About Etty Hillesum Lyceum
Etty Hillesum Lyceum is a grouping of six private secondary schools–Het Vlier, De Boerhaave, Het Stormink, Het Slatink, De Keurkamp and Arkelstein. The schools are all located in the city of Deventer, in the east of the Netherlands.
Both teachers and non-teaching staff at Etty Hillesum Lyceum used to access school computer systems using a standard set of login credentials–username and password–on the internal network. The school wanted to enable secure access to its systems for staff working outside its campuses, in order to increase working flexibility and efficiency. It also set out to enable single sign-on to all resources through a portal, rather than requiring users to continually re-key their credentials for each system.
Simultaneously, there was a requirement to improve security. An incident involving the unauthorised use of employee login credentials had highlighted the inherent limitations of a single-factor authentication system. The school aimed to introduce electronic tokens that would generate a unique code number for each attempted login. By adding a further authentication factor, this would make unauthorised access to an employee's account extremely difficult to achieve.
The Institute wanted to simplify access for employees, reduce the helpdesk workload and ensure tighter security for sensitive data.
Etty Hillesum Lyceum approached NetCB, a Novell Platinum PartnerSM, for assistance in selecting and implementing a token-based authentication system. NetCB proposed installing Novell Access Manager™ to extend the school's authentication systems beyond the internal network. Novell integrated this software with FreeRadius, an open source solution supporting the school's chosen token solution. The tokens themselves–from Vasco–are devices approximately the size of a packet of chewing gum, with an LCD screen that displays the one-time passcodes they generate.
"Our long-term use of Novell server and clustering technologies gave us the confidence to choose a Novell solution to solve our security and access challenges," said Peter Liet, Team Leader: Server, Network and Application at Etty Hillesum Lyceum. "Another appealing element was that we would be building on our Novell eDirectory™ environment, which we consider much more stable than alternative solutions."
Rather than needing to be on the school network, employees of Etty Hillesum Lyceum can now log in to any internal systems through a Web-based portal powered by Novell Access Manager. The solution checks their credentials against the details in the employee directory, and then grants access to the appropriate resources. Beyond the username and password, a third field in the Novell Access Manager login screen requests a session-specific code number. To get this number, the employee simply presses a button on their personal token.
Novell Access Manager enabled the Institute to introduce password self-service. Users who forget their master password can set a new one by correctly answering one of a series of secret questions. In combination with other initiatives to free up skilled IT staff, the move to single sign-on and introduction of password self-service have contributed to a significant fall in the number of calls to the helpdesk.
"Novell took responsibility for installing the FreeRadius software and integrating it with Novell Access Manager–a task which might otherwise have cost us a considerable amount in integration fees," said Liet. "There were some initial difficulties in creating this first-of-a-kind solution, but Novell responded excellently to the emerging challenges, which was very reassuring. The work completed by NetCB is also of very high quality, and it's certainly helpful that they have extensive experience both of Novell technology and of creating solutions for the educational sector."
Etty Hillesum Lyceum continues to roll out the token-based authentication solution, and is already seeing benefits for the first groups of users. Employees are free to log in and access school systems securely from home, enabling them to work more effectively out of normal office hours and giving them greater flexibility.
"In the past, it was always necessary to be physically located on one of the campuses if you wanted to log in–so if there was a small task that you had forgotten to complete, you might need to travel all the way back to work," said Liet. "With Novell Access Manager, teachers and administrators can access not only the school's own systems but also various national school administration systems. Misuse of passwords is now almost impossible"
The use of Novell Access Manager as a single point of authentication also improves working efficiency by minimising the number of times employees need to re-key their credentials to gain access to different applications. In combination with the one-time passcode generated by the tokens, the solution offers much higher security for little additional effort on the part of the users.
"The one-time passcode is valid for 30 seconds, so even if someone looks over your shoulder and notes down everything you enter, there is practically zero chance that they will be able to gain access to your account," said Liet. "Together with Novell Access Manager, this solution has made misuse of passwords almost impossible."