Second Life: An additional frontier to secure the enterprise?

On 3 April, IBM and Linden Lab (LL) made an interesting announcement: IBM will host its own private islands on Second Life. See the Reuters news.
If you acquire or rent land in Second Life (SL), you may define who can access it. If you plan to open a shop, it will be open to the public. If you want it to become the headquarters of your guild of hackers, you will grant access only to the members of the guild. So a company may have meeting rooms for virtual meetings that are only accessible to the avatars of its employees. The access control is performed by LL servers.

In the case of IBM, the server(s) managing IBM’s islands will be behind IBM’s firewall, i.e. within IBM’s cybersphere and no longer LL’s cybersphere. When the avatar of an IBM employee navigates in public SL, it is managed by LL. Once it enters IBM’s island, it is managed by IBM’s dedicated server.

Of course, this should bring greater control and security for IBM. There are some interesting problems behind that:

  • In theory, an avatar can bring a virtual asset from the public SL into the private island.
  • In theory, an avatar cannot bring a virtual asset from the island to the public SL.

For that to be true, there would have to be total isolation between the two worlds. Ideally, the avatar on the island should be different from the avatar in public SL. The public avatar could pass his/her clothes and belongings to the island one, but the island one could not pass anything to the public one. This also means that nothing that happened on the island would carry back to the public SL. Every transfer from the island to the public domain may become a potential leakage (through scripting, …)
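The one-way rule described above can be modelled as a label check with a high-water mark. The sketch below is an added example, not part of the original post and not how LL or IBM implement anything; the names `Zone`, `Asset`, `Avatar` and `transfer` are hypothetical.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Zone(IntEnum):
    PUBLIC = 0   # public SL, managed by LL
    ISLAND = 1   # private island, managed by the company's own server

@dataclass(frozen=True)
class Asset:
    name: str
    label: Zone  # highest zone this asset has ever been in

@dataclass
class Avatar:
    owner: str
    zone: Zone   # one avatar per zone, each with its own inventory
    inventory: list = field(default_factory=list)

class FlowDenied(Exception):
    pass

def transfer(asset, src, dst):
    """Copy an asset between avatars if the one-way policy allows it."""
    if asset not in src.inventory:
        raise FlowDenied(f"{src.owner}@{src.zone.name} does not hold {asset.name}")
    if asset.label > dst.zone:
        raise FlowDenied(f"{asset.name} is labelled {asset.label.name}, "
                         f"cannot flow to {dst.zone.name}")
    # High-water mark: the copy is relabelled on entry, so an object that
    # came from public SL can no longer leave once it has been on the island
    # (a script could have written island data into it).
    copy = Asset(asset.name, max(asset.label, dst.zone))
    dst.inventory.append(copy)
    return copy

def demo():
    # Constructed sample data: the same employee with two separate avatars.
    public = Avatar("alice", Zone.PUBLIC, [Asset("jacket", Zone.PUBLIC)])
    island = Avatar("alice", Zone.ISLAND)
    inside = transfer(public.inventory[0], public, island)   # inbound: allowed
    try:
        transfer(inside, island, public)                     # round trip back out
        outbound = "allowed"
    except FlowDenied:
        outbound = "denied"
    return inside.label, outbound, [a.name for a in public.inventory]
```

The public avatar keeps its original jacket; only the relabelled copy on the island is blocked from leaving.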

In any case, allowing an avatar to bring a virtual asset into the island is a potential breach of security. A forged virtual asset could contain a virus or a Trojan. Of course, we may expect that the servers are inside a firewalled domain within IBM’s infrastructure. By the way, even while in the public domain, SL may already have a foot inside IBM’s firewall through the computer of the avatar’s owner.

Would it not have been safer for IBM to create its own virtual meeting world, totally independent from SL (even if using LL software)? But it would probably be less glamorous.
