Blockchain security, Deloitte Switzerland
A Blockchain, or distributed ledger, is a technological protocol that enables data to be exchanged directly inbetween different contracting parties within a network without the need for intermediaries. Each transaction is communicated to all network knots, and once verified and confirmed, is added to an immutable transaction chain.
Numerous industries are presently researching and piloting Blockchain applications, see our latest white paper “The Blockchain (R)evolution –The Swiss Perspective” (1) for a general overview of Blockchain applications in the Swiss market. What most of these fresh applications have in common is that they need to process and store sensitive data. In the healthcare industry, for example, these are patient medical records, medical metadata, clinical trial information and PII (Personally Identifiable Information). As a consequence, there is a rising number of inquiries and concerns from our clients about the security aspects of Blockchain and its capability and limitations in protecting such critical data. Based on our practice, three aspects contribute to making Blockchain security difficult to manage:
1. Immaturity and complexity of the technology
Due to the different consensus algorithms available (e.g. proof of work or proof of stake), the Blockchain types (e.g. permissioned or permissionless), and the sophisticated underlying cryptographic protocols, it is difficult for security practitioners to fully understand data flows and potential security weaknesses. In addition, numerous Blockchain platforms and implementations exist and applications must be evaluated for their suitability for integration with a specific Blockchain system.
Two. Lack of standards and regulations around Blockchain technology
As of today, Blockchain technology is unregulated, resulting in legal uncertainties and grey areas. An interesting example of the lack of controls and laws regulating Blockchain networks is the DAO hack (Two) where a wise contract (Trio) vulnerability led to the network losing sixty million US dollars (Four).
Three. Widespread belief that a Blockchain is secure by design
Blockchain technology is built upon public-key cryptography and primitives such as digital signatures and hash functions, which may give a false impression of security. The fact that all cryptographic protocols have their boundaries and that holistic security includes not only technology, but also people and processes, is often overlooked in a Blockchain security analysis.
To overcome these difficulties, we advise clients to take a risk-based treatment to Blockchain security, which ensures that security controls are selected in line with business needs and business use cases. This treatment can be summarised as goes after:
- Understand criticality of data and processes
The very first step is to understand the sensitivity of the data that is being stored and processed in a Blockchain. By understanding regulatory implications and performing a business influence analysis, the importance of confidentiality, integrity and availability of data can be determined.
Secondly, traditional threats related to public key infrastructure and application development, such as key compromise and code bugs, must be factored into the analysis. On top of these, Blockchain-specific attack vectors relevant to the given application need to be identified. These include consensus hijack, Distributed Denial of Service (DDoS), permissioned Blockchain exploitation, brainy contract exploitation and wallet hacking (Five). Based on these, risk scripts can be listed and evaluated for likelihood and influence.
- Select security controls
The final step is the selection of security controls that address the identified risks. A number of traditional good security practices can be deployed. These include sturdy key management, code review, data encryption, access control, and security monitoring. In addition, there are technologies specific to Blockchain technology that can be set up, such as secure wallet management, permissioned chain management, and secure brainy contract development. Ultimately, it is significant to keep in mind that people, processes and technology are identically significant to ensure that Blockchain applications are decently protected. For example, the influence of the aforementioned DAO hack could have been contained if decent governance structure and incident response process had been put in place.
If you would like to have an initial conversation about Blockchain security and Deloitte’s treatment, please get in contact with our team.
Five. ENSIA, Distributed Ledger Technology & Cybersecurity – Improving information security in the financial sector, December 2016