Want to invest in enterprise-grade blockchain? you need to know these things first

余YU
6 years ago
How to secure enterprise-grade blockchain platforms and applications?


Image Source:Thinkstock


Blockchain has become the new darling of the technology world, and enterprise blockchain is one form of it. Enterprise-level blockchains use encryption technology to ensure the consistency and security of transactions and data records between institutions. This breakthrough technology has sparked innovation and R&D across industries. In the past year alone, IBM has built more than 700 enterprise-grade blockchains.

At the same time, in order to ensure data security, more and more companies hope to deploy blockchain. At present, the blockchain-based security tool market has just emerged, and companies can have various ideas about blockchain technology.

Brett Valentine, the author of this article, introduces the characteristics of enterprise-level blockchain platforms and of their platform and application components, and advises companies to conduct comprehensive security assessments of enterprise-level blockchain suppliers, platforms and applications. Enjoy~


What is an enterprise-grade blockchain platform

First, enterprise-level blockchain platforms typically include:

• A network of institutions that agree to share the platform;

• Institutions that are members of the network, which have different levels of authority over data and transactions;

• The structure of the platform, including all shared systems, infrastructure and applications that govern the blockchain, platform functions and use cases;

• Blockchain data, including the data elements stored on the blockchain and provided to authoritative member institutions;

• A provider that creates and possibly hosts the blockchain platform.

IBM blockchain network application, image source: SecurityIntelligence

Enterprise-level blockchain platform providers usually provide dynamic scalability, neutrality, and consistent access paths based on cloud computing technology. Therefore, the components and security of the platform are usually a black box, but that doesn't mean security is guaranteed. Before selecting a platform provider and joining a blockchain network, an institution must complete extensive legal vetting and conduct cross-network trust, governance and technical reviews. All assessments need to include a security factor.

Some vendors' enterprise-grade blockchains include applications for end-user use, while other platforms are simply publicly available systems. Regardless of the type, these applications require security controls. Each component must adhere to and utilize corporate policies, standards, processes and technologies that ensure business continuity and operational efficiency.

To establish trust across networks, member institutions need to share and enforce the same application security control information.

Characteristics of Blockchain Platform and Application Components


Member institutions may not understand the underlying components of an enterprise-grade blockchain platform. Unless an institution develops a blockchain platform on its own, it cannot gain insight into the technology. Assume that an enterprise-level blockchain platform contains the components shown below, which are typical components in an enterprise-level application.

IBM blockchain network platform, image source: SecurityIntelligence

Fabric structure code. This code defines the data structures, functions and capabilities that each member must use in order to use the blockchain. To some extent, Fabric can be standardized; however, today's Fabric is customized for each network.


Similarly, applications that interact with the platform use familiar architectural components. Business logic and functionality are embodied in application code and configuration information. Since blockchain applications for each member institution may be created and managed individually by the institution, they should have full control over their applications and components.

IBM blockchain application platform, image source: SecurityIntelligence

Brett Valentine said that as security experts, we care about the security of each component of the platform and application, especially the coding practices of the Fabric structure and application code. Therefore, as many corporate security policies and tools as possible need to be applied to achieve consistency and operational efficiency.


How to select and verify suppliers

Ostensibly, enterprise-grade blockchain networks consist of the other member companies. In fact, the most important unofficial members are the blockchain providers. Companies have policies and procedures for evaluating suppliers, but these evaluations are usually routine and easy to pass. Given the sensitivities and implications of enterprise-level blockchains (the impact spans multiple companies, and the data can be particularly critical), a more holistic assessment is needed. A simple Request for Proposal (RFP) is not enough; third-party security audit reports are just the beginning.

The assessment should also consider:

• The size and reputation of the company;

• The security of each component in the platform;

• The security level of each member of the network;

• Minimal storage of sensitive data on the blockchain;

• Data lifecycle management, such as creation, management, verification, encryption and destruction;

• Quantum encryption and related technology, to ensure that the blockchain will not be decrypted or compromised in the future as quantum computing becomes mainstream;

• The platform's growth capabilities and performance guarantees as the scale of the blockchain grows;

• Platform availability, uptime and disaster recovery capabilities;

• Component repair and maintenance processes;

• Privileged access controls within the provider and between network members;

• A RACI (responsible, accountable, consulted and informed) model of business and support activities within the supplier and among network members;

• Tests to demonstrate transaction integrity.

Over time, market leaders in enterprise-grade blockchains will emerge and their security proven — as has been the case for cloud technology providers over the past few decades. Until then, institutions must conduct their own thorough assessments before investing in a blockchain provider.


How to conduct a security assessment of a blockchain platform

After evaluating a vendor's security posture, the next major task is to evaluate the platform itself. This step is actually an extension of the supplier assessment, but it requires the participation and agreement of the other member institutions.

Law and contract

Every aspect of an enterprise-grade blockchain platform, network, and structure must be defined by contracts. Of course, security has to be a big part of it, and probably the most difficult factor to evaluate, because it has to be agreed by all members. More members means longer legal reviews and more red lines.

An important factor in this assessment is liability, and each company may have different legal department requirements. Therefore, the responsibilities of each member and supplier in the event of a security breach or breach of contract need to be clearly defined.

Functional use cases

The security of each functional use case should also be assessed, including Multi-Factor Authentication (MFA), verification of rights to approve transactions, encryption and decryption, and API security.

Network governance

Members usually manage themselves, with little involvement from suppliers. It is important to understand the role of each member, the role played by individuals with authority in the member body, who sets the pace of activity, how disputes are resolved, reporting among members, and many other areas. In other words, institutions should adopt a consistent security plan covering both members and blockchain providers.

Cloud-based security controls

Cloud Security Alliance (CSA)

Shared operation

The blockchain provider may perform technical hosting and maintenance, but members are also required to perform specific operational tasks, ranging from server Operating System (OS) penetration testing, incident response and forensics to patch remediation and configuration management.

Data ownership

Best practice is to avoid storing sensitive data on the blockchain and to upload only shared and reference information. This strategy keeps the scale of the blockchain manageable while maintaining the highest possible performance. It also means that data is distributed among authoritative members. Therefore, it must be defined in writing which member owns each data element, how it is accessed or authenticated, who can access it, and how the owner protects it. This is especially complicated when multiple members are authoritative on the same data element under different conditions. If Personally Identifiable Information (PII) is stored, it will also fall under the General Data Protection Regulation (GDPR).

Conduct security tests on other members

The security of the other members is an important part of building trust in a network. As a result, third-party security testing (including penetration testing, vulnerability scanning, and policy audits) must be conducted annually on the applications used by all members, and the results made available to all other members.


How to Secure Blockchain Applications

Assuming each enterprise blockchain application is managed individually by a member, it is easier to control its security. In general, securing these applications requires special attention to the following areas:

Implement company security standards and systems

All company policies, standards, and common security platforms should be used to ensure consistency, reliability, familiarity, and operational efficiency. For example, the corporate standard Identity and Access Management (IAM) tools should be used for authentication, MFA, access control and identity data storage. Likewise, a secure Software Development Life Cycle (SDLC) and application scanning tools should be used to ensure the security of code development and deployment.

Assume the highest level of risk classification for data

It should be assumed that the blockchain will manage data of the highest risk classification. Even though your own institution may not manage or access confidential information, other members may. Assuming the highest risk classification also signals a commitment to security to the other members, and so establishes trust in the network.

Enforce MFA

Humans are often the weakest link in security, and MFA can help combat this risk. MFA has become the de facto standard for cloud computing applications and should also be applied to the blockchain field. Because of the distributed nature of blockchains, the data is potentially sensitive, and it is necessary to develop trust with other members over time.

Secure identity APIs

Most blockchains rely on APIs and will continue to do so in the future. API security best practices include associating a user ID and session information with each API call. This should also be standard practice for blockchain applications, as it provides an audit trail and allows function-level entitlements to be enforced.
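The API practice described above, as an added illustration that is not part of the original article: every call to a blockchain application API carries a user ID and a session reference, the call is written to an audit trail whether it succeeds or not, and the caller's role is checked against a function-level entitlement table. The session store, member names, roles and entitlement policy are all constructed for the example.

```python
import hashlib
import json
import time
import uuid

# Constructed session store: session_id -> (member_id, user_id, role, expiry)
SESSIONS = {
    "sess-a1": ("bank-a", "alice", "approver", time.time() + 3600),
    "sess-b7": ("bank-b", "bob", "submitter", time.time() + 3600),
    "sess-x9": ("bank-b", "eve", "submitter", time.time() - 10),  # already expired
}

# Function-level entitlements (assumed policy): which roles may call which API function
ENTITLEMENTS = {
    "submit_transaction": {"submitter", "approver"},
    "approve_transaction": {"approver"},
}

AUDIT_TRAIL = []  # one record per API call, including denied calls


def api_call(session_id, user_id, function, payload):
    """Bind user identity and session to the call, enforce entitlement, record audit."""
    record = {
        "id": str(uuid.uuid4()),
        "ts": time.time(),
        "session": session_id,
        "user": user_id,
        "function": function,
        # digest of the request body so the audit entry is tied to what was asked
        "payload_sha256": hashlib.sha256(
            json.dumps(payload, sort_keys=True).encode()).hexdigest(),
    }
    session = SESSIONS.get(session_id)
    if session is None or session[3] < time.time():
        record["outcome"] = "denied: invalid or expired session"
    elif session[1] != user_id:
        record["outcome"] = "denied: user does not match session"
    elif session[2] not in ENTITLEMENTS.get(function, set()):
        record["outcome"] = "denied: role not entitled to function"
    else:
        record["member"] = session[0]  # which network member the caller belongs to
        record["outcome"] = "ok"
    AUDIT_TRAIL.append(record)
    return record["outcome"]


if __name__ == "__main__":
    print(api_call("sess-b7", "bob", "approve_transaction", {"tx": "t-1"}))
```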

Enforce the strongest encryption key management

Make sure your institution has a strong and reliable key management system. Blockchains are based on the use of encrypted data, and a blockchain network may contain hundreds or thousands of encryption keys. Manually managing these keys takes a lot of effort, but keeping data and member institutions safe is paramount.

Correlate security events

Network members may not share a common Security Information and Event Management (SIEM) system, but a security event feed should be established to transmit information to members through the platform and to share selected event information among members.


The Promise of Enterprise Blockchain

What does the future hold for enterprise blockchains? If implemented correctly, enterprise-grade blockchains have the advantage and ability to unify and secure transactions between disparate institutions.

This article is translated from the original at https://securityintelligence.com/why-you-should-do-your-homework-before-investing-in-enterprise-blockchains/. If reprinted, please indicate the source.
