Talk about the so-called “Metaverse” is at an all-time high. On October 28th, 2021, Facebook announced they were rebranding as Meta and chasing their version of the Metaverse:
“The next platform will be even more immersive — an embodied internet where you’re in the experience, not just looking at it. We call this the metaverse, and it will touch every product we build”
Other organizations have taken steps to explore how they fit into the Metaverse, including Nasdaq which created a virtual world to ring the opening bell in the Metaverse.
When thinking about the Metaverse, many run to blockchain, virtual reality, or augmented reality technologies; however, I think Matthew Ball defined it best in his essay, Framework for the Metaverse:
“The Metaverse is a massively scaled and interoperable network of real-time rendered 3D virtual worlds which can be experienced synchronously and persistently by an effectively unlimited number of users with an individual sense of presence, and with continuity of data, such as identity, history, entitlements, objects, communications, and payments.”
While the emergence of the Metaverse presents exciting opportunities to revolutionize the way we interact with the digital world, it will require a fundamental shift in our approach to cybersecurity.
Identity and access management (IAM) is a well-established subset of cybersecurity that addresses human and machine authentication, authorization, and accounting, also known as the AAA model.
While technologies such as single sign-on (SSO) and Zero Trust architecture are currently at the forefront of the shifting identity landscape, the emergence of the metaverse will likely push for new user identity models.
In order for digital experiences to be interoperable with each other, a universal and decentralized identity and access management framework will need to be adopted. Currently, identities are created and managed within a platform context.
Facebook accounts, for example, allow users to authenticate to Facebook.com and the associated experiences on the platform, from user posts to games like the classic Farmville.
Moving closer to the decentralized identity model of the Metaverse, single sign-on allows applications to utilize another identity provider to authenticate the user on its behalf.
Applications can present the user with the ability to “Sign in with Facebook”, leveraging the identity already managed by Facebook for user authorization.
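The delegation described above only works if the application actually verifies what the identity provider hands it. The following is an added example, not code from the original post or from any real provider: a minimal two-party exchange in which a hypothetical identity provider (`https://idp.example`) mints a signed token for a user, and a hypothetical relying party (`metaverse-bank-app`) accepts the identity only after checking the signature, the issuer, the audience, and the expiry. A symmetric HS256 secret is used so the example runs offline; real providers publish asymmetric keys and the `aud` claim may be a list, but the checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; in production the provider signs with a
# private key (RS256/ES256) and the application fetches the matching public key.
IDP_SECRET = b"constructed-demo-secret-not-for-production"
IDP_ISSUER = "https://idp.example"      # hypothetical identity provider
APP_CLIENT_ID = "metaverse-bank-app"    # hypothetical relying party (client id)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def idp_issue_token(subject: str, audience: str, lifetime: int = 300, now=None,
                    secret: bytes = IDP_SECRET) -> str:
    """Identity provider side: mint an HS256 JWT asserting who the user is
    and which application the assertion is meant for."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def app_verify_token(token: str, expected_aud: str = APP_CLIENT_ID, now=None,
                     secret: bytes = IDP_SECRET) -> dict:
    """Relying party side: return the claims only after every check passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("untrusted issuer")
    # A token minted for another application must not log the user in here.
    if claims.get("aud") != expected_aud:
        raise ValueError("token was issued for a different application")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def check(token: str, now=None) -> str:
    """Return "ok" or the reason the token was rejected."""
    try:
        app_verify_token(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    tok = idp_issue_token("alice", APP_CLIENT_ID)
    print("fresh token:", check(tok))
    print("for other app:", check(idp_issue_token("alice", "other-app")))
```

`check` is the function a practitioner would wire into the "Sign in with ..." callback: anything other than `"ok"` means the identity assertion is not trusted, however plausible the avatar presenting it looks.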
For true interoperability between platforms on the Metaverse, identities will need to be portable; however, it is unlikely that a single governing organization, such as Meta (formerly Facebook), will own identities. Instead, I predict identity will be decentralized and owned by the individual.
Many Web3 startups are already chasing the decentralized identity, such as PhotoChromic, which describes the project as a universal digital identity and leverages non-fungible tokens (NFTs) to store identities on a blockchain.
As our digital and physical lives begin to merge, securing decentralized identities will become increasingly important. Imagine having your digital identity compromised in the Metaverse, and a malicious actor entering a digital bank to speak with the teller as you, digital avatar and all.
Lateral movement is a term used in the security industry to describe the activity of a malicious actor extending their access to other devices and “moving” through the network.
While security professionals are used to defending computer networks, these same concepts will need to be extrapolated to the network of digital experiences on the Metaverse.
In the Metaverse future, the attack surface, which Fortinet defines as “the number of all possible points, or attack vectors, where an unauthorized user can access a system and extract data” encompasses not just the digital experience, but all other experiences connecting to it.
You may hear the malicious actors of tomorrow moving laterally from a digital art museum to gain access to a private conference, free of charge.
I believe that blockchain technology will be a key piece of the Metaverse puzzle, enabling decentralization and individual ownership over data. Smart contracts are enabling ownership and interaction with the blockchain. Ethereum.org defines smart contracts as:
“simply a program that runs on the Ethereum blockchain. It’s a collection of code (its functions) and data (its state) that resides at a specific address on the Ethereum blockchain.”
The rise in smart contracts presents several challenges for security professionals. First, smart contracts are written in one of several new programming languages, one of the most common being Solidity, which is designed specifically for developing smart contracts on the Ethereum blockchain.
Traditional application security (AppSec) professionals will need to dedicate time to learning these languages and how they function. This can be a daunting task, as the current state of blockchain development is highly fragmented and future market share winners are not clear. A GitHub repository maintained by Sergei Tikhomirov, a researcher at Chaincode Labs, lists 61 active blockchain programming languages at the time of writing.
New tools also need to be developed to support the auditing of these smart contracts. Existing application development security programs leverage Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools to automate part of this process.
While some developers are taking a stab at developing these tools for smart contracts, the landscape is still undeveloped and maturing. Pentestwiki.org lists some of the more mature tools, such as Slither. Chainlink also has an amazing webinar showcasing the current state of security auditing for smart contracts.
Governance, risk, and compliance (GRC) is a subset of the security industry focusing on managing security risk, organizational strategy, and compliance with external and internal requirements for an organization. Activities such as compliance auditing, security program leadership, policy and procedure development, and legal fall into this category.
As the Metaverse future begins to emerge, I predict new security and data privacy laws and regulations will start to form. Organizations will have to invest heavily in keeping up to date with the current and future regulatory landscape, something many organizations are already struggling with due to the emergence of data protection laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
These regulations will become even more important over time as the Metaverse interconnects the digital and human identity in ways we haven’t before experienced.
In addition, I predict the organizational structure of some entities will shift to a distributed, contribution-focused model, introducing new challenges in accountability. Decentralized Autonomous Organizations (DAOs) are an emerging concept built on blockchain technology, which Investopedia defines as:
“an emerging form of legal structure. With no central governing body, every member within a DAO typically shares a common goal and attempt to act in the best interest of the entity. Popularized through cryptocurrency enthusiasts and blockchain technology, DAOs are used to make decisions in a bottoms-up management approach.”
Organizations operating as DAOs will introduce new challenges in enforcing security and data protection regulations, such as security breach notification requirements, since there is no central authority. Instead, authority is distributed among members (token holders) who collectively determine the organization’s actions.
The Metaverse presents exciting and innovative opportunities for our understanding of the digital world to evolve. However, it is important for the cybersecurity industry to match the staggering pace of innovation.
Security professionals will require tailored training to address these emerging security challenges and technologies will need to be developed with security in mind. Cybersecurity is in for a wild and exciting ride.