Securing the metaverse: 3 critical concepts

The physical and virtual worlds are already smoothly and ubiquitously interwoven. The metaverse will deepen this overlap and in very experiential ways that will create abundant space for business innovation.

The metaverse is an unstoppable phenomenon that will take the digital user experience to new highs. There is already is a sprawling metaverse ecosystem comprising hundreds of companies, from Fortnite and Roblox to Microsoft and Meta (the renamed Facebook).

For companies, the metaverse presents attractive opportunities. For example, a leading pharmaceutical company used the Infosys XR platform to create a digital twin of their vaccine lab, enabling quality engineers to access critical vaccine culture data to help make predictions and decisions.

Similarly, an engineering consulting company took advantage of Infosys’ metaverse to prototype an immersive mixed reality workbench that inspects prospective engineering construction sites rendered as rich 3D assets. The capability was evolved and scaled for global use on Azure’s high-performance cloud, with ready support from Microsoft, a long-standing Infosys partner.

But security and privacy concerns take on heightened importance in the metaverse. Currently, there is little to no regulation in this space. Governing bodies will be looking to put in stringent controls as the metaverse becomes more mainstream. For instance, one of the metaverse’s central features – the use of avatars – creates opportunities for fraud. It is common knowledge that for the concept of identity is crucial in the metaverse. People can retain a particular avatar and individuality and traverse across geographies or worlds.

The metaverse will require people to claim an identity by sharing their PII and permitting businesses, organizations, and other virtual citizens to authenticate who they are. If a breach were to happen in this state, it could render serious damage to stakeholders. Rogue sellers can mimic the profile of established companies, leading to fraudulent transactions and the unauthorized collection of personal data. The metaverse will have to overcome its own unique challenges regarding identity and authentication, meaning that verification systems will also have to evolve.

Also, given that the metaverse runs on blockchain technology, there are no opportunities to recover stolen assets, since blockchain is unregulated and has no centralized authority or administration. And there is no uniform approach to identifying and isolating cyber thieves.

In addition, accessing the metaverse ultimately depends on software and other tools that can be manipulated for nefarious purposes, which further emphasizes the importance of maintaining robust security protocols that are being updated regularly. But companies will also need to design security and privacy strategies that are specifically tailored to the metaverse.

What should corporate CISOs do to address these security challenges? It will be essential to secure the devices that are fundamental to the metaverse, such as VR/AR headsets, while also deploying VPNs and related tools. But that is just a starting point.

Focus on the following three areas will be necessary:

1. Collaboration

Today, it is nearly impossible to have a single pane of glass from which to manage end-to-end security. Almost every vendor has its own console, with numerous closed ecosystems and frequent functional duplication. Standards and greater use of APIs will allow clients to choose security management consoles that best meet their needs. But
there is limited availability of APIs and many of them are slow, unreliable and don’t scale well.

Over time, more sophisticated security engineering will mean that ‘zero trust’ will evolve into ‘zero touch’ with AI-based automation and control. There also needs to be a realization that legacy and on-prem systems will become increasingly risky over time, as almost all security innovation occurs in the cloud.

2. Democratization

Cybersecurity is not something that can be delegated to a CISO with limited budget and authority, who is often forgotten about. It needs to be a responsibility shared by everyone and led by a CISO that has the backing of the board. Skills, too, remain a challenge. In time, automation will help solve the skills gap, but in the interim managed service security providers will play a critical role. In addition to specialist skills, basic security skills will need to be pervasive. Everyone in an organization, from reception to the board room, must understand the metaverse, including recognizing its unique security features and being able to raise the alarm when needed.

3. Embedded security for the metaverse

While security is increasingly being built into all products, services, and procedures, organizations also need to ensure that security is embedded in every process. For business operations to be effective, security needs to be viewed not just as a technology prerogative but as a business imperative. It should be baked in right from the start,
covering people, processes and technology. With organizations looking to jump on the metaverse bandwagon to offer an ‘out of the world’ experience, secure-by-design needs to extend beyond the gates of the enterprise. With most corporations acting as key nodes in the metaverse, security needs to be embedded into contracts with hosting entities.

Business leaders also need to speak the same language as their security counterparts, because their sponsorship will be instrumental in making sure employees and partners become more cognizant of the matter That, in turn, can emerge as a brand differentiator to customers.

The metaverse has the potential to unlock vast new opportunities for enterprises in virtually every sector of the economy. But realizing this opportunity will depend on enterprises investing in the creation of robust security and privacy protocols that build confidence in the space.

That process can’t start soon enough.

Vishal Salvi is the chief information security officer and head of cybersecurity at Infosys.