Chief Technology Officer (CTO) at NetSPI, a leader in penetration testing and attack surface management.
The blockchain market is expected to grow by 68.4% over the next four years, with 86% of senior executives believing that blockchain will become a mainstream technology. While most of the world has fixated on cryptocurrencies, including bitcoin, ethereum, and the emerging non-fungible token (NFT) market, organizations have been adopting blockchain technology behind the scenes. Doing so requires the right education and implementation strategies: without an implementation strategy that accounts for the architectural nuances of each model, organizations open their business to security risks.
There are several blockchain deployment models: private (or internal), permissioned/consortium, and public. While they share some common characteristics, each has its own nuances when it comes to its use and associated security risks.
Private (or internal) deployment
Blockchains on a private network are usually isolated and are intended to solve internal operational efficiency issues. They offer an alternative data plane to traditional database architectures, with smart contracts serving the role of stored procedures.
Private networks are faster than other deployment models, partly because the entire infrastructure sits within the four walls of the organization, but more importantly because the consensus model does not require the trustless verification that public chains do. When deployed in-house, processes become more efficient, and the steps taken to protect business assets are more controlled. We see this specifically with an organization's internal supply chain, where blockchain enables faster and more cost-effective delivery of services.
The organization that controls the blockchains can set permission requirements and implement its own security precautions. By controlling which users can view, add or change data within the blockchain, private information is protected from third parties.
On the other hand, private blockchains are potentially more vulnerable to insider fraud, so organizations must understand the inner workings of the network to effectively patch a vulnerability. If a malicious insider or cyberattack presents itself, the steps to mitigate are essentially the same as for any other cyberthreat: perform risk assessments, perform penetration tests to identify security flaws, and create a threat detection and response plan. Organizations that have neglected to address blockchain acumen gaps in their IT and cyber resources may find that their response playbooks do not fully meet their needs.
Consortium, or Permissioned, Deployment
Consortium blockchains, also called permissioned or federated blockchains, are controlled by multiple entities, which has both advantages and disadvantages from a security perspective. As with private networks, permissioned networks operate at higher speed by selecting a consensus model that relies on trusted relationships between the participants.
Consortium blockchains are relatively more secure given their limited exposure to external actors. Still, organizations must take into account how data changes within the network and the implications for internal operations. They should also pay attention to the consensus algorithm and ensure that privacy protections are in place from the start of adoption, so that only the parties they intend to see the chain can access it. When transaction privacy is required, an organization must ensure that the technology selected supports this requirement. These precautions matter most where there are individual privacy implications, such as when providers use blockchain technology to share and store personally identifiable information (PII). Privacy teams must be engaged to understand and address the implications of permanent data retention and global privacy legislation.
Understanding how data can be modified in harmful ways is important in every blockchain, and especially in a consortium network where there are multiple access points. Threat modeling is one way security leaders can assess security concerns in blockchain deployments: it identifies potential architectural and implementation weaknesses and defines what actions can mitigate threats to the system. Proactive security testing is just as important here as it is for traditional infrastructure and applications. Organizations need to assess, identify and mitigate vulnerabilities in the solutions they deploy.
Public Deployment
Public blockchains are exactly what they sound like: public. Anyone running the protocol (think of it as a key) can join and access the blockchain data. They are usually completely decentralized and more transparent. Public blockchains such as bitcoin and ethereum underpin a vibrant ecosystem that is increasingly attracting attention. Their independence from any nation-state or organization creates a mechanism for economic and social innovation. These distributed public ledgers allow people to reliably engage in a global ecosystem, leveraging technology that is inherently trustless.
However, public networks present significant security risks that companies should be aware of. We have already seen these risks play out in the recent Sky Mavis breach, where hackers stole 173,600 ETH and $25.5 million from the Ronin Network, the infrastructure behind the Axie Infinity game. We will continue to see such breaches play out in different forms, such as 51% attacks, vulnerable smart contracts, and network congestion.
Beyond traditional infrastructure and application risks, these are just a few of the risks organizations should consider when interacting with public blockchain networks and monitoring for breaches. As with the other deployment models, leaders must ensure their teams have enough education and acumen in blockchain technology to assess those risks through tactics such as threat modeling and security testing.
Blockchain is an inevitable part of the tech landscape. It is one of the biggest technological advances of the last decade, with even the White House pledging to explore its benefits on a national level. The risks associated with implementing blockchains vary by use case and the associated deployment model, but the benefits of blockchain outweigh its security risks when they are managed correctly.
While many aspects of building on this technology mirror the development of traditional solutions, the nuances of using a distributed, trustless data plane require careful consideration. Technology and cybersecurity teams need to understand these architectural nuances as they look to support and defend such systems. Outside the technology frame of reference, some models also carry regulatory and privacy implications. Once leaders and their teams digest and understand the risks they need to address, they will be empowered to advance their strategies within the ecosystem and unlock the full potential of blockchains.
The Forbes Technology Council is an invite-only community for world-class CIOs, CTOs and technology executives.