The metaverse and Web3 could fail without identity-first security prin

As the digital world takes over nearly every aspect of our work and personal lives, 2022 continues to be a foundational year for enterprise leaders to prepare their cybersecurity technology stacks for the future. We live in a fast-paced digital world that is experiencing:

  • Rapid digital transformation and cloud adoption, which has disrupted and introduced new business models.
  • A changing geopolitical landscape that has impacted our physical and digital lives by way of new digital privacy laws and regulations on cryptocurrencies and related technologies.
  • Cunning and destructive cyberattacks (notably leveraging identity) that continue to disrupt businesses daily.
  • Hype regarding the metaverse, Web3, crypto, and decentralization, all of which come with new cybersecurity, privacy, and governance concerns.

IT leaders should not get lost in the hype. In my experience, many still rely on computing and security paradigms that are not compatible with a cloud and Web3 world: in the enterprise, traditional security methods treat firewalls and network perimeter controls as the main line of defense.

In the past this approach was adequate, because few users were remote or needed to reach external hybrid multi-cloud resources, so users, their devices, and their applications were implicitly trusted once they were connected to the network. Yet for years before the pandemic a growing number of users were already accessing corporate networks remotely. Trust granted simply for being on the network is exactly what attackers exploit: a compromised account or device inside the perimeter inherits that trust and can be used to reach sensitive corporate data.

In a world of mobile users and hybrid multi-cloud, the traditional firewalled network is no longer a position of power and trust. Attackers typically compromise trusted accounts (identities) and use them to reach critical enterprise resources; trust can no longer be assumed.

This is the impetus behind "zero trust." At a high level, the spirit of zero trust is to authenticate and authorize every human or non-human entity on every request for access to corporate resources, regardless of where on the network the request originates.

While the hype around zero trust has helped to create awareness, I believe IT leaders must evolve to focus on the most critical element: identity. This includes the identity of humans, like employees, contractors, and customers, and non-humans—dubbed “machines”—such as devices, applications, and bots. According to CyberArk, “machine identities now outweigh human identities by a factor of 45x on average.”

I believe identity is the new perimeter, and IT leaders should embrace new paradigms of security and identity. Identity-first security and identity system defense, terms Gartner introduced in 2021 and 2022 respectively, put identity at the center of security design. Modern IT environments should focus on establishing digital trust for the massive and growing population of human and machine identities.

Forging ahead, I believe the metaverse and Web3 are clear examples of evolving technologies that will enter the mainstream soon and cause further disruption. As enterprises embark on this next phase, they should ensure they focus on strengthening the notion of digital identity, as it is the bedrock of trust for all entities.


Web3 promises a solution to privacy, security, and control. Web3 is all about decentralization, typically enabled by blockchain technologies. Rather than critical web services being hosted on centralized systems run by companies like Google and Amazon, Web3 services are decentralized, hosted on computers spread around the world.

We leave a trail of valuable identity information with every click, and the hope for Web3 is that users will have more control over their data. Control and consent, I believe, will be exercised through intuitive interfaces such as digital wallets that let users understand, control, and consent to what information they share online.

Web3 will come with a notion of digital identity. Establishing, verifying, and authenticating digital identities will form the foundation of security and privacy for the ecosystem. Specifically, mobile identity wallets (in the mold of Apple Pay and Google Pay) will play a critical role in how users interact with Web3-based environments daily. Enter decentralized identity, or as Gartner calls it, DCI.


Businesses will eventually adopt the metaverse, Web3, and decentralization technologies. However, for all the hype, I believe there is little understanding about how to keep this new world secure and establish digital trust in the identities of machines and humans interacting with digital services.

It fundamentally comes down to identity-first security: knowing who and what you are dealing with. That requires establishing and maintaining digital trust in humans and machines.

I believe the way forward to scalable identity-first security is to leverage cryptographic keys and digital certificates, the proven foundation for establishing digital trust.

The physical-world analog of a certificate is a national passport: a trusted authority vouches for the holder's identity in a document that others can check. A certificate does the same for humans and machines, binding an identity to a public key under the signature of a trusted issuer, so it can act as a "passport" for both. Certificates are already all around us securing digital business, and they will continue to evolve to power identity-first security for digital businesses, whether Web3-based or not.

While there are still many questions to be tackled, I believe one thing is certain: Identity-first technologies such as cryptographic keys and certificates will be critical infrastructure for the metaverse and Web3 to ensure the billions of identities are trusted.

Just as critical, I believe, will be rigorous monitoring of this cryptography: where it is deployed, when each certificate expires, and which keys and algorithms it relies on. A single expired certificate or a weak key or algorithm can result in disruptive outages, breaches, and cyberattacks.
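The monitoring described above has to be concrete to be useful, so here is an added example, written for this page and not the author's or Sectigo's code, in Go: it generates a constructed private root and four leaf certificates, then audits each one against a fixed date for chain validity, time to expiry, weak signature algorithms, and undersized RSA keys. Every name, date, key size and the 30-day warning threshold are made-up assumptions for the demo; in a real inventory the certificates would come from hosts, load balancers and signing stores rather than being generated in place.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// auditCert returns the problems a monitoring job should raise for one certificate as of
// now: a broken chain to the trusted roots, expiry within warnDays, a weak signature
// algorithm, or an RSA key under 2048 bits. An expired certificate produces both a chain
// failure and an expiry finding, since Verify enforces the validity window too.
func auditCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time, warnDays int) []string {
	var problems []string
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		problems = append(problems, "chain verification failed: "+err.Error())
	}
	switch remaining := cert.NotAfter.Sub(now); {
	case remaining <= 0:
		problems = append(problems, fmt.Sprintf("expired %s ago", -remaining))
	case remaining < time.Duration(warnDays)*24*time.Hour:
		problems = append(problems, fmt.Sprintf("expires in %d days", int(remaining.Hours()/24)))
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		problems = append(problems, "weak signature algorithm: "+cert.SignatureAlgorithm.String())
	}
	if k, ok := cert.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("weak RSA key: %d bits", k.N.BitLen()))
	}
	return problems
}

// must aborts on a setup error; every key and certificate below is generated locally for the demo.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl for public key pub with parentKey and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, pub interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// runAudit audits a constructed inventory (one private root, four leaves) as of a fixed date; problems are keyed by common name.
func runAudit() map[string][]string {
	now := time.Date(2022, 6, 1, 12, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	weakKey, err := rsa.GenerateKey(rand.Reader, 1024) // deliberately below the 2048-bit floor
	must(err)
	root := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Internal Root"},
		NotBefore: now.Add(-150 * day), NotAfter: now.Add(3650 * day),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := issue(root, root, caKey, &caKey.PublicKey) // self-signed
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	inventory := []struct {
		cn         string
		start, end time.Duration // validity window relative to now (constructed)
		pub        interface{}
	}{
		{"healthy.example.internal", -30 * day, 365 * day, &leafKey.PublicKey},
		{"expiring.example.internal", -355 * day, 10 * day, &leafKey.PublicKey},
		{"expired.example.internal", -366 * day, -day, &leafKey.PublicKey},
		{"weak-key.example.internal", -30 * day, 365 * day, &weakKey.PublicKey},
	}
	result := map[string][]string{}
	for i, e := range inventory {
		cert := issue(&x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 2)), Subject: pkix.Name{CommonName: e.cn},
			NotBefore: now.Add(e.start), NotAfter: now.Add(e.end), KeyUsage: x509.KeyUsageDigitalSignature,
		}, ca, caKey, e.pub)
		result[e.cn] = auditCert(cert, roots, now, 30)
	}
	return result
}

func main() {
	for name, problems := range runAudit() {
		fmt.Printf("%-26s %v\n", name, problems)
	}
}
```

Run it with `go run`. The expired leaf is reported twice (chain failure plus expiry), which is deliberate: chain verification on its own says nothing about the certificate that expires in ten days, and it accepts the 1024-bit key, so expiry and key-strength checks have to run alongside it rather than be inferred from it.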


Web3 and the metaverse carry promise, but I believe we must start with a solid foundation of security and privacy by design; otherwise the potential is limited. The good news is we have learned a lot about cyberattacks, and many Web3 approaches are starting with identity in mind, such as Concordium. In addition, tech titans like Microsoft are investing in decentralized identity to help securely enable both centralized and decentralized environments.

Now is the time to think about the exciting possibilities these interactive technologies bring to businesses. They can only succeed if they are trusted, and that starts with identity-first cybersecurity.

David Mahdi is the Chief Strategy Officer and CISO Advisor at Sectigo.
