The importance of protecting Identity, Integrity and Data security policies of participating IoT nodes in the Blockchain network
A blockchain network is only as secure as its infrastructure
With the hype around cryptocurrencies, there has been tremendous press about Blockchain, the distributed ledger technology, and its use cases. Many talk about it as a breakthrough solution for many IoT security and performance issues. Blockchain relies heavily on public key cryptography and, in permissioned deployments, on a Public Key Infrastructure (PKI), yet it defines no security model for the participating nodes or the private keys they hold. We need to understand the inherent security risks in Blockchain before we claim victory on its applicability to Enterprise IoT use cases.
In the past, several users have publicly complained of stolen private keys and the bitcoins those keys controlled. There is no assurance on the security posture of the nodes in the network: many participating Blockchain nodes may be running on operating systems without the latest patches. What are the consequences of that?
Understanding the Blockchain
A Blockchain, the distributed ledger, is a chain of digital “blocks” that contain transaction records. Each block typically contains a hash pointer linking it to the previous block, a timestamp and transaction data. This makes it difficult to tamper with a single record, because an attacker would need to change the block containing that record as well as every block linked after it to avoid detection. The records on a blockchain are secured through cryptography. Each network participant holds a private key with which it signs the transactions it submits; the signature acts as that participant's digital signature. If a record is altered, the signature becomes invalid and the peer network knows right away that something has happened. Rewriting history would require access to every copy of the chain (or, in a proof-of-work network, control of a majority of the hashing power, the so-called 51 percent attack) and altering them all at the same time. This is the real value of Blockchain: a tamper-evident record of transactions. Note what the signature does not prove, however: it shows only that the holder of the private key signed the record, so a stolen node key produces transactions the ledger cannot distinguish from genuine ones. There are therefore other conditions and requirements to consider when you want to use a blockchain for Enterprise IoT.
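The mechanics described above, as an added example that is not code from the original page or from Device Authority: a minimal permissioned ledger in Go where each block carries a SHA-256 hash pointer to its predecessor and each record is Ed25519-signed by a member node. The type and function names (`Chain`, `Block`, `Tx`, `NewNode`, `AddBlock`, `Verify`) and the sample meter readings are invented for illustration. The `main` walks through the three cases the text raises: a non-member node is rejected, an edited record breaks both its signature and the hash chain, and a record re-signed with a stolen member key and rehashed across every later block passes verification unnoticed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Tx is one ledger record: the signing node's public key (its identity),
// the payload, and the node's Ed25519 signature over the payload.
type Tx struct {
	Node    ed25519.PublicKey
	Payload string
	Sig     []byte
}

// Block carries a hash pointer to the previous block, a timestamp and records.
type Block struct {
	Index     int
	Timestamp int64
	PrevHash  string
	Txs       []Tx
	Hash      string
}

// Chain is a permissioned ledger: only admitted member keys may submit records.
type Chain struct {
	Blocks  []Block
	members map[string]bool // hex(public key) -> admitted
}

// NewNode generates a node key pair. In production this private key should
// live in hardware (TPM / secure element); here it is an in-memory example key.
func NewNode() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewTx signs payload with the node's private key.
func NewTx(priv ed25519.PrivateKey, payload string) Tx {
	pub := priv.Public().(ed25519.PublicKey)
	return Tx{Node: pub, Payload: payload, Sig: ed25519.Sign(priv, []byte(payload))}
}

// BlockHash commits to every field of the block except Hash itself.
func BlockHash(b Block) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%d|%s|", b.Index, b.Timestamp, b.PrevHash)
	for _, t := range b.Txs {
		fmt.Fprintf(h, "%x|%s|%x|", []byte(t.Node), t.Payload, t.Sig)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// NewChain creates the genesis block and records the admitted member keys.
func NewChain(members ...ed25519.PublicKey) *Chain {
	c := &Chain{members: map[string]bool{}}
	for _, m := range members {
		c.members[hex.EncodeToString(m)] = true
	}
	g := Block{Index: 0, Timestamp: time.Now().Unix()}
	g.Hash = BlockHash(g)
	c.Blocks = append(c.Blocks, g)
	return c
}

// checkTx enforces membership (identity) and signature validity (integrity).
func (c *Chain) checkTx(t Tx) error {
	if !c.members[hex.EncodeToString(t.Node)] {
		return fmt.Errorf("node %s is not a member", hex.EncodeToString(t.Node))
	}
	if !ed25519.Verify(t.Node, []byte(t.Payload), t.Sig) {
		return fmt.Errorf("invalid signature on %q", t.Payload)
	}
	return nil
}

// AddBlock validates every record, then links a new block to the chain head.
func (c *Chain) AddBlock(txs ...Tx) error {
	for _, t := range txs {
		if err := c.checkTx(t); err != nil {
			return err
		}
	}
	prev := c.Blocks[len(c.Blocks)-1]
	b := Block{Index: prev.Index + 1, Timestamp: time.Now().Unix(), PrevHash: prev.Hash, Txs: txs}
	b.Hash = BlockHash(b)
	c.Blocks = append(c.Blocks, b)
	return nil
}

// Verify re-derives every block hash, hash pointer and signature.
func (c *Chain) Verify() error {
	for i, b := range c.Blocks {
		if BlockHash(b) != b.Hash {
			return fmt.Errorf("block %d: contents do not match stored hash", i)
		}
		if i > 0 && b.PrevHash != c.Blocks[i-1].Hash {
			return fmt.Errorf("block %d: hash pointer to block %d is broken", i, i-1)
		}
		for _, t := range b.Txs {
			if err := c.checkTx(t); err != nil {
				return fmt.Errorf("block %d: %v", i, err)
			}
		}
	}
	return nil
}

func main() {
	pub, priv := NewNode() // an admitted IoT node
	_, outsider := NewNode()
	c := NewChain(pub)
	fmt.Println(c.AddBlock(NewTx(priv, "meter-12 reading=418kWh")))    // <nil>
	fmt.Println(c.AddBlock(NewTx(outsider, "meter-12 reading=0kWh")))  // not a member
	fmt.Println(c.AddBlock(NewTx(priv, "meter-12 reading=420kWh")))    // <nil>

	c.Blocks[1].Txs[0].Payload = "meter-12 reading=0kWh" // edit a committed record
	fmt.Println(c.Verify())                               // hash mismatch on block 1

	// Attacker holding the node's stolen key re-signs the record and rehashes
	// block 1 only: block 2's hash pointer now exposes the rewrite.
	c.Blocks[1].Txs[0] = NewTx(priv, "meter-12 reading=0kWh")
	c.Blocks[1].Hash = BlockHash(c.Blocks[1])
	fmt.Println(c.Verify())

	// Rewriting every later block as well leaves nothing for Verify to detect.
	c.Blocks[2].PrevHash = c.Blocks[1].Hash
	c.Blocks[2].Hash = BlockHash(c.Blocks[2])
	fmt.Println(c.Verify()) // <nil>: a valid-looking chain built on a stolen key
}
```

The last two steps are the point of the page: the hash chain makes a rewrite expensive across many independent copies, but it offers no protection at all once a member node's private key is in the wrong hands, which is why the node's key storage and patch level matter as much as the ledger itself.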
Public Vs Private Blockchains
To understand the inherent security risks in blockchain technology, it’s important to understand the difference between public and private Blockchains. The sole distinction between the two is who can participate in the network.
- A public Blockchain network is completely open: anyone can join and read or write transactions. Cryptocurrency models like Bitcoin rely on a public Blockchain. In Bitcoin, because no participant is trusted to verify transactions, every node follows a consensus algorithm (proof of work) in which verification is backed by committed computing resources.
- A private Blockchain network requires an invitation, validated either by the network starter or by a set of rules the network starter has put in place. This restricts who can participate in the network, and which transactions each participant can take part in. Once an entity has joined the network, it plays a role in maintaining the Blockchain in a decentralized manner.
Private Blockchains for Enterprises
Need to address the security of the participating nodes and infrastructure
Private Blockchains offer a degree of control over the participating nodes and the transaction verification process, which makes them more suitable for Enterprise use cases. Private Blockchains use identity to confirm membership and access privileges, so the participants in the network know exactly who they are dealing with. These systems are still evolving, and many of them have yet to address the security of the system itself and of the assets it manages or stores. This is no different from traditional Enterprise security for the infrastructure behind the network. As an example, it is fundamental to protect the private key of each participating node: a valid signature made with a stolen key is accepted by the ledger like any other.
An Enterprise private blockchain consists of a permissioned network in which consensus can be achieved through a process called “selective endorsement,” where known users verify the transactions. The advantage of this for businesses is that only participants with the appropriate access and permissions can maintain the transaction ledger. This calls for traditional Enterprise IAM (Identity and Access Management) features extended to participating nodes.
If an attacker can gain access to the Enterprise blockchain network, they can typically read the ledger data as well, because the original Blockchain technology was created without access controls, in keeping with its public nature. For Enterprise use cases on a private Blockchain, data confidentiality and access controls are therefore very important. To manage this, Enterprises must follow suitable key management and access policy procedures.
Blockchain, the distributed ledger technology, may prove to be valuable for IoT use cases. But it is only as valuable as the security of the participating nodes. To maximize its usefulness, specifically for the enterprise, Blockchain as a technology must evolve to embrace device-centric IAM functions. Identity and Blockchain can work together to create new use cases. This approach would help secure the core Blockchain infrastructure for:
- Participating node identity and integrity, including protection of the node's private key
- Data security/privacy and authorization policies
- Security management functions for Blockchain implementations
Device Authority can help to make Enterprise IoT Blockchain ready
Device Authority specializes in device-centric IAM with a focus on automated PKI and security management functions for IoT devices and data. Our KeyScaler platform delivers device and data trust at scale for any Enterprise Blockchain implementation.