
Bolstering a sixth form college's Microsoft 365 cloud tenancy against cyber-attacks
With cyber-attacks on large organisations grabbing headlines throughout 2023, Godalming College’s IT staff felt the time was right for an expert security review.
Godalming College’s IT staff implemented Microsoft 365 (M365) in 2020 to make sure students could keep their learning on track during lockdown. They said it was a steep learning curve but they completed it themselves quickly and, since then, they have moved more of the college’s essential services into the cloud.
However, security is a high priority for the college. It has been a Jisc member since 1992 and, for Joe Yeadon, the college’s director of IT and digital strategy, our security services are the ones he values the most. The college has used several of them, including cyber security threat monitoring and penetration testing to identify network weaknesses and protect systems from bad actors, potentially both external and internal.
Joe said:
"We asked Jisc’s cloud experts to explore our M365 set-up and recommend any actions we should take to keep our defences strong."
Security best practice
Our objective in reviewing a cloud tenancy is to help customers follow security best practice guidelines, including those issued by the UK’s National Cyber Security Centre (NCSC), the Center for Internet Security (CIS) in the US and, in Godalming College’s case, Microsoft. We also review tenancies hosted by other cloud providers, including Amazon Web Services (AWS) and Google Cloud Platform (GCP), helping customers improve resilience, protect their reputations and make sure their tenancies are set – and kept – to the latest security configurations. This is essential as cloud providers update and improve their services constantly to stay ahead of cyber-threats as they emerge.
Our first step is a kick-off call. Typically, we carry out the review over a week or two; it is a hands-off process that doesn’t disrupt the organisation’s day-to-day working. We just need read-only access to let us work remotely.
For Godalming College the review took three days and the report was ready a few days later. It contains our analysis and recommended remedial actions, explaining quick wins, any that require urgent action and those that are best practice. We followed up the report with a feedback session to answer questions, add detail and discuss next steps, including how to implement changes.
Often, the customer can implement most of the recommended changes themselves. Godalming College has acted on our recommendations, which included:
- Improving the structure for licensing resources
- Reviewing the number and kind of admins, including who has elevated rights
- Tightening up processes for dealing with privileged access
There were many more. Often, our recommendations to customers can run well into the hundreds.
Benefits
Joe said:
"Using Jisc to review our cloud tenancy means we benefit from their specialist sector knowledge. It also gives us a partner who knows our set-up inside-out and will help without landing us with a big bill. Commercial partners rarely do that. We had an urgency yesterday and Jisc helped us solve it within ten minutes, over the phone.
"It also means everyone in the sector can benefit. What Jisc learns from working with members goes into the knowledge pool to improve services and outcomes for every member in future."
The college’s first M365 security review took place in February 2024 and it had a wide-ranging brief. They plan to repeat the process, probably with a narrower focus to prepare the groundwork for a project to automate more data governance processes.
Get in touch
Keen to find out more about security reviews? Talk to your relationship manager or contact cloud@jisc.ac.uk for a demo.