Customer Story: Barnet & Southgate College
Giving one of London's biggest colleges...
...IT fit for 21st century education
Fuse is committed to bringing best practice into every sector, whether business, non-profit or education. An institution such as Barnet and Southgate College faces the same challenges as any small-to-medium enterprise: meeting the needs of staff who need to work in multiple locations, protecting confidential information about students, and providing the framework for users to work productively and efficiently on projects, all within an IT environment which has to scale up and down according to need.
About Barnet and Southgate College
Barnet & Southgate College is one of the largest further education colleges in North London, delivering a broad range of courses across both academic and vocational training. It is recognised as having some of the best facilities in the UK, including the £50 million Wood Street campus. The college maintains excellent contacts with local employers and regional industry, has many links with the local community, and participates prolifically within the 157 Group of the 27 most successful colleges in the UK.
Barnet and Southgate College resulted from a merger of a number of colleges in North London, each of which had its own IT systems and processes. Fuse's experts worked with the College's in-house team to create solutions which brought staff and students alike into one effective and efficient IT framework that enabled productive working in a secure online environment.
Staff accounts at the college are frequently the target of phishing attacks, which try to fool users into entering their account details into fake websites posing as legitimate ones. IT needs to take action to protect accounts several times a month. The College uses a combination of services in the cloud and on-premise, using Active Directory Federation Services (ADFS) as a single sign-on solution for the majority of services. This enables staff to log in to systems easily from anywhere, but at the risk of exposing these systems to compromised credentials.
A solution was needed that prevented accounts from being compromised. The solution had to integrate with the existing services, without causing any interruption to those services. Moreover, it had to be simple for the staff to adopt and use.
The College was already using Azure Active Directory for Office 365, which includes a cloud-based multi-factor authentication service. The licensing for this service includes the ability to deploy it on-premise, where it can be extended to protect existing on-premise systems, integrating seamlessly with the authentication methods in use.
Together with the college, Fuse deployed the components of multi-factor authentication (MFA) into their environment. This consisted of the following:
- MFA Server (in a highly available topology): Runs the administrative components, allowing users and system components to be configured.
- User Portal: A secure website allowing users to log in and manage their MFA account, to update their registered device (phone) and preferred contact method. This includes the mobile device web service, which allows a mobile app to push notifications to the user.
- ADFS integration: By integrating with the college’s existing ADFS infrastructure, the MFA service is extended to protect any cloud services using ADFS – which in this case included Office 365.
- Exchange: We deployed MFA components onto the college’s Exchange client access servers, so that Outlook Web Access (the main target for attacks) was protected.
- VPN/VDI: The next stage is to add the MFA service as a RADIUS server, so it can then be used to protect logins to the remote access and VDI systems.
- Email Integration: The MFA system can send out emails to end users to guide them through the registration process. Integrating the system with the college SMTP servers allows these emails to be sent from trusted addresses, and customised with the college’s wording and materials.
All this was done within the live environment, with no interruption to services. Users will gradually be added to the MFA service, allowing IT to assist with registering devices in a manageable way, and deliver training on how and why the system is being introduced. Helpfully, there are a number of prepared resources from Microsoft to assist with user adoption, including user guides and videos.
The newly-formed Barnet and Southgate College inherited a 2010 SharePoint intranet, which had gained traction across the merged college as a way to share content and documents, particularly with staff spread across many campuses.
One of the key objectives was to make the SharePoint intranet available to users outside of the College, so staff could work from home and on mobile devices, but only if documents could be secured and performance improved. The 2010 environment was using a single front-end server, connected to a single database server. It had a number of performance and configuration issues, mostly caused by its migration from one Active Directory environment to another.
While SharePoint was the desired platform, due to its familiarity with staff and integration with Office, it was clear the 2010 system as it stood could not deliver the required availability or scale needed for a system that was intended to be the backbone of the college’s staff collaboration efforts.
Security was also a major concern. A lot of the intranet content pertained to highly confidential student and staff records, which require the highest levels of data protection. While SharePoint was only accessible from the tightly-controlled campus PCs, the standard SharePoint platform security, operating procedures and good IT security practice were enough to ensure document security. Opening up the intranet to logins from devices off-campus, over the internet, represented a whole new set of challenges that required guaranteed levels of security, regardless of how the document was treated.
Fuse began our engagement by building a new high-availability SharePoint 2013 farm, splitting server roles and components across the college’s two datacentres, to ensure high performance across all locations, and resiliency in case of a datacentre outage.
The existing intranet was then migrated to this new environment over the summer holidays, to allow the developers and content editors to take advantage of the new features in 2013. As part of the new SharePoint platform, we also set up an Office Web Apps farm, which allows devices without Office installed (such as Macs and mobile devices) to edit documents within SharePoint using just the browser.
To guarantee document security, Fuse integrated rights management services into SharePoint 2013, using the rights management service available as part of Office 365. The students at the College had been using Office 365 for a few years, but the staff never had. Our first action was therefore to synchronise the staff accounts in the existing Office 365 subscription, using the latest version of Azure AD Sync – which has the added advantage of being able to synchronise password changes, eliminating the need for a complex Active Directory Federation Services setup.
This gave all staff an account in Azure AD that matched their on-premise credentials, and enabled us to activate Azure rights management for the college. All that remained then was for us to set up a rights management connector within the on-premise infrastructure and deploy the configuration to SharePoint. This same connector infrastructure can also be used for extending rights management to the on-premise file servers and Exchange.
With no additional infrastructure beyond the virtual servers required for the new SharePoint platform, Barnet and Southgate College now have a secure collaboration environment available to them 24/7 from anywhere on any device.
Furthermore, they can share secure documents with partners and external bodies (such as employers) safe in the knowledge that they control how that document can be used. The solution is highly scalable, reflecting the rapid growth of the college, and maintains the ease of use and familiarity of the existing intranet.
Going forward, all staff will be able to use the features of Office 365, and IT are all set to be able to exploit the hybrid features of Azure, with MFA in place to increase the levels of data security among staff and students alike.