Oxford Science Enterprises - Cloud Security Case Study
Developing Oxford Science Enterprises' cybersecurity to match their technology maturity level as the organisation grows and modernises.
Oxford Science Enterprises transform world-leading science into world-changing business, by bringing together academics and investors to create pioneering new ventures. Closely linked with Oxford University, they take a leading role in commercialising spinouts from the science department, helping to build businesses that change aspects of people’s lives including their health, the availability of food, the survival of the planet.
A partnership beyond outsourced IT
Atech have a long-standing relationship with Oxford Science Enterprises and provide them with a fully managed service for their IT. Much more than a helpdesk solution, Atech provide ongoing consultancy – monitoring and reviewing all aspects of their IT stack and making recommendations as the company evolves. Pete Wilder, Head of Property at Oxford Science Enterprises, describes the value of the relationship:
“I don’t see Atech as our outsourced provider – they are my technology team. The benefit of the relationship is that we know each other really well – we know what works well and what needs to improve – and we know that together we can solve those things.”
Oxford Science Enterprises has nearly doubled in size over the last two years, and Atech have been instrumental in ensuring technology keeps up with the organisation’s operations. It was whilst developing a wider modernisation strategy for Oxford Science Enterprises – migrating their on-premises environment to the cloud – that Atech identified the opportunity to better align security protections with the rapid growth they were experiencing and vulnerabilities they would increasingly be threatened by. The deep understanding of infrastructure, people and operations that Atech possessed helped shape the implementation of a series of best practice measures.
For Oxford Science Enterprises, it’s vital that security is taken seriously. Pete Wilder explains: “We invest hundreds of millions of pounds each year so it’s important we take proper care of our data.” The challenge is twofold – both protecting confidential contractual information of the investors and safeguarding the intellectual property of the scientific solutions at the heart of the businesses they are funding. But the security technology deployed to protect this information must also not impede important parts of their operation:
Building spinouts into businesses requires third party relationships – clients, investors, academics and suppliers – brought together from across the globe. Oxford Science Enterprises needs to be able to set strict controls around what information can be shared, who it can be shared with and who can share it – so the right people have access only to the information they need.
Unpatched or outdated devices can introduce vulnerabilities when accessing systems, so being able to manage compliance with these regimes and policies is an important element of overall security.
Valuable IP sits at the heart of the businesses Oxford Science Enterprises works with, in the products and solutions they are innovating. Leaking of this IP has high consequences in itself. But it’s also important that the organisation can demonstrate to investors that IP is safeguarded.
As with any changes or modernisations, users must be on board with the new technology, processes and controls deployed. In an innovative and fast-growing organisation it’s crucial that technology helps – and doesn’t hinder – progression.
Maximising upon best-in-class technology
Atech’s process always begins with a comprehensive audit of the existing solution. From here a roadmap can be drawn up to pave the way forward. Atech had recently completed a full migration to Azure for Oxford Science Enterprises, with workspaces now delivered via Azure Virtual Desktop. This in itself provided a fully managed environment, and visibility over users within it. But with a desire to take the organisation’s security even further, Atech proposed that other Microsoft service features and technologies could be used to reach the next level.
The technologies implemented for Oxford Science Enterprises:
- Microsoft Defender for Endpoint in place of existing antivirus – offering better integration with the Microsoft stack following the migration to Azure
- Defender for 365 – providing protection against phishing campaigns and supporting user awareness training
- Defender for Cloud – monitoring Azure resources such as file servers, domain controllers, VMs and virtual networks
- Defender for Cloud Apps – sanctioning applications and preventing shadow IT
- Microsoft Sentinel – a SIEM tool which collates logs from Microsoft and third parties, monitoring everything in the environment
- Device encryption technologies such as BitLocker and FileVault
- DLP technology – bolstering policies to prevent unauthorised sharing of data
- Mobile Device Management – controlling which devices can access, view or download data
- Multi-factor Authentication and conditional access controls
- Automated responses to threats
The human touch – going further than technology
Advising on and implementing best-in-class technologies was just one part of Atech’s role in raising the level of security maturity for Oxford Science Enterprises. Understanding security tools is key to getting the most from them. Atech provides a fully managed service so that they can translate the features of the tools into meaningful and useful insight for their client. What’s more, Oxford Science Enterprises have direct access to security engineers to answer any questions or explain what the technologies are showing them. Pete Wilder comments on the value of Atech’s support: “Processes and technologies are important but fundamentally Atech have really good people – that’s a key part of our working relationship. The team are passionate and expert in what they’re doing.”
As part of their relationship with Atech, Oxford Science Enterprises benefits from a specialist SOC team, who are on hand 24×7 to keep watch over SIEM logs and immediately respond to potential threats. Reporting is provided every quarter, including a comprehensive overview of user accounts, devices and activity. Easy to digest, this keeps Oxford Science Enterprises abreast of everything that is going on in their security environment, in a way that is clear, understandable and meaningful. This way, decisions can be made about actions or adjustments that need to be implemented in the environment. Pete Wilder explains: “It’s an ongoing thing – we’re constantly tweaking the environment to make sure it’s as secure as possible.”
It was important for Oxford Science Enterprises that their users were on board with the changes being made. Firstly, they needed to understand why the technologies and processes were so important and secondly, they needed to be able to easily adhere to policies in their daily work. Atech prepared guides on secure filesharing, as well as offering workshops to users. Through Defender for 365, simulated phishing training is ongoing, and users who fall foul are automatically enrolled into additional training. These live simulations help to demonstrate to users how breaches can occur, and why they need to remain vigilant.
The threat landscape is constantly evolving, and Atech is continuing to manage and evolve the security environment for Oxford Science Enterprises to ensure they are always one step ahead. Several benefits have been realised so far:
Conditional access and multi-factor authentication prevent unauthorised sharing. Rules can be set to only allow access from a certain country such as the UK – with the flexibility to add or remove specific IP addresses as required.
Full security visibility
With regular reports from the SOC team, Oxford Science Enterprises can see any attempts that have been made to access their environment, and exactly how the technology has curtailed the threat. Being able to see the tools working in real time provides reassurance that the technology is doing its job.
Increased user awareness
Thanks to simulated phishing and user adoption support, secure behaviour has become a more integral part of day-to-day working practices, as users better understand and recognise their role in data protection.
Oxford Science Enterprises regularly receive easy-to-digest reports that can be presented to the management team and investors to demonstrate a high level of security compliance.
Smarter ways of working
Atech has been able to implement the new security technologies with zero negative impact on the organisation. In fact, greater confidence in secure sharing allows smarter ways of working across locations and among third parties. Data is protected whilst allowing work to go on.
Importantly for Pete Wilder and his team, the solution has provided reassurance that security is being taken care of. He says: “It helps me sleep better at night knowing that the system is in place. This has been a really valuable company initiative that reinforces the value of working with Atech.”