Strengthening the Security Fabric of Blockchain

Blockchain is a shared and continuously reconciled database used to maintain a list of digital records, called blocks. It is quickly becoming an important tool not just for financial information, but also for managing and recording virtually all types of data, such as medical and other records, identity management, and transaction processing.

Because a blockchain database is distributed and interconnected, it provides several essential services. The first is transparency. Because data is embedded within the network as a whole, it is by definition public. The second is that it is difficult to corrupt because altering any unit of information on the blockchain would also modify all subsequent blocks unless huge amounts of computing power are used to override the entire network. Next, because it is distributed, it cannot be controlled by any single entity. And for that same reason, it also has no single point of failure.

While blockchain was first adopted by BitCoin to manage and secure transactions, mainstream organizations were skeptical and slow to adopt it. But according to the recent PwC Global Fintech Survey 2017, blockchain is now moving out of the lab.  77% of organizations surveyed now expect to adopt blockchain as part of an in production system or process by 2020.

Key capabilities of blockchain include:

• Mutual:
  • A blockchain is shared across organizations,
  • Owned equally by all, and
  • Dominated by no one.
• Distributed:
  • Blockchain inherently uses a multi-locational data structure,
  • And any user can keep his or her own copy.
• Ledger-based:
  • Blockchain units are immutable, meaning that once a transaction is written it cannot be erased,
  • And because the ledger is public, its integrity can easily be proven.

Blockchain technology by its nature establishes assurance, and significantly reduces the need for processes and controls for reconciliations, confirmations, and identity.

As a result, a Blockchain infrastructure is essentially a permanent timestamping engine for computer records. These timestamps can be used for such things as proving that data elements were entered at or before a certain time, and that they have not been altered.

Attack Surface of a Private, Permissioned, or Consortium Blockchain

Blockchain technology does not include the built-in functionality of user roles or access controls. Because everyone has the ledger, everyone can read it. Roles and access controls are something that can always be added at the application layer.

In an un-permissioned blockchain, like those used for cryptocurrencies such as BitCoin, anyone can access and update the blockchain. Everyone has permission. New transactions are added to the ledger and inconsistencies resolved by a scheme in which users with the most resources win.

For permissioned or consortium based blockchains, however, organizations will need to run them within a secure environment, such as a security fabric architecture, that can provide essential services across the entire distributed environment, such as access control, privacy, key management, and protection against attacks such as denial of service.

Security Fabric Component 1: Access Control and Privacy

When used by a consortium or private entity, most enterprise blockchains will be permissioned. In such blockchains, a governance structure has to be defined. This structure ensures which users can view or update the blockchain, and how they can do it. This establishes a consensus process that is controlled by a pre-selected set of nodes and predefined rules of governance. For example, if you have a financial organization of 25 institutions, you may want to establish a rule requiring that at least 15 of them must sign a block in order for the block to be valid.

While blockchain technology guarantees integrity, security components such as access control and privacy are things that need to be overlaid. It is important that all participants be protected from unauthorized access. So, in a permissioned blockchain, outsiders should not be able to tamper with the ledger. Therefore, the administrator of the permissioned blockchain must minimize its attack surface. In practical terms, this means that every participant is a target, and that traffic to and from participating entities must be protected using policies.

Security Fabric Component 2: Secure Key Management

A secure blockchain application requires the secure management of user private keys. Insecurity of keys can severely impact the confidentiality and integrity of data. Therefore, the same technologies that are typically put in place to address such concerns elsewhere should be used to secure these keys. Blockchain by itself doesn’t make establishing this sort of control any easier or harder than with other technologies. The protection of these can be ensured using a variety of methods, including physical access control, network access control, and a key management solution that includes generation, distribution, storage and escrow, and backup etc.

Security Fabric Component 3: Distributed Denial of Service (DDoS)

Blockchain transactions can be easily denied if participating entities are prevented from sending transactions. A DDoS attack on an entity or set of entities, for example, can totally cripple the blockchain organization and the attendant infrastructure. Such attacks can introduce integrity risks to blockchain by affecting such things as consensus. Therefore, blockchain architects must work with their security counterparts to ensure the availability of the infrastructure via such methods as building strong DDoS attack mitigation directly into the network.

Conclusion

Blockchain is a critical component of the digitalization of the economy. When adopted, it will certainly revolutionize a variety of businesses. But the success of blockchain will greatly depend on how robust cybersecurity is to ward off threats from all directions.