Is your blockchain technology secured?
A blockchain is arranged in data batches or 'blocks' that use cryptographic validation to link them together.
Adoption of blockchain technology remains a top agenda for the UAE government and then subsequently to the private players, but how do we ensure the security of the data given that by 2020 almost 100 per cent of government transactions will be digital in the nation.
A blockchain - a ledger of records - arranged in data batches or "blocks" that use cryptographic validation to link them together. The ledger is then distributed in a way that anybody with an interest can maintain a copy of it at the same time. Blockchain is a critical component of the digitalisation of the economy. When adopted, it will certainly revolutionise a variety of businesses. But the success of blockchain will greatly depend on how robust cybersecurity is to ward off threats from all directions.
"The key components to keep in mind when securing blockchains are: Access control and privacy, secure key management and DDoS (Distributed Denial of Service) protection against attacks," says Kalle Bjorn, director - Systems Engineering at Fortinet.
"We provide a security fabric that provides the powerful tools needed to integrate security capabilities and communicate threat information across the whole infrastructure in order to rapidly identify and negate cybercriminals."
Blockchain technology is mostly known for its relation to digital currencies, however it can also be used for contract management, title and deed management and other transactional operations that demand a high degree of certainty as far as what happened, when, and who was involved. Think of a simple service contract where two parties enter into an agreement. The cost per blockchain transaction is extremely low. This is particularly true when compared to credit card or bank account transactions. If a bank decides to purchase credit card operations from another bank, they have to be integrated into the purchaser's IT environment. It happens. But the cost to do so can be tremendous, and can take a great deal of time.
Blockchains can be used almost anywhere where a contract is required. There are new services and business models being created around the blockchain. ICOs or Initial Coin Offering, can be used to raise funds for a project instead of the traditional IPOs or crowdfunding.
Bjorn cautions that security technologies will have to adapt to the security needs of blockchain technology. The inherent operation may be relatively secure through the use of encryption and strong algorithms, but cybercriminals will inevitably find the weak links of the blockchain system and attack them.
While blockchain technology guarantees integrity, security components such as access control and privacy are things that need to be overlaid. It is important that all participants be protected from unauthorised access. So, in a permissioned blockchain, outsiders should not be able to tamper with the ledger. Therefore, the administrator of the permissioned blockchain must minimise its attack surface. In practical terms, this means that every participant is a target, and that traffic to and from participating entities must be protected using policies.
Stuart Davis, Middle East director, Mandiant at FireEye, says that one of the main concerns with blockchain technology is securing the private keys that are used to unlock the blockchain. "It is the owner's responsibility to keep it safe and far away from criminals because once a private key is stolen, it doesn't matter how secure the blockchain is. In addition, many industries and companies are interested in adopting blockchain applications but lack institutional expertise to develop and implement a blockchain-based solution in-house. A blockchain-as-a-service market provides the technology for specific use cases in various industries. However, the value of these services is only as strong as the vendor providing the service, and in this developing market and evolving cyber-crime landscape, one should carefully select vendors and ensure their credibility," he says.
Davis also stresses that blockchain technology is being considered as a game-changer in the cyber-security industry by many professionals. The decentralised consensus nature of the technology makes it very difficult to break at its core, as it eliminates centralised servers which are easier to breach and are mainly targeted by criminals. It provides organisations with confidentiality, integrity, and authentication for information. However, it's worth remembering that an organisation's assets are only as secure as the organisation itself. It is crucial for companies to know that security starts with culture and core processes, not with the technology that is implemented. There needs to be a certain level of security awareness and readiness amongst all employees to have an effective security defence. The access control and privacy, secure key management and DDoS are secured covers when it comes to providing security in blockchain.
Under the access control and privacy, when used by a consortium or private entity, most enterprise blockchains will be permissioned. In such blockchains, a governance structure has to be defined. This structure ensures which users can view or update the blockchain, and how they can do it. This establishes a consensus process that is controlled by a pre-selected set of nodes and predefined rules of governance. For example, if you have a financial organisation of 25 institutions, you may want to establish a rule requiring that at least 15 of them must sign a block in order for the block to be valid.
Similarly, under the secure key management a secure blockchain application requires the secure management of user private keys. Insecurity of keys can severely impact the confidentiality and integrity of data. Therefore, the same technologies that are typically put in place to address such concerns elsewhere should be used to secure these keys. Blockchain by itself doesn't make establishing this sort of control any easier or harder than with other technologies. The protection of these can be ensured using a variety of methods, including physical access control, network access control, and a key management solution that includes generation, distribution, storage and escrow, and backup etc.
Finally, under the DDos blockchain transactions can be easily denied if participating entities are prevented from sending transactions. A DDoS attack on an entity or set of entities, for example, can totally cripple the blockchain organisation and the attendant infrastructure. Such attacks can introduce integrity risks to blockchain by affecting such things as consensus. Therefore, blockchain architects must work with their security counterparts to ensure the availability of the infrastructure via such methods as building strong DDoS attack mitigation directly into the network.