A modest proposal

According to a recent Gartner Group report, the majority of businesses today are evaluating, considering and implementing VPNs as the preferred method of secure external network connectivity. In fact, according to Gartner Group, by the end of this year more than 75 percent of the Fortune 1000 will be using VPN services.

Surveys indicate, however, that the focus of these efforts is primarily on internal company use--telecommuting employees and remote office connectivity--rather than on extending their network to their value chain of partners, suppliers and customers. In essence, companies are using VPNs to securely extend the "inside" of their firewall-protected corporate networks to employees working remotely.

Outdated notions of corporate boundaries
But VPN technology isn't being used broadly to connect partners, suppliers, and customers because it generally exposes too much to them. And so these parties--important as they may be to the core business--continue to be treated as "outsiders" from a networking perspective.

Since the '95 release of James Brian Quinn and Frederick G. Hilmer's seminal paper on strategic outsourcing, we've witnessed a steady yet dramatic shift in the structure of business. The traditional vertically integrated, self-sufficient organization of the past has progressively been replaced by interdependent organizations focused on their core competencies.

As a result, the quaint notion of "corporate boundaries" no longer matches the actual structure of workgroups that now naturally span the firewall--freelancers, colleagues on different continents, contractors, and whoever else is able to get the job done quickly and efficiently.

If this is the case, how do we reconcile the existing notion of firewalls, which represent a Chinese Wall-like boundary that shouldn't be crossed? In today's business environment, how do we distinguish between "inside" and "outside"?

Is the new car design team that's scattered across the globe and comprises representatives from several different organizations inside, or outside? Is the team of lawyers, accountants and business strategists working on your next merger inside, or outside? Is the team of public relations, advertising and creative design professionals working on your next product launch inside, or outside? Is the contract manufacturer who is building your entire product in conjunction with your engineering team inside, or outside?

As with all other boundaries, tunnels have been dug to subvert the firewall. These tunnels take the form of laptops, Palm Pilots, portable memory cards, unencrypted email, and public file-sharing Web sites. Few in business complain about these "tunnels" today; we've all gotten used to working around the boundaries, in the interest of "just getting something done!" (Former CIA Director John Deutch comes to mind.)

Time to rethink the issue
Of course, all of this activity defeats the original purpose of the firewall--to protect a company's assets from unwanted intruders.

I'm not suggesting that firewalls, proxy servers and VPNs aren't necessary. Of course they are. But what is their proper place in an environment where victory is attained by nimble, agile organizations which respond effectively to opportunity by creating teams whose members know no boundaries?

Perhaps it's time for information technology professionals to revisit the notion of security as something done at the lower levels of the ISO stack. Perhaps it's time to augment these existing network-level security solutions with secure applications that allow workgroups to form quickly, work securely, and integrate intelligently with existing business systems.

Perhaps it's even time to introduce yet another acronym into our lexicon--VPNAP, or virtual private network application platform: a platform that enables applications to be extended securely yet transparently to people inside, outside, and across firewall boundaries.

If information technology professionals are to fulfill their mission of helping their organizations attain their business objectives while simultaneously protecting their intellectual property and information assets, then our notion of security must rise to another level. Systems must match the way we actually need to work, with whom we need to work, and they must be end-to-end secure. We must focus more on securely connecting groups of people, not just computers. Otherwise, our external interactions will be compromised, and we'll continue "tunneling" our way around boundaries--rationalizing our actions in the interest of "just getting something done!"

Ray Ozzie is founder and CEO of Groove Networks, a Beverly, Mass.-based company developing peer-to-peer and peer-to-Web software solutions that provide businesses secure, online working relationships with key suppliers, partners and customers.