Ingredients to Secure Blockchain Data & Transactional Jewels (Part Two of Two)
As a series of recent hacks reveals, blockchain technology remains exposed to common security vulnerabilities as well as new ones that emanate from its underlying distributed database foundation. A holistic security policy built on the foundation of shared accountability can help organizations secure blockchain’s future.
As highlighted in part one of this series, blockchain may hold the key to a more transparent and trusted online future. However, that future can’t be realized until pioneering organizations holistically treat a range of security vulnerabilities threatening to undermine the distributed ledger technology before it becomes mainstream.
In fact, we believe pioneering organizations must work proactively to identify and address security measures independently and in concert with ecosystems’ partners as they conceive and act upon their blockchain strategies. While the challenges loom large and may not be fully apparent given numerous technological imponderables, forward-leading organizations should view this as an opportunity to build in security as a key component of their transactional services. Doing so will help gain the trust of customers and other key stakeholders across their business ecosystems.
For starters, organizations with blockchain business ambitions would do well to develop a comprehensive policy that addresses all key security vulnerabilities with measures that facilitate effective shared monitoring, control and compliance. This is critical since many business leaders see blockchain as a technology that is seemingly impenetrable, which is clearly not the case – as recent hacks suggest. As most savvy observers know, any technology conceived by humans can be cracked and compromised by humans working in concert with incredibly potent computing algorithms. It is therefore vital to inculcate a culture of compliance with emerging security policies.
We recommend that organizations consider the following 12 actions to create a broad and resilient security policy that will help to effectively safeguard data and transactional services powered by fledgling blockchain networks.
Blockchain’s 51% attack threat can be effectively prevented through a shared approach comprising strict contracts, covenants and controls that all participating entities embrace to monitor and control the chain’s total processing power and usage. Early blockchain-as-a-service (BaaS) implementations have incorporated the technical capabilities to do so.
Vulnerabilities arising from the distributed nature of blockchain settings need to be handled through use of distributed vulnerability management programs that enforce shared security standards, which comprise a combination of contracts, covenants, controls and cross-monitoring of systems. Such systems should empower chain participants to view, manage and, where necessary, prevent transactions by those that do not meet standards.
Developing and implementing a distributed identity management process of sequential steps through which entities are allowed access to a set of systems can render blockchains safe from malicious intruders. The process will also periodically evaluate and ensure validity of participating entities. Private blockchains can capitalize on such approaches by incorporating shared, mutually agreed-upon processes that are made enforceable via contracts and covenants. Only authorized entities may be allowed direct access to either read or create/alter entries. Shared provisioning, de-provisioning and validation processes must be the building blocks of such an approach.
The practice of using self-signed certificates for blockchain implementations may be supplanted by certificates from trustworthy authorities that are known to employ a verifiable step ensuring that encryption adheres to a provable methodology. Blockchain parties may collectively agree on selecting such certificates and subsequently ensure compliance in a distributed way.
Organizations implementing blockchain may also use hardware security modules (HSMs) that are capable of preventing hacks of ledgers, apps and wallets while ensuring industrial grade security. HSMs safeguard and manage keys through a crypto-processor that generates, safeguards and hosts the keys in a secure way.
The highly distributed nature of blockchain presents a significant challenge to attackers. To fully disrupt or tamper with a chain, attackers must compromise a large number of servers across the network. Remember, however, the value of blockchain rests upon trust in the integrity of the data. While a single intrusion at a compromised server level may be viewed as a minuscule blip, it can have a lasting impact on the confidence in the data set itself. Each node host, therefore, has an obligation to ensure the security of its link in the chain. A solid TVM approach, as well as host hardening, privileged access controls and other technical network controls, must be operationalized and incorporated into the security systems wherever the nodes reside.
The absence of auditing read access in blockchain networks — both public and private — leaves information on blockchain vulnerable to reverse engineering. Security may be provided in two ways by employing verification and validation of data in a distributed manner. Storing direct links to systems that host information and are governed by authentication and audit access processes is one such way. Alternatively, the cryptographic checksums of information stored on blockchain may be used to protect information.
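The two options above can be combined, as this added example shows (it is not code from the original article): the ledger holds only a checksum, while the record sits in an off-chain store whose reads are authenticated and audited. The `OffChainStore` class, the dictionary standing in for the ledger, the per-record salt and the sample record are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

def commitment(salt: bytes, data: bytes) -> str:
    # Salted checksum: a bare SHA-256 of low-entropy data could be guessed by
    # anyone able to read the chain, so a per-record random salt is mixed in.
    return hmac.new(salt, data, hashlib.sha256).hexdigest()

class OffChainStore:
    """Hypothetical system of record with authenticated, audited reads."""

    def __init__(self, authorized):
        self.authorized = set(authorized)
        self.records = {}    # record_id -> (salt, data); never written on-chain
        self.audit_log = []  # (reader, record_id, allowed)

    def put(self, record_id: str, data: bytes) -> str:
        salt = secrets.token_bytes(16)
        self.records[record_id] = (salt, data)
        return commitment(salt, data)  # only this value goes on the ledger

    def read(self, reader: str, record_id: str):
        allowed = reader in self.authorized
        self.audit_log.append((reader, record_id, allowed))  # denials are logged too
        if not allowed:
            raise PermissionError(f"{reader} may not read {record_id}")
        return self.records[record_id]

def verify(ledger: dict, store: OffChainStore, reader: str, record_id: str) -> bool:
    """Recompute the checksum from the off-chain record and compare it on-chain."""
    salt, data = store.read(reader, record_id)
    return hmac.compare_digest(commitment(salt, data), ledger[record_id])

if __name__ == "__main__":
    store = OffChainStore(authorized={"auditor"})
    ledger = {}  # stands in for the ledger: record_id -> checksum
    ledger["rec-1"] = store.put("rec-1", b"patient=constructed; code=A10")
    print("intact record verifies:", verify(ledger, store, "auditor", "rec-1"))
    salt, _ = store.records["rec-1"]
    store.records["rec-1"] = (salt, b"patient=constructed; code=B20")  # off-chain tampering
    print("altered record verifies:", verify(ledger, store, "auditor", "rec-1"))
    print("audit trail:", store.audit_log)
```

A reader of the ledger sees only the checksum, and every attempt to fetch the underlying record, allowed or denied, leaves an entry in the audit trail.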
Adopting sound cryptography by avoiding weak algorithms and random number generators and using post-quantum crypto such as SPHINCS as a future-proof solution can provide safeguards against vulnerabilities as well as quantum computing threats. Recent advances such as Quantum Resistant Computing (QRL) that employ advanced mechanisms to prevent quantum attacks can also offer valuable lessons to strengthen blockchain security. The mechanisms combine using quantum-resistant cryptographic systems including hash-based cryptography, code-based cryptography, lattice-based cryptography, multivariate-quadratic-equations cryptography and secret-key cryptography. These mechanisms are considered to be capable of preventing classical as well as quantum computing attacks aided by sufficiently long key sizes.
Keeping the smart contract programs smaller, modular and understandable.
Supplanting weak sources of randomness with implementations of random number generators.
Writing tests after thorough understanding of the use cases.
Introducing formal verification of algorithms underlying systems of smart contracts.
Including a fail-safe mode feature to effectively handle the contingency of risk incidents.
Considering security audits of software code alongside other security measures.
Enterprises adopting blockchain need a rigorous security strategy that defines the necessary programming requirements, and accountability for review and testing, as well as compliance requirements and measurement.
Security policies may also create compliance requirements for third parties, whose services may be utilized within the blockchain. Making sure that the vendors’ governance and risk policies are sufficiently aligned to the enterprise policies would go a long way in strengthening security postures. When it comes to cybersecurity, checkbox compliance is a risky approach. Organizations would be well served by understanding who has access, validating the business need of that access, and establishing a supplier security governance program to identify and resolve discrepancies.
IT security teams in organizations are already overburdened with growing demands, and the pool of available, skilled and experienced security practitioners is shrinking. It is therefore advisable that internal IT security resources are adequately supplemented with third-party security services.
Pan-industry initiatives may be necessary to develop standards and best practices for securing blockchain systems. Such initiatives are already underway at both the regulator level and the industry level, in sectors such as healthcare, logistics, etc. Organizations should invest in such initiatives to collectively learn on the go and make blockchains safer.