According to Gartner’s report “Top 10 Strategic Technology Trends for 2018”, blockchain is evolving from a digital currency infrastructure into a platform for digital transformation [1]. As such, many companies across diverse industries have been investing in the technology and are starting to move past the Proof of Concept (PoC) stage and into more mature and commercially relevant environments.
As PoCs start to be incorporated into existing application and infrastructure ecosystems, it is essential they are protected by an established set of security controls such as the ones based on NIST, ISO 27002, or ISF frameworks. This is especially important when serving industries as highly regulated as Financial Services or Healthcare. Indeed, although blockchain finds its roots in cryptography, systems built on the technology still require controls to operate securely. In our previous newsletter article “Protecting the distributed ledger” [2], we highlighted the common misconception that blockchain technology is inherently secure. Blockchain does provide inherent immutability, time-order of transactions and fault tolerance, but the aspects such as regulatory compliance, data confidentiality, incident response or resilience capabilities do not come ‘out of the box’. A famous example of a security failure resulting in financial and reputational damage is the “DAO hack” [3] where an attacker exploited a smart contract design flaw* and ran off with USD 60 million.
In what follows, we highlight the main security control areas that are needed to complement inherent blockchain security properties and protect blockchain applications.
Security governance is essential for all systems that exist in a corporate setting, whether they are blockchain-based or not. The reality is that defining security governance in distributed settings is more challenging than in centralised counterparts. For example, in the case of the DAO hack, the lack of anticipated policies resulted in the need for the DAO community having to establish an ad-hoc incident response process in a time of crisis.
Below, we highlight how blockchain impacts three key security governance aspects and what needs to be done in order to establish sound governance in blockchain-based systems.
1. Governance Models
One of the foundational motivations for blockchain is the absence of a central governing authority. However, in a corporate setting, a governance structure and operating model are essential in order to enable the correct functioning and adoption of so-called permissioned blockchains, where nodes must be vetted before being admitted to the network. In fact, the choice of a governance model impacts major processes such as change management (for example updating the core code or applying security patches) and Know Your Customer (KYC) processes. Therefore, security governance must be adapted to match the overall blockchain governance model, which typically takes the form of a consortium, joint venture or statutory organisation, and must take into consideration the consensus mechanism, blockchain type (private/public, permissioned/permissionless [4]) and node vetting process.
2. Regulatory Requirements
The set of regulatory requirements applicable to a blockchain-based system is industry specific. Due to the technology’s intrinsic features, some of these requirements will be harder to enforce compared to standard centralised systems. Indeed, complying with GDPR-equivalent privacy requirements such as data confidentiality, the right to be forgotten and data deletion will require some specific design considerations, such as avoiding the storage of private data on the chain, usage of pseudonymous identifiers or zero-knowledge proofs [5]. Therefore, it is essential to leverage privacy-by-design concept when developing blockchain-based systems and consider, among others, data minimisation, retention and deletion requirements at the initial stages of the design process.
3. Third Party Risk Management
The fact that third parties participate in blockchain networks increases the inherent third party security risk. It is therefore crucial that third parties who run nodes in the blockchain be held to the same security standards and that blockchain-specific due diligence (see Prevention and Resilience controls below) be done during onboarding. Depending on the governance model (see bullet 1 above), due diligence can be performed by a consortium, joint venture or a statutory organisation.
Prevention controls support the ability to defend critical assets against known and emerging threats. Blockchain‘s backbone being cryptography, using this science to implement prevention controls seems evident; the key is to ensure that complementary controls are added to complement the ones provided by default and that these controls are present on all participating nodes.
Below, we draw attention to the main prevention controls areas that should be put in place across data, application and infrastructure layers when designing blockchain-based applications.
Blockchain technology was designed using cryptographic primitives such as hash functions for data integrity (immutability) and digital signatures for non-repudiation and authenticity. While data integrity and authenticity are provided by design, blockchain does not provide any data confidentiality.
Digital signatures leverage Public Key Infrastructure (PKI) which can also be used to protect on-chain data, i.e. data stored on the blockchain itself, through encryption. Other cryptographic techniques can be used to reduce or remove dependencies on single nodes, for instance by requiring multiple nodes to collectively decrypt using shared keys or collectively sign critical data using multi-signature schemes.
Finally, data can be further protected by enforcing data minimisation, i.e. keeping sensitive data securely stored off-chain and only allowing non-critical data to be on-chain.
Leveraging the existing PKI to achieve data confidentiality is appealing, but introduces an availability risk due to heavy reliance on PKI for multiple purposes, including authentication, authorisation, and data protection. This risk is further elaborated in Section Resilience below.
A major challenge in protecting blockchain-based applications is to train security engineers to understand blockchain technology, its properties and how these affect the overall security of systems being built on top of it. Moreover, blockchain-based concepts such as smart contracts can include complex code. The need for secure development processes and policies to ensure the use of pre-approved and tested software libraries and interfaces, regular code reviews and patching is exacerbated by the fact that smart contracts are fully automated. In the example of the ‘DAO hack’, more thorough code review could have prevented the smart contract design flaw which was at the heart of the incident. In addition, smart contracts usually take input from data outside of the blockchain, e.g. currency exchange rates, or measurements from smart sensors. Therefore, a proper input validation and data integrity checks need to be performed to protect systems’ functionality and integrity.
As blockchain technology is built using traditional components, all typical infrastructure attack vectors such as malware and hacking remain relevant for blockchain-based applications. Thus traditional infrastructure controls such as vulnerability scanning and patch management must be enforced on all nodes. It may be necessary to implement dedicated Virtual Private Network (VPN) gateways to implement inter-node connectivity and allow nodes that are geographically dispersed to communicate securely.
When the DAO discovered their funds were being syphoned, they had no recovery plan. There had been multiple attempts to contain the incident, but the network was unable to get consensus in the short amount of time available. It took over a month to finally recover from the incident [8].
Resilience controls allow an organisation’s operations to rapidly adapt and respond to internal and external changes, demands, disruptions and threats, so as to continue operations with limited impact to the business. Resilience is one of the main motivations for companies to use blockchain technology, although this property may not be as inherent as some believe. Indeed, blockchain technology eliminates a single point of failure and provides operational resilience via its embedded redundancy. On the other hand, it heavily relies on internet connectivity, sufficient node distribution (especially in private blockchain networks) and PKI, so it is still important to consider resilience requirements when designing blockchain-based systems.
The implementation of business continuity and disaster recovery controls is facilitated by the decentralised nature of the blockchain technology. In this context, it is important to understand what consensus mechanism is used and how this will impact the system’s availability if a subset of nodes becomes unresponsive. Despite blockchain’s inherent resilience, business continuity is tightly coupled with the availability of the PKI; if a system’s PKI is not resilient, then the system itself will not be either. Considering this, it is crucial to implement secure and resilient key management processes, including secure key backups and tamper-resistant hardware environments for private key storage. Finally, because the basis of blockchain technology, cryptography, is an arms race, companies must keep track of advancements in cryptoanalysis that could potentially break certain protocols or reduce systems’ security.
Organisations planning to go live with a blockchain-based system may want to consider the points above in the context of their organisations’ security control frameworks in order to manage legal, regulatory, operational and financial risks.
* Or feature, depending on the perspective.
[1]Top 10 Strategic Technology Trends for 2018, Gartner
[2]Cyber Flash – Protecting the distributed ledger, Deloitte, Online.
[3]Inside the Bold Attempt to Reverse a $55 Million Digital Heist, Bloomberg Markets, June 2017, Online.
[4]The difference between public and private blockchain, IBM, May 2017 Online.
[5]Zero Knowledge Proofs, Ben Lynn, Stanford, Online.
[6]The DAO – Chronology of a daring heist, Deloitte Blockchain Institute.