Is there a weak link in blockchain security?
Recent research revealed that blockchain is set to become ubiquitous by 2025, entering mainstream business and underpinning supply chains worldwide.
This technology is set to provide greater transparency, traceability and immutability, allowing people and organizations to share data without having to be concerned about security. However, blockchain is only as strong as its weakest link. Despite the praise for blockchain’s immutable security, it still carries risks that organizations must be aware of – and mitigate – prior to implementation.
It is important to understand that there are two types of blockchain – permissionless and permissioned. The most prominent example of permissionless blockchain is Bitcoin – a public blockchain network that anyone can participate in. Cryptocurrencies like bitcoin favor this type of blockchain technology because it enables all users to track, verify and confirm transactions, regardless of whether users choose to be anonymous or not.
The other blockchain model is permissioned (also known as private blockchain), and is mainly used for business applications. These networks are only accessible to known entities such as partners, suppliers or customers. With permissioned blockchain, a company establishes protocols to achieve consensus, and to verify and assemble blocks. This setup can deliver thousands of transactions per second and provide granular management and control over who sees and accesses the transactions.
In both cases, the main benefit is the trust and transparency that blockchain brings – all parties involved in the network have total visibility into the transactions recorded in the blockchain ledger and each block is tied to the block before it.
This transparency makes blockchain extremely difficult to manipulate at scale. While the blockchain platform itself may be secure, there is still some work to be done to ensure organizations are equipped to make their networks secure end to end. For true security, organizations must focus on the last mile connection between a physical event and the digitized record of this event.
If these points of entry to the platform are tampered with, the blockchain is rendered worthless. It is therefore imperative that organizations secure all points of entry, and assess the risks, before they consider deploying blockchain on a broad scale. They will need to consider security at all layers, most importantly:
This starts with ensuring data and transactions entered in the blockchain ecosystem are adequately protected from manipulation. The infrastructure these networks reside on must also have the necessary protections in place. With blockchain, you are only as strong as your weakest link.
If integration points are compromised, the entire blockchain ecosystem could be at risk, meaning that blockchain credentials and data could be exposed to unauthorized users.
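The last-mile problem described above, as an added example that is not part of the original article: a hash-linked ledger detects a record edited after it was written, but accepts a reading that was falsified before submission unless the entry point also checks where the data came from. The shipment readings, the `SENSOR_KEY` secret and all function names are constructed for illustration, and an HMAC stands in for a device signature.

```python
import hashlib, hmac, json

SENSOR_KEY = b"constructed-demo-key"  # hypothetical per-device secret (assumption)
GENESIS = "0" * 64

def block_hash(index, payload, prev_hash):
    body = json.dumps({"i": index, "p": payload, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, payload):
    # Each block commits to the hash of the block before it.
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"index": len(chain), "payload": payload, "prev": prev,
                  "hash": block_hash(len(chain), payload, prev)})

def chain_valid(chain):
    # Ledger integrity: detects any change made after a block was recorded.
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or b["hash"] != block_hash(b["index"], b["payload"], b["prev"]):
            return False
        prev = b["hash"]
    return True

def sign_reading(reading, key=SENSOR_KEY):
    msg = json.dumps(reading, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def origin_valid(payload, key=SENSOR_KEY):
    # Entry-point check: does the tag match the reading the device produced?
    return hmac.compare_digest(payload.get("tag", ""), sign_reading(payload["reading"], key))

def demo():
    chain = []
    genuine = {"shipment": "S-1", "temp_c": 4}
    append(chain, {"reading": genuine, "tag": sign_reading(genuine)})
    # Constructed case: the device measured 19 C, but the value was changed
    # to 4 C at the integration point before it reached the ledger.
    measured = {"shipment": "S-2", "temp_c": 19}
    altered = {"shipment": "S-2", "temp_c": 4}
    append(chain, {"reading": altered, "tag": sign_reading(measured)})
    ledger_ok = chain_valid(chain)                  # the chain itself is consistent
    origins = [origin_valid(b["payload"]) for b in chain]
    chain[0]["payload"]["reading"]["temp_c"] = 5    # edit made after recording
    return ledger_ok, origins, chain_valid(chain)

if __name__ == "__main__":
    print(demo())
```

The ledger check passes for the falsified reading and only the origin check flags it, which is why the entry points need their own controls.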
Identity and access management
To prevent unauthorized parties from accessing blockchain data, a combination of encryption and identity management tools is needed. Stolen credentials could potentially allow a cybercriminal to access the blockchain platform, regardless of how secure it is. Organizations must deploy identity and access management controls. Encryption should also be deployed to ensure that data is not stolen, manipulated or leaked in transit.
The insider threat should be a focal concern when it comes to blockchain too. Organizations must consider that employees, partners and suppliers – be it unintentionally or maliciously – can cause security incidents that impact the blockchain.
To mitigate this, organizations should deploy security awareness training for employees and outline clear security parameters and responsibilities with partners. This will stop employees from making careless mistakes and may also ward off malicious insiders. In line with these requirements, blockchain can provide advanced security controls – for example, leveraging the public key infrastructure (PKI) to authenticate and authorize parties, and encrypt their communications.
Blockchain-based networks are built on shared business interests, creating a system of trust. However, as the network grows, participating entities could leave the network and new ones may join, leading to ambiguities in operational considerations such as data sharing and data ownership. These could result in serious regulatory and reputational repercussions for organizations that, as data owners, are unable to secure the customer data.
Organizations are multi-faceted and have multiple revenue streams, often linked to each other. One of the major challenges to blockchain adoption has been a lack of interoperability across different blockchain networks. There have been recent developments, with major players embarking on developing interoperable networks, which could boost blockchain interest to a different level, at the same time introducing additional levels of vulnerability.
A key component of blockchain networks is smart contracts, which are developed in different languages depending on the platform being used, such as Solidity on Ethereum. These languages allow developers to make changes to the underlying blockchain networks, causing vulnerabilities. However, from an enterprise blockchain perspective, a solid governance mechanism using a permissioned chain can establish a secure system that restricts these privileges to the governing body.
To achieve the most value from blockchain, both now and in the future, organizations must take responsibility for their safety and security at all levels – application, infrastructure, data and partners.
By conducting a blockchain risk assessment and addressing key risks, organizations can make sure they are well positioned to leverage the efficiencies, transparency and cost-effectiveness provided by blockchain without opening themselves up to unexpected risks. The most pragmatic approach for organizations interested in blockchain is to test the concept through pilot programs. Pilots should be focused on the areas that offer organizations the most control, and companies should take these weak links into consideration.
Ultimately, blockchain has the ability to solve business issues relating to traceability, responsiveness, and trust. By taking a carefully planned approach to implementation, and understanding blockchain’s weak links, organizations can unlock the true value of blockchain, creating new opportunities and reducing inefficiencies.