Device Authority Secures Enterprise Blockchain Infrastructures
An Enterprise private blockchain consists of a permissioned network in which consensus is implemented through a process called selective endorsement, where known users/peers verify the transactions. The advantage of this for businesses is that only participants with the appropriate access and permissions can update the ledger. This calls for traditional Enterprise IAM (Identity and Access Management) features extended to participating nodes. The identity management is implemented with PKI Digital Certificates. Each participating organization or service provider is responsible for implementing the right IAM and CA functionality. Also, the infrastructure that runs the blockchain application needs standard IT security controls for preventing un-authorized access.
Device Authority KeyScaler provides the functionality:
- IAM for Blockchain nodes
- Protecting private keys and crypto keys
- Preventing unauthorized access
- Delivering end-to-end data security/privacy
- Delegated transaction signing
Private Key Protection on Physical or Virtual Nodes
Blockchain is considered a breakthrough solution for addressing many use cases. It relies heavily on Public Key Infrastructure (PKI), but it doesn’t have a defined security model to secure the participating nodes and PKI keys.
Private Key Protection on Cloud Infrastructure
In a virtualized cloud infrastructure, typical hardware secure storage like Trusted Platform Module (TPM) is not available. Any nodes running on cloud infrastructure require private key protection. While cloud infrastructure providers offer Hardware Security Module (HSM) and key management services, the usual node authorization to the service itself can be compromised.
Managing Identity and Authorization Model for Enterprise Private Blockchains
Enterprise private blockchain consists of a permissioned Blockchain network in which consensus can be achieved through a process called “selective endorsement,” where known entities verify the transactions. The advantage for businesses is that only participants with access and permissions can maintain the transaction ledger. This calls for Enterprise IAM features extended to participating nodes.
Prevent Un-authorized Access to Critical Infrastructure
For use cases leveraging private Blockchain and vendor managed infrastructure, identity management that controls who is authorized to resources on the network, data confidentiality and access controls are important.
Some of the unique characteristics of Blockchain technology like decentralization, replicated data stores, and consensus or permissioned mechanisms introduce scalability challenges. While PKI is a proven technology for identity and data security, implementing and managing at scale for Blockchain isn’t easy.
HSM Myth – Perfect Data Protection
HSMs are popular for secure key generation and storage. While private keys are protected in HSMs, it is still possible for attackers to compromise credentials used by nodes, and admin servers that connect directly to HSM.
Enterprise private Blockchain implementations are now mainstream and require more stringent security for key management and operations. To harness the benefits of Enterprise Blockchains, technology must evolve to embrace device centric identification and authorization functions. This approach helps secure Blockchain infrastructure for:
- Participating nodes identification, authorization and protecting the private key
- Data security, privacy and authorization policies
- Security management functions for Blockchain implementations
- Automation for Blockchain security operations
Solution / How We Do It
Device Authority specializes in Device Centric IAM to address the above issues. KeyScaler delivers the required functionality at scale for Enterprise Blockchain implementations. Relevant capabilities are:
- Device Registry: A centralized registry of all the entities in your KeyScaler network
- Device Authentication: Automated, dynamic verification of every registered entity
- Dynamic Device Key Generation (DDKG): Patented technology based dynamic key generation, device-derived key technology
- Secure Soft Storage: To prevent theft of secrets and unauthorized usage, the secure software enclave stores the private key or other secrets in an encrypted state. Decryption is available only to authorized applications defined in the credential provisioning policy on the KeyScaler server
- Policy Management: Provides a centralized security posture for governing entities
Typical steps involved in implementing the solution:
1. Register entities
2. Derive crypto key for encryption
3. Encrypt the private keys, secrets or data
4. Get crypto key for decryption
5. Decrypt the private keys, secrets or data
Have a Question?
Interested in learning more about our Blockchain solution? Schedule a 20-minute, online meeting with a specialist to discuss your individual requirements.