David Mahdi, chief strategy officer and CISO advisor at Sectigo, discusses what organisations operating the metaverse must consider when it comes to its security
Every day there is news regarding the metaverse. Some firms are raising millions to bring luxury fashion to the metaverse, while celebrities are buying plots of premium land, and the rest wonder what their actual role will be in the sphere. In time, the potential of the metaverse is limitless.
But at the same time, questions, confusion, and a sense of unease abound in these stories. Mark Zuckerberg claims humans will ‘live in the metaverse’; perhaps, but there will be many barriers to adoption. One such area is security. For any valuable transaction to occur in the metaverse, users will want trust, security, and privacy.
Lessons from cloud adoption
If we look back at another significant development in the digital world, the adoption of cloud computing provides many lessons. Around ten years ago, many IT visionaries pointed out all the benefits of cloud; but naturally, it took some time to get to where we are now. Specifically, like cloud, the metaverse will have to contend with barriers to adoption which, for cloud, took the better part of the last decade to overcome.
Cloud service providers, such as Microsoft (with Azure) and Amazon (with AWS) recognised that to alleviate customer and market concerns, they had to invest significantly in cloud security. To this day, they are still making massive investments to alleviate trust, security, and privacy concerns of customers. The metaverse will follow a similar path, as it pertains to trust and security. So, then we need to ask a critical question: how do we ensure the metaverse is secure and trustworthy?
Securing the metaverse
To secure any digital environment, cyber security is needed. More importantly, cyber security is not a "do once and done" activity; it requires ongoing attention, investment, and management.
Cyber security is indeed a complex and fast-moving area, but one where we have proven best practices that can help bring some sanity. Chief among them is the practice of identity security, specifically, securing and managing human and machine identities connecting and acting in the all-encompassing virtual environment.
The metaverse aside, cyber security in general must be based on a strong notion of digital trust, which requires strong digital identities for both humans and machines (i.e. software, bots, and devices). Without adequate identity-security controls, bad actors will focus on compromising identities or accounts, all with the goal of gaining access and stealing valuable digital assets (currency, valuable NFTs, and so on). Much like the internet today, this will put users and businesses at risk.
In part, it will depend on the metaverse ecosystem itself and whether the underlying security foundations are built in (or, to borrow from cloud vernacular, “native solutions”). This means that security and privacy will be in the hands of metaverse operators. So, we must ask ourselves, how can the builders of the metaverse ensure that it remains a secure space for both users and companies?
Certifying digital identities in the metaverse
One would hope that, behind the scenes, metaverse operators leverage the best practices for security and for privacy. When it comes to ensuring a solid foundation of security, it must be rooted in strong digital identities. One method for building that solid foundation is to root all human and machine identities in PKI-based digital certificates, a de facto standard for defence, government, and financial institutions. But what is PKI, or rather Public Key Infrastructure?
PKI, initially conceived by British Intelligence services over 60 years ago, has become the globally recognised method to verify a multitude of identities across a range of cases. This same technology will help to secure the influx of digital identities, using its servers to issue and maintain the digital certificates that authenticate them. There will be a huge rise in the number of smart devices, apps, software, bots (or machines), and human identities that need to be accurately verified as applications of the metaverse grow and enter the mainstream.
In the metaverse, digital certificates will continue to play a critical role in the creation and protection of all digital identities. Without them, metaverse infrastructure will be fragile. In the case of cyber attacks, weak digital identities, such as usernames and passwords, will be exposed to theft or subject to other fraudulent activity. Building the metaverse on fragile digital identity methods will hinder adoption, and therefore, severely limit its potential.
Managing security for the metaverse
The challenge is in managing the vast volume of digital identities, and therefore digital certificates needed for the metaverse to function. The metaverse aside, the enterprise security market still has a lot of work to do in this area.
Many organisations struggle with the issuance, management, and orchestration of digital certificates, relying on manual management techniques (i.e. using spreadsheets for tracking). This has led to huge risks, such as service outages and cyber attacks.
This is an early warning to metaverse operators; they should learn from history and anticipate issues with digital identities and certificates. Metaverse operators must build a solid foundation of security that includes identity-first security principles, as we discussed above.
Again, contrasting metaverse security to cloud security, while the cloud service providers have invested significantly in native offerings to protect their cloud, consumers of these cloud environments still require many third-party security add-ons to account for risks and cyber attacks. The trend will be similar for the metaverse; that is, the metaverse will need third-party tools and solutions to bolster and augment cyber security. This is especially true since there will be multiple metaverses, much like we have a world of multi-cloud environments.
Look back to move forward
As we forge ahead into the metaverse, the fear is that we are destined to repeat history. That is, if we press on without security and privacy by design, we will see serious issues, causing barriers to adoption or worse.
Many parameters of the metaverse, including security, have not yet been defined, due to its early and emerging state. Yet the emerging nature is also what makes it so exciting: an entirely new and immersive way to consume commonplace technologies, with amazing potential. But this will only happen if cyber security, including identity-first security, is placed at the heart of it, right from the start.