Email outages are a risk to public service delivery – Neil Murray asks what the public sector can do to prepare for future failures.
What happens to critical public services when email goes down? In the business world the impact is just commercial in nature – usually lost sales and frustrated customers.
But email downtime for government departments and local authorities will have a direct impact on the delivery of vital services to the community.
Email is an important tool in our workplaces. Child protection, public safety, healthcare and housing – and a raft of other services that public servants and citizens alike rely on needs to work all of the time.
As the UK public sector increasingly adopts cloud services like Office 365, the risk from this single vendor dependency for something as important as email has to be thought about carefully.
What do you do when (and not if) it fails – can you afford to be offline? How do you guarantee the safety and availability of your critical data without an independent copy? How do you ensure the services that rely on email to operate effectively are not impacted?
Office 365 is good. I’m a fan. It takes the familiar productivity tools of Microsoft Office and integrates them into a single cloud service with Exchange Email, SharePoint collaboration and Lync for unified communications.
It is rightly popular too. Accredited on G-Cloud in 2013, a survey last year found that productivity tools like Microsoft Office 365 and Google Docs were the most widely used public sector cloud services, with 46 per cent adoption.
The appeal of cloud services to government departments makes it entirely plausible to believe that the majority of public sector services will rely on Office 365 very soon.
As each service makes its move to Office 365, risk planning is done in isolation by each department. But what we are facing is the imminent reality that the majority of public sector services will be dependent on Office 365.
This is not just about one public sector service putting its email and data eggs in one basket, but rather all public sector services putting all of their eggs into the same basket as each other.
At what point does the collective risk of this mean national or local government must apply comprehensive risk management and mitigation to this move as a whole?
Don’t get me wrong, organisations are moving to the cloud for all the right reasons. Productivity and information sharing benefits between services of course, and cost control, as creaking on-premises infrastructure can be decommissioned in the face of budget pressure.
But in the rush to move critical workloads to cloud services we must also remember to put in place appropriate risk mitigation. Particularly continuity planning.
This is not just a theoretical risk either. In July, Microsoft suffered another Office 365 outage and affected users were unable to connect to the Exchange Online service, including Outlook, Outlook Web App (OWA), Exchange ActiveSync (EAS), and Exchange Web Services (EWS). Many users also experienced delays when sending and receiving messages
This incident followed two major Microsoft outages last year - the Azure outage in November and the email outage on Exchange Online and Office 365 in June.
This is not limited to Microsoft of course. All IT systems and cloud services can fail. But when that happens in the public sector it grabs headlines and affects lives.
For years IT teams have built disaster recovery plans and systems predicated on the belief that IT fails and you always need a plan B. Nothing changes in a cloud first world.
Cloud services clearly fail and if you don’t have an independent continuity service, your email will be down until Office 365 gets it back up again.
And you can’t control when that will happen. One hour. Five hours. Days. There will be a lot of organizations ahead of you in the queue potentially.
Office 365 will continue to have service outages. Sometimes these will be very disruptive because they affect an entire region. Other occasions may only see some customers or group of employees affected. But outages do and will happen. It’s irrational to expect them not to happen.
The risks don’t stop with service continuity either. Hosting all your email and data with a single vendor raises importance questions about back-up and data assurance.
Do you have an independently verifiable additional copy of your data for when you need it? And security too. Office 365 is a big target for attack, so every customer will face a higher risk.
Many of us now live in a cloud-only world. So the question to ask ourselves is – what will happen to me when Office 365 goes offline, is hacked, corrupts or loses my data? Do we have a plan B?
Moving email and its data to Office 365 exposes public sector organisations to significant single vendor continuity, security and data integrity risks that Microsoft cannot mitigate alone. Additional third-party cloud services are the only way to mitigate these risks.
Neil Murray is chief technology officer at supplier Mimecast.
Steve Barclay urges greater reporting of attacks
Immigration minister Kevin Foster reiterates ambition to eliminate paper processes
Cabinet Office minister reveals that reform policy has now been put into effect
Union chief criticises as ‘reckless’ ministers’ intention to return Whitehall headcount to 2016 levels