The following questions about the proposed project on faculty and staff e-communications were gathered from the tri-campus town hall meetings, departmental consultations, multiple committee meetings and feedback received via the proposed project website.
Additional questions that may be of interest to the community have been included.
What is Office 365?
Office 365 (O365) is a comprehensive online e-communication and collaboration service provided by Microsoft. The service provides access virtually anywhere to familiar Office tools (e.g., online versions of Word, Excel, PowerPoint), email, calendars, instant messaging, audio/video conferencing and cloud storage services. Please note that the online Office applications do not replace PC/Mac-based software. They are adjuncts to the software you may already have.
Has the decision been made to move faculty and staff email to O365?
A decision has not been made yet on Office 365. The consultation with faculty and staff continues, and the committee is still considering an array of feedback, questions and other issues raised during the process. No recommendations have been made to the Provost and senior administration yet, as each item must be addressed in detail before making any such reports.
What would be replaced by O365?
O365 service is intended to replace the current UTORexchange and UTORmail services, if institutional go-ahead is provided.
How much is this going to cost?
Microsoft would provide the O365 service at no charge to the University.
Why is O365 provided at no charge to the University?
For at least a decade, Microsoft and Google have provided hosted communication and collaboration services to the education community at no charge. Two reasons have been provided:
- Brand exposure: By providing services for free, vendors hope to expose potential future customers to their software by building brand recognition and expertise. Microsoft offers programs that provide a wide range of programming development software and educational resources to students so that they may experience a development environment that they are likely to encounter in their future careers. Similar reasoning applies to providing the O365 suite: students gain exposure to the software and develop expertise, both of which are useful in their future endeavours.
- User feedback: The educational sector provides a large and critical user base to Microsoft. Feedback from the sector provides valuable insight into how their products are used and exposes shortcomings in software and user interface design.
How difficult will it be to use O365?
If a decision is made to implement O365, Information Technology Services will initiate a University-wide education campaign for the available cloud services. Most of the services such as email and calendaring will remain the same if the user is taking advantage of popular desktop clients such as Outlook, MacMail and other desktop email clients.
Will my email address change if O365 is implemented?
No. Email addresses will not change from the current @utoronto.ca. Accounts will be migrated into Office 365.
What features will I have that I don’t currently have available?
The following new features will be available if O365 is implemented:
- 50GB mailbox (larger email quota)
- Option to use online Office web apps (useful when your device is unavailable, but you have access to the internet)
- SkyDrive Pro cloud storage (for file transfer and storage)
- Lync services for instant messaging, audio and video conferencing from desktop and mobile devices
- 99.9% service uptime guarantee
- Enhanced malware and spam protection in addition to those provided by the University
Are Office applications going to be stored offsite requiring us to only use Office web apps in the cloud?
No. There is no requirement to use the online suite of Office products. Local networks will continue to operate, as will the capacity to save documents to local machines. Online Office is not intended to replace desktop Office. The University’s Microsoft Campus Agreement licenses all faculty and staff to obtain the Office ProPlus suite at no local charge for University-owned equipment. For $11, the Home Use program allows employees to buy Office ProPlus for two personally-owned machines. On Dec. 1, Microsoft’s Student Advantage program commenced. This allows current students to obtain Office ProPlus for free and to use it for as long as they remain active students. The Office Online applications are not replacing machine-based applications. So, laptops in the field, and any University or personally owned machines, can have up-to-date Office for free, or for a nominal charge on personal machines.
What does the Privacy Commissioner of Ontario have to say about outsourcing e-communications services?
The Office of the Chief Information Officer has actively consulted with the Office of the Privacy Commissioner of Ontario. The following document provides useful guidance regarding outsourcing e-communications services.
Has the University explored onsite solutions and in-country storage solutions?
Yes. We have explored multiple options for hosting Exchange and alternatives in country. Costs are significant and will be summarized with the committee’s report. We note too, as does the Privacy Commissioner, that data are not easily confined by geographic borders. Further, an analysis of email traffic flow demonstrates that a very high proportion of incoming and outgoing mail resides outside the University’s network and travels across the public internet, where we cannot control the routing paths of messages and data may traverse borders. We also note the revelations of in-country data snooping and the multinational agreements for intelligence data gathering and sharing.
Will I be able to opt out of this service?
The advisory committee recognizes that there are those who may not wish to use Office 365. Should approval to proceed be granted, there will be an opt-out option for faculty.
If I choose to opt-out, what kind of alternative services will be available?
An email service comparable to existing UTORmail services will be made available to faculty who choose to opt-out of Office 365. In addition, we are investigating other services for large-file transfer – something that is difficult today due to email attachment limitations.
Are other universities in Canada considering outsourcing?
Yes. The following universities in Canada have already outsourced faculty, staff and student email:
- University of Alberta
- Dalhousie University
- Ryerson University
Many other schools in Canada, the United States and abroad have outsourced their email to Microsoft’s Office 365 or Google’s Apps for Education. Some have only outsourced student mail, and many are working through the processes of including faculty and staff in the offering.
If a decision is made to implement O365, how will the service be rolled out?
Should the University make a decision to roll out O365 service to faculty and staff, Information Technology Services will begin an implementation consultation with divisional IT leaders and create a carefully scheduled implementation plan that does not interfere with the business of the University and its community.
Will the University be subjected to Microsoft’s upgrade schedule?
Microsoft offers a fairly lengthy upgrade period – the most recent example is 24+ months. If on rare occasion an upgrade requires an outage, the University will have adequate time to negotiate an appropriate outage period in consultation with the community. We anticipate, from experience, that most upgrades to the system will not require an outage and will not affect concurrent use of service.
Is there an expectation that faculty and staff will use O365 for cloud-based file storage?
No. Departmental networks and servers, as well as the central data centres, will continue to operate. Community members will be under no obligation to use cloud storage available through O365 SkyDrive. Should community members decide to use O365 SkyDrive, they should consult the use-case guidelines that will be provided by the University. Facilities and processes employed by Microsoft to secure, protect and preserve data are at least as strong as, and likely better than, anything we can provide internally. It is still important to consider where cloud storage is appropriate before use.
Will there be guidelines on what type of documents can be stored in O365?
Yes. When placing documents in electronic media, you must always be considerate of the risks associated with loss or misdirection. For example, it would be unwise to send credit card numbers or passport information via unencrypted email because of the risk of exposing personal and sensitive information. The University recognizes that there are varying degrees of confidentiality and sensitivity in information handled by faculty and staff. The University will provide guidance and use cases to assist community members in appropriately using the variety of available tools and services for e-communication and collaboration. Additionally, the University will work with the community to identify and develop alternative tools for the delivery of sensitive and confidential information that may not be appropriate for cloud services such as O365.
Are O365 communication tools exposed to surveillance?
In our digital world, most forms of communication are potentially exposed to electronic surveillance regardless of where they are hosted. Microsoft has stated that they do not provide back doors to their servers to government agencies.
Do we give Microsoft our login credentials?
No. Users gain access to O365 by logging on to our standard University weblogin screens. When a user wants to access email, O365 sends a request to the University’s authentication system (weblogin) asking for UTORid credentials. This takes the user to the University’s weblogin screen on equipment hosted by the University. When login is successful, a token is sent back to O365 that verifies the user’s identity. This is part of the separation of duties designed to better protect the privacy and confidentiality of community members.
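The login flow described above, sketched as an added example (not the University's or Microsoft's code): the identity provider checks the password and issues a short-lived signed token, and the hosted service validates only that token. All names, keys and credentials are constructed, and the HMAC is a stand-in for the asymmetric signature a real federation protocol would use.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data: every name, key and credential here is hypothetical.
IDP_KEY = b"constructed-demo-signing-key"   # HMAC stands in for an asymmetric signature
SALT = b"constructed-salt"

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"jdoe": pw_hash("correct horse battery staple")}   # held only by the IdP

def b64(data):
    return base64.urlsafe_b64encode(data).decode()

def idp_login(user, password, audience, now=None, ttl=300):
    """University side: check the password, return a signed token or None."""
    # Hash even for unknown users so both failure paths take similar time.
    if not hmac.compare_digest(USERS.get(user, b""), pw_hash(password)):
        return None
    now = int(time.time()) if now is None else now
    body = json.dumps({"sub": user, "aud": audience, "exp": now + ttl}).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)

def service_verify(token, audience, now=None):
    """Hosted-service side: the password never reaches this function.
    Accept the token only if signature, audience and expiry all check out."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None                      # forged or altered token
    claims = json.loads(body)            # safe to parse: body is authenticated
    now = int(time.time()) if now is None else now
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None                      # issued for another service, or expired
    return claims["sub"]

if __name__ == "__main__":
    tok = idp_login("jdoe", "correct horse battery staple", "mail.example")
    print(service_verify(tok, "mail.example"))
```

The audience and expiry checks matter as much as the signature: without them, a token issued for one service or captured earlier could be replayed elsewhere.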
How is O365 security controlled?
Office 365 physical and logical security is managed by Microsoft and their service and data centre staff. U of T manages the authentication and login credentials. Microsoft does not get user IDs and passwords. We have administrator access to our instance of Office 365. The University is the service provider to the community. Microsoft is hosting the service. We control our data.
How is the University assessing the risk of outsourced data hosting?
The University has undertaken the process of assessing the proposed O365 service using privacy by design principles as outlined by the Privacy Commissioner of Ontario. Our staff have created an Information Risk and Risk Management (IRRM) document which provides an in-depth assessment of privacy and security for the proposed service from a technical perspective. This is a living document that is updated as new information becomes available.
Where is the service hosted?
The O365 service is hosted in the United States in Microsoft’s data centres.
Will Microsoft give our data to the NSA?
No… not without a fight. Microsoft has asserted that it has not provided security agencies with backdoors to customer data and metadata and that unless prohibited by law or regulation, it will alert customers to government orders to provide information. See: http://blogs.technet.com/b/microsoft_blog/archive/2013/12/04/protecting-customer-data-from-government-snooping.aspx and http://reformgovernmentsurveillance.com/
Additionally, the University’s O365 plan includes a proposal to allow users to encrypt their content and retain those encryption keys locally, eliminating Microsoft’s agency. We recognize the risk of surveillance activities by intelligence agencies such as the NSA, CSEC and others, and the possibility that encryption can be compromised to weaken these risk mitigation approaches. At the end of the day, the University encourages all users to recognize that email is not a secure communication channel and to communicate in a manner consistent with the sensitivity of their information.
Will Blackberry devices be supported?
Yes. The institutional BES server will continue to operate. There is an offering in Office 365 to host the BES server, but we are not pursuing it at present. Office 365 is intended to replace UTORmail and UTORexchange.