Virtual Worlds Rife with Enterprise Threats

Use of virtual worlds like Second Life could pose risks to enterprise security and reputations, Gartner warns.

Corporate use of virtual worlds such as Second Life needs careful evaluation for security risks, according to technology research and advisory company Gartner.

Gartner warned that media hype and general enthusiasm for virtual worlds has overshadowed a realistic assessment of the security and risk-management issues they can expose enterprises to. If a company is especially sensitive to branding issues and social and ethical positioning, it should consider exercising particular caution in free-for-all worlds such as Second Life.

"The risks enterprises face as a result of their involvement in virtual worlds are real and can be significant. They shouldnt be ignored—but neither should the potential opportunities and benefits that arise from using these new environments for corporate collaboration and communications," Steve Prentice, a Gartner analyst, said Aug. 9.

Prentice listed five major categories of enterprise risk relating to virtual worlds, the first being IT-related security risks. Because these virtual worlds primarily involve unverified applications being downloaded to managed desktop systems, firewall permeability should be a great concern.

Although there were no indications that these applications posed any higher risk than other similar applications, he said, the high frequency of their updates can make control of the large application difficult.


Click here to read about a security breach in a Second Life database.

Gartners second concern about virtual worlds involved identity authentication and access management. Because it is so easy to open new account and create new avatars, many people have more than one, and it is difficult to ensure that the avatar of an individual actually represents that individual.

"This lack of verifiable identity control or access management is a major deficiency in public virtual worlds and is having a significant impact on the potential use of virtual worlds for internal collaboration purposes," Prentice said. Gartner strongly recommended that companies look into "private" virtual-world environments that exist entirely inside the enterprise firewall.

Confidentiality was also a concern voiced by Gartner, which warned against having any discussions in these worlds involving confidential or commercially sensitive information. This information can be demanded by worldwide legal systems. Furthermore, organizations based outside the United States might particularly wish to avoid virtual worlds that are subject to U.S. jurisdiction, as stored information could be subject to legal scrutiny.

Gartner also suggested that uncontrolled virtual worlds were rife with risks to brand and reputation management, and urged enterprises to exercise extreme caution in their virtual-world activities, minimizing their potential exposure to brand damage.

The fifth issue Gartner raised was possible productivity loss. As long as skepticism exists regarding the practical benefits of enterprise activity in virtual worlds, senior executives will be rightly concerned about productivity loss within them, Gartner said, as they may lead to significant wasted time as well as diminished bandwidth resources.

Still, many are re-evaluating restrictions on the basis that networking and collaboration are important parts of worker productivity and morale.

"Whilst unconstrained use of virtual worlds for all staff is probably inappropriate and unnecessary, enterprises should keep an open mind and evaluate trials carefully to avoid premature and inappropriate decisions regarding access and value," Prentice said.

IBM has already taken the initiative and created formal guidelines for behavior in virtual worlds.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.