With Barnet & Southgate College

Barnet & Southgate College is one of the largest further education colleges in North London, delivering a broad range of courses across both academic and vocational training. It is recognised as having some of the best facilities in the UK, which includes the £50 million Wood Street campus. The college maintains excellent contacts with local employers and regional industry, has many links with the local community, and participates prolifically within the 157 Group of the 27 most successful colleges in the UK. Everything that the College does revolves around the needs of employers and the employment prospects of students.

  • Sector: Further Education
  • Students: 21,000+
  • Alumni: 45,000+
  • Staff: 2,600

Challenges Faced

Staff accounts at the college are frequently the target of phishing attacks, and IT has to take action to protect accounts several times a month. The College uses a combination of cloud and on-premise services, with Active Directory Federation Services (ADFS) as the single sign-on solution for the majority of them. This lets staff log in to systems easily from anywhere, but at the risk of exposing those systems to compromised credentials.

Phishing attacks aim to fool users into entering their account details into fake websites posing as legitimate ones, capturing the usernames and passwords so they can then be used to steal data. In any academic environment, the data at risk is particularly sensitive.

A solution was needed that prevented accounts from being compromised. It had to integrate with the existing services without causing any interruption to them, and it had to be simple for staff to adopt and use.

The college was already using Azure Active Directory for Office 365, which includes a cloud-based multi-factor authentication service. The licensing* for this service includes the ability to deploy it on-premise, where it can be extended to protect existing on-premise systems, integrating seamlessly with the authentication methods in use.


*Licensing Microsoft Azure MFA

  • Standalone: just the Azure MFA service (a good option if no other cloud services are used)
  • Azure Active Directory Premium, which includes MFA
  • Enterprise Mobility and Security, which includes AAD Premium
  • Microsoft 365, which includes EMS

The Solution

Together with the college, Fuse deployed the components of MFA into their environment. This consisted of the following:

  • MFA Server (in a highly available topology): Runs the administrative components, allowing users and system components to be configured
  • User Portal: A secure website allowing users to log in and manage their MFA account, to update their registered device (phone) and preferred contact method. This includes the mobile device web service, which allows a mobile app to push notifications to the user.
  • ADFS integration: By integrating with the college’s existing ADFS infrastructure, the MFA service is extended to protect any cloud services using ADFS – which in this case included Office 365.
  • Exchange: We deployed MFA components onto the college’s Exchange client access servers, so that Outlook Web Access (the main target for attacks) was protected
  • VPN/VDI: The next stage is to add the MFA service as a RADIUS server, so it can then be used to protect logins to the remote access and VDI systems.
  • Email Integration: The MFA system can send out emails to end users to guide them through the registration process. Integrating the system with the college SMTP servers allows these emails to be sent from trusted addresses, and customised with the college’s wording and materials.

All this was done within the live environment, with no interruption to services. Users will gradually be added to the MFA service, allowing IT to assist with registering devices in a manageable way and to deliver training on how and why the system is being introduced. Helpfully, there are a number of prepared resources from Microsoft to assist with user adoption, including user guides and videos.


About Multi-Factor Authentication

Usernames and passwords are an example of single-factor authentication – a password is something a user knows. Once the password is known to an attacker, it’s very easy for them to exploit the account. Multi-factor authentication combines something the user knows, with something they have, or are (i.e. biometric data).

Microsoft’s MFA service utilises the concept of the user having a registered phone, through which they can receive a call, text or notification as a second authentication step after entering their username and password. If an attacker attempts to log in with a stolen password, they won’t be able to log in without the user being notified – and the user can then report the attempt as a fraudulent login directly to IT.

Azure Multi-Factor Authentication Overview

Watch this video to see how the service works and how it is enabled for both on-premises applications and directories as well as cloud applications that use Windows Azure Active Directory.
