How Business Leaders Can Prepare for the Metaverse’s Impact on Identity Governance 

By Martin Kuhlmann, VP of global presales, Omada

The emergence and expansion of the metaverse will change how we interact with others and expand our individual digital footprints. It’s predicted that the metaverse’s market size will reach over $1.6 trillion by 2030 – and businesses will be eager to get a piece of this action.

It’s also going to have an impact on the concept of identity. There have been several conversations about the impact on digital identity and the concept of giving individuals greater ownership in the form of a universal digital identity. While most conversations about the metaverse and identity have centered on the business-to-consumer side, enterprises also need to be aware of how the metaverse will impact their identity strategy related to employees, contractors and business partners.

Prepare for the Metaverse’s Impact on Identity Governance

This is a rapidly emerging situation that furthers the need for ensuring that you have a strong identity governance program in play which keeps the company secure, complies with data privacy, and respects the individual rights of employees and partners.

Expanding digital identities

Today’s consumers are creating new digital identities all the time and/or are using various logins. Even though technologies for restricting the proliferation of  personal data are at hand (think of consent management), businesses are collecting and generating all sorts of data about who their users are.

Despite existing identity federation technologies, enterprises typically generate and maintain “proprietary” identities for their employees, and in most cases for their business partners, as well. In some cases, for example, by using Microsoft Azure guest accounts in the context of B2B collaboration, or country-wide universal education IDs for students in some countries, organizations start trusting third parties for identification and authentication. The governance strategy of many companies still needs to adapt to this situation.

In a metaverse, we expect to move between digital platforms much more seamlessly than today. This requires more advanced portability of identity and authentication, as modeled in Gartner’s “identity trust fabric” (ITF). 

For individuals, it will be a key challenge to control and safeguard their “digital twin” and the information that goes with it. 

For enterprises, questions of trust and governance are imminent and need to be answered in these scenarios, such as:

To what degree – and under which conditions – does an organization trust “universal” or external identities? Who created these and owns them?
How much does the organization trust other parties to store information related to their own employees? 
What is the responsibility of the individual who owns the digital identity? Which parts of identity governance are covered by a trusted identity provider? 
How do governance activities for identities need to be re-thought within an organization? This includes the risks related to “external” authentication, risks identified through external information about the identity, and the access risks within the organization. 
How can an overall risk profile for an identity be created and maintained, and where does this potentially conflict with data privacy?

If enterprises allow their employees to use third-party platforms to a high degree, they need to ensure that disclosure of user data or the possibility of tracking user behavior doesn’t breach privacy or reveal corporate confidential information.

Building a solid identity strategy for the long term

Identity is now at the forefront of many companies’ security strategy – and for good reason. The 2022 Trends in Securing Digital Identities, a study done by the Identity Defined Security Alliance, revealed that 79% of respondents had faced an identity-related breach in the previous two years. The reputational and literal cost of such a breach can be high. The study showed that 78% of respondents who had an identity-related breach claimed it created a direct business impact.

To remain secure and comply with regulations, businesses require complete transparency into the digital personas that are accessing their digital services  and data or collaborating  with their employees. They need to know how reliable and correct identity information is, why and when identities need access, and how they use this access. These are the essential components of identity governance and the building blocks of an Identity Governance and Administration (IGA) strategy.

With the usage of identities across boundaries and for multiple purposes, identity governance will become even more important and challenging. The number of identities having a “digital relation” with an organization will still increase. When working in a “Metaverse-driven” environment, appropriate permissions to use services need to be managed.

Companies must use IGA solutions  to automate access management and to keep control. “Classical” access governance activities, such as the recertification of access rights, are here to stay. But new topics must be addressed: Companies need to judge how safe they consider an identity to be, how reliable the provided identity attributes are, or how much the “digital behavior” of the identity is in line with corporate security requirements, without interfering with personal freedom.   

How to future-proof your IGA

Many companies still lack a proper IGA strategy – and it’s important to ensure that even if you do have a strategy in place, it needs to be made future-proof. 

As an immediate step, you’ll need to have an integrated corporate and B2B IGA strategy, and at the same time, follow the developments of the “identity trust fabric”. To start, ensure you’ve included all the fundamental components to be able to manage identities from different sources. If there’s a new architecture of trust, you need to be prepared for it. 

Looking future-forward

The metaverse holds exciting possibilities for businesses – and security and identity challenges, too. Identity management becomes increasingly complex as identities are used more comprehensively and their number grows. This could put the corporate assets at risk. Identity managers need a clear strategy to ensure that all people that need access to information and services  are who they claim to be and are able to do their work. Use the above recommendations to begin the process of creating a future-proof identity strategy that’s fit for the metaverse.

About the Author

Dr. Martin Kuhlmann heads up the Global Presales Team at Omada. In this position and formerly as Senior Solution Architect, he has been advising strategic customers and designing Identity & Access Management solutions. Martin has been active in the IT Security space for more than two decades and has been a frequent speaker and panelist at international conferences.

As a consultant and strategist, he had a leading role in various security integration projects in large organizations. He specializes in Identity & Access Management and IT governance, risk & compliance. Martin published numerous journal articles and several scientific papers on Role-based access control (RBAC) and application security.

See more breaking stories here.