There are various ways of getting inside a "firewalled" intranet. All one needs are a single weak point of the defense. Technical defects or administration mistakes often comprise security infrastructures. Sometimes, the human-factor represents the weakest link. For example, an uninformed employee opening an email attachment may inadvertently make his/her desktop the launching spot of a cyber-terrorist attack. As corporations are increasingly forced to put their business on the Internet, finding such an "entrance" to the inside of a corporation's protected domain is ever easier.
Increasing competitions and reduction in margin and lifetime of high-tech products forces corporations to increase their reliance on partner-ship to focus on core competencies. In order to work together, a group of companies in partner-ships must gain access to each other's resources, including information assets, forming a virtual entity called "Extended Enterprise" or "Virtual Corporation".
The problem is that the business strategy of "Virtual Corporation" conflicts with the traditional single protection domain strategy. To solve this problem, corporations must restructure their information security infrastructure.
The forming of Virtual Private Corporations reduces the size of individual protection domain from potentially tens of thousands in a large corporation to the magnitude of tens or hundreds in a "workgroup". This effectively limits the damage a security breach in one protection domain can cause to the community as a whole. Cyber-terrorists find large corporations attractive targets because the huge monolithic infrastructures carry big "rewards" when they are broken into. When large corporations are divided into smaller Virtual Private Corporations each capable of protecting itself, it will become difficult, if not impossible, to generate a single attack that can cause a catastrophic effect.
A Virtual Private Corporation is dynamic and task-oriented. They are formed when a workgroup on a project is created and terminated when the task is completed. There is no permanent security infrastructure for a cyber-terrorist to study and explore. For a cyber-terrorist, the hundreds of thousands of Virtual Corporations are always "moving targets". As a result, the effect of a cyber-terrorist attack can be reduced to an opportunistic breach of a limited number of protection domains.
Security in a Virtual Private Corporation is resource-centric. Access to information resources are granted or denied based on the need of the task. This is different from the existing ownership and location dependent security which, again, is derived from the single protection domain strategy.
By participating in the forum discussion, the author would first test the idea with other participants and gather feedback. Furthermore, the author would like to discuss the technologies and/or researches with which Virtual Private Corporations can be built. For example, topics such as Role Based Access Control, Virtual Private Network, host protection, data classification will be of interest. Last but not least, suggestion of refinement of the Virtual Private Corporation strategy will be welcome.