Talk about the so-called “Metaverse” at an all-time high. On October 28th, 2021, they were rebranding as Meta and chasing their version of the Metaverse: Facebook announced “The next platform will be even more immersive — an embodied internet where you’re in the experience, not just looking at it. We call this the metaverse, and it will touch every product we build” Other organizations have taken steps to explore how they fit into the Metaverse, including Nasdaq which . created a virtual world to ring the opening bell in the Metaverse When thinking about the Metaverse, many run to the blockchain, virtual reality, or augmented reality technologies, however, I think Matthew Ball defined it best in his essay, : Framework for the Metaverse “The Metaverse is a and which can be and by an with an , and with , such as identity, history, entitlements, objects, communications, and payments.” massively scaled interoperable network of real-time rendered 3D virtual worlds experienced synchronously persistently effectively unlimited number of users individual sense of presence continuity of data While the emergence of the Metaverse presents exciting opportunities to revolutionize the way we interact with the digital world, it will require a fundamental shift in our approach to cybersecurity. Securing Identity in the Metaverse Identity and access management (IAM) is a well-established subset of cybersecurity that addresses human and machine authentication, authorization, and accounting, also known as the AAA model. While technologies such as single sign-on (SSO) and Zero Trust architecture are currently at the forefront of the shifting identity landscape, the emergence of the metaverse will likely push for new user identity models. In order for digital experiences to be interoperable with each other, a universal and decentralized identity and access management framework will need to be adopted. Currently, identities are created and managed within a platform context. Facebook accounts, for example, allow users to authenticate to Facebook.com and the associated experiences on the platform, from user posts to games like the classic Farmville. Moving closer to the decentralized identity model of the Metaverse, single sign-on allows applications to utilize another identity provider to authenticate the user on its behalf. Applications can present the user with the ability to “Sign in with Facebook”, leveraging the identity already managed by Facebook for user authorization. For true interoperability between platforms on the Metaverse, identities will need to be portable, however, it is unlikely that a single governing organization, such as Meta (formally Facebook), will own identities. Instead, I predict it will be decentralized and owned by the individual. Many Web3 startups are already chasing the decentralized identity, such as , which describes the project as a universal digital identity and leverages non-fungible tokens (NFTs) to store identities on a blockchain. PhotoChromic As our digital and physical lives begin to merge, securing decentralized identities will become increasingly important. Imagine having your digital identity compromised in the Metaverse, and a malicious actor entering a digital bank to speak with the teller as you, digital avatar and all. Securing the Metaverse Attack Surface Lateral movement is a term used in the security industry to describe the activity of a malicious actor extending their access to other devices and “moving” through the network. While security professionals are used to defending computer networks, these same concepts will need to be extrapolated to the network of digital experiences on the Metaverse. In the Metaverse future, the attack surface, which defines as “the number of all possible points, or attack vectors, where an unauthorized user can access a system and extract data” encompasses not just the digital experience, but all other experiences connecting to it. Fortinet You may hear the malicious actors of tomorrow moving laterally from a digital art museum to gain access to a private conference, free of charge. Securing Smart Contracts I believe that blockchain technology will be a key piece of the Metaverse puzzle, enabling decentralization and individual ownership over data. Smart contracts are enabling ownership and interaction with the blockchain. defines smart contracts as: Ethereum.org “simply a program that runs on the Ethereum blockchain. It’s a collection of code (its functions) and data (its state) that resides at a specific address on the Ethereum blockchain.” The rise in smart contracts presents several challenges for security professionals. First, smart contracts are written in one of several new programming languages, one of the most common being , which is designed specifically for developing smart contracts on the Ethereum blockchain. Solidity Traditional application security (AppSec) professionals will need to dedicate time to learning these languages and how they function. This can be a daunting task currently as the current state of blockchain development is highly fragmented and future market share winners are not clear. maintained by , a researcher at , lists 61 active blockchain programming languages at the time of writing. This Github Sergei Tikhomirov Chaincode Labs New tools also need to be developed to support the auditing of these smart contracts. Existing application development security programs leverage Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools to automate part of this process. While some developers are taking a stab at developing these tools for smart contracts, the landscape is still undeveloped and maturing. lists some of the more mature tools, such as Slither. Chainlink also has an amazing showcasing the current state of security auditing for smart contracts. Pentestwiki.org webinar Governance, Risk, and Compliance in the Metaverse Governance, risk, and compliance (GRC) is a subset of the security industry focusing on managing security risk, organizational strategy, and compliance with external and internal requirements for an organization. Activities such as compliance auditing, security program leadership, policy and procedure development, and legal fall into this category. As the Metaverse future begins to emerge, I predict new security and data privacy laws and regulations will start to form. Organizations will have to invest heavily in keeping up to date with the current and future regulatory landscape, something many organizations are already struggling with due to the emergence of data protection laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These regulations will become even more important over time as the Metaverse interconnects the digital and human identity in ways we haven’t before experienced. In addition, I predict the organizational structure of some entities will shift to a distributed, contribution-focused model, introducing new challenges in accountability. Decentralized Autonomous Organizations (DAOs) are an emerging concept built on blockchain technology, which defines as: Investopedia an emerging form of legal structure. With no central governing body, every member within a DAO typically shares a common goal and attempt to act in the best interest of the entity. Popularized through cryptocurrency enthusiasts and blockchain technology, DAOs are used to make decisions in a bottoms-up management approach. Organizations operating as DAO will introduce new challenges in enforcing security and data protection regulations, such as security breach notification requirements since there is no central authority. Instead, authority is distributed among members (token holders) who collectively determine the organization’s actions. Conclusion The Metaverse presents exciting and innovative opportunities for our understanding of the digital world to evolve. However, it is important for the cybersecurity industry to match the staggering pace of innovation. Security professionals will require tailored training to address these emerging security challenges and technologies will need to be developed with security in mind. Cybersecurity is in for a wild and exciting ride.

Chainlink

Ball

Securing the Metaverse: How Digitally Immersive Experiences will Change the Future of Cybersecurity

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

108 Stories To Learn About Cybersecurity Tips

10 Ways to Mitigate Cybersecurity Risks and Prevent Data Theft

10 Tips For Securing Zoom Meetings

10 Things I Did To Increase CloudTrail Logs Security

10 Steps to Ensuring Cyber Security for a Small Business

10 Common Java Vulnerabilities Every Security Engineer Should Know

108 Stories To Learn About Cybersecurity Tips

10 Ways to Mitigate Cybersecurity Risks and Prevent Data Theft

10 Tips For Securing Zoom Meetings

10 Things I Did To Increase CloudTrail Logs Security

10 Steps to Ensuring Cyber Security for a Small Business

10 Common Java Vulnerabilities Every Security Engineer Should Know

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps