XplanaZine

Spring is in the air. That must mean that security will once again take center stage for university networking.

Three years ago it was the major DoS attack against major Web sites using university networks as relay stations. Two years ago Napster was the buzz, and last spring institutions began realizing the problems with wireless network deployments. This year we have seen a rise in identity theft and we are watching as universities attempt to deal with the problem.

The latest event, occurring this week at the University of Texas, involved the theft of the names, Social Security numbers and e-mail addresses of more than 55,000 students, former students and employees. It was a theft that could have been prevented with better security measures. But it was also a theft that will become increasingly common because of changes in the way universities operate. Imagine, ten years ago, when university information was stored exclusively on mainframes and optical platters. Hacking was possible, but much less common. In addition, the amount and types of information being stored were fewer.

Today, with every department and administrative office connected, hackers have a plethora of attack opportunities. More than that, there is better information to be stolen. Beyond the usual social security numbers, many universities now provide students and alumni with online credit card transactions possibilities. And, these commercial transactions are not always centralized and protected by a common protocol. Athletic departments are often handling and hosting transactions separately from Admissions etc.

The fact that courses are moving out of the classrooms and onto the Internet also means that authentication credentials are being used and often passed in an increasingly distributed manner. Last year, in fact, BlackBoard officials told me they were a bit surprised by our insistence on a VPN for the student authentication piece of their hosted solution for the University of Oklahoma. “”You are one of the only universities who has really expressed a need for this,” they told us. That was out of 200 universities whose sites were being hosted!

Add to all of that the new SEVIS repositories of international student data. This data has to be collected and updated on a daily basis. In some instances, this data is also being collected and protected by a different department than the one that sets university security policies.

What all of this means is that universities will continue struggling with security. The biggest step they can take to improve matters, however, does not involve network security. It is the simple step of placing all university servers and networks under a single security protocol and management. It’s an ugly idea in some regards, and one I’ve resisted as an IT Director.

But it is unfair to blame CIO’s and IT departments for systems that they do not control entirely. And, it is imperative that university President’s realize that one of the biggest threats they face is identity hacking. Free networks are a fine idea. But this is one instance in which, as a user, would prefer some standard and centralized control so that I can continue computing safely.