A blockchain network is only as secure as its infrastructure
With the hype around cryptocurrencies, there has been tremendous press about Blockchain, the distributed ledger technology, and its use cases. Many talk about it as a breakthrough solution for addressing many IoT security and performance issues. Blockchain relies heavily on Public Key Infrastructure (PKI), yet it doesn’t define any security model for protecting the participating nodes and their PKI keys. We need to understand the inherent security risks in Blockchain before we claim victory on its applicability for Enterprise IoT use cases.
In the past, several users have publicly complained of stolen private keys and Bitcoins. There isn’t any assurance on the security posture of the nodes in the network: many participating Blockchain nodes may be running on Operating Systems without the latest patches. What are the consequences of that?
Blockchain, a distributed ledger technology, is a chain of digital “blocks” that contain transaction records. Each block typically contains a hash pointer linking it to the previous block, a timestamp and transaction data. This makes it difficult to tamper with a single record, because a hacker would need to change the block containing that record as well as every block linked after it to avoid detection. The records on a blockchain are secured through cryptography. Network participants have their own private keys, which sign the transactions they make and act as a personal digital signature. If a record is altered, the signature becomes invalid and the peer network knows right away that something has happened. It would require massive amounts of computing power to access every instance (or at least a 51 percent majority) of a certain blockchain and alter them all at the same time. This is the real value of Blockchain: immutable trust for transactions. However, there are other conditions and requirements to consider when you want to use a blockchain for Enterprise IoT.
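To make the hash-pointer and signature mechanics concrete, here is a small added example (written for this article, not code from the original post or from Device Authority). It builds a toy ledger in Go where every block carries the SHA-256 hash of its predecessor, a timestamp, a transaction payload and the author's Ed25519 signature, then checks the chain against a membership list of allowed signer keys, the way a permissioned network ties blocks to known identities. The block layout, the sensor-reading transactions and the membership list are all constructed assumptions for illustration; the scenarios show that an edit without re-signing breaks the signature, a block forged with a stolen member key breaks the next block's hash pointer, a block signed by a non-member is rejected outright, and a tail rewritten end-to-end with a stolen key is not caught by this single-copy check at all, which is exactly why the key protection and the peer copies the article discusses matter.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Block is a minimal ledger entry: hash pointer to the previous block, timestamp,
// transaction payload, the signer's public key and the signer's Ed25519 signature.
// This layout is an assumption made for the example, not any real ledger format.
type Block struct {
	PrevHash  [32]byte
	Timestamp int64
	Tx        string
	PubKey    ed25519.PublicKey
	Sig       []byte
}

// contents serialises the fields covered by the signature (everything but Sig).
func (b *Block) contents() []byte {
	var buf bytes.Buffer
	buf.Write(b.PrevHash[:])
	binary.Write(&buf, binary.BigEndian, b.Timestamp)
	buf.WriteString(b.Tx)
	buf.Write(b.PubKey)
	return buf.Bytes()
}

// Hash is the block identifier stored by the next block as its hash pointer.
func (b *Block) Hash() [32]byte {
	return sha256.Sum256(append(b.contents(), b.Sig...))
}

// AppendBlock builds and signs a new block on top of prev (nil for the genesis block).
func AppendBlock(prev *Block, ts int64, tx string, priv ed25519.PrivateKey) *Block {
	b := &Block{Timestamp: ts, Tx: tx, PubKey: priv.Public().(ed25519.PublicKey)}
	if prev != nil {
		b.PrevHash = prev.Hash()
	}
	b.Sig = ed25519.Sign(priv, b.contents())
	return b
}

// VerifyChain walks the ledger and checks, for each block, that the hash pointer matches
// the previous block, that the signer is a known member and that the signature is valid.
// It returns the index of the first bad block, or -1 when the chain is intact.
func VerifyChain(chain []*Block, members map[string]bool) int {
	var prevHash [32]byte
	for i, b := range chain {
		if b.PrevHash != prevHash {
			return i // hash pointer does not match the block before it
		}
		if len(b.PubKey) != ed25519.PublicKeySize || !members[hex.EncodeToString(b.PubKey)] {
			return i // signer is not an enrolled participant
		}
		if !ed25519.Verify(b.PubKey, b.contents(), b.Sig) {
			return i // contents no longer match the signature
		}
		prevHash = b.Hash()
	}
	return -1
}

// RunScenarios builds a three-block chain of constructed sensor readings and reports
// what VerifyChain returns for the intact chain and for four tampering cases.
func RunScenarios() map[string]int {
	memberPub, memberPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, outsiderPriv, _ := ed25519.GenerateKey(rand.Reader)
	members := map[string]bool{hex.EncodeToString(memberPub): true}

	build := func() []*Block {
		g := AppendBlock(nil, 1000, "genesis", memberPriv)
		b1 := AppendBlock(g, 1001, "sensor-42 reading 21.5C", memberPriv)
		b2 := AppendBlock(b1, 1002, "sensor-42 reading 22.0C", memberPriv)
		return []*Block{g, b1, b2}
	}
	res := map[string]int{}

	chain := build()
	res["intact"] = VerifyChain(chain, members)

	chain = build() // edit a record without re-signing: signature check fails at block 1
	chain[1].Tx = "sensor-42 reading 99.9C"
	res["edited"] = VerifyChain(chain, members)

	chain = build() // forge block 1 with a stolen member key: block 2's hash pointer fails
	chain[1] = AppendBlock(chain[0], 1001, "sensor-42 reading 99.9C", memberPriv)
	res["forged_stolen_key"] = VerifyChain(chain, members)

	chain = build() // forge block 1 with a non-member key: membership check fails at block 1
	chain[1] = AppendBlock(chain[0], 1001, "sensor-42 reading 99.9C", outsiderPriv)
	res["forged_outsider_key"] = VerifyChain(chain, members)

	chain = build() // rewrite block 1 and every later block with the stolen key: not detected
	chain[1] = AppendBlock(chain[0], 1001, "sensor-42 reading 99.9C", memberPriv)
	chain[2] = AppendBlock(chain[1], 1002, chain[2].Tx, memberPriv)
	res["rewritten_tail"] = VerifyChain(chain, members)
	return res
}

func main() {
	for name, firstBad := range RunScenarios() {
		fmt.Printf("%-20s first bad block: %d\n", name, firstBad)
	}
}
```

The last scenario is the one the article's warning about stolen keys is about: once an attacker holds a member's private key, a single node's local verification cannot tell a rewritten tail from the original, so detection falls back on the other participants' copies of the ledger and on protecting the key in the first place.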
To understand the inherent security risks in blockchain technology, it’s important to understand the difference between public and private Blockchains. The sole distinction between public and private Blockchains is who can participate in the network.
Need to address the security of the participating nodes and infrastructure
Private Blockchains offer a degree of control over participating nodes and the transaction verification process, which makes them more suitable for Enterprise use cases. Private Blockchains use identity to confirm membership and access privileges, so the participants in the network know exactly who they are dealing with. These systems are still evolving, and many of them need to address the security of the system and of the assets it manages or stores. This is no different from traditional Enterprise security for managing the infrastructure associated with the network. As an example, it is fundamental to protect the private key of each participating node.
An Enterprise private blockchain consists of a permissioned network in which consensus can be achieved through a process called “selective endorsement,” where known users verify the transactions. The advantage of this for businesses is that only participants with the appropriate access and permissions can maintain the transaction ledger. This calls for traditional Enterprise IAM (Identity and Access Management) features extended to participating nodes.
If an attacker can gain access to the Enterprise blockchain network, they are likely to gain access to the data as well. The original Blockchain technology was created without specific access controls because of its public nature. For Enterprise use cases with a private Blockchain, data confidentiality and access controls are very important. To manage this, Enterprises follow suitable key management and access policy procedures.
Blockchain, the distributed ledger technology, may prove to be valuable for IoT use cases, but it is only as valuable as the security of the participating nodes. To maximize its usefulness, specifically for the enterprise, Blockchain as a technology must evolve to embrace device-centric IAM functions. Identity and Blockchain can work together to create new use cases. This approach would help secure the core Blockchain infrastructure for:
Device Authority specializes in device-centric IAM with a focus on automated PKI and security management functions for IoT devices and data. Our KeyScaler platform delivers the device and data trust at scale for any Enterprise Blockchain implementation.