How CIOs can manage blockchain security: 4 tips

By 2020, an exploited vulnerability will disrupt a major blockchain platform, causing significant damage, Gartner predicts. Here's how to protect your blockchain efforts.

Why the blockchain is not secure

While many organizations are exploring potential blockchain applications, CIOs need to keep one fact in mind for effective rollouts: Blockchain is not secure in and of itself, Gartner research director David Mahdi said in a session at the 2018 Gartner Symposium/ITxPo.

"It's built on really cool security technology, but you can't assume that it is secure," Mahdi said.

For those unfamiliar, blockchain is a type of distributed ledger in which value-exchange transactions (in bitcoin or another token) are sequentially grouped into blocks. Each block is chained to the previous block and immutably recorded across a peer-to-peer network, using cryptographic trust and assurance mechanisms, Mahdi said.


Blockchain offers several key benefits, including integrity, immutability, availability/resilience, and trust in systems where parties may not have full trust of one another, Mahdi said. "Blockchain becomes a source of truth," Mahdi said. "It doesn't matter what the use case is."

By 2020, at least one catastrophic vulnerability will disrupt a major blockchain platform, causing significant damage, Gartner predicts. CIOs and CISOs will be the parties responsible for mitigating the damage, Mahdi said. Particularly for companies who put a lot of marketing and press into their blockchain initiatives, "it can fall back on you," he added.

Blockchain is a complex technology, and can lack the clarity of oversight and auditability that more traditional systems offer, Mahdi said. As a result, compliance and enforcement costs may increase with blockchain implementation, and some regulatory environments may require oversight that is difficult to achieve with the technology, he added. This is exacerbated by a lack of common standards or legal frameworks.

Smart contracts--one of the most hyped applications of blockchain--are also vulnerable from a security standpoint, Mahdi said. "They do not remove the threat of fraud," he added. Further, it's easy for a developer to make a mistake and accidentally create a vulnerability in the contract code, he added.

"Everything that can go wrong with code plus everything that can go wrong with legal plus the security problems of a network equal your blockchain risks," Mahdi said.


Blockchain is also not immune to cyberattacks or fraud, Mahdi said. In many cases, the cryptography is not the issue, but rather the endpoints writing to the blockchain, such as the operating systems, network protocols, and key management, he added.

This becomes even more important when you consider that within 10 years, a quantum computer will be able to break modern cryptography, Mahdi said.

While blockchain is seen as a source of truth, "control over who and what can place data in the blockchain is needed," Mahdi said. For example, bad actors leveraging user identities can potentially place unwanted information on the blockchain, which then cannot be deleted.

"It's a very critical issue that turns the strength of immutability into a weakness," Mahdi said. "If you're in charge of a blockchain initiative at your organization, imagine if the personal data of clients went in there in clear text, and you can't delete it. It would be a massive problem."

Companies need to examine who has access to the blockchain, authenticate those who are writing to it, and filter the data itself (for example, to allow only encrypted or tokenized numbers instead of credit card numbers). "You can put in bounds to only accept certain data types that are secure," Mahdi said.
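The write gate described above, as an added example that is not from the article or from Gartner: a pre-commit check that lets only authorized writers submit to the ledger and rejects any payload carrying a Luhn-valid card number in clear text, accepting a tokenized reference instead. The writer allowlist, the `tok_` token format and the field names are assumptions made for the example.

```python
import re
from typing import Dict, Tuple

# Constructed policy: only these writer identities may submit ledger entries.
AUTHORIZED_WRITERS = {"billing-svc", "claims-svc"}

# Assumed token format: "tok_" followed by at least 16 alphanumerics.
TOKEN_RE = re.compile(r"^tok_[A-Za-z0-9]{16,}$")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from ordinary digit runs (order ids etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_clear_text_pan(text: str) -> bool:
    """True if any digit run in the text passes the Luhn check."""
    for m in PAN_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            return True
    return False


def validate_write(writer: str, payload: Dict[str, str]) -> Tuple[bool, str]:
    """Gate applied before a payload is committed; once written it cannot be deleted."""
    if writer not in AUTHORIZED_WRITERS:
        return False, "writer not authorized"
    for key, value in payload.items():
        if key == "card":
            # The card field may only hold a token, never the number itself.
            if not TOKEN_RE.match(str(value)):
                return False, "card field must be a token, not a card number"
            continue
        # Free-text fields are scanned so a PAN cannot slip in under another name.
        if contains_clear_text_pan(str(value)):
            return False, f"clear-text card number in field '{key}'"
    return True, "accepted"
```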

By 2021, 70% of blockchain projects will expose organizations to GDPR or other violations, due to insufficient privacy controls, Gartner predicts. "We have to be careful with these systems because once they're in there, they're in there," Mahdi said.

Scalability will be another major issue to solve, Mahdi said. "As transactions, data, devices, and identities explode, so does the requirement to manage and store artifacts relating to them," he added. "Ensure that downstream applications and distribution of ledger nodes supports scale."

Blockchain security model

CIOs can manage blockchain risks across three layers of the enterprise with the Gartner blockchain security model, Mahdi said:

1. Business logic layers

These layers include business problem definition and contracts, consortia management, and execution/resiliency. Questions to ask include:

  • What specific features that are unique to blockchain do I need for this project?
  • What is the governance model (trust framework) for participating organizations and their members? Responsibilities?
  • What is the business lifecycle for blockchain participants?
  • What data will be captured?

2. Risk and Identity and Access Management (IAM) process layers

These layers include risk management and compliance, and IAM and cryptographic architectures. Questions to ask include:

  • What are the relevant regulatory issues for the project? What are the options for meeting them within the blockchain protocol?
  • How are the details of identity managed?
  • Are block payloads encrypted?
  • How are keys managed and revoked?

3. Tech and IT layers

The tech and IT layers involve threat/network/node management, as well as physical layer management. Security questions to ask include:

  • What is the logic for resolving blockchain block collisions?
  • What is the disaster recovery plan for your blockchain participants?
  • What is the minimal security posture for blockchain clients or wallets for participation in the projects?

Tips for CIOs

Mahdi offered the following four recommendations for CIOs to secure blockchain technologies in the enterprise:

1. Separate governance and accountability concerns from blockchain technology

2. Take care of the basics of information security: Protect, detect, respond, predict, act. "Blockchain systems still require these," Mahdi said.

3. Leverage the blockchain model to identify, scope, and manage business and technical risks

4. Plan for issues: Evaluate incident response plans to address critical security events during blockchain lifecycle
