Blockchain Security Revisited
Don't assume the built-in security of blockchain technology is sufficient for your enterprise. Here are seven concerns to evaluate.
- By Brian J. Dooley
- August 20, 2018
Since its inception, blockchain has been touted for its security features. Security is ensured by a number of features -- based on its distributed nature, immutability, verifiability, and encryption -- as explained in a previous article, "Security Implications of Blockchain."
These features do, indeed, provide the basis for a secure and unalterable ledger. However, as blockchain becomes increasingly important to business, its security cannot be taken for granted.
As with many security issues, the devil is in the details. Actual security is very much dependent on implementation. With anything promoted as a panacea, there is a tendency to assume that the solution will provide all of its magic out of the box. However, blockchain can be complicated due to the large number of possible settings, and each system characteristic can have independent or aggregate security implications. Bitcoin and Etherium, for example, have both experienced significant hacking episodes that have revealed inherent blockchain security weaknesses that must be understood. Additionally, security experts have been at work examining the surrounding environment -- technical and organizational -- of enterprise blockchain implementation.
Blockchain is based on smart contracts that are distributed as a chain of data to all nodes on the network. Adding new blocks requires permission and verification, which is provided by Bitcoin via "mining" using a proof-of-work concept with verification by at least 51 percent of the nodes on the network. Private blockchain networks use other methods, but distributed verification and permission is an essential element of blockchain security.
Blockchain also uses public-key encryption to ensure security, adding potential vulnerabilities due to system characteristics, such as the need to store keys where they might be discovered. Finally, blockchains exist within the corporation's overall security environment, so some security practices may need to be adjusted to ensure that the ledger cannot be hacked by increasingly sophisticated attackers.
Specific issues to consider include:
- Selective block authorization. Many enterprises will need to assign different permissions for different blocks in a blockchain. Bank of America recently patented its process, noting in the patent that "a need exists to develop systems ... that manage control over blocks of resources."
- Data quality. Blockchain does not ensure the quality of stored data. With its permanent nature and difficulty altering blocks, mistakes could live forever. Such errors could compromise other systems that rely on the data.
- Situational inadequacy. Blockchain solutions incorporate a mix of algorithms and practice. If this mix does not meet an enterprise's security needs or compromises security elements, significant weaknesses can develop and be exploited.
- Network disruption. Network disruption can be caused by conventional and blockchain-specific exploits such as node spoofing (pretending to be a legitimate node). Such attacks can break consensus protocols, prevent verification, and combine with other attack vectors.
- Cryptographic key theft. A key component of many blockchain schemes is public-key encryption. Keys may be stolen from online wallets, other network locations, mobile devices, and other storage to compromise the system or gain complete access.
- Network scale. Networks that are too large may enable DDoS exploits that affect consensus through verification latency (some nodes unable to participate, leading to inability to verify requests). Transactions could be too slow and multiple rapid transactions could confuse protocols. Networks that are too small, such as private networks, open the possibility of controlling more than half the nodes and defeating safeguards.
- Vendor platform. Software vendors and external software suppliers can provide sophisticated blockchain platforms that take care of the complexities of implementation. However, the trade-off is that their inner operations are often poorly understood, potentially leading to hidden security issues.
These are just a few of the issues an enterprise must consider to ensure blockchain security. There are wide differences in operation between implementations, not only in the specifics of the technology but also in the organization's overall security environment of the firm. These concerns need to be considered carefully, but the good news is that all can be remedied.
Implement Wisely to Secure Well
Blockchain is an excellent technology for ensuring a high level of security for a distributed ledger. As with all security, however, the technology is surrounded by technical and social elements that cannot be ignored. Security always involves some trade-offs, and this is true for blockchain. Determining the best choice demands consideration of the whole surrounding environment and the security priorities of the firm. Decisions must be weighed carefully, particularly where decisions might affect data accessibility, regulatory compliance, or auditability.
Blockchain has gone through its initial generation of promise, hype, and experimentation. It has been considered and applied to innumerable situations. Now it is time to move into the next generation in which the specific details of the technology and their impact are more carefully considered. Security will be one of the most important issues.
Brian J. Dooley is an author, analyst, and journalist with more than 30 years' experience in analyzing and writing about trends in IT. He has written six books, numerous user manuals, hundreds of reports, and more than 1,000 magazine features. You can contact the author at [email protected].