Point/Counterpoint: Blockchain in Security

Written by

Terry Greer-King, VP EMEA, SonicWall

Blockchain: A Modern Cybersecurity Essential

After years of being protected by a clearly-defined security perimeter around the corporate network, enterprises now need to operate in a much less well-defined, ‘anytime, anywhere’ IT landscape. The previously strict security perimeter is vanishing in a multitude of connected devices across diverse geographical locations – all while attack vectors are becoming more invasive than ever.

The current cyber-landscape is defined by increasingly targeted attacks, even as it operates in a more distributed space than ever. The SonicWall 2020 Threat Report found that phishing attacks, for example, were down 42% on the previous year, but that’s not necessarily good news. Volume is down but complexity is up and phishing attacks will continue to target valuable Personally Identifiable Information (PII) for financial gain. At the same time, the number of endpoints is constantly increasing, especially given the explosion of the Internet of Things. Cybersecurity systems must be able to adapt to confront a changing threat landscape head-on and Blockchain technology, if implemented correctly, can be a crucial factor in protecting organizations.

It is important to note at this stage that Blockchain technology is not without fault. However, it does not need to be perfect to greatly improve cybersecurity processes. It will form part of a wider picture, a recalibration that democratizes data and emphasizes PKI cryptography over flawed human-centric decision-making.

Blockchain technology is designed so that data is not stored within a central entity. There is never a single, tangible data center, silo or warehouse which a cyber-criminal can target directly. Every single node across a single Blockchain is democratically controlled.

For example, if your car alerts you that you have a punctured tyre, you stop and get it fixed. If your car does not alert you, and you carry on as normal, you remain at risk. This is the same with business security. If you do not know that your system is compromised, how do you know what to change? Take a look at Marriott’s first data breach, for instance. Its system was first infiltrated during 2014, only to be announced to the public four years later. In that time, up to 500 million customer records were leaked. If the perimeter had been protected by a decentralized system of nodes connected in a Blockchain this would not have happened, as the second a hacker attempted to tamper with the data, the system would have analyzed each and every block, identifying any outliers and excluding them from the chain.

When external interfaces of the Blockchain, especially for the authentic inserting or reading of data, are secured, data is protected across the whole transactional route.

Despite the rapid advancement of technology, human error has and will continue to be a fundamental stumbling block in the fight against cybercrime. Educating the workforce can only go so far, as a single misjudgment is capable of giving cyber-criminals access to an enterprise’s entire repository of PII and other valuable data.

With Blockchain, devices and users are authenticated by businesses without the need for login details. Authentication becomes essentially ‘human error-proof.’ Decision making is in-built and managed at the edge, with PKI securing devices and users and lifting the weight of human oversight.

Every single transaction across a Blockchain is time-stamped and identifiable. From a cybersecurity perspective, this provides organizations with an extra level of reassurance that the data is authentic and has not been tampered with. Offering confirmation that the data within a Blockchain has followed a correct path and has not been tampered with externally ensures the data’s integrity throughout the transaction, effectively confirming that the data can be trusted.

Blockchain is still in its relative youth. We are only just breaking the surface of what can be achieved with this technology. In a sense, it is designed for the very era that we are now entering, the era of boundless computing. A multitude of devices can be secured by Blockchain PKI, distributed enterprise networks can be secured at the edge, organizations can tackle the persistent challenge of human error and the challenge of remote working, and decentralization ensures tampered-with systems are discovered and intruders stopped.

Blockchain has already proved to have a definitive voice in how organizations protect data. Blockchain implementations are not yet the status quo in cybersecurity strategies, but the advantages it offers guarantee that it will soon earn its place. As we continue our shift away from manual, and therefore error-prone, processes towards a more automated, democratic model, Blockchain will become a fundamental pillar that upholds data and enterprise security.

Ed Moyle, Partner, Security Curve

Blockchain: The Wrong Tool for Some Security Jobs

There’s an old saying about using ‘the right tool for the right job.’ The reason I’m bringing this up is because it’s a great metaphor for where the security industry is with Blockchain. Blockchain solves a set of discrete problems very well; it’s exactly the right thing for a narrow set of very specific problems, but the industry is trying to solve other problems with it – including those which it’s not well suited for. This is dangerous.

It’s dangerous for two reasons. The first is that the devil is in the details. The implementation – if done poorly – can lead to reduced security relative to more traditional alternatives that solve problems in other ways. Given the early state of Blockchain, the degree to which implementers often misunderstand its workings, and the lack of standardization, poor implementation is all too common.

Likewise, there are emergent properties associated with usage at scale that can be unexpected pain points. This means challenges that are difficult to predict on a small scale and only become apparent when usage is of a larger scale. We’ve seen this happen with cryptocurrencies (by far the largest and most mature of Blockchain implementations) and enterprise non-currency usage is not immune. 

To argue my case, let me start with what I mean by enterprise Blockchain in this context. I’m referring specifically to the ledger mechanism used by Bitcoin extended to enterprise production use for non-currency applications. It’s clear why organizations would want to do this: the primary value of Blockchain in a cryptocurrency is as a distributed ledger. There are thousands of applications upon which keeping a ledger (either financial or otherwise) plays a huge part, because cryptocurrencies use Blockchain to do this in a distributed way.

However, as I said, the devil is in the details. There are two parts to Blockchain: the data structure and proof of work. I mention this because, though pretty much all enterprise deployments employ the data structure part, only a subset include robust proof of work (or proof of stake).

This is a problem because the security properties of the distributed ledger are only possible due to proof of work. In a cryptocurrency context, the proof of work allows community consensus to validate transactions, since anyone seeking to undermine the system would require controlling more than 50% of CPU power. Therefore, a non-currency Blockchain use case that doesn’t include proof of work still requires a secured, vetted, controlled, audited and accountable central authority to maintain the ledger. Unless, of course, some other mechanism is used to enforce the security model. This means that authority still needs all the same security controls you’d require if you were using some other data structure instead. In this case, you’ve found a more expensive way to do fundamentally the same thing you’re already doing.

Even in the event that you do have proof of work/stake – or some other creative mechanism to enforce the security model – you still have challenges with implementation. How many security pros are comfortable unpacking and analyzing the engineering involved in a cryptographic module to validate the implementation? Sure, those folks exist – but is it likely that every company pursuing enterprise Blockchain has a team of them on staff? Even if they did, it’s too early for validation/auditing guidance, technical standardization, etc. This means that enterprises will need to solve those challenges themselves while that guidance is being developed. 

The second issue that organizations run into is emergent properties that can undermine security. I’ll use an example from the cryptocurrency world, in this case Bitcoin. Bitcoin is by far the largest Blockchain implementation in any context, therefore studying it and drawing lessons from it is both valid and necessary. Bitcoin, as we’ve discovered over time, has a ‘monopoly’ problem – at least with mining.

By this, I mean that the economics of mining Bitcoin lead invariably to monopolies in hardware and mining pools. The reason why is that the difficulty of the proof of work algorithm is non-constant: it scales based on hash rate. Therefore, more miners (or more efficient miners) make it more difficult for everyone to mine. What this means in practice is that only those who can mine most efficiently can do so profitably (at least over the long-term). Given a surplus of miners, the more efficient miners will drive down profitability for everyone else. Since there can be only one most efficient platform, all other platforms (at least above-board ones) will operate below the threshold of profitability. 

Why does this matter? Well, more than 50% of the hash rate happening on one platform opens up opportunities for attack. When a single entity can control or influence more CPU power than any other, there is the possibility of attack. In fact, this situation has already happened in the Bitcoin world: a vulnerability (AntBleed) impacted what was, at the time, as much as 70% of mining hardware, allowing possible subversion of the Blockchain. 

This is one example of an emergent property that already occurred in the cryptocurrency world. What will the emergent properties be for enterprise deployments? We won’t know until we reach the scale where it’s visible.

I’m not suggesting that Blockchain is necessarily bad or insecure per se. However, I am saying that, no matter how much promise Blockchain might hold for the future, rushing headlong into adoption without workmanlike, systematic analysis and testing is dangerous. However, the skills associated with doing that analysis and testing aren’t ubiquitous and can be challenging for organizations to gain access to. This means that, in the short-term, organizations need to be careful not to put themselves at undue risk.
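The distinction drawn above between the Blockchain data structure and proof of work can be shown in a few lines. This is an added example, not code from either author: the ledger format, function names and sample records are constructed for illustration, and "difficulty" here means the number of leading hex zeros required of each block hash.

```python
import copy, hashlib, json

GENESIS = "0" * 64

def block_hash(index, prev, data, nonce):
    return hashlib.sha256(json.dumps([index, prev, data, nonce]).encode()).hexdigest()

def build_chain(records, difficulty=0):
    """Chain records; difficulty 0 means no proof of work.
    Returns (chain, number of hashes computed)."""
    chain, prev, work = [], GENESIS, 0
    for i, data in enumerate(records):
        nonce = 0
        while not block_hash(i, prev, data, nonce).startswith("0" * difficulty):
            nonce += 1
        work += nonce + 1
        prev_hash, prev = prev, block_hash(i, prev, data, nonce)
        chain.append({"index": i, "prev": prev_hash, "data": data,
                      "nonce": nonce, "hash": prev})
    return chain, work

def verify(chain, difficulty=0):
    """Internal consistency only: links, hashes and the difficulty target."""
    prev = GENESIS
    for b in chain:
        h = block_hash(b["index"], prev, b["data"], b["nonce"])
        if b["prev"] != prev or b["hash"] != h or not h.startswith("0" * difficulty):
            return False
        prev = h
    return True

def rewrite(chain, index, new_data, difficulty=0):
    """Whoever holds the only copy changes one record and rebuilds the chain."""
    records = [b["data"] for b in chain]
    records[index] = new_data
    return build_chain(records, difficulty)

# Constructed sample records, not taken from any real system.
RECORDS = ["alice pays bob 10", "bob pays carol 4", "carol pays dave 1", "dave pays alice 2"]

def demo():
    chain, _ = build_chain(RECORDS)
    edited = copy.deepcopy(chain)
    edited[1]["data"] = "bob pays carol 400"      # edit without fixing hashes
    forged, cheap = rewrite(chain, 1, "bob pays carol 400")
    _, costly = rewrite(build_chain(RECORDS, 3)[0], 1, "bob pays carol 400", 3)
    return {"in_place_edit_verifies": verify(edited),
            "rebuilt_chain_verifies": verify(forged),
            "head_matches_independent_copy": forged[-1]["hash"] == chain[-1]["hash"],
            "hashes_without_pow": cheap, "hashes_with_pow": costly}

if __name__ == "__main__":
    print(demo())
```

Without proof of work the rebuilt chain passes its own verification at a cost of one hash per block, so detecting the change depends on someone holding an independent, trusted copy of the head hash, which is the role of the accountable authority described above.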
