Web-to-Host Connectivity: Putting Security in Perspective
Nothing can be absolutely safe, no matter how much money you spend to make it so.
That’s why many Unisys site managers are sweating bullets over the security of their systems and data in the expanding world of Web-to-host connectivity. With hundreds or thousands of outside – and potentially unknown – users, how secure is secure? How do you authenticate unknown users? How do you guard against unwanted intrusions into your company’s files?
The time has come when extending data and applications out to business partners and remote users has become a necessity, rather than a luxury. It’s enough to make you long for the days when data moved between your mainframe and direct-attached T27 or UTS terminals. Any security glitches in this arrangement were ironed out years ago. And when PCs came online as terminal emulators, no one sweated security, since the PCs simply mimicked dumb terminals, with access confined to the same internal users that would have been on those terminals.
Opening up host systems to browsers is a different animal, of course. The good news is that since Web-to-host configurations are based on multi-tier architectures, they tend to have inherent security advantages. And products coming on the market incorporate the latest Internet security protocols and features, such as firewalls, SSL and VPNs.
But first, let’s put things in perspective. There will never be a completely secure system, and it probably isn’t worth the time and money to try to create one, says William Malik, Vice President of GartnerGroup, who consults with numerous corporations on information security issues. "The idea that you can entirely eliminate risk is absurd," he says.
A more realistic view of security comes through risk management, which assumes that something is going to happen, and helps companies prepare appropriate measures to minimize the consequences and quickly recover. "Is your company risk averse, or does it welcome risk, taking big chances in the hope of achieving big gains?" Malik asks. Ultimately, security is a business decision, not a technology decision.
Some information may not even be worth the cost of protecting it, Malik continues. "Don’t buy a lock that’s more expensive than the data you’re protecting." The biggest expense of all is the missed opportunities and loss of competitive advantage by not extending corporate data and applications to the Web because of security concerns. It may be far more risky not to grant access to corporate systems from the Web.
So it’s up to the business to decide what information is worth protecting, and it’s up to IT managers to set up the policies and systems to carry it forward. A good place to start is in determining how much security is required for access via the intranet from internal users versus outside users.
For internal users that are migrating from terminal or "thick-client" PC host access to the Web, these requirements are probably minimal. Typically, internal users are known quantities, who are probably familiar with T27 and UTS terminal interfaces. These users may simply require an applet that sets up a terminal emulation session through their browser that directly connects to the host mainframe.
For users coming in from outside your organization, experts recommend popular standard Internet-based security measures, including the following, for authenticating access and encrypting traffic between the Web server (linked to the Unisys mainframe) and remote users across different networks.
Firewalls. The most practical approach to securing your host system is to put data to be accessed on a Windows NT server, which presents the interface to end-users. Such a server collects information and controls access to corporate services on the back-end host systems. Unisys’ ClearPath architecture takes advantage of mainframe functionality while integrating NT right into the box, providing a ready-to-run firewall. The end user does not go directly to the host, but rather accesses a server that collects the information from the host system. This Web-to-host connectivity arrangement typically sits in a "DMZ" between firewalls. At the same time, traditional PC-based host access environments and protocols continue to be supported.
SSL. Currently, most Web-based transactions rely on SSL security – embedded in popular browsers – to encrypt transmissions of data. However, many industry analysts feel that more security technology is required beyond this basic protocol.
VPNs. VPNs add security features such as tunneling, encryption, authentication, authorization, network privileges and management. With tunneling, outgoing messages are encrypted and encapsulated inside another packet, then decrypted and de-encapsulated by the receiving machine. VPNs can run over any IP network and connect trading partners, as well as telecommuters, customers, sales representatives and branch offices. VPNs rely on standard Internet-based encryption and authentication services. VPNs are currently the most effective means of securing host access between business partners.
Digital certificates. For the past few years, digital certificates – electronic ID cards that are presented to Web servers to prove a user’s identity – have been touted as the ultimate security device, but have been slow to catch on. Certificates are issued and verified by a certificate authority (CA) and are bound to a pair of electronic "keys" that encrypt and sign digital information.
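As an added example (not from the article), the issue-and-verify cycle the paragraph describes, run with the openssl command-line tool: a CA issues a certificate binding a remote user's identity to their key pair, the Web server checks it against the CA it trusts, and a certificate from a CA it does not trust is rejected. The CA and user names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: a minimal CA with the openssl CLI.
# Names (demo-ca, partner-user, rogue-ca) are constructed for this demo.

demo_certificate_issuance_and_verification() {
  work=$(mktemp -d) || return 1

  # 1. The CA generates its own key pair and a self-signed root certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=demo-ca" \
    -keyout "$work/ca.key" -out "$work/ca.crt" >/dev/null 2>&1 || return 1

  # 2. The remote user generates a key pair and a certificate signing request.
  #    The private key stays with the user; only the CSR is sent to the CA.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=partner-user" \
    -keyout "$work/user.key" -out "$work/user.csr" >/dev/null 2>&1 || return 1

  # 3. The CA signs the CSR, producing the user's certificate (the "ID card").
  openssl x509 -req -in "$work/user.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -days 30 -out "$work/user.crt" >/dev/null 2>&1 || return 1

  # 4. The Web server trusts only demo-ca, so the user's certificate verifies.
  openssl verify -CAfile "$work/ca.crt" "$work/user.crt" >/dev/null 2>&1 || return 1

  # 5. A certificate from a CA the server does not trust (an independent
  #    self-signed root) must fail, or anyone could mint their own ID card.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=rogue-ca" \
    -keyout "$work/rogue.key" -out "$work/rogue.crt" >/dev/null 2>&1 || return 1
  if openssl verify -CAfile "$work/ca.crt" "$work/rogue.crt" >/dev/null 2>&1; then
    return 1   # verification wrongly succeeded
  fi

  rm -rf "$work"
  return 0
}

demo_certificate_issuance_and_verification && \
  echo "certificate issued and verified; untrusted CA rejected"
```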
About the Author: Joseph McKendrick is a research consultant and author whose firm, McKendrick & Associates (Doylestown, Pa.), specializes in surveys, research and white papers for the industry. He can be reached at joemck@aol.com.