Beneath the buzz, the metaverse is arriving in both predictable and unexpected ways.
Some new experiences using headsets and mixed reality will be in your face – quite literally – but other implications will be harder to spot. As with all new categories, we’ll see intended and unintended innovations and experiences, and the security stakes will be higher than we imagine at first.
There is an inherent social engineering advantage with the novelty of any new technology. In the metaverse, fraud and phishing attacks targeting your identity could come from a familiar face – literally – like an avatar who impersonates your coworker, instead of a misleading domain name or email address. These types of threats could be deal breakers for enterprises if we don’t act now.
Because there will be no single metaverse platform or experience, interoperability is also crucial. Trust cannot end at the doorway of a virtual meeting space, for example – it must extend to the interactions and apps within – otherwise security uncertainty will hobble people wondering what to say or do in a new virtual space and create gaps that can be exploited.
Which brings us to the importance of these early days for the metaverse: We have one chance at the start of this era to establish specific, core security principles that foster trust and peace of mind for metaverse experiences. If we miss this opportunity, we’ll needlessly deter the adoption of technologies with great potential for improving accessibility, collaboration and business. The security community must work together to build a foundation to safely work, shop and play.
So what can we expect — and how can we create a trusted environment in the metaverse?
It’s important to remember that history often repeats itself
Technology shifts have a way of seeping in while we’re looking the other way. Consider the fact that real estate booms in virtual worlds aren’t new – coveted dot-com domain names were hot with brokers and speculators in the 1990s.
The early World Wide Web would indeed revolutionize commerce, but it would do so in ways many did not fully anticipate in the 1990s. Meanwhile, the ease of setting up a website also led to a gold rush of fraud with knock-off domains impersonating banks, government agencies and household brand names. These problems persist to this day.
We have seen this cycle play out again and again. When Wi-Fi was first available on laptops, corporate security teams were wary of embracing it. Before long, you could not buy a laptop without Wi-Fi –whether your organization accounted for wireless in security policies, or not.
When the iPhone and Android phones exploded onto the scene, they became a massive catalyst for BYOD (bring your own device) policies in the workplace. Almost overnight, personal devices became a new category and organizations had to catch up. We can logically expect metaverse-influenced features and experiences to arrive at enterprises in much the same fashion.
Let’s learn from these lessons and stay ahead of the curve
We’ve long known that security is a team sport, and no single vendor, product or technology can go it alone in protection. The culture of information-sharing and collaboration in the defender community today has been a monumental achievement that did not happen overnight. Today ISPs, cloud providers, device manufacturers — even industry rivals in these markets — recognize the need to work together on security issues.
Sitting now at the gateway of a new dimension in technology, it’s critical to align on key priorities to help secure the metaverse for generations — and identity, transparency and a continued sense of unity among defenders will be key.
Identity is where intruders strike first
For years fraudsters have claimed to be deposed princes with fortunes to share, or sweepstakes hosts desperately trying to reach you, but the advent of email and text messaging re-franchised these schemes for the digital world.
Play this forward, and picture what phishing could look like in the metaverse. It won’t be a fake email from your bank. It could be an avatar of a teller in a virtual bank lobby asking for your information. It could be an impersonation of your CEO inviting you to a meeting in a malicious virtual conference room.
This is why solving for identity in the metaverse is a top concern. Organizations need to know that adopting metaverse-enabled apps and experiences won’t upend their identity and access control. This means we have to make identity manageable for enterprises in this new world.
Constructive steps include making things like multi-factor authentication (MFA) and passwordless authentication integral to platforms. We can also build on recent innovations in the multicloud arena, where IT admins can use a single console to govern access to multiple cloud app experiences their users rely on.
Transparency and interoperability will be key
There will be many providers of platforms and experiences in the metaverse, and true interoperability can make the gaps between them seamless and more secure — while enabling exciting new scenarios. Think of bringing your virtual PowerPoint presentation into a client’s virtual meeting room, even if it’s operating on a different platform.
Transparency can help enable this every step of the way. New platforms usually run a tough gauntlet once they arrive in enterprises at scale — that is often when security researchers really begin probing code, features and product claims.
Metaverse stakeholders should anticipate security questions and be prepared to jump on any updates. There must be clear and standard communication around terms of service, security features like where and how encryption is used, vulnerability reporting and updates.
Transparency helps accelerate adoption — it speeds the learning process for security.
Our strongest defense is working together
The problems of yesterday’s and today’s Internet — impersonation, attempts to steal credentials, social engineering, nation state espionage, inevitable vulnerabilities — will be with us in the metaverse. And it will take the same security community of good faith, norms and teamwork to anticipate and respond to them.
The strides we’ve made across the tech industry in cooperating against threats as the stakes have risen in recent years remains a cornerstone for security as metaverse platforms and experiences begin to shape the future.
Security researchers, chief information security officers and industry stakeholders also have an opportunity to understand the terrain of the metaverse as adversaries do — and use it to our advantage. Metaverse platforms will likely create and generate entirely new data streams with the potential to improve authentication, pinpoint suspect or malicious activity or even revisualize cybersecurity to help human analysts make decisions in the moment.
As with any new frontier, high expectations, fierce competition, uncertainty and learning on the fly will define how the metaverse evolves — and the same is true for securing it. But we do not need to predict the ultimate impact of the metaverse to recognize and embrace the security and trust principles that make the journey a safer one for all.
Let’s make the lessons we’ve learned about identity, transparency and the security community’s powerful collaboration our top ideals to enable this next wave of technology to reach its full potential.
The post The metaverse is coming. Here are the cornerstones for securing it. appeared first on The Official Microsoft Blog.