details of their technical controls. These include details of monthly vulnerability scans, which the Home Office can audit if they wish.
Littlefish also provides assurance information on its own systems to the Home Office.
Cafcass also uses an external penetration tester on a monthly basis, working to a rolling programme to fix any issues that arise.
Cafcass follows the Minimum Cyber Security Standard and aims to start using the Public Sector DNS later in 2019. The organisation also has a Cyber Essentials certificate and will work towards passing Cyber Essentials Plus.
Challenges of migrating email
One of the biggest challenges was educating other public bodies to accept cafcass.gov.uk as a secure domain. Many public bodies had an incorrect perception that only a gsi.gov.uk domain was secure.
Cafcass found a lack of trust in non .gsi domains threatened the organisation’s ability to effectively protect children’s interests because information wasn’t being exchanged quickly enough.
In one example, an organisation refused to email information to Cafcass and insisted on printing out documentation for physical collection. Cafcass overcame these blockers by working with key staff contacts in other organisations. It was important to encourage a change in business processes so that crucial, time-sensitive information could be exchanged quickly and securely by email.
Cafcass still uses the Criminal Justice System eMail (CJSM) using a connector in Office 365. In order to securely connect to CJSM, Cafcass completed a security questionnaire based on the National Cyber Security Centre’s (NCSC) Ten Steps to Cyber Security.
Managing email in the cloud
The Cafcass IT team manages email securely and makes sure that staff are not burdened with making decisions on email security. Cafcass splits staff into 2 groups: corporate staff, and front line staff who handle sensitive information about users of the service. The IT team created different mail flow rules for each group.
The IT team runs an automated check in the background to see if they are happy with recipient domains. An extract of the domains in use (local authorities and police) is taken overnight, and the CheckTLS API is used to see if these domains support TLS and the right ciphers. Domains that pass are used to populate a mail flow rule in Exchange. To pass, a domain's confidence score in CheckTLS must be 100%.
If a user sends sensitive information to a domain that does not pass the check, the email is routed via Egress Switch using an Egress add-on for Microsoft Outlook. This is the Cafcass default setup for front line staff sending sensitive data to local authorities, the police and other public sector organisations.
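The overnight decision described above can be sketched as follows. This is an added example, not Cafcass's or Littlefish's code. The record layout is hypothetical (it is not the CheckTLS API response format), and the sketch assumes one result per mail host, with any failed or missing check sending the domain to the Egress route.

```python
"""Nightly recipient-domain TLS gate (added example with constructed data)."""

REQUIRED_SCORE = 100  # from the page: the confidence score must be 100%

# Constructed sample of one night's results. Hypothetical layout, one entry
# per mail host checked; a score of None means the check did not complete.
SAMPLE_RESULTS = [
    {"domain": "council-a.example", "mx": "mx1.council-a.example", "score": 100},
    {"domain": "council-a.example", "mx": "mx2.council-a.example", "score": 100},
    {"domain": "Police-B.example", "mx": "mail.police-b.example", "score": 100},
    {"domain": "police-b.example", "mx": "backup.police-b.example", "score": 90},
    {"domain": "council-c.example", "mx": "mx.council-c.example", "score": None},
]

def classify(domains_in_use, results):
    """Split the extracted domains into (tls_rule, egress) sets, failing closed."""
    scores = {}
    for r in results:
        # Domain names are case-insensitive, so normalise before grouping.
        scores.setdefault(r["domain"].strip().lower(), []).append(r["score"])
    tls_rule, egress = set(), set()
    for domain in {d.strip().lower() for d in domains_in_use}:
        seen = scores.get(domain, [])
        # Pass only if at least one host was checked and every host scored 100.
        # One weak backup host fails the whole domain, since mail may land there.
        ok = bool(seen) and all(s == REQUIRED_SCORE for s in seen)
        (tls_rule if ok else egress).add(domain)
    return tls_rule, egress

def rule_changes(previous, current):
    """Domains to add to, and remove from, the existing mail flow rule."""
    return sorted(current - previous), sorted(previous - current)

if __name__ == "__main__":
    in_use = ["council-a.example", "POLICE-B.example",
              "council-c.example", "council-d.example"]
    tls_rule, egress = classify(in_use, SAMPLE_RESULTS)
    add, remove = rule_changes({"council-a.example", "police-b.example"}, tls_rule)
    print("TLS mail flow rule:", sorted(tls_rule))
    print("Route via Egress:  ", sorted(egress))
    print("Add to rule:", add, "| Remove from rule:", remove)
```

Comparing each night's result with the previous list means a domain whose score drops below 100% is removed from the rule rather than left in place.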
Outcomes of the migration
Cafcass switched to gov.uk as its primary email in March 2018, about 18 months after it moved to Office 365, but left the .gsi domain running for inbound email. The PSN link was cut when Cafcass performed the final cutover from the data centre to Microsoft Azure in June 2018.
Cafcass is now completely cloud-based with business services provided by a range of suppliers to minimise risk and Littlefish managing core services. Moving to the cloud has reduced the Cafcass dependency on on-premises infrastructure.
Benefits of the migration
Cafcass has benefited from migrating off the PSN and moving to a cloud-only infrastructure by:
- reducing IT costs by 20% between 2015 and 2018
- no longer needing to allocate resources to complete the PSN compliance process
Some other small agencies have also expressed an interest in partnering with Cafcass to use their IT service, which could bring additional cost savings.
Cafcass recommendations when migrating
When moving away from PSN to the cloud, Cafcass found it was important to:
- understand that using cloud would change the way IT budgets are managed
- have early engagement with security accreditors to make sure they could provide security assurance for other organisations like the Home Office
- communicate the benefits of moving to the cloud directly to staff
Cafcass found the way costs are incurred in a cloud-only model is very different to that of on-premises, especially when it comes to licensing and consumption-based charging. It’s important that both technical and commercial IT teams work together to understand and optimise the licensing model, including regular reviews, to ensure costs are controlled.
For IT staff the shift to the cloud is a major change in how the service is managed, although for end users it can mean very little other than disruption during the transition of services. Cafcass recommends taking time to identify improvements and promote benefits like increased mailbox sizes to end users.