The demise of XP

Last week you may have read that Microsoft ended extended support for the Windows XP operating system.  You may be wondering why they did that and what it means for you.

XP was originally released in 2001, growing out of Windows NT.   It has had a long life for an operating system and has been superseded by things like Vista, Windows 7 and now Windows 8.x.   XP stopped shipping on desktops around 2008 and on laptops shortly thereafter.

Once a product is “end of life”, security updates are no longer released and, over time, vulnerabilities appear and the security risk of running that Operating System (OS) increases.   XP has been widely adopted around the world and it exists on millions of systems.   These systems include desktops, but also other devices such as lab equipment.  You may not even know a device that you use has a built-in copy of XP.

Here at Queen’s we started identifying Windows XP systems many months ago.   When people go through our portal, or our Active Directory we can identify their OS and ITS have been using this information to contact individuals and offer them assistance to update their systems.  At Queen’s we have a campus agreement that allows individuals to upgrade their operating system at no additional cost, and there is also a home use license.   There is a cost in the effort, and we provide that support.  This has been very successful and we have updated many systems.

We know we have not captured all of the XP systems on campus and this is something we need to address. We do have the ability to do scans of the network, at a point in time, which will identify XP systems.  This is something that we are looking at doing and then extending the offer to upgrade those systems, where possible.  In some cases the hardware will not let us do an upgrade, and that brings up a new set of questions.

As time progresses the security exposures are going to get higher and we are going to need to look at this more prudently.  We might decide to put systems behind firewalls, or we might decide to partition them from the network.  In some cases we are going to have to retire these systems.  The risk to other users on the network will become too high.

At the moment we do have the ability to partition systems from the network, based on their Operating System, but it is a time consuming, manual process.  We are exploring new services that allow us to dynamically scan and partition devices based on a set of predefined and accepted parameters.  Memorial University decided that, after April 8th, they will no longer allow XP systems on their network.

The end-of-life for Windows XP has brought these discussions to the forefront, simply because of the widespread use of that specific OS.  There are also other computers or devices running outdated versions of Linux and Mac OS that have equal or higher risks and we need to address these.  If you are still running XP, get in touch with the help center.

Responding to faculty questions on moving to the cloud

This past Friday, I attended a meeting of the Faculty of Arts and Science’s Faculty Board to discuss a direction around Queen’s collaborative tools.  This was an opportunity for me to hear what the community was thinking, and the feedback and questions were very helpful.  The issues around  collaborative tools and moving them to the cloud are complex and there has been a lot of discussion amongst my peers in CUCCIO over the last two years, and during consultation with experts in the field.    In this post I would like to elaborate on some of my responses to questions raised, to ensure I have understood the issues and that we are appropriately addressing the questions.   I hope this is of value to the larger community.

Prior to the meeting we distributed the notes listed on the Queen’s Wiki for the Faculty Advisory Committee .   These are just brief summary notes.   There have been discussions about this at the CIO Faculty Advisory Committee, and we have posted additional information resources on the Wiki listed above.

Proposition: Queen’s wants to equip faculty and staff with suite of contemporary e-collaboration services to support the teaching research and administrative activities of our University as it operates on a global stage.

Question Responses:

I have paraphrased a number of these questions to try and group them and better answer the questions in as concise a way as possible.

Q.  Why is this free and what is preventing Microsoft from changing the model?

A.  I think Microsoft sees an opportunity to capture long-term clients with their student offering.  Advancement now offers “email for life”, so once a student graduates they will be able to continue using their existing Queen’s account.   The rules change at that point, but there is some appeal to this as you get to keep your identity, correspondence, documents, and contacts.   Initially, the Faculty and Staff offering did not have the same model, but given competition it is now offered free as well.  In the interests of transparency, we have extensive dealings with Microsoft, including a campus agreement for  software including Office, Operating System upgrades, and Client Access Licenses.

In the contract it will stipulate that Queen’s will continue to own all of the information on O365, so if the model were to change down the road we could migrate to another platform.  This is similar to how  faculty and staff migrated from an older email environment to Exchange a couple of years ago.


Q.  Are there tools that allow me to encrypt my email messages?

A. The notion here is that some of an individual’s email is more sensitive and requires a higher level of protection.  I think it is important to note that existing practices do not necessarily take this into consideration.   We believe people currently use email to send some information that probably should be encrypted, and it is important that we begin to resolve this.

Under O365, all email sent between your end device and Microsoft is encrypted by default.   We are exploring options to allow individuals to encrypt specific messages.  There are tools within Outlook that allow you to do this now.   You essentially set up a trust relationship with someone else by sharing a private key.   We are exploring these options in addition to others.  Convenience, lost keys, and interacting with people at sites that do not support this are issues that will need to be addressed. This is something that we need to do, irrespective of our solution.

Currently, many pieces of software such as Word, Excel, and Adobe PDF also allow you to protect them by adding passwords.  There is an overview available on the Microsoft site.  As a reminder, this is about more than just email, and it includes storage.  We are watching what our peers are doing and considering a hybrid solution that makes use of public cloud storage, as well as private cloud storage (at Queen’s) for more sensitive information.  We will continue discussing this and looking at potential joint opportunities.  As we develop more answers to this we will provide links to online resources.


Q.  How will this decision be made?

A. We are working on establishing a sound governance structure in line with the IT@ Queen’s review.   We have put  and Administrative Systems Steering Committee in place  to oversee administrative systems.  The Student Learning Experience Task Force (SLETF) has recommended a new governance group that will oversee educational technology.   The piece still missing is the IT Oversight Committee.  In its absence we are using a series of advisory groups and meetings to get feedback.   In the absence of this IT Oversight Committee, the final decision for moving faculty and staff collaboration services to the cloud should rest with the University’s Operations Review Committee (ORC) and the Vice-Principals’ Operations Committee (VPOC).

Q.  Will I have to learn something new?

A.  The transition of email for the end user will be seamless since everyone is already in an Exchange environment.   You can continue to use Outlook if you wish.  If you use another desktop email tool, there may have to be a few be changes, but the affected community is very small. That being said, O365 is more than just email and there will be new services available for those who choose to adopt them.


Q.  I have seen situations where there have been issues with cloud services being down for extended periods of time.   There was a specific reference to blacklisting.

A. In the contract with Microsoft there are specifics around the Service Level expectations, and the uptime guarantees are significant (99.9% of time, I believe).  These cloud solutions are far more robust than what we can build and maintain in-house.   The economies of scale of large data centers like the one in Quincy, Washington are game changers in terms of reliability and uptime.
Blacklisting is a situation where a service, like Queen’s email, is identified as doing harm, possibly by sending out spam, so it is blocked by other service owners.  This happens frequently and is very challenging.  If a user responds to a ‘phishing’ attempt, their account can become comprised and is used to start sending out spam.  This happens more often than you may think.   We see fewer problems now, but we still expend resources to throttle accounts and do manual intervention with end users to try and stop it before Queen’s is put on a blacklist.  This is costly when we are working with constrained resources.  With the Student O365 we have not seen any issues with blacklisting and we believe the spam filtering is more robust than our in-house solutions and students are seeing less phishing.

Q.  In the notes, what items on page two are mitigated and what items are a real concern?

This is a very complex question.   A short answer is that outstanding issues will be addressed in the Privacy Risk Assessment and the contract.   Accountability for information on our systems can never be outsourced.  It is my role to ensure that we make an informed decision based on a clear and full understanding all of the risks.   Given that 90% of Fortune 500 companies use Lync (one of the O365 tools), adoption of O365 in the risk-averse corporate sector is quite high, which I think we can take as reassurance.

• Data ownership is lost…

We continue you to own the information and this is stipulated in the contract.

• “They” will mine our data…

Microsoft  is contractually obligated to not do this. This changes on the student side when they move to alumni Email.

• It is not free – there will be advertising that I’ll see…

The Contract stipulates that there will not be any advertising.   This changes on the student side when they move to alumni Email.

• We lose our ability to fulfil University obligations related FIPPA compliance…

We have tools available that allow us to fulfil our obligations related to FIPPA.

When looking at the next set of concerns we need to ensure that we consider the overall risks including such things as capacity, reliability, accessibility, and security beyond just privacy.  We also need to look at what the existing risks are and evaluate whether moving to O365 changes this risk profile.   My comments above about encryption highlight challenges that exist irrespective of the solution adopted.   The Privacy Risk Assessment is meant to capture and asses the whole picture.

• We lose Ontario and Canadian law protections…

The contract is written in Ontario and Canadian laws apply.

• There are less stringent privacy laws in the US…

We use the contract as a way to mitigate concerns in this area.

• Canadians are deemed foreigners and not protected by US law…

There are many issues around jurisdictional boundaries that come into question when dealing a global community.  The contract is written in Ontario and Canadian laws apply.  Given what we have seen in the media about surveillance we believe this point is moot.   In Global collaboration systems documents are at rest in a variety of jurisidctions.

• The Patriot Act is a problem…

Experts, including David Fraser (legal) and Ann Kavoukian, have commented on this and compared it to similar legislation here in Canada.   This similarity and sharing of information between Canada and the US  was commented on by a member of the Faculty Board in  meeting.   It is our conclusions that it not likely to change the risk profile from what we currently have.

• Government surveillance programs in Canada, USA, and elsewhere make this a less secure option…

Government surveillance is a broad concern.   It is the view of people like David Fraser and Ann Kavoukian that keeping our e-communications systems in-house does not improve the risk profile.   See the quotes at the end of the notes in the wiki. It is our view that O365 is more secure than our existing Exchange environment.

• Vendor complicity with NSA – surveillance, etc. – could be a problem…

It is safe to say that the last thing Microsoft wants to see is a story about them being complicit with the NSA.  The cost for them would be very high.   There is a blog post that  gives some insight into their thoughts and perspective:

• Internet hardware operated by vendors cooperating with NSA, etc. could also be a problem…

See above

• Encryption compromised by NSA, etc. could be a problem…

This would open up problems across the board, not just O365

• ITS and/or Microsoft employees will have inappropriate access to email…

Staff all sign Non-Disclosure Documents.  There are some responses to this question towards the end of this FAQ .

If I have missed any of the questions, or you have additional questions, please let me know: