While many organizations are exploring potential blockchain applications, CIOs must keep one fact in mind for effective implementations: blockchain is not inherently secure, said Gartner research director David Mahdi in a session at the 2018 Gartner Symposium / ITxPo.
"It's based on really exceptional security technology, but it cannot be assumed to be safe," Mahdi said.
For those unfamiliar with it, blockchain is a type of distributed ledger in which value-exchange transactions (in bitcoins or other tokens) are grouped sequentially into blocks. Each block is chained to the previous block and immutably recorded across a peer-to-peer network, using trust and cryptographic security mechanisms, Mahdi said.
Blockchain offers several key benefits, including integrity, immutability, availability / resilience, and trust in systems where the parties may not fully trust one another, Mahdi said. "Blockchain becomes a source of truth," Mahdi said. "It does not matter what the use case is."
By 2020, at least one catastrophic vulnerability will disrupt one of the major blockchain platforms, causing significant damage, according to Gartner. CIOs and CISOs will be the parties responsible for mitigating the damage, Mahdi said. Especially for companies that invest heavily in marketing and publicity for their blockchain initiatives, "it can fall on you," he added.
Blockchain is a complex technology and may lack the clarity of oversight and audit that more traditional systems offer, Mahdi said. As a result, compliance and enforcement costs could increase with a blockchain implementation, and some regulatory environments may demand oversight that is difficult to achieve with the technology, he added. This is exacerbated by the lack of common standards or legal frameworks.
Smart contracts – one of the most publicized blockchain applications – are also vulnerable from a security point of view, Mahdi said. "They do not remove the threat of fraud," he added. Furthermore, it is easy for a developer to make a mistake and accidentally introduce a vulnerability into the contract code, he added.
"Anything that can go wrong with the code plus anything that can go wrong with legal plus network security issues equates to the risks of blockchain," Mahdi said.
Nor is blockchain immune to cyber attacks or fraud, Mahdi said. In many cases the cryptography is not the problem, but rather the endpoints that write to the blockchain, such as operating systems, network protocols, and key management, he added.
This becomes even more important given that, within 10 years, a quantum computer will be able to break modern cryptography, Mahdi said.
While blockchain is seen as a source of truth, it is necessary to "control who can put what data in the blockchain," Mahdi said. For example, bad actors who exploit user identities can potentially insert unwanted information into the blockchain, which cannot be deleted.
"It's a very critical question that turns the strength of immutability into a weakness," Mahdi said. "If you are responsible for a blockchain initiative at your organization, imagine if your customers' personal data went there in the clear, and you cannot delete it. It would be a big deal."
Companies must examine who has access to the blockchain, authenticate those who write to it, and filter the data (for example, allowing only encrypted or tokenized values instead of raw credit card numbers). "You can set limits to only accept certain types of data that are safe," Mahdi said.
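A pre-write data filter of the kind Mahdi describes, as an added example that is not from the article or from Gartner: it tokenizes a declared card field and refuses any write in which a Luhn-valid card number would otherwise land on the ledger. The key, field names and sample payloads are constructed.

```python
import hashlib
import hmac
import re

# Runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SEPARATORS = re.compile(r"[ -]")
KEY = b"demo-tokenization-key"  # constructed; a real key lives in an HSM/KMS, never on-chain

def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check; weeds out order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return every Luhn-valid card number candidate found in free text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = SEPARATORS.sub("", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed, non-reversible surrogate; the mapping back to the PAN stays off-chain."""
    return "tok_" + hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:24]

def gate_payload(payload: dict, key: bytes, card_field: str = "card") -> tuple:
    """Tokenize a bare PAN in the declared card field, then refuse the whole write
    if a raw PAN survives anywhere, since an immutable record cannot be purged."""
    clean = dict(payload)
    bare = SEPARATORS.sub("", clean.get(card_field, ""))
    if bare.isdigit() and 13 <= len(bare) <= 19 and luhn_valid(bare):
        clean[card_field] = tokenize_pan(bare, key)
    reasons = [f"{f}: raw card number would be recorded immutably"
               for f, v in clean.items() if find_pans(v)]
    return (not reasons, clean if not reasons else payload, reasons)

# Constructed sample writes: one well-formed, one leaking a PAN through a free-text memo.
OK_WRITE = {"order": "A-1001", "card": "4111 1111 1111 1111", "memo": "gift"}
BAD_WRITE = {"order": "A-1002", "card": "tok_existing", "memo": "paid with 4111-1111-1111-1111"}

if __name__ == "__main__":
    for write in (OK_WRITE, BAD_WRITE):
        accepted, out, why = gate_payload(write, KEY)
        print("WRITE" if accepted else "REJECT", out if accepted else why)
```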
By 2021, 70% of blockchain projects will expose organizations to GDPR or other privacy violations due to insufficient privacy controls, Gartner expects. "We have to be careful with these systems because once they're there, they're there," Mahdi said.
Scalability will be another important issue to solve, Mahdi said. "When transactions, data, devices and identities explode, the need to manage and store the artifacts related to them also increases," he added. "Ensure that downstream applications and the distributed ledger nodes support the scale."
Blockchain security model
CIOs can manage blockchain risks across three enterprise layers using Gartner's blockchain security model, Mahdi said:
1. Business logic layers
These layers cover definition of the business problem and the contracts, management of the consortia, and execution / resilience. The questions to ask include:
- What specific features are unique to the blockchain I need for this project?
- What is the governance model (trust framework) for the participating organizations and their members? Responsibility?
- What is the business life cycle for blockchain participants?
- What data will be captured?
2. Risk process and identity and access management (IAM) layers
These layers cover risk management and compliance, and IAM and cryptographic architectures. The questions to ask include:
- What are the regulatory issues relevant to the project? What are the options for meeting them inside the blockchain protocol?
- How are identity details handled?
- Are block payloads encrypted?
- How are the keys managed and revoked?
3. Technology and IT layers
These layers cover threat / network / node management and physical layer management. Security questions to ask include:
- What is the logic for resolving blockchain block collisions?
- What is the disaster recovery plan for blockchain participants?
- What is the minimum security posture required of blockchain clients or wallets to participate in projects?
Suggestions for CIOs
Mahdi offered the following four recommendations for CIOs to protect blockchain technologies in the enterprise:
1. Separate governance and accountability concerns from the blockchain technology
2. Take care of the basics of information security: Protect, identify, respond, anticipate, act. "Blockchain systems still require these," Mahdi said.
3. Take advantage of the blockchain model to identify, expand and manage business and technical risks
4. Plan for problems: evaluate incident response plans to address critical security events during the blockchain life cycle