Web-to-Host Connections: Find Your Own Comfort Level

What’s your comfort level when it comes to online security? For some companies, there is little. A couple of years ago, I helped audit the computer security awareness of more than 4,000 end users at the headquarters of a Fortune 500 insurance company. It seems like everyone was itching to get onto the Internet to exchange communications and files. However, at the time, management was keeping a tight lid on Internet usage, ever leery of the safety of its data. Unfortunately, my survey only fueled management’s paranoia, finding little or no awareness among end users of standard security measures, such as protecting important data, using encryption or procedures for business resumption planning.

If there ever was a surefire candidate for Web-to-host connectivity, this company was it. The company did employ remote dial-in access to the LAN, which many employees considered to be a joke, since it often took many attempts to log onto an unstable network. In addition, many employees complained about their outdated PCs not being able to handle new memory-hungry applications.

Web-to-host offers an appealing and logical solution to the need for fast, reliable access sought by end users, as well as the ability to provide security through centralized systems, rather than relying on end users.

However, many S/390 site managers are sweating bullets over the security of their systems and data in the expanding world of Web-to-host connectivity. It’s no accident that IBM has put its own Host-on-Demand access products under its "SecureWay" brand, presumably as a reassurance that its products will not leak valuable information into the wrong hands online. However, with hundreds or thousands of outside – and potentially unknown – users, how secure is secure? How do you authenticate unknown users of your system? How do you guard against unwanted intrusions into your company’s files?

It’s time to put things in perspective. There will never be a completely secure system, and it probably isn’t even worth the time and money to try to create one. "The idea that you can entirely eliminate risk is absurd," says William Malik, Vice President of GartnerGroup, who consults with numerous corporations on information security issues. "Having avoided it simply means you’ve been lucky, rolling the dice and coming up with sevens."

A more realistic approach is risk management, which assumes that something is going to happen, and helps companies prepare appropriate measures to minimize the consequences and quickly recover. "Is your company risk averse, or does it welcome risk, taking big chances in the hope of achieving big gains?" Malik asks. Ultimately, security is a business decision, not a technology decision. "Determining if lost, altered or disclosed data presents a risk to the company is a business process," he says. For example, there’s obviously a good case for banks having the tightest security possible with customer account data.

The bottom line: Some information may not even be worth the cost of protecting it. "Don’t buy a lock that’s more expensive than the data you’re protecting," says Malik. The biggest expense of all is the missed opportunities and loss of competitive advantage by not extending corporate data and applications to the Web because of security concerns. It may be far more risky not to grant access to corporate systems from the Web.

So it’s up to the business to decide what information is worth protecting, and it’s up to IT managers to set up the policies and systems to carry it forward. A good place to start is determining how much security is required for access via the intranet from internal users versus outside users.

The good news is that since Web-to-host configurations are based on multi-tier architectures, they tend to have inherent security advantages: end users reach the host only through an intermediate server, never directly.

For internal users who are migrating from terminal or "thick-client" PC host access to the Web, these requirements are probably minimal.

For users coming in from outside your organization, experts recommend popular, standard Internet-based security measures, including firewalls, SSL, VPNs and digital certificates, for authenticating access and encrypting traffic between the Web server (linked to the IBM mainframe) and remote users across different networks.

Firewalls. The most practical approach to securing your host system is to put the data to be accessed on a Windows NT server that presents the interface to end users. Such a server collects information and controls access to corporate services on the back-end host systems, so the host itself is never exposed to the outside network.

SSL. Currently, most Web-based transactions rely on SSL security – embedded in popular browsers – to encrypt transmissions of data. However, many industry analysts feel that more security technology is required above and beyond this basic protocol: SSL protects data in transit, but on its own it does not tell the host who the user at the other end is.

VPNs. VPNs are currently the most effective means of securing host access between business partners. However, their applicability to host access over the public Web is limited, since each client must first be provisioned with the keys needed to decrypt and de-encapsulate the tunneled traffic. VPNs add security features, such as tunneling, encryption, authentication, authorization, network privileges and management.

Digital certificates. For the past few years, digital certificates – electronic ID cards that are presented to Web servers to prove a user’s identity – have been touted as the ultimate security device, but have been slow to catch on. A certificate is issued by a certificate authority (CA) and binds the user’s identity to a pair of electronic "keys" that encrypt and sign digital information; the Web server accepts a certificate only if it can verify that a CA it trusts issued it.
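As an added illustration of the two points above (the Web server as the gateway in front of the host, and certificates issued by a CA as the user's ID card), here is the check such a gateway performs, written in Go's standard library. This is example code, not from the article or from any IBM product it mentions; the CA, the user "alice" and the function names issue and gatewayAccepts are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a key pair and a certificate for cn. With parent == nil it is a
// self-signed CA; otherwise it is a user's "electronic ID card" signed by the CA's key.
func issue(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; a real CA tracks serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // root CA: it signs user certificates and is not itself a user identity
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// gatewayAccepts is the Web server's check on a presented certificate: it must chain to the
// trusted CA, be inside its validity period and be marked for client authentication.
func gatewayAccepts(trustedCA, presented *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}
```

A certificate signed by any other CA, or a self-signed one the user made up, fails the same check even if its subject name reads "alice"; the gateway then refuses to forward the session to the host.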

About the Author: Joseph McKendrick is a research consultant and author, specializing in technology surveys, research and white papers. He can be reached at joemck@aol.com.