Is Blockchain Technology Viable for Security?
Blockchain, blockchain, blockchain. It seems like you can’t throw a rock without hitting someone discussing the potential for blockchain technology. And, for the most part, this is driven by consumer interest in technologies and the potential for innovation in the web 3.0 world we live in.
While the consumer market is having a so-so engagement with blockchains, the technology is finding more purchase in enterprise applications, albeit with a few changes and customizations to address limitations.
What Is a Blockchain?
A blockchain is, in simplest terms, a ledger of transactions (represented as blocks) that provides a decentralized network of users with a record of interactions. First conceived in the Bitcoin whitepaper written by Satoshi Nakamoto, the blockchain was presented as a solution to the problem of double spending inherent to the adoption of digital cash.
Generally speaking, bitcoins are traded with the following process:
- Transaction: A user sends a bitcoin (or fraction thereof) to another user. The transaction information is encrypted using a specific algorithm employing complex cryptography.
- Authentication: Other users on the network (called miners) offer processing power to reverse the cryptography, essentially devising a formula that authenticates that the transactions are legitimate. These authentication steps aren’t a per-transaction activity but occur over large chunks of transactions known as “blocks.”
- Append and Record: Once a block is verified, its transactions are appended to the blockchain, and the transaction records for all users are updated.
The ledger technology serves as the “middle man” of the transaction, mitigating the need for a bank or financial institution. And while we aren’t commenting more generally on cryptocurrency as a viable product, it’s also clear that it has had a huge impact on both business and consumer security.
No one is seriously suggesting that Bitcoin is a viable security technology. But it’s critical to understand how blockchain is moving into the business market. There isn’t a single type of blockchain on the market, but several adaptations:
- Public Blockchain: Public blockchains are entirely decentralized, without a central controller. Most cryptocurrencies are public blockchains in that the coding of the protocols is the primary arbiter of how the network works.
- Private Blockchain: Conversely, a private blockchain can be managed by a person, company, or consortium. These managers will often modify the blockchain to include different security measures or integrations to make them more viable as enterprise technologies.
- Permissionless Blockchain: Permissionless blockchains have no set restrictions on who can join–users can enter and leave as desired. There is no restriction on use within the confines of the technology.
- Permissioned Blockchain: The opposite of a permissionless chain would, obviously, place restrictions on who can join. For example, blockchain-driven tech for internal enterprise use may limit the participation of employees and contractors.
These aren’t necessarily exclusive, but for the most part, you’ll see public/permissionless and private/permissioned blockchains. However, all enterprise (read: secure) chains will invariably be private and permissioned.
What Are the Benefits of Blockchain Technology for Cybersecurity?
While a complex technology, the blockchain also provides several potential benefits for companies looking to bolster aspects of their compliance and security efforts.
Some of these benefits include:
- Immutable Audit Trails: Maintaining a clear and untouched audit trail is a necessary component of many regulations and compliance standards, including HIPAA, NIST 800-53, CMMC, etc. A blockchain is, by definition, an immutable standard that disallows unauthorized changing of records. In cases where compliance is paramount or where legal documents must be demonstrably free from corruption, a blockchain can provide a level of integrity other systems can’t.
- Identity and Access Management: A significant part of any identity and access management system is the actual management of those identities. Traditionally, these records are stored in a central database, which can sometimes become a major attack surface. With a private chain, a system can exist where users take more ownership of their identity by storing IDs on a local device without needing an internal management system. This means that no single device or system is a point of failure that can completely undermine the system. This also means that it could become much simpler to deploy single sign-on (SSO) or passwordless systems to minimize security holes that come with password systems.
- Configuration Management: Patches and updates are a crucial part of compliance, and blockchain records could be a way to verify patch deployment and system state for personnel managing large IT systems.
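The tamper-evidence behind the audit-trail and configuration-management benefits above can be seen in a minimal hash-chained log. This is an added example, not code from the original article: it is a single-writer chain with no consensus or replication, and the host names, patch IDs and function names are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry


def entry_hash(index, prev_hash, record):
    """SHA-256 over the entry's position, its predecessor's hash and its record."""
    body = json.dumps({"index": index, "prev": prev_hash, "record": record},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(chain, record):
    """Append a record, linking it to the hash of the current last entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev": prev, "record": record,
                  "hash": entry_hash(index, prev, record)})
    return chain


def first_invalid(chain, trusted_head=None):
    """Return the index where verification first fails, or None if the log is intact.

    trusted_head is the last entry's hash as recorded by an independent party;
    without it, removal of the newest entries cannot be detected.
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["index"] != i or e["prev"] != prev:
            return i  # link to the predecessor is broken
        if e["hash"] != entry_hash(e["index"], e["prev"], e["record"]):
            return i  # record no longer matches its stored hash
        prev = e["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(chain)  # internally consistent, but not the log we trust
    return None


def build_sample_log():
    """Constructed sample: patch-deployment events for hypothetical hosts."""
    chain = []
    append(chain, {"host": "web-01", "patch": "PATCH-EXAMPLE-1", "status": "applied"})
    append(chain, {"host": "db-01", "patch": "PATCH-EXAMPLE-1", "status": "failed"})
    append(chain, {"host": "db-01", "patch": "PATCH-EXAMPLE-1", "status": "applied"})
    return chain
```

The chain only proves integrity relative to a head hash that someone else holds, which is the role the other nodes play in a permissioned blockchain.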
What Are the Limitations of Blockchain Technology for Cybersecurity?
Like any technology, however, blockchains have several limitations. These are even more pronounced considering that the technology itself is relatively new.
Some of the limitations of the technology for cybersecurity include:
- Scalability: Blockchains can, if not properly configured, scale incredibly poorly. When working with smaller (private and permissioned) chains, this is less of a problem, but there is a trade-off in decentralization. The more decentralized the blockchain, the less responsive it is to scaling up.
- Document Obfuscation: Public blockchains don’t encrypt transaction data, only transactions during transmission and verification. So, a company must employ relatively strong central encryption alongside the blockchain to properly secure information. This, in turn, can cause problems for compliance if the company attempts to share records publicly and illegally discloses personal data or metadata related to treatment or patient PII.
- Phishing: Much of the security related to private blockchains is centralized on users, who take ownership of specific aspects of the system. This opens up the possibility of phishing attacks compromising user devices or credentials, a threat remarkably similar to those facing any other enterprise system. These threats can be more pronounced with private blockchains with fewer nodes.
The blockchain might not be a silver bullet for security; in some cases, the hype is putting the cart before the horse. But the value of permissioned, private blockchains in areas like IAM and auditing is clear, and many companies are integrating this technology into their systems. With layers of other security measures applied, the blockchain can become a small part of a secure and private system.