MFA secures access for mobile workforce
- Bordeaux Events and More (BEAM)
- Exhibitions and events
- France
Bordeaux Events and More (BEAM) has been a major player in business tourism and events in Bordeaux for over 100 years. Every year, they host over 300 events, with capacities ranging from 20 to 50,000 people, at their five exceptional sites: the Parc des Expositions, the Palais des Congrès, the Palais 2 l'Atlantique, the Centre de Congrès Cité Mondiale and Hangar 14. They create and produce events in a wide variety of innovative sectors. In all, more than 100 employees are committed to an ever more responsible approach to events, thanks to their ISO 20121 certification.
"It's been smooth, simple, and worked well in a way that meets the needs of our employees."
Loïc D. - Systems and Network Manager
The Challenge
Operating across multiple city locations, the organization has a hybrid, mobile workforce. The 130 employees constantly move from site to site, connecting to the network primarily using VPNs. Some users connect to a standalone RDS terminal server via RDP to access workstation applications. Employees also use Microsoft 365 via Entra ID (formerly Azure AD), with authentication synchronized through on-premises Active Directory (AD).
The security of user credentials is an area of focus for the IT security team, which prompted the organization to start using multi-factor authentication (MFA) to protect all employee accounts in addition to those of administrators. At the same time, the organization wanted to ensure their chosen solution offered enough granularity to implement MFA without it becoming a burden for users by forcing them to constantly re-authenticate.
Loïc D., BEAM’s systems and network manager, who administers network security in conjunction with an external EDR service provider, comments:
"Our employees are mobile across 5 sites, in addition to being mobile in our offices on a daily basis. Meetings, site visits, external customer appointments and teleworking are part of our employees' daily routine: we had to make sure that even if the session was locked, we didn't have to carry out a double MFA all the time. This is not something we found with your competitors."
Loïc D. - Systems and Network Manager
The organization could have moved entirely to cloud-based Entra ID as its directory service but was put off by the cost. Instead, as in many organizations, Loïc opted to keep things as simple as possible, using the existing on-premises infrastructure that works well.
“We’d been working on tightening security for three years and knew MFA was important. UserLock helped us take the next big step on that road,” says Loïc.
BEAM implemented UserLock to protect its entire 130-user base with MFA, starting with admins, who now authenticate on every connection using a TOTP code via the Microsoft Authenticator app. For everyone else, MFA is required once a day per IP address, using the Microsoft Authenticator app, across desktop sessions, VPN access, and RDP sessions.
Importantly, through UserLock the organization can protect its high-risk RDS terminal servers, which give workstation users remote access to a suite of centrally managed, shared applications. It does this while supporting hybrid access to both on-premises applications and Microsoft 365 via Entra ID.
Separately, they use UserLock Anywhere to secure access for remote working employees, with a reverse proxy to keep UserLock Anywhere off the Internet for security reasons.
At BEAM there was a growing realization that MFA was the new normal as far as credential security is concerned, especially in an organization that makes extensive use of remote access. No longer just for admins, best practice dictated that MFA should be deployed for the entire workforce.
However, this represented a major change in authentication for a user base that had previously used only traditional password credentials. That’s why BEAM wanted to implement MFA flexibly. High-risk users now authenticate every time they connect, while the threshold is set at a lower level for everyone else. The organization does all of this without increasing costs or complexity, even integrating its use of Microsoft 365 via Entra ID.
In this demanding environment, UserLock copes with every problem thrown at it.
"In the year we’ve been using UserLock, we’ve suffered no friction."
Loïc D. - Systems and Network Manager