
Virtual Organizations: (In Order To Realise What Security Challenges A VO Has To Cope With)

Virtual organizations (VOs) are temporary or permanent coalitions of individuals, groups, or organizations that pool resources through information technology to achieve common goals. VOs allow organizations to collaborate on projects beyond any single entity's capabilities. They are characterized by flexible structures and the ability to include new partners. While VOs provide benefits like access to new markets and innovative products, they also present security challenges due to their distributed nature and changing membership.
Copyright
© Attribution Non-Commercial (BY-NC)

Virtual Organizations

The aim of this chapter is to explain the concept of a virtual organization (VO) in more detail, in order to realise what security challenges a VO has to cope with. Below we present definitions of VO, give some examples of VOs, and describe the main characteristics of VOs. We also list the benefits and the security challenges associated with VOs.

VO is a relatively new concept that emerged in the beginning of the 1990s. There is no single clear-cut definition of what a VO is. Different sources define it somewhat differently. For example, in [1] VO is defined as a dynamic collection of individuals and institutions which are required to share resources to achieve certain goals. [2] defines VO as a temporary or permanent coalition of geographically dispersed individuals, groups, organizational units or entire organizations that pool resources, capabilities and information to achieve common objectives. Yet in [3] the concept of IT infrastructure, namely a network, is introduced: VO refers to both the members of a switchable interorganizational electronic network and to the network itself that delivers non-standard products.

Reasons behind a VO
The first two definitions speak about certain goals or common objectives, while the third spells out what these goals/objectives can be, i.e. non-standard products. Indeed, the incentive behind the creation of VOs is the collaborative delivery or creation of a customer-specified product or service. The reasons why organizations cannot provide such products/services on their own, and why they need virtual amalgamation, are the technical complexity of the demanded products and constantly changing customer and market requirements [1]. In addition, the development, production and support of modern products is highly complex [1]. Often the provision of such products would involve great risks for organizations unless they unite virtually, share resources, capabilities and experience, and utilize common facilities, all to meet a specific customer demand.

What does virtuality imply?
Uniting in order to seize a good market opportunity is not a novelty in organizational history. In the case of virtual organizations, however, the virtual part of the concept cannot be ignored. As pointed out in [3], the related terms virtual, virtually and virtuality imply that something exists and has a potential effect, but this something is not tangible. In classical organizations the boundaries are clearly defined, while VOs are characterized by fuzzy boundaries, a flexible structure and the ability to include new partners as the need arises. All this became possible with the rise of the Internet, networking, distributed computing and sophisticated web services. So, from our point of view, the IT infrastructure cannot be ignored in the definition of VO. Therefore in this thesis we define a VO as follows: VO is a temporary or permanent coalition of geographically dispersed individuals, groups, organizational units or entire organizations that pool resources, capabilities and information to achieve common objectives, while decisively relying on information technology (IT).

Characteristics of a VO
VOs can be large or small, long- or short-lived. Other characteristics of VOs are (based on [2], [3] and [4]):
o VO exists for a specific purpose, e.g. to implement a long-term marketing strategy, to launch a new groundbreaking product or to achieve some scientific goal.
o A non-standard product is the end-goal of a VO. VOs quickly deliver products/services that are innovative and customized.
o Membership and structure of a VO evolve over time.
o Switching: VO members can switch from one project to another.
o Dynamic VOs have a capability to unite quickly.
o Usually members of a VO have shared responsibilities, shared control, shared leadership, shared access to computing resources and services, and shared loyalty.
o Resources, services and people that comprise a VO can be single- or multi-institutional, homogeneous or heterogeneous.
o Principle of synergy (many-to-one): a VO exhibits a unifying property because it is constituted from different organizational entities that create the effect of a single organization.
o Principle of divergence (one-to-many): a single organization can exhibit a multiplication property by participating in many VOs at the same time.
o Virtualness is a matter of degree rather than a categorical property of an organization. An organization can choose to virtualize its different parts, like the production core, front end or back end.
o The presence of IT infrastructure is a necessary but not sufficient condition for VO formation. Examples of IT that can be used are email, electronic file transfer, telephone, fax, screen sharing applications, videoconferencing, groupware tools, project management applications etc.
o VO is dependent on electronic linking, lies in the electronic space and is characterized by loose coupling.
o Spatial dispersion: VOs can be formed across country borders throughout the world.

VO lifecycle
Shall I include a drawing???

Any VO lives through four stages/phases, as defined in [4] and [5]: identification, formation, operation and dissolution.

During identification a VO initiator, typically some organization, selects potential business partners (VO members) by using search engines and registries. Here it is important that potential VO members are capable of providing the required services, which means they need to possess an appropriate level of expertise, and are trustworthy. Trustworthiness is typically synonymous with the reputation of a potential partner. The VO initiator deduces security requirements for the VO, identifies the needed roles and makes sure that the partners can collectively fulfil them.

In the formation phase the VO initiator distributes configuration information, i.e. security and adaptation policies, to the parties. Security policies include obligations, permissions and prohibitions. Adaptation policies describe what is to be done in case of security breaches, SLA violations and other organizational changes, e.g. a new member joining the VO.

Operation is the main phase in the VO lifecycle. It constitutes the execution of the VO tasks according to the pre-defined business processes. At this stage the overall performance monitoring and the enforcement of policies are important. The service performance of each partner is monitored and used as evidence when constructing its reputation. Any violation is reported to all other parties and may result in contract cancellations/adaptations. All parties enforce security mechanisms at their local sites and adapt to changes and violations. Dynamic changes of the VO structure occur during this phase as well. Some partners may be replaced due to their completed mission, contract term re-negotiation or contract violations. The initiator may also find new partners. In such cases the structure of the VO is re-configured and a new partner is integrated.

Dissolution takes place when the objectives of the VO have been fulfilled, or when the VO was a complete fiasco and the partners were not able to operate successfully (as pointed out in [3]). This involves updating the reputation information of the participants, invalidating all resource sharing and resolving a common infrastructure.
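The lifecycle above can be read as a state machine in which access to shared resources depends on both the current phase and current membership. The sketch below is an added example, not code from the cited frameworks; the class and method names, the deny-by-default rule, the precedence of prohibitions over permissions, and the log of denied requests kept as monitoring evidence are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

Phase = Enum("Phase", "IDENTIFICATION FORMATION OPERATION DISSOLUTION")

@dataclass
class VirtualOrganization:
    phase: Phase = Phase.IDENTIFICATION
    members: set = field(default_factory=set)
    permissions: set = field(default_factory=set)   # (member, action, resource)
    prohibitions: set = field(default_factory=set)  # same shape, always wins
    denied: list = field(default_factory=list)      # evidence for reputation

    def advance(self) -> None:
        # Phases only move forward, one step at a time.
        if self.phase is Phase.DISSOLUTION:
            raise ValueError("VO is already dissolved")
        self.phase = Phase(self.phase.value + 1)
        if self.phase is Phase.DISSOLUTION:
            self.permissions.clear()  # invalidate all resource sharing

    def is_allowed(self, member, action, resource) -> bool:
        # Deny by default: only a current member, during operation, with an
        # explicit permission and no matching prohibition, gets access.
        rule = (member, action, resource)
        ok = (self.phase is Phase.OPERATION and member in self.members
              and rule in self.permissions and rule not in self.prohibitions)
        if not ok:
            self.denied.append((self.phase.name, *rule))
        return ok

    def replace_partner(self, old, new) -> None:
        # Re-configuration: the leaving partner loses every grant at once.
        self.members.discard(old)
        self.permissions = {r for r in self.permissions if r[0] != old}
        self.members.add(new)  # the newcomer starts with no grants

def run_scenario():
    # Constructed walk-through; party and resource names are made up.
    vo = VirtualOrganization(members={"initiator", "vendor-a"})
    vo.advance()  # formation: the initiator distributes the security policy
    vo.permissions |= {("vendor-a", "read", "spec"), ("vendor-a", "write", "spec")}
    vo.prohibitions.add(("vendor-a", "write", "spec"))
    out = [vo.is_allowed("vendor-a", "read", "spec")]       # not operating yet
    vo.advance()  # operation
    out.append(vo.is_allowed("vendor-a", "read", "spec"))   # permitted
    out.append(vo.is_allowed("vendor-a", "write", "spec"))  # prohibition wins
    vo.replace_partner("vendor-a", "vendor-b")
    out.append(vo.is_allowed("vendor-a", "read", "spec"))   # grants revoked
    vo.advance()  # dissolution
    return out, vo
```

The point for a VO designer is that grants are removed in the same step that changes membership or phase, so a replaced partner or a dissolved VO leaves no residual access behind.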

Some examples
Let's look briefly at some examples of what a VO may look like. This will illustrate the usefulness of VOs.

Example 1 (taken from [2]). A small software company wants to bid for a new contract, which is beyond the scope of its resources. This company forms a VO with other similar small companies and by doing that it is suddenly able to compete with larger corporations to gain the contract.

Example 2 ([2]). A business traveller comes to a foreign country and wants to do something in the evening. He/she goes to a WLAN-equipped café and requests a multi-media city guide to be shown using his/her personal computer and the café's facilities. This service can only be provided if the café, content providers, the user's home service provider, and other network operators have previously formed a VO.

Example 3 ([3]). EC (Electronics Company) has been producing equipment for broadband networks. EC develops 1) software control modules for broadband networks and 2) new strategic products. Control modules for broadband networks are the most critical products of EC. They are very complex too. EC found out that it is more efficient and cost-effective to entrust the programming of the machinery to external parties. So, EC has engaged itself in a VO relationship with multiple software vendors. EC runs several projects at a time and each project involves more than one vendor. External software vendors are small software shops situated either in the neighbourhood or far away. The business process typically goes in the following manner. A customer orders a network control unit from EC. EC assembles a project team responsible for this request. Project engineers design the product. A part of this product, the computer-driven machinery for producing the boards, needs to be reprogrammed, and new code needs to be developed. Engineers determine the software specification. Software vendors are selected and the contracts with them are signed electronically. The software specification is then sent to the vendors and after a while (typically several days) the vendor delivers the code electronically. Engineers download the code and continue developing their prototype for the customer.

To develop new strategic products EC collaborates with similar companies located on other continents. These are long-term projects that aim to move broadband network technology forward.

Example 4. Shall we write TrustCom as an example here???

Benefits and Challenges of VOs


To sum up our discussion on VOs we would like to list the benefits of engaging in a VO and the security risks associated with this process.

Benefits:
o VOs make it possible to satisfy constantly changing customer and market requirements in a competitive manner [2].
o The access to market increases [3].
o It becomes possible to provide services precisely tailored to a specific customer need [2], [3].
o An ability to participate in VOs increases the total service range a company can offer to its customers [2].
o Participation in VOs increases the total number of end-customers a company can reach indirectly via its partners [2].
o A particular organization can both multiply itself virtually by participating in several VOs and initiate a VO that will be constituted from different parties. This creates the possibility for coexistence of the opposites in one organization [3].
o By participation in a VO the concept-to-cash time is reduced [3].

Security Risks
The most challenging part of VOs is the establishment and maintenance of trust ([1], [2], [3], [4]). As pointed out in [1], trust needs to be established at several levels: authentication, policy based management, business rules. In [3] it is claimed that trust is a cognitive phenomenon rather than an affective one, meaning that it is based on rational calculations. The main challenges related to the trust establishment are:
o Each party has its own policies on access control and conditions of use.
o The allocation of resources is often dynamic since the structure of VOs may change dynamically. This implies that the VO initiator may not know until part way through the job that additional resource X is required.
o VO parties need to establish trust between them on a peer-to-peer basis.
o Trust needs to be established on the fly, which means that some mechanism needs to negotiate conditions of use, through the delegation of trust from one party to another.
o Parties may be located in different countries under different jurisdictions and, as a consequence, adhere to different legal and business requirements.
o Since VOs rely on IT, exposure to fraud or misuse of technology is a major concern.
o Security systems of VO partners must be mutually trusted. This brings up the challenge to come up with an effective and flexible security system.
o Contract management needs to be effective in order to be able to quickly reconfigure in VOs. Services for management of electronic contracts must be trusted.
o SLA monitoring is important to ensure that parties perform according to contracts.
o Confidentiality, privacy, integrity, availability and accountability at a VO level have to be assured. At the same time parties have to provide access to their services and resources, as specified in agreements.
o It is a challenging task to choose between different potential vendors/parties ([3]). Sometimes options are closed and only few players are available on the market. In these cases a VO initiator is to choose whoever is available.
o It can be difficult to anchor an IT infrastructure in a VO ([3]). People may experience it as being forced to use it rather than as having it for assistance.
o It may happen that dispersed project members are incapable of communicating in a professional domain. For example, one may prefer open standard technologies, while the other prefers proprietary ones.

Trust is established by means of digital identities, certification, access control mechanisms, authentication, secure connection, reputation and inspection of the parties.

References:

[1] Brian Matthews, Juan Bicarregui, Theo Dimitrakos, CLRC Rutherford Appleton Laboratory, Oxfordshire, OX11 0QX, UK, Building Trust on the GRID, Trust Issues Underpinning Scalable Virtual Organizations.
[2] Theo Dimitrakos, David Golby, Paul Kearney, Towards a Trust and Contract Management Framework for Dynamic Virtual Organisations, 2004.
[3] Bob Travica, Virtual Organization and Electronic Commerce, the Database for Advances in Information Systems (Vol. 36, No. 3), summer 2005.
[4] Alvaro E. Arenas, Ivan Djordjevic, Theo Dimitrakos, Leonid Titkov, Joris Claessens, Christian Geuer-Pollmann, Emil C. Lupu, Nilufer Tuptuk, Stefan Wesner, Lutz Schubert, Towards Web Services Profiles for Trust and Security in Virtual Organizations.
[5] Adomas Svirskas, Alvaro Arenas, Michael Wilson, Brian Matthews, Secure and Trusted Virtual Organization Management, ERCIM News No. 63, October 2005, http://www.ercim.org/publication/Ercim_News/enw63/wilson.html
