Still the next frontier for tech companies in the future, the consolidated metaverse looms closer as big tech companies jockey for strong starts while enterprises look to this new area of business.
However, as with any other form of tech that deals with data, cybersecurity is again a key issue. So, how does metaverse cybersecurity stack up against the criminals looking to take advantage of the new business landscape?
“Be it in physical or digital spaces, or even an unregulated world like the metaverse, platforms that allow us to interact and trade with others are attractive targets for cybercriminals. After all, cybercriminals never waste an opportunity to strike,” commented David Rajoo, head of systems engineering, Palo Alto Networks, Malaysia, when speaking about immediate and primary security concerns in the metaverse to Tech Wire Asia.
He noted that the intersection of physical and digital realities in the metaverse points towards the likelihood of digital information existing in physical spaces, which means that digital security incidents may very well have far-reaching consequences in the material world as well.
Metaverse cybersecurity – immediate concerns and challenges
As it stands, today’s economy already has a critical need for people to verify and secure their digital identities to ensure that their personally identifiable information (PII) cannot be misused or sold. According to Rajoo, in an unregulated environment like the metaverse, this security concern will only be heightened, as the expanded use cases for digital identities will make them even more attractive for cybercriminals to exploit.
“It’s also likely that consumers will require some kind of wearable hardware, such as smart glasses or headsets, to be fully immersed in the metaverse. Mainstream adoption of these connected devices will translate to an inevitable broadening of the attack surface, which could result in more vulnerabilities and opportunities for cyberattacks if not adequately secured,” he said.
He added that organizations looking to enter the metaverse have to be mindful of how different devices and parties will interact in this unfamiliar environment, as opportunistic cybercriminals will view the metaverse as another platform to execute the same cyberattacks.
With regards to whether current cybersecurity measures were enough for the metaverse, Rajoo believes that there are shortcomings and problems that have to be addressed, and that cybersecurity has to be integrated into the infrastructure and framework as early as when the code is being built.
“The shortcomings of Web 2.0 raised public awareness on the importance of data privacy and personal information. For the convenience of online services, people allow centralized servers to collect and store their identities, browsing behaviors, personal data, and information,” explained Rajoo.
“The entry of tech giants like Meta and Microsoft will definitely bring an inflow of capital and brilliant innovators together to build the security infrastructure of the metaverse. Their visions for the metaverse might be varied, but providing strong identity security should be the common priority of metaverse builders,” said Rajoo, who also called on regulators to keep an eye on this emerging technology to ensure it is well-understood, but without impeding or slowing down the innovation needed for it to thrive.
Security and privacy – where is the line drawn?
Rajoo shared that digital transactions on personal devices, especially going into the metaverse, heightens the risk of financial loss due to increased permissionless approaches.
“Permissionless approaches ensure a seamless experience in the metaverse by sharing users’ identities and information automatically to the open source. The implementation of block-chain/decentralized technology is seen as a solution to secure metaverse identity whilst protecting users against fraud.”
“Moving into the metaverse, facial features and biometric data will be potentially exposed to the identity thieves who steal the personal and financial information of another person to commit fraud, such as making unauthorized transactions or purchases,” said Rajoo.
One way to combat this, he believes, is through Palo Alto’s Zero Trust Framework for validation and verification.
For Rajoo, implementing Zero Trust leverages control and visibility to the digital ecosystem from identity, application and IoT to network, cloud, and more. He pointed out that an effective Zero Trust Framework validates and verifies everything, enforces the least-privilege access to the sensitive data segments. With visibility, the security system will scan all the content for malicious activity and possible data theft to ensure safe and secure transactions.
“At Palo Alto Networks, we believe that privacy is important for customers’ trust. We are accountable and responsible for the protection of personal information that is entrusted to us. We implement technical, organizational and physical security measures to ensure an appropriate level of security for every personal information we collect. Besides, we make sure our customers are well-informed when collecting their personal information for specific and legitimate business purposes, and we honor their preferences,” said Rajoo.
Decentralising metaverse cybersecurity
Rajoo also believes that the advent of Web3, which aims for a pro-privacy, anti-monopoly web through decentralization, will effectively address the issue of data privacy by returning users’ identities to the rightful owners, while dramatically reducing hacks and data breaches.
As the metaverse touts a unified community of users connecting one another in virtual cyberspace, this will likely mean the collection of more data from users. Rajoo explained that in today’s digital landscape, millions of data and identities are created and stored on centralized systems which creates central points of attack. Many have raised concerns about the lack of effective security solutions for centralized technologies providers to securely store user data.
“As we are moving into automation, the implementation of AI and ML to cybersecurity solutions will further enhance the effectiveness to analyze user access and behavioral patterns at a larger scale, and effectively prevent the increasing unknown threats in the metaverse,” added Rajoo, who also believes metaverse builders and providers must prepare for a decentralized identity framework to enhance users and data protection.
Food for thought for businesses and users
With businesses looking to set up storefronts and advertise on the metaverse, Rajoo noted that, it is imperative that they think about brand reputation, intellectual property, and how to identify fraud and abuse right from the onset. They will need an ironclad strategy that offers complete visibility on how people and other organizations will interact with them, and ensure that security is baked in all steps of their approach, from the planning stages all the way through to the running phase.
“Organizations should look to protect the data they collect and vet the third parties which they share data with, whilst applying the principle of “Trust nothing, validate everything”, or Zero Trust. This requires parties to continuously validate every stage of digital interaction, rather than relying solely on authentication and authorization to combat the exfiltration of sensitive data,” said Rajoo.
He also reminded organizations to be mindful of how different devices and parties will interact in the unfamiliar environment that is the metaverse, citing the need to establish a well-coordinated architecture and implement solutions that validate, authenticate, and apply threat prevention capabilities across their entire infrastructure. This, he said, will help organizations to identify potential threats and double down on areas that are especially vulnerable.
For users, he noted that the metaverse is like any social interaction online, where users should think about what and how they share their data.
“The metaverse could help companies to serve hyper-personalized, targeted ads to consumers, based on their interactions, likes and other information gleaned from what they post and share. This type of information, when overshared, could be used by cybercriminals to take over accounts and steal identities,” he said.