Putting blockchain technology to good use
Experts share their views on the best and most effective ways information security professionals can use blockchain technology
By 2025, public blockchain will provide a core interoperable foundation for global decentralised identity management, according to Gartner research.
In the Gartner 2019 CIO Agenda survey, 60% of CIOs said they expected some level of adoption of blockchain technologies in the next three years.
RV Raghu, a director of Isaca, the international professional association focused on IT governance, believes that since it offers a way to manage records without any central control, blockchain will find plenty of uses to support the always-connected nature of society.
“One of the simplest things that can be done is to identify what data is to be recorded for each transaction,” he says.
Raghu says that by using blockchain, all relevant details will be recorded for posterity, establishing an audit trail, which will withstand necessary scrutiny within the enterprise and from a regulatory perspective.
“Add to this mix the fact that the data is encrypted and cannot be changed by any one entity, and an ironclad forensic trail can be established with the right configuration of the blockchain,” he says.
The validation process ensures high integrity. Mike Yeomans, a research analyst at the Information Security Forum (ISF), says: “Validation depends on the distributed nature of the network, making a blockchain highly available and resilient. Provided just one node remains available, the blockchain continues to function and the ledger can be viewed by any stakeholder.”
Real-world uses of blockchain
Such “guarantees” of integrity and high availability make blockchain well suited for supply chains. For instance, Maersk and IBM have partnered on a blockchain platform that records and tracks shipping manifests across global supply chains. Volvo also uses a blockchain to track and verify ethical sourcing of rare earth minerals used in vehicle production.
For Maersk’s globalised trade, fraud and complex information management are considerable challenges.
“By using a single, centralised ledger that is deemed immutable and is available to all authorised stakeholders, such obstacles are significantly reduced. Five of the world’s six largest shipping companies (and many smaller suppliers) now participate in Maersk’s blockchain platform,” says Yeomans.
The logistics company says its platform offers greater trust, transparency and collaboration across supply chains and helps promote global trade.
The single, shared platform at Maersk is designed to streamline the supply chain and remove the need for endless spreadsheets and programmes, easing logistical administration and saving money.
“The distributed and consensus-driven approach to validating blocks protects against tampering or adding fraudulent transactions to the ledger,” says Yeomans. “Even if a node is compromised, attempts to falsify the digital ledger to conceal theft or cargo smuggling will be detected and prevented by the validation performed by other nodes, as they will reject fraudulent blocks.”
For Yeomans, using a blockchain to verify supply chain ethics also uses the blockchain’s transaction ledger, which is widely available and considered to be of high integrity.
He says Volvo’s application of a blockchain makes use of the integrity and availability attributes that the technology offers to trace if products in its supply chain have been sourced from regions of conflict.
“Falsification of documents is commonplace in conflict regions, so blockchain makes that process far harder, while the transparent nature of the ledger makes tracking the often lengthy journey of shipments much easier,” says Yeomans. “Again, this greatly reduces overheads associated with information exchange and streamlines the process of looking to identify if items are being stolen from or falsely added to the supply chain.”
Public sector blockchain
In the public sector, blockchain has the potential to enable the construction of the digital self – the equivalent of a digital passport.
Richard Hunt, founder of Turnkey Consulting, believes that once an individual has been through the process to prove their identity, this proof can be reused in other situations where ID is required.
“A digital identity would enable citizens to take back control of their data and their identity, choosing who to share this information with and, perhaps more importantly, who not to,” he says. “It would also allow individuals to both fully understand and capitalise on the value of their personal data.”
Gartner distinguished vice-president David Furlonger says governments are looking at ways blockchain can be deployed to improve efficiency.
Efficiency-based initiatives are founded on the idea that decentralised, multiparty transactions can be streamlined using blockchain to solve transactions. Government interests are mostly driven by their need to decrease friction in disconnected processes, interactions or transactions between a variety of government organisations or involving the broader public/private ecosystems.
“The US states of Vermont and Delaware, as well as Dubai, have shown some of the most visible and ambitious efforts on the use of blockchain for organising government records,” says Furlonger.
Uses in IT security
Blockchain should be far harder to break, according to veteran cyber security expert Eoin Keary.
“Given blockchain’s distributed ledger, if someone tries to alter the data, the system analyses the entire chain, compares each block of data in the chain and excludes any that do not match up, which prevents unauthorised changes,” he says.
This means it is possible to use blockchain to ensure the integrity of critical IT systems. Keary believes blockchain could be used to manage DNS records such that unauthorised changes could be performed only by the domain owner.
“DNS records would be immutable and distributed, making it nearly impossible to attack,” he says. “The attacker would need to attack all nodes due to blockchain’s distributed ledger.”
Another use in IT security relates to decentralised storage. Since data is not stored in a single place, but rather thousands of nodes, Keary believes this makes it very difficult for an intruder to harvest complete datasets.
For Ovum research director Maxine Holt, blockchain’s peer-to-peer (P2P) architecture and intrinsic security technologies – including the encryption/hashing of data, redundant and immutable ledgers, robustness of data to compromised nodes, and use of hardware wallets and chip-level trusted execution environments – bring the potential to increase internet of things (IoT) security.
“These characteristics enable the development of networks of trusted devices – whether in private or public blockchain deployments,” she says.
In terms of IoT security, Keary says blockchain can be used in relation to threat and operational monitoring scenarios.
“Using blockchain, devices can work together and agree what ‘normal’ looks like, and as a result, alert or lock devices which are behaving out of the boundaries of normality,” he says. “The beauty of blockchain is the fact that there is no central authority and thousands/millions of nodes collectively control and make decisions based on the blockchain integrity.”
According to Keary, the concept of an immutable ledger can be applied to asset management or data integrity and configuration controls such that history of asset profiles or integrity hashes for software downloads can be stored in a blockchain.
“The hashes for a given download or software installation can be compared to the hash stored in the blockchain to help ensure software is not compromised with malware,” he adds.
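The chain validation and download-hash comparison described above can be sketched as follows. This is an added example, not code from the article or from any product it mentions; it models a single local copy of a hash-linked ledger (no distributed consensus), and every function name, artefact name and sample content is constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" of the first block (constructed value)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def block_hash(index, prev, artifact, digest):
    # Canonical JSON so every verifier hashes exactly the same bytes.
    return sha256_hex(json.dumps([index, prev, artifact, digest]).encode())

def append_release(chain, artifact, content: bytes):
    """Record the SHA-256 of a release, linked to the previous block's hash."""
    index, prev = len(chain), (chain[-1]["hash"] if chain else GENESIS)
    digest = sha256_hex(content)
    chain.append({"index": index, "prev": prev, "artifact": artifact,
                  "digest": digest,
                  "hash": block_hash(index, prev, artifact, digest)})

def first_bad_block(chain):
    """Index of the first block that fails validation, or None if intact."""
    prev = GENESIS
    for i, b in enumerate(chain):
        expected = block_hash(b["index"], b["prev"], b["artifact"], b["digest"])
        if b["index"] != i or b["prev"] != prev or b["hash"] != expected:
            return i
        prev = b["hash"]
    return None

def verify_download(chain, artifact, content: bytes) -> bool:
    """True only if the ledger is intact and the newest recorded digest matches."""
    if first_bad_block(chain) is not None:
        return False
    recorded = [b["digest"] for b in chain if b["artifact"] == artifact]
    return bool(recorded) and hmac.compare_digest(recorded[-1], sha256_hex(content))

def build_sample_chain():
    # Constructed sample releases; names and contents are placeholders.
    chain = []
    for name, content in [("agent-1.0.tar.gz", b"agent build 1.0"),
                          ("agent-1.1.tar.gz", b"agent build 1.1"),
                          ("cli-2.0.tar.gz", b"cli build 2.0")]:
        append_release(chain, name, content)
    return chain

if __name__ == "__main__":
    ledger = build_sample_chain()
    print(verify_download(ledger, "agent-1.1.tar.gz", b"agent build 1.1"))
    ledger[1]["digest"] = sha256_hex(b"tampered build")  # edit one record in place
    print(first_bad_block(ledger))
```

A single copy of the ledger cannot detect an edit in which every later block is also recomputed; that case is what the comparison against other nodes' copies, described earlier in the article, is meant to catch.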
Keary says identity and access management (IAM) is also a candidate for blockchain.
“A blockchain-based IAM solution would render it impossible for hackers to enter a network/system and leave in an undetected manner,” he says. “The attacker can no longer hide their tracks or tamper with access logs to erase records or their unwarranted access due to blockchain immutability.”
Broken links
While it offers many benefits, the industry has realised there is still much to be done before blockchain technology becomes mainstream. Almost exactly a year ago, in London, Dean Demellweek, digital innovation strategist at BNP Paribas, said that following the huge hype surrounding blockchain, the technology faced a “chasm to cross” if early pilots were to be applied to real-life business challenges.
The Barclays and Wave pilot of 2016, and more recent pilots at HSBC and ING, have illustrated the possibility of using blockchain for faster, cheaper and more secure transactions.
However, Gareth Lodge, financial services analyst at Celent, believes blockchain is still not properly understood. “It tends to get mixed up with a number of other things, most usually distributed ledger technology and cryptocurrencies,” he says. “As a result, some suppliers are being asked if their solution runs on blockchain. As one noted, ‘Not sure why they’re asking as they didn’t ask me last year if it was running on SQL’.”