Is Unsupported OpenJDK for Universities Good Enough?
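Oracle is auditing universities to enforce its employee-count-based Java licensing, and those found non-compliant may face sharply higher costs. Universities tend to use free but unsupported OpenJDK to reduce costs, but doing so can lead to security vulnerabilities and compliance risk. Azul offers a more economical, supported Java solution that helps universities stay compliant and avoid potential losses. 2025-10-30 16:50:42 Author: securityboulevard.com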

Summary 

Oracle has begun targeting universities for audits to enforce its employee-based Java licensing model. Those found non-compliant face a potential 2-5x increase in costs based on the number of employees (whether they use Java or not, and including part-time employees and contractors). Institutions wondering whether to pay Oracle must now decide whether unsupported OpenJDK for universities is good enough.

In this post you will learn: 

  • Universities are cost-conscious 
  • Many universities show a preference for unsupported Java 
  • Unsupported Java puts universities at risk of data breaches, malware, and other forms of attack 
  • Universities should use a Java distribution that provides Critical Patch Updates so they can fix issues forward instead of rolling them back

Depending on whether they are on quarters or semesters, universities are preparing to process final exams, grad school applications, and class registrations. They run student information systems, learning management systems, middleware, financial and HR systems, library systems, and administrative systems. 

Many of these run on Java or have Java dependencies. Most universities employ thousands of staff, faculty, maintenance workers, contractors, and more. And Oracle’s employee-based Java pricing can break their budgets and put their academic mission at risk.


More About OpenJDK and Universities

Unfortunately, getting rid of Oracle Java is not that easy. 

  • Many commonly used older Java technologies lack non-Oracle solutions. 
  • Some applications and systems are critical for staying compliant with local and federal regulations. 
  • Shadow IT introduces unauthorized apps, especially in departments that take funding to do work and research for industry and government partners. 

Oracle has begun targeting universities for audits to enforce its employee-based Java licensing model. Those found non-compliant face a potential 2-5x increase in costs based on the number of employees (whether they use Java or not, and including part-time employees and contractors).

If universities replace Oracle Java with free unsupported OpenJDK, they put themselves at risk of non-compliance with IT security regulations, which may result in forfeiting federal funding. 

CPUs vs PSUs

If a university needs to fix a vulnerability in its Java code, it can implement a Patch Set Update (PSU), which Oracle regularly issues. However, a PSU is a full update of the JVM. It is huge, and often includes regressions that must be addressed. A better option is a Critical Patch Update (CPU), which includes only security updates and can be implemented much more quickly and easily.

However, only Oracle and Azul issue CPUs. Learn more about Azul Platform Core.

What are the ramifications of IT security regulation non-compliance? 

Universities must comply with IT security regulations that include federal laws, state-level data privacy laws, and PCI-DSS if they handle credit card payments. 

For security reasons, universities shouldn’t be using unsupported OpenJDK. Here are a few examples. 

FERPA 

  • What it is: FERPA requires universities that receive U.S. federal funding to implement proper security controls for systems storing confidential student data. 
  • Penalty for non-compliance: Loss of funding 
  • Means of compliance: Use CPUs because 25% of PSUs introduce regression issues, forcing a rollback. Organizations relying on PSUs have unpatched known vulnerabilities in production for weeks until a new patch is released. 

State-level data security requirements 

  • Penalty for non-compliance: Periodic non-compliance 
  • Means of compliance: Use CPUs 

PCI-DSS 

  • What it is: PCI-DSS requires that any EOL Java technology associated with storing or processing credit cards MUST have commercial support. 
  • Penalty for non-compliance: Potentially forfeiting federal funding 
  • Means of compliance: Only Azul provides commercial support for older Java technologies like Java 6, Java 7, Java Web Start, and Java Applets 

Is unsupported OpenJDK good enough for universities? 

Universities run campuswide systems like student information systems, learning management systems, middleware, financial and HR systems, library systems, and administrative systems. In addition, many individual classes use Java-based systems like Cengage to access textbooks, videos, and other course materials. Cost-conscious universities show a preference for Java without commercial support. Unfortunately, the effect can be drastic.

  • Federal and state regulations require strong security policies and secure implementation of systems that store and process student personally identifiable information. 
  • Universities supporting Java 6 and Java 7 themselves must investigate each vulnerability and backport fixes on a quarterly basis, an expertise not commonly found in universities. 
  • Regressions in PSUs cause universities to roll back patches, exposing student systems to attack. 
  • U.S. universities have experienced more than 3,700 data breaches in the past 20 years, incurring cleanup costs and fines of $3.65M per breach, on average. 

How can Azul help? 

Universities are cost-sensitive out of necessity. Oracle’s employee-based pricing charges for every full-time employee, part-time employee, and contractor, and in some cases every student. Azul offers straightforward pricing that’s typically 70% less expensive than Oracle – and no audits. Andrew Yong, Manager of Enterprise Applications at the University of Southern Queensland, said, “A 60% license cost increase just didn’t sit well with us. There are countless ways we could use those funds to support our students.” 

Unsupported Java sounds enticing, with no support fees. With Azul, universities get commercial support for legacy Java technologies and EOL versions of Java – and support with 100% customer satisfaction. 

25% of PSUs have regressions. Without CPUs, universities have to either fix the regression themselves or run vulnerable applications until the next release. Usually they roll the update back instead. Azul customers receive quarterly security-focused updates and out-of-cycle updates so they can remain in compliance with federal and state regulations. 

Just one incident can cost universities their reputations, their trustworthiness, and millions of dollars.

*** This is a Security Bloggers Network syndicated blog from Security Blog Posts - Azul authored by Azul. Read the original post at: https://www.azul.com/blog/is-unsupported-openjdk-for-universities-good-enough/


Article source: https://securityboulevard.com/2025/10/is-unsupported-openjdk-for-universities-good-enough/