John Donegan, Enterprise Analyst at ManageEngineBlog

What will the metaverse entail for enterprise security?

By John Donegan, Enterprise Analyst at ManageEngine

The “metaverse” first entered cultural vernacular in 1992 when Neal Stephenson’s dystopian science-fiction novel “Snow Crash” hit bookshelves. Snow Crash’s metaverse described a virtual world — one that humans visit via augmented reality, the internet, and eye goggles.

Just like Mark Zuckerberg’s vision, the characters in “Snow Crash” enter the metaverse embodied in an avatar of their choosing and use encrypted electronic currency to buy virtual real estate in the metaverse — much like what is happening today on blockchain-enabled VR platforms, like Decentraland and Sandbox.

According to Meta’s blog, the metaverse is “the next evolution of social connection.” Zuckerberg explains that: “You can think about the metaverse as an embodied internet, where instead of just viewing content, you are in it.” Zuckerberg, and others, see the metaverse as the next iteration of the internet.

ManageEngine named a Niche Player in 2021 Gartner Magic Quadrant
ManageEngine introduces unified endpoint management for MSPs

It’s important to note that Meta is not the only company currently building out the metaverse. Deep-pocketed players, including Google, Roblox, Microsoft (“Minecraft”), and Epic Games (“Fortnite”), all have substantial metaverse footholds. Additionally, there are smaller, more egalitarian entities in the space, namely, Mysilio and Uhive.

In fact, the metaverse wave has already reached the Philippines. More companies are offering virtual experiences: food festivals, games, and concerts, to consumers on popular meta­verses. Just this year, the Union Bank of the Philippines (UnionBank) embarked on a journey to become the first Philippine bank in the Metaverse. And much like the dot-com boom in the 1990s, when people rushed to buy up domain names, there will be more organizations within the country buying non-fungible tokens (NFTs) and planting their corporate flags in the metaverse.

Privacy, security

Without being overly alarmist, it’s worth examining what the creation of this metaverse will entail from privacy, security, and public policy standpoints.

The metaverse will be hard to police
. In March 2021, an employee memo from Meta CTO Andrew Bosworth admitted that moderating people’s behavior in the metaverse “at any meaningful scale is practically impossible.” Granted, this was over a year ago, but it is certainly worth noting.

Historically, Meta has not been able to reign in the widespread, well-documented negative societal effects plaguing their legacy businesses, especially Facebook and Instagram. Also, potential addiction, rampant harassment, and assault aside, most transactions in the metaverse will run on the blockchain. Since blockchain technologies are generally unregulated (there’s not a centralized authority to recover stolen assets), it remains to be seen how theft will be policed in the metaverse.

Stakeholders hope to learn from the early days of the internet. 
To be sure, the internet’s nascent days revolutionized commerce; however, this didn’t happen seamlessly. For example, websites in the early 1990s were littered with scams. Bad actors took advantage of users’ unfamiliarity with the technology; they created sites to impersonate banks, organizations, and other entities. Undoubtedly, phishing campaigns, crypto-jacking, and other scams will be prevalent in the metaverse as well.

Security and privacy concerns abound.From a security perspective, the cyber attack surface will expand significantly. There will be IoT (Internet of Things) devices and wearables from multiple vendors; sensors will collect data all throughout offices and homes, and metaverse companies will actively process a colossal amount of user behavior in real-time. As mentioned before, the use of avatars will make it easier for bad actors to commit fraud, and the prevalence of cryptocurrency transactions will make it easier for them to hide their ill-gotten gains.

Identifiable information

Things are equally concerning from a privacy perspective. Companies that run the metaverse will use AR/VR (augmented reality/virtual reality) devices that collect a ton of personally identifiable information (PII), including financial and personal data. After all, how else will the businesses and organizations in the metaverse verify who we users are? Even more problematic is the fact that many of these businesses will want to collect biometric data, such as fingerprints and facial recognition.

This all constitutes a level of personal data collection that is not currently socially acceptable; however, in a few years, who knows? As we’ve seen, when it comes to giving up personal data, the public eventually acquiesces. It can be a bit of a slippery slope. The metaverse may well be a catalyst for an AI Act or a national digital privacy act that prohibits the sale of user data to third parties. Until then, however, these remain troubling, open questions that will be answered by metaverse players and market dynamics rather than legislation.

ManageEngine is the IT management division of Zoho Corp. and offers flexible solutions that work for all businesses, regardless of size or budget. ManageEngine crafts comprehensive IT management software, from network and device management to security and service desk software.