Universities and Security

I have spent a lot of time working with frustrated IT security folks at public Universities in the US. In my experience there is usually one guy responsible for security within the IT department and he usually can quote the President of the University saying something like

"We are an academic center for research and learning. We must preserve Academic Freedom by allowing free and easy access to the Internet. We cannot use firewalls to restrict that access".

On careful re-reading of the Constitution and the Bill of Rights recently I found no mention whatsoever of this "Academic Freedom". The Wikipedia entry on academic Freedom is, as usual, enlightening. But, I still have a real problem with US Public Universities’ refusal to acknowledge that not only could they be jeopardizing students privacy but they may be acting as irresponsible netizens by failing to take proper precautions against cyber threats. (BTW, I am singling out American public Universities on purpose. I generally find that security practices at every other school in Europe, Canada, and US Private schools are taken much more seriously.)

A case in point in the news this week (one of many so far this year) of an exposed flaw in the way an online application tool was coded at the University of Southern California.

Web application programming has to be reviewed very carefully. *Every* form field must be checked for input length and unexpected characters. The Session ID that appears in the URL must be obfuscated in some way. This is web application security 101 stuff. The fact that MANY organizations still cannot do this well gives hope to the emerging market for web application firewalls.

Universities are slowly waking up to reality. Too bad it is data loss that is the wake up call.