IT security is the main barrier to the adoption of flexible working practices, according to a recent survey commissioned by Microsoft.
It found that three-quarters of companies surveyed had concerns about security implications of flexi-working. Yet new government policies that allow parents greater freedom to work from home, coupled with increased demand for remote working, means that organizations simply cannot keep their heads in the sand. The question is: how do companies ensure that only authorized users have access to confidential corporate data while working away from the office?
With already overstretched budgets, the prospect of installing and maintaining systems to support staff working from home or on the move seems a massive headache. Many companies may simply choose to ignore the issue, believing themselves to be secure enough already. However, with employees working remotely, you are effectively widening the parameter in which hackers can enter. Why would a company only secure a part of that parameter? It simply does not make business sense.
So, there are two areas that a company must consider to ensure secure mobile connectivity; firstly the way in which information is delivered to employees, and secondly, the various products and technology available on the market.
Security and web-to-host technologies
Gartner estimates that around 70 percent of a company’s corporate data resides on mainframes, so a critical aspect to addressing flexible working is the need to access this information remotely, securely and easily. Web-to-host technology is one of several options available to companies for providing host access and most solutions have security at the core.
The basic concept of web-to-host technology is to provide users with access to host systems through their workstations, without having to actually visit their workstations, so it’s ideally suited to flexible working. The only installation required is on a web server and end users only require a web browser on their desktop. It therefore seems only logical to simply expand on this solution in order to secure mobile connectivity.
There are a number of factors critical to the success of web-to-host technologies:
- Flexibility – a web-to-host product must work with the existing desktop environment and fit into the existing IT infrastructure.
- Feature rich – functionality is important to new and existing users of host applications. Existing users expect a high level of functionality as they are used to the type of access available on their desktop.
- Security – Anyone with a web browser can effectively access an employee’s web portal and connect to a company’s host system. Many web-to-host products offer SSL encryption but, beyond the firewall, simply encrypting data is not enough.
Web-to-host products must address security requirements inside and outside the firewall and they must consider the four key aspects to security: confidentiality of data (i.e. username and password); authentication; authorization; and auditing.
Authentication is the biggest issue when it comes to considering whether security will remain manageable and the products on the market differentiate themselves by client authentication – i.e. who is the existing community and how it will be extended. Typically smartcards or digital certificates are used to authenticate users. However, security tokens can also supplement authentication. Tokens may by deployed to authorized users by a dedicated server. This eliminates deployment headaches while ensuring that only authorized users can connect to a company’s host systems.
Web single sign-on (SSO) is growing as a means of simplifying the administration of security. SSO technologies enable IT to have one focal point for authenticating users and authorizing access to all web-based applications and services in a company. Integrating web-to-host products with existing SSO allows IT to use existing infrastructure, save time and reduce costs.
Knowing who is connecting, where they are coming from and where they are going to, is vital in maintaining secure host access. Audit reports provide this information. Reports of usage by end users, administrative details and security breaches are critical because they help pinpoint problems and locate vulnerability.
Security and VPNs
It is also of crucial importance to consider the security of how information is delivered to the employees. Secure access to corporate data used to involve leased lines or secure dial-up connections – both of which tend to be costly and difficult to expand. Many companies have begun to switch to virtual private networks (VPNs) or other tunneling methods (such as SSH, OpenSSH, SSL or TLS) as secure alternatives. But there is a slight problem.
IBM, HP, UNIX and OpenVMS terminal applications often rely on protocols that are not compatible with the internet, which previously had made it extremely difficult for users to access these systems remotely. Although traditional VPNs can alleviate this issue to some extent, these solutions can be progressively expensive because of complexity in implementation and ongoing administration costs, and they are unable to deliver the level of flexibility needed. There are a number of solutions out in the market to consider. For example, ‘wrapping’ other protocols in SSL, enabling authorized users to access host applications securely via the internet.
Companies can no longer shy away from the increasing number of employees working on the move and from home, and web-to-host technology is a good way to increase employee mobility. Making host system data available through a web browser allows mobile employees to connect to customer and product data from any location at any time. However, security has to be the key priority and companies need to accommodate this in their IT strategy quickly, efficiently and with as little disruption as possible.
The best approach to security is thinking about the number of layers a hacker would have to deal with, including security tokens, digital certificates and smartcards. The challenge for the future is to ensure secure access remains easy to implement, manageable and cost effective.
Bob Stream is director of sales and marketing for WRQ (www.wrq.com)