Microsoft Office 365 Employee Email Investigation
Project summary
Having grown organically over the years, the University of Waterloo’s current email environment is complex. Today, three main email systems are supported: Office 365 Exchange Online (undergraduate students); Connect Exchange on-premises (graduate students, employees, retirees); and Mailservices (alumni). The presence of multiple email platforms, each requiring its own set of implementation and support standards, poses challenges to both clients and the University. Maintaining this varied environment is unnecessarily difficult and costly, and results in inefficient end-user IT support, and a suboptimal experience for both clients and IT support staff.
In November 2018, Information Systems & Technology (IST) started discussions at the University Committee on Information Systems and Technology (UCIST), and the Campus Technology Services Committee (CTSC) regarding the possibility of moving employee email to Office 365. With support from these committees to move forward with this investigation, it was announced to Executive Council June 6, and to the campus community in the June 19, 2019 Daily Bulletin. The project website was announced in the August 15, 2019 Daily Bulletin, which included an online feedback form.
Project recommendation
Between April and November 2019, the project team and technical experts within IST completed an in-depth analysis of this potential migration, which included a successful Information Risk Assessment. Coupled with feedback received from consultations held with other Canadian Universities and Waterloo faculty, staff, computing and other committees, it is the recommendation of this project team that the University move forward with a staged migration of the majority of on-premises employee email to the Microsoft Office 365 cloud environment. It is also recommended that the University retain a small on-premises Exchange service, configured as an Exchange/365 hybrid deployment, to support a relatively small number of users with special requirements.
Microsoft Office 365 provides access to a robust set of productivity and collaboration tools. Moving employee email to the O365 cloud environment would provide employees with an Exchange Online email account, allowing increased access to additional applications and functionality, further leveraging University resources to engage, develop and build our capacity and infrastructure to create a sustainable and effective institution.
Supporting resources
Analysis and consultative resources that have informed this recommendation:
- Completion of an Information Risk Assessment that was reviewed and approved, with recommendations, by a representative of the IST Security team and the Secretariat’s Privacy Officer (See full report).
- A discussion of lessons learned from other higher education organizations who have deployed O365 email for employees. These schools included: University of Toronto, Queens University, Ottawa University and Western University (See Appendix 1 – Benchmarking with other Canadian universities).
- Consultation with University faculties to uncover questions, issues and concerns (See Appendix 2).
- Consultation with University staff to uncover questions, issues and concerns (See Appendix 2)
- Commonly raised concerns and responses (See Appendix 3)
Campus consultation
Through the online feedback form announced in the Daily Bulletin August 15 and October 10, approximately 30 questions and comments were received from the campus community. Through the eight consultation sessions (see appendices 2 and 3), approximately 60 questions and comments were received from 120 attendees.
The approximately 90 questions and comments fell into several broad themes, as follows:
Theme |
Questions & comments |
Project team comments |
---|---|---|
Ease of use, compatibility with existing tools, completeness of functionality compared to current |
31 |
This was the largest single group of types of questions. Our Exchange/365 hybrid deployment, implemented in 2017, provides interoperability between on-premises Exchange and Office 365, and ease of migration. In all cases, apart from uncertainty in support for Thunderbird email client, these questions have been addressed satisfactorily. Thunderbird is covered further in “Recommendations for Implementation” below. |
Security and Privacy |
16 |
The project website has been significantly expanded to answer questions around security and privacy. See the “Privacy and the Cloud”, additional questions in the FAQ, and Appendix 3. |
Supportive comments for moving to Office 365 |
8 |
These were supportive comments, about half and half from faculty and staff. |
Opposed to moving to Office 365 |
5 |
Comments were a mix regarding Microsoft, cloud concerns, or loss of innovation. |
Cost savings, benefits, motivation |
6 |
A benefits of Office 365 section has been added to the project website, and additional information is below. |
Other general interest questions not related to above |
24 |
These questions were general about how things worked, and did not indicate a concern, and were answered. |
Benefits of migrating to Office 365
Moving employee email to the Office 365 cloud environment offers many benefits to both clients and the University as a whole. These benefits include:
Benefit |
Description |
||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Improved service |
Moving to the cloud will result in an improved email service with features frequently requested by the campus community. Improvements include:
|
||||||||||||||
Environmental sustainability |
By moving applications to cloud services, the University can take advantage of highly efficient cloud infrastructure, which will aid in a significant reduction of our carbon footprint. Several key factors enable cloud computing to lower energy use and carbon emissions from IT:
Information on Microsoft's environmental commitments, policies, and initiatives is available at: https://www.microsoft.com/en-us/corporate-responsibility/sustainability. |
||||||||||||||
Enhanced collaboration for teaching and learning |
IST has received many requests from groups across campus to enable applications that would enhance the student experience while supporting teaching and learning. Many of these applications would also be valuable for managing and interacting with student staff. To fully realize the potential of these apps and use them more effectively, employees would require an Exchange Online account and employees and students would need to be on the same tenant. Requested applications and functionality include OneNote for Teachers, Stream, Shifts, Bookings, and shared calendars and collaborative editing/file sharing. |
||||||||||||||
Enhanced security |
Microsoft has security experts monitoring Exchange Online 24/7 to safeguard our data, and the contract includes a financially backed service level agreement with a 99.9% guaranteed up-time. The University can continue to use the anti-malware and anti-spam filtering products from Proofpoint we already rely on and have the option of investigating Microsoft's Advanced Threat Protection tool in future. Other security features include:
Important note: Email, whether in the cloud or on-premises, may not be the right tool for certain types of sensitive communications. There are likely cases today where email is being used to communicate highly sensitive information when another platform, such the encrypted messaging tool Signal, would be more appropriate. IST can assist with setting up such tools, as required. |
||||||||||||||
Cost savings |
Cost savings are difficult to quantify accurately at this point in time, however, if all employee email moved to the cloud there would be cost savings to the University.
|
Recommendations for implementation
Feedback received throughout this investigation revealed concerns specific to use of certain email clients and the potential impact to University researchers. If the decision to migrate University employee email to the cloud is made, it is the recommendation of the project team that the scope of that work consider the following:
Training on O365 productivity and collaboration tools for all staff
-
The benefits of moving to email in the cloud are best achieved if employees are aware of these tools and how to use them. Feedback from other universities confirmed that the transition of employee email to the cloud was most successful when ample training and transition support was provided.
Training on privacy and risk management best practices for employees
-
The Privacy Officer recommends, “With regard to the training and support element, among other things, the campus community should be educated about the difference between the “old” and the “new”. In particular, given the increased seamlessness, collaboration, sharing, and interconnectivity of services, emphasis should be placed on things such as ensuring appropriate permissions and access (e.g., identified user groups, read-only, password protection of files, etc.), sharing information on a strictly necessary need-to-know basis, awareness of important policies (e.g., Policy 46), reminder of information and privacy practices and resources https://uwaterloo.ca/privacy/.”
Email clients and support for modern authentication
- To improve security of accounts, Microsoft announced that as of October 13, 2020, they will no longer support basic authentication (e.g. IMAP). (As IST deploys two-factor authentication (2FA) broadly across campus IT services in 2020, we’ll be faced with the same issue of IMAP on Exchange, albeit with timing of changes under our control.)
- University employees will be able to use any desktop or mobile email client that supports modern authentication.
- Support for Thunderbird is a specific concern and IST is actively tracking developments in this area. Thunderbird users can be accommodated on the on-premises Exchange server, with the understanding that 2FA will eventually need to be addressed in some manner.
Impact on University researchers
- For most research contracts, email in the cloud is acceptable because it is as much, or more, secure than the current on-premises email used today.
- The Office of Research approves the use of O365 email and OneDrive file storage for corporate research with industry partners, unless otherwise specifically stated in the contract.
- IST will continue to work with researchers to support unique data privacy needs that may arise with certain contracts. In addition, the recommended privacy and risk training for employees will ensure researchers have the requisite knowledge and tools to ensure their research data is secure.
- IST will also create a suite of proven products to support unique requirements end users may have around data security (e.g. encryption tools, data loss prevention rules).
Moving to a single tenant
- A separate but related initiative will move undergraduate student email accounts from their standalone Office 365 tenant to the University employee tenant, which is configured as a hybrid deployment with our on-premises Exchange instance (a tentative plan for this work is targeting spring 2020). This change is important as being on the same tenant will facilitate increased collaboration opportunities between students and employees, especially for applications that require an Exchange Online account (i.e. Office 365 email in the cloud). It will also:
- Provide the “@uwaterloo.ca” email domain to all user groups (i.e. “@edu.uwaterloo.ca” will no longer be used).
- Provide all users, regardless of their affiliation(s) with the University (e.g. an employee who is also a student) with a single email account.
Hybrid Exchange/365 deployment
Our on-premises Exchange, and uwaterloo.ca Office 365 tenant, were configured as an Exchange/365 hybrid deployment in 2017. This provides:
- Secure mail routing between on-premises Exchange and Office 365, with a shared domain namespace. Both on-premises Exchange and Office 365 use the @uwaterloo.ca domain.
- A unified global address list (GAL), also called a "shared address book."
- Free/busy and calendar sharing between on-premises Exchange and Office 365
- The ability to move existing on-premises Exchange mailboxes to Office 365, and back.
After undergraduate students are moved from the @edu.uwaterloo.ca to the @uwaterloo.ca tenant, we will be leveraging many of the hybrid deployment features.
If the decision to migrate University employee email to Office 365 is made, accounts can be easily migrated to Office 365 individually, or in groups of any size. Accounts can also be moved back if needed. The migration is expected to take place over a period of two years.
The current Exchange hardware reaches end of support toward the end of 2021. A full replacement of our existing Exchange environment is expected to cost approximately $200,000. However, a small system to support < 100 users with special requirements, without the same level of redundancy as today, would cost a very small fraction of that.
Project costs
There would be no costs associated with this project.
- The work to migrate employee email to the cloud would be completed using internal (IST) resources.
- Office 365 for employee email is included in the existing Microsoft Campus Agreement (i.e. no new licenses would be required; O365 would continue to be paid for, by virtue of the campus agreement, even if employee email remained on-premises).
Next steps
Upon approval of this recommendation, the project team would create a deployment plan.
Appendices
Appendix 1 – Benchmarking with other Canadian universities
Between May 27 and June 5, 2019, members of the project team consulted with Queen’s University, Western University, University of Ottawa, and University of Toronto (UofT) to learn more about the approach each institution took when migrating employee email to the cloud, and any lessons learned.
Summary of approach
University |
Approach |
---|---|
Queens University |
|
University of Ottawa
|
|
University of Toronto (UofT)
|
|
Western University
|
|
Summary of responses
Appendix 2 – Campus consultations
Faculty sessions
Consultation sessions were held with each of the Faculties. A summary of their attendance is below.
Faculty | Number of attendees |
---|---|
Environment | 10 |
Applied Health Sciences (AHS) | 1 |
Arts | 7 |
Science | 30 |
Math | 14 |
Engineering | 2 |
Staff sessions
Two staff consultation sessions were held and approximately 60 staff members attended (combined).