In the last couple of months, we have witnessed tremendous momentum behind blockchain technologies, with new corporate alliances and start-up ventures emerging in all corners. Even though there is still wide contention as to the exact timing of diffusion (adoption cycle), there is already consensus that blockchain will have a real and very likely lasting impact. While this sustained hype (and hope) offers fertile ground to advance developments around blockchain, we must also address the security risks that remain, in particular when it comes to wide adoption. As mentioned in my previous blog articles: all ventures into the blockchain ought to be carefully weighed against the associated risks and anchored within a thoroughly defined and future-oriented cyber security strategy. This blog article dares to leap one step ahead and proposes security cautions and concerns as a reflection on ongoing or potential future implementation endeavors.
Our experience shows that one of the first steps can already be the most critical: a faulty implementation. Even if the prospects are bright, organizations must not rush the implementation and jump on the technology bandwagon without carefully considering specific use cases, the security setting as well as traditional security risks, as any negligence may bear dire consequences and hamper the benefits of blockchain adoption.
- Even before considering implementation, companies should assess the changing risk profile and determine what type and what level of risks are acceptable, identify their crown jewels and invest in cost-justified security controls that protect those from outside threats.
- Organizations seeking to reap the benefits of blockchains, private blockchains in particular, should carefully consider network access as a critical cornerstone of safeguarding data access. Our security best practices recommend that security controls (i.e. access controls) be implemented directly at the application level. In this regard, authentication and authorization controls need to be properly implemented to ensure that only privileged parties obtain access, verify a transaction and delimit data reach (i.e. what type of data can be accessed by other parties in the blockchain).
- Full encryption of the blockchain data may also be beneficial in this context, so as to ensure that data cannot be eavesdropped on by unauthorized parties while being transferred between the nodes.
- Organizations are also advised to consider how to treat intermittently active or uncommunicative nodes in the blockchain. Over time some nodes may restrict the transmission of information, transmit incorrect information or may even go offline entirely for inadvertent reasons. This may hamper the ability to obtain consensus on verified transactions, verify new transactions, reduce the verification speed and may even threaten the integrity of the blockchain in its entirety. Operators must therefore ensure that such nodes are identifiable and avoidable, so that the blockchain remains functional when certain nodes go offline.
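The node-handling advice above, as an added example that is not part of the original article: a small Python tracker for a permissioned network that flags validators which go silent for several rounds or announce a block hash disagreeing with the majority, and then checks whether the remaining nodes still form a quorum. Node names, the thresholds and the two-thirds quorum rule are assumptions.

```python
"""Added example (not from the original article): identify unresponsive or
inconsistent validators and check whether the remaining nodes still form a
consensus quorum. Thresholds and the 2/3 quorum rule are assumptions."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class NodeHealth:
    missed_rounds: int = 0      # consecutive rounds with no announcement
    disagreements: int = 0      # rounds where the node's hash differed from the majority


@dataclass
class ValidatorSet:
    validators: Set[str]
    max_missed: int = 3         # assumed: silent for 3 rounds -> treated as offline
    max_disagreements: int = 1  # assumed: one inconsistent hash -> treated as faulty
    health: Dict[str, NodeHealth] = field(default_factory=dict, init=False)

    def __post_init__(self) -> None:
        self.health = {v: NodeHealth() for v in self.validators}

    def record_round(self, votes: Dict[str, Optional[str]]) -> Optional[str]:
        """votes maps node -> block hash it announced (None or absent = silent).
        Updates per-node health and returns the majority hash, or None if nobody spoke."""
        responses = {n: h for n, h in votes.items() if h is not None and n in self.validators}
        majority = Counter(responses.values()).most_common(1)[0][0] if responses else None
        for node in self.validators:
            announced = votes.get(node)
            if announced is None:
                self.health[node].missed_rounds += 1
            else:
                self.health[node].missed_rounds = 0   # liveness counter resets on contact
                if announced != majority:
                    self.health[node].disagreements += 1
        return majority

    def excluded(self) -> Set[str]:
        """Nodes that should no longer be relied upon for consensus."""
        return {n for n, s in self.health.items()
                if s.missed_rounds >= self.max_missed
                or s.disagreements >= self.max_disagreements}

    def has_quorum(self) -> bool:
        """Assumed BFT-style rule: more than 2/3 of the configured set must still be healthy."""
        active = len(self.validators) - len(self.excluded())
        return 3 * active > 2 * len(self.validators)
```

Rounds are fed in as they are observed; a node that disappears for three rounds or announces a conflicting hash drops out of the healthy set, and `has_quorum()` tells the operator whether the network can still finalize transactions without it.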
In my opinion, every company should strive to achieve the best balance between innovation, performance and cyber risks. However, it is equally important to realize that even with the advent of blockchain technology, an all-encompassing cyber defense (i.e. safeguarding everything) would be utopian in the age of quantum computing and would likely impede some of the most strategic initiatives. Organizations should invest in an overall cyber security program to mitigate risks, such as defining a realistic governance framework, including roles, processes, accountability measures, thoroughly defined incident measures and, above all, a cultural shift in mindset. Blockchain, with its innate ability to prevent fraudulent activities via consensus mechanisms and to quickly detect manipulated data thanks to its transparent, immutable and encrypted nature, should therefore be treated as an additional security layer rather than a potion against all cyber woes. In this context, blockchain may form a critical component of an organization's overall cyber security strategy.
Get in touch with us to learn more about our take on blockchain and how you could leverage your cyber security setting. If you have any questions, please do not hesitate to reach out and contact me.
Thanks to the co-author: Sebastian Heierhoff.