Virtual Private Corporation:
Information Security Infrastructure Restructuring
Strategy for Countering Cyber-Terrorism

Lebin Cheng
Hewlett-Packard Company
lebin_cheng@hp.com

Problem Statement

According to many studies, insiders - employees or contracted workers working within the premises of corporations, directly or indirectly caused a large portion of security incidences. Most corporations today rely on the firewall strategy, drawing arbitrary boundaries between the "dangerous" open Internet and the enclosed corporate "intranet". While this "firewalling" strategy might be considered "enough" to prevent external attacks from the inside render this strategy useless. As a result, when cyber-terrorists strike, it is very likely that they choose to strike corporations from the inside.

There are various ways of getting inside a "firewalled" intranet. All one needs are a single weak point of the defense. Technical defects or administration mistakes often comprise security infrastructures. Sometimes, the human-factor represents the weakest link. For example, an uninformed employee opening an email attachment may inadvertently make his/her desktop the launching spot of a cyber-terrorist attack. As corporations are increasingly forced to put their business on the Internet, finding such an "entrance" to the inside of a corporation's protected domain is ever easier.

Increasing competitions and reduction in margin and lifetime of high-tech products forces corporations to increase their reliance on partner-ship to focus on core competencies. In order to work together, a group of companies in partner-ships must gain access to each other's resources, including information assets, forming a virtual entity called "Extended Enterprise" or "Virtual Corporation".

The problem is that the business strategy of "Virtual Corporation" conflicts with the traditional single protection domain strategy. To solve this problem, corporations must restructure their information security infrastructure.

Proposed Strategy for Information Security Infrastructure Restructuring

We proposed the strategy of Virtual Private Corporation to eliminate the single protection domains as targets of cyber-terrorist attacks. As Virtual Private Networks (VPNs) protects privacy of data transmission in open, potentially hostile network environments, Virtual Private Corporations are built without the assumption of preset boundaries nor network-layer protections. A Virtual Private Corporation is one protection domain involving members that share a common interest or task, having its own membership management and security policies. An employee of a corporation in the "physical" world can simultaneously involve in multiple Virtual Corporations depending on the role of the employee.

The forming of Virtual Private Corporations reduces the size of individual protection domain from potentially tens of thousands in a large corporation to the magnitude of tens or hundreds in a "workgroup". This effectively limits the damage a security breach in one protection domain can cause to the community as a whole. Cyber-terrorists find large corporations attractive targets because the huge monolithic infrastructures carry big "rewards" when they are broken into. When large corporations are divided into smaller Virtual Private Corporations each capable of protecting itself, it will become difficult, if not impossible, to generate a single attack that can cause a catastrophic effect.

A Virtual Private Corporation is dynamic and task-oriented. They are formed when a workgroup on a project is created and terminated when the task is completed. There is no permanent security infrastructure for a cyber-terrorist to study and explore. For a cyber-terrorist, the hundreds of thousands of Virtual Corporations are always "moving targets". As a result, the effect of a cyber-terrorist attack can be reduced to an opportunistic breach of a limited number of protection domains.

Security in a Virtual Private Corporation is resource-centric. Access to information resources are granted or denied based on the need of the task. This is different from the existing ownership and location dependent security which, again, is derived from the single protection domain strategy.

Discussion Proposal

The author would bring to the discussion the study conducted in a large corporation with >100,000 employee based, the issues and challenges discovered, and the ideas generated based on the study. In addition, the author will fill in the details of the Virtual Private Corporation strategy and present examples of implementations.

By participating in the forum discussion, the author would first test the idea with other participants and gather feedback. Furthermore, the author would like to discuss the technologies and/or researches with which Virtual Private Corporations can be built. For example, topics such as Role Based Access Control, Virtual Private Network, host protection, data classification will be of interest. Last but not least, suggestion of refinement of the Virtual Private Corporation strategy will be welcome.