Securing the Metaverse – Lessons Learned From Cloud Adoption

The hype around the metaverse continues with more questions than answers regarding how cybersecurity, privacy, trust and identity will play a part in enabling metaverse security. Will decentralized identity play a role? How will we secure identities for machines (software, bots, workloads, devices, etc.)? What about copyright laws for NFTs? How will ownership of content be determined? How will these concerns be tackled in the metaverse? While we don’t know all the answers, the adoption of cloud computing, another major development in the digital world, provides many lessons as IT leaders prepare their enterprises for another potential sea change in the way business is done.

The Decade-Long Move to the Cloud has Lessons for Today

Around 10 years ago, many IT visionaries pointed out all the benefits of the cloud, but naturally, it took time to get to where we are now. Despite the cloud’s promise to enhance cost savings, security, flexibility, collaboration and even sustainability, plenty of business leaders were (and maybe still are) hesitant about solely relying on the cloud.

In response, the most reputable cloud service providers, such as Microsoft Azure and AWS, made sure to invest significantly in securing their cloud environments and continue to make massive investments to alleviate any lingering trust, security and privacy concerns of their customers.

Similarly, the metaverse will have to contend with barriers and hesitations to adoption which, for the cloud, took the better part of the last decade. As we look at what the metaverse means for business, there are three lessons we learned from cloud adoption that we can apply today.

Lesson One: Building on Legacy to Support New Environments is a Viable Approach

Cloud security has borrowed from some legacy security best practices, but not all. The cloud is a different environment and requires highly scalable tools.

One example is in the identity and access management area, specifically, managing privileged users. While there is a healthy and growing market for privileged access management (PAM) solutions, many were not built for hybrid multi-cloud environments. That led to the entry of cloud-first tools called cloud infrastructure entitlements management (CIEM), which is essentially PAM, but in the cloud. Some organizations now must run both a legacy PAM tool and a separate CIEM tool to handle both environments.

Securing the metaverse will call for a similar hybrid approach, relying on existing advanced firewalls and multifactor authentication tools, as well as blockchain-based technologies to secure a new wave of decentralized identities. As part of this approach, reliance on public key infrastructure (PKI) technology is needed to secure the metaverse. Digital certificates powered by PKI are the gold standard for establishing digital trust, verifying and securing the influx of digital identities for both humans and smart devices traversing the metaverse. This use of cryptography will be an important technological foundation for the metaverse—and as a result, flawless cryptography monitoring will be imperative to avoiding devastating outcomes, such as outages and cyberattacks.

Of course, this increased usage of digital certificates creates a heavy need for automated certificate life cycle management (CLM) solutions to help manage this massive new set of decentralized identities; without them, organizations will quickly find themselves unable to manage new workflows in a scalable manner.

Lesson Two: Trust is Earned by Investing in Security

Cloud operators take security seriously and, as such, many of them have tried-and-tested people, processes and technology. Yet, it took a long time for organizations to put their trust in cloud operators.

One of the biggest concerns from cloud skeptics centered on the security of sensitive data and information. These worries, however, were misplaced: Many cloud operators leverage technology and infrastructure that few organizations could afford to build and maintain on their own. On top of that, Gartner predicts that 99% of cloud security failures from now until 2025 will be the customer’s fault, which means when something goes wrong, it’s probably not AWS or Azure’s fault.

Managing Sensitive Data in the Metaverse

Just as cloud operators had to deploy innovative security measures to reassure customers that their data would be secure, the businesses responsible for managing sensitive data in the metaverse will need to prioritize security measures to ensure safety and build trust with their users. Effectively managing legislative compliance needs will be key to this effort in a world where new laws and regulations around data privacy and security are proposed regularly.

Lesson Three: Data Sovereignty and Data Storage Must Be Carefully Navigated

As data sovereignty laws evolve, many security leaders are kept up at night with nervous thoughts about where their cloud data is actually stored and whether it’s in a location they can trust and that is in compliance with client requirements or local legislation. Think of a law firm whose clients are very particular about the country in which their privileged data is domiciled. That firm needs to have a very clear understanding of where their cloud vendor is storing their data.

Cloud operators, for their part, continue to launch multiple cloud data centers in numerous jurisdictions around the world, to prove that their client data is stored in appropriate locations.

The metaverse will follow a similar path, as it pertains to trust and security. The sheer management of so many identities is a challenge and will require sophisticated CLM capabilities to deal with onboarding/offboarding to the metaverse in a way that respects data sovereignty requirements.

Getting Security Sorted as the Metaverse Takes Shape

As businesses start to transact in the metaverse, identity-first security must be put at the center of security design. With billions of complex digital identities to protect, the success of the metaverse will hinge on the safe management not only of these identities but also of the underlying trust technology that secures its cryptographic keys and certificates.

We didn’t know all the security and trust issues that the cloud would need to address when it first gained prominence a decade ago. Similarly, while we can anticipate some security challenges that already exist within the metaverse, others will only be apparent with further use.

Organizations would be well served to ensure that they have an identity-first security strategy to prep for establishing digital trust and conducting business safely in this new connected world as it takes shape. Lessons from the move to the cloud should not go unheeded as this next chapter in the story of the metaverse unfolds.


David Mahdi

David Mahdi is Chief Strategy Officer and CISO Advisor at Sectigo. In his role, David leads the company’s overall strategy, direction, and M&A efforts to expand its leadership in the digital trust space. With 20+ years of experience in IT security, most recently serving as Vice President and Analyst in Security and Privacy at Gartner, David has helped large organizations tackle digital transformation projects in the digital trust, identity, cryptography, and cybersecurity spaces.
