Analysis
cybersecurity & ID verification

22nd September 2021

If you're one of those who turned to the virtual world of EVE Online during lockdown, you weren't alone. The science fiction MMO (Massively Multiplayer Online) game boasts an active player base of circa 300,000 people. Replicating traditional enterprise structures and roles, the game affords pertinent insight into the cybersecurity challenges facing online and remote businesses, particularly around the thorny issues surrounding identity verification.

CDL's Chief Information Security Officer, Alex Haynes, shares the findings of his research into this world of virtual corporations and points to the lessons that can be drawn for their real-world counterparts.

Because the relationships between corporations and individuals in the game are similar to those we find in society, studying 'in-game' security problems presents a novel way of delving into operational security issues. The research involved interviewing in-game corporation members and leaders at corporations ranging from micro-businesses to those with thousands of active members.

The identity paradigm
As in the real world, recruitment is the first challenge to be overcome – in particular the vetting of new recruits who can't be physically seen. While the process of using checks is the same, including credit checks, background checks and criminal records checks, there is the added challenge that competing candidates could in fact all be the same person. Corporations in EVE Online are operating in a world where people signing up can generate more than one character, potentially from different corporations, and in some cases multiplied further by players with more than one subscription.

Source of truth
In this context, a 'source of truth' is shown to be every bit as important in the virtual world as in the real one. In EVE Online, there is a single source of truth via an Application Programming Interface (API), referred to as ESI (EVE Swagger Interface). Via a permission-based setting, players can opt to share their API key to divulge anything from financial history to in-game mail.

For businesses, and particularly larger ones, finding a master record or directory which will act as a source of truth for an employee's lifecycle and authentication is often the basis for the deployment of good Single Sign-On (SSO) or Federated Identity Programs via Identity and Access Management tools (IAM).

Zero trust
The concept of 'zero-trust' has only recently come to the fore in information security discussions, seen as an important prerequisite to securing a decentralised workforce and infrastructure. While the discussions often centre around logical access controls (such as trusted devices, network source, etc.), they also refer to logical identity.

In EVE Online, zero-trust has been practised for many years when recruiting or working with other corporations – a principle which underpins all interactions. If the player is unknown, then by default, they are not trusted.

Meticulous process
After working through the recruitment process of joining a corporation currently involved in a large conflict within the game, one can categorically conclude that the vetting of new recruits is above par compared to what an employee will experience when joining a real-world company today. Arguably, the only parallel is the vetting applied to government contractors or employees, especially those working in defence or intelligence.

Using the ESI and API keys, corporations will ask players to hand over a permission set that may be considered invasive in the real world, but is de rigueur in EVE. Financial history, in-game mails, contacts and inventory lists (assets) are all handed over to the HR department to pore over for inconsistencies.

Some corporations also go as far as looking for 'meta-data' about the applicant in the 'real' world, tracking down their social media presence, establishing their friends and finding their associated avatars within games to spot connections with rival corporations.

Lessons learned
So, what are the lessons we can take away from this and apply to our context?

The main one is that identity is fundamental to a cohesive operational security strategy. Maintaining a source of truth and federating identity as much as possible will help keep a lid on insider threats and, to a lesser extent, external threats as well. Applying a zero-trust model to any interactions, from the inside or outside, is also key to improving cyber-resilience.

This deep-dive into the world of online gaming provides an insightful reflection of our own world, where market forces, geo-political tensions and competition for resources prove that identity and zero-trust are still paramount in securing our assets, even though we are literally a universe apart.