Security Policy Considerations for Virtual Worlds
by Jeff Surratt - Thursday, 24 July 2008.
Virtual worlds increasingly offer significant outreach and business development opportunities to companies, governments, and the world at large. These virtual worlds – such as Second Life, World of Warcraft, Entropia Universe, EVE On-Line and others – allow people to interact through digital personas or avatars. As these worlds evolve and grow in popularity and acceptance, and become more integrated into many aspects of business and society, they offer new and uncharted terrain for security practitioners to embrace, explore and apply corporate governance and information security policy.

As security practitioners, there are many things to consider before advising our business leaders on how to make the leap into virtual realms. In many cases, the old rules apply, but some things we simply have not had to think about before. Walk into the uncharted terrain, but go with trepidation.

Terms of Service - Many third-party companies now provide virtual services to individuals and businesses. Most require a monthly fee but some are free of charge. All of them require participants to agree to the company’s terms of service. These terms of service are an attempt to protect the virtual world service provider’s control over all aspects of the service, content and data generated in that virtual world. Thus, ability to remain a member of a virtual world or to have or use a space within that world is behavior dependent and not always guaranteed.

Each virtual world provider has its own unique characteristics and terms of service. In signing up to participate, businesses should fully understand the terms and conditions to which they are agreeing as members of that community. Users who sign up for service should also recognize that, unless specifically directed by their management, they are signing those terms and conditions as an individual. Therefore, the individual and not the business are responsible for all aspects of participation in a virtual world. If an account is for business purposes, ensure that it is not paid for with personal funds and review the terms of service with appropriate legal counsel.

Public Forum - It is also important to remember that virtual worlds are public, software-based, open societies in which having a dialogue is similar to having a discussion or meeting in a public place such as a hotel lobby or an airport. Individuals acting for themselves or as part of a directed business venture should operate on the assumption that all actions, communications and data can be seen, heard and recorded by anyone, including the service provider – which may not, and often does not, have any obligation to protect your communications or information.

In the conduct of personal or employer business, many rules of the physical world apply to the virtual world(s):

1. Do not run the client on an account with Administrative privilege.
2. Do not disclose proprietary information or talk about company business in a non-company forum.
3. Do not use the same password to access the virtual world as you do for internal company or personal business.
4. Never give out your password.
5. Follow the company dress code.

Now you may be asking yourself “Follow the dress code?” Yes! If your avatar is conducting company business then follow the company dress code. In many virtual worlds, there are many clothing types. Do you want users to conduct business as (or with) a ring-tailed lemur in bunny slippers or would you rather work with an avatar in business casual attire? If your business does not enforce dress codes, then insist people use good judgment.

Be mindful that all actions will be public and may be visible for a long time. Many software tools exist to screen capture. If you or your users can see other avatar, they can see you. Every user within sight of an avatar has the ability to immortalize a single poor choice for the entire Web to see.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th