The metaverse will change the face of trust

By Neville Burdan

As the digital world has evolved, so have mechanisms of trust and verification. Policymakers, regulators, and security professionals need to adapt existing mechanisms and principles of trust and create cybersecurity policy frameworks as the metaverse approaches.

The metaverse will soon pose new challenges for verifying identity and securing interactions. Image: Canva

The metaverse promises to be the next stage of the Internet – an immersive 4D experience which will host commerce, gaming, and new digital environments. Unlike the physical world, which is bounded by nation-state borders and passports, the metaverse will be boundless. And the day will come when we can no longer imagine life without it.

So now is the time to prepare.

Regulators in Singapore and beyond will be faced with developing policy frameworks to guide decision-making to secure the metaverse. Though much was learned from the experience of Internet and cloud adoption, the metaverse will engender new and unexpected kinds of challenges.

As such, it will require a combination of existing trust methodologies, such as zero-trust and digital trust, to ensure it remains a protected space for consumers and businesses.

The challenges of attributing virtual identity


Identity and trust are the foundation of all businesses. When you transact with another person or a business, you trust the person’s identity – be it through one’s username, credit card details, or passport. In the metaverse, we will need to identify and trust not only an individual, but also avatars, or even virtual entities that cannot be linked to a physical being.

And people will take advantage of blind spots, just as they did with the cloud. Over time, we have developed clear security models for the cloud, with shared responsibility models that clearly delineate who takes ownership over each and every security risk. We will soon need to do the same for the metaverse.

The critical challenge regulators will face will be attributing actions to people. If someone steals from you in the metaverse, how do you identify who that person is? If an AI bot impersonating an individual steals from a business, who can we attribute that action to?

This will only get trickier as artificial intelligence reaches near-sentient levels of intelligence. At that point, can we truly attribute the bad actions of such an intelligence to the human who created it in order to protect real people? Though that may be one stop-gap measure, more nuanced regulation will have to be developed for such cases.

We’ve spent hundreds of years linking identity to access, from roll calls and censuses in ancient Rome to usernames and passwords in the age of computing. With the metaverse, we are moving into a world where virtual identities can spin up, wreak havoc, create spinoffs, and be cut down in milliseconds. I don’t believe we’ve even scratched the surface of what may emerge.

Zero-trust mechanisms to protect consumers


Overly onerous regulations will not be the answer to protecting people from bad actors. Rather, people-centric policy will be key.

Right now, zero-trust methods authenticate one’s identity at each step to prevent bad actors from gaining access, so that only the right people access the right data.

From logging into your email to accessing your bank account, multi-factor authentication verifies your identity by sending a one-time password to your phone, giving you a call, or requesting a biometric facial scan.

In the metaverse, each action may require a new level of authentication depending on the risk. If you are wandering around the metaverse, you may not need to verify your identity. However, once you initiate a transaction, you may need to prove you are truly who you say you are through multi-factor authentication.

Zero-trust also delineates different access for different people. In the workplace, nobody has access to every set of documents. Rather, each person’s access is curated by the privileges tagged to their job function. A manager may have access to team modules that an employee might not, for example.

These persona-based policies will be vital for regulators. Once distinct personas have been defined – content creator, gamer, business owner – they can be more easily managed. The personas may then have different actions and options available to them.

This is how countries will be able to regulate access to the metaverse according to their risk appetites, much like how streaming services currently offer different content for different regions and age groups. Soon, there may be different “streams” of the metaverse that meet the compliance requirements of different countries for different personas.
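A sketch of how the risk-based step-up authentication and persona-based policies described above could be expressed as one default-deny decision function. This is an added example, not from the original article; the action names, assurance levels, time limits and region "streams" are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    NONE = 0      # anonymous, e.g. wandering around
    PASSWORD = 1  # single factor
    MFA = 2       # second factor verified (OTP, call, biometric)


# All policy values below are constructed for illustration.
# Action -> (minimum assurance, max age in seconds of that authentication)
ACTION_POLICY = {
    "explore": (Assurance.NONE, None),
    "chat": (Assurance.PASSWORD, 3600),
    "purchase": (Assurance.MFA, 300),
    "publish_asset": (Assurance.MFA, 300),
    "sell_goods": (Assurance.MFA, 300),
}
# Persona -> actions that persona may ever perform
PERSONA_ACTIONS = {
    "gamer": {"explore", "chat", "purchase"},
    "content_creator": {"explore", "chat", "purchase", "publish_asset"},
    "business_owner": {"explore", "chat", "purchase", "sell_goods"},
}
# Region "stream" -> actions switched off by that jurisdiction
REGION_BLOCKED = {"stream_a": set(), "stream_b": {"sell_goods"}}


@dataclass(frozen=True)
class Session:
    persona: str
    region: str
    assurance: Assurance
    auth_age_s: int  # seconds since the last successful authentication


def decide(s: Session, action: str) -> str:
    """Return 'allow', 'step_up' (re-authenticate) or 'deny'."""
    policy = ACTION_POLICY.get(action)
    blocked = REGION_BLOCKED.get(s.region)
    # Unknown action, unknown region or regionally blocked action: deny.
    if policy is None or blocked is None or action in blocked:
        return "deny"
    if action not in PERSONA_ACTIONS.get(s.persona, set()):
        return "deny"
    required, max_age = policy
    # Too weak or too old an authentication triggers a step-up, not a denial.
    if s.assurance < required or (max_age is not None and s.auth_age_s > max_age):
        return "step_up"
    return "allow"
```

A stale MFA result returns `step_up` rather than `deny`, so the user is re-challenged at the moment of the risky action instead of being locked out.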

Digital trust mechanisms to facilitate business


Digital trust will also play a critical role in maintaining the metaverse’s integrity. Digital trust refers to the confidence people have in an organisation’s ability to provide data security. This facilitates trust between companies, which in turn facilitates trade, commerce, and supply chains. When a company suffers a data breach, it can severely undermine the level of trust of consumers and fellow businesses.

One way in which companies build trust with each other is through the blockchain. Companies like Nestle and Walmart use blockchain to digitally record transactions and enable end-to-end transparency. If a case of food contamination occurs, this wealth of data can serve to track the source of the contamination in seconds, reported CNBC.

When businesses begin buying and selling in the metaverse – particularly digital assets like non-fungible tokens – tools like blockchain will be essential for attributing who did what and when. These foundational elements will help make trade between companies seamless.

Countries will also need to agree on shared sets of security standards. Cross-border regulations and intergovernmental agreements are critical to building trusted ecosystems across geographies. For example, many countries and regions, such as the EU, restrict businesses from transferring personal data to other countries that have less adequate data protection regimes.

Virtual worlds will require the same auditing and processing for commerce, as well as security operations centres that can protect commerce from scams. There may need to be automated personas in the metaverse that do the critical work of compliance management.

Zero-trust and digital trust techniques will be critical to protecting people and facilitating businesses within and across metaverses. As different platforms roll out their own metaverses, the lessons we have learned from our experiences with the Internet, with cloud adoption, and with emerging multicloud frameworks will be critical.

Agencies like the Monetary Authority of Singapore already adopt a principle-based, risk-proportional approach to technology adoption in financial institutions. Now is the time to start developing similar frameworks as the metaverse evolves.

Neville Burdan is the APAC Security Leader for DXC Technology and responsible for the Asia Pacific Security business including cyber defense, digital identity, secured infrastructure and security risk management.