[ISN] Virtual worlds pose business risks says Gartner

From: InfoSec News (alerts@private)
Date: Tue Aug 14 2007 - 01:03:24 PDT


http://www.techworld.com/security/news/index.cfm?newsID=9765

By Matthew Broersma
Techworld
10 August 2007

Virtual worlds such as Second Life can be useful to businesses if they 
evaluate the risks involved, according to a research note from Gartner.

Gartner analyst Steve Prentice, who recently published an in-depth study 
on virtual worlds, said virtual worlds can pose problems to security and 
corporate image, but shouldn't be automatically written off as 
time-wasting games.

Large companies are beginning to take virtual worlds seriously, with 
enterprises such as Intel, IBM and Sun setting up virtual offices in 
Second Life, and using it to hold press conferences and even internal 
meetings.

Dell uses Second Life to allow customers to build custom PCs and then 
order the real thing, while US retailer Best Buy uses its Second Life 
facility to give customers access to troubleshooting experts, and Cisco 
hosts virtual user-group meetings at its Second Life HQ.

Prentice agreed that companies can get real communications and 
productivity benefits out of virtual environments, and said companies 
should keep an open mind when evaluating whether they kill productivity. 
Such programs can drain staff time during the initial learning curve but 
there may be benefits further down the line, Prentice said.

Nevertheless, there are serious risks associated with IT security, 
access management, confidentiality, and corporate reputation, he said.

IT security - Like any internet-connected application, virtual worlds 
can open up risks of unverified applications making their way onto the 
network and allowing unwanted code through the firewall, Prentice said.

There's no evidence that virtual worlds pose any more such risk than 
comparable client applications, but Prentice pointed out that at the 
moment they're on the receiving end of frequent updates, which can make 
them difficult to control.

Access management - Virtual environments can be useful for internal 
collaboration, but open applications such as Second Life are probably 
inappropriate for this, for the simple reason that it's difficult or 
impossible to verify whether the avatar showing up for the meeting is 
actually the person it claims to be, Prentice said.

Instead, Gartner recommended companies look into "private" virtual 
environments, which can be hosted internally and need not penetrate the 
firewall.

Confidentiality - Employees might want to use a virtual environment for 
a discussion about business matters, but there are several reasons why 
this could be a problem, especially in open, internet-supported social 
networking sites or virtual worlds, Gartner said.

Besides the fact that such environments aren't secure, there's the issue 
that legal systems, especially in the US, are becoming mroe aggressive 
about demanding access to any electronically stored records, including 
online conversations.

"Non-US organisations may wish to avoid virtual worlds that are subject 
to US jurisdiction because this may result in stored information being 
subject to legal scrutiny," Gartner said in the note.

Alternatives could be private virtual worlds built using tools such as 
the Torque Game Engine from GarageGames or SUn's Java-based Project 
Wonderland, or applications such as Forterra Systems' Olive, Prentice 
said.

Corporate image - Finally, companies with sensitive brand and reputation 
issues should be cautious about becoming involved in "uncontrolled" 
virtual environments such as Second Life that could lead to the 
corporate image becoming sullied.

A similar issue arose earlier this week when the UK government pulled 
advertising from the social networking site Facebook over concerns that 
its ads could be appearing in inappropriate places.

The move followed a decision by several companies, including the AA, 
First Direct, Virgin Media and Vodafone, to pull their advertising from 
Facebook following reports that their ads were being displayed alongside 
the official group page for the British National Party.


____________________________________
Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
http://conference.hitb.org/hitbsecconf2007kl/



This archive was generated by hypermail 2.1.3 : Tue Aug 14 2007 - 01:07:43 PDT