Thirty years ago, as a U.S. Department of Defense experiment called the internet was about to be commercialized, companies started to focus on how to protect internal systems and applications from attackers on the internet.
The group responsible for deploying internet connectivity within organizations — usually network administrators — touted a technology called the firewall. On the principle that it could observe and direct network traffic, its proponents delivered a tantalizing message: Companies didn’t have to change a thing within their applications! All they had to do was install a firewall, configure it so ingress from and egress to the internet passed through this firewall, and it would ensure that only authorized entities and traffic were permitted to pass. Based on demonstrations that seemed magical for the time, the firewall became a wildly successful defense strategy for protection from bad actors on the internet.
Unfortunately, what should have been a temporary safety measure became a catch-all defense for any threat related to the internet.
Putting up a website? “Put it behind the firewall.”
Setting up an e-commerce site? “Make sure it is behind the firewall.”
Sharing sensitive files with supply chain partners? “Let’s make sure the firewall is protecting those files.”
Tens of billions of dollars have been spent on firewalls and other network-based defenses, but the state of organizational security remains woeful.
Since California passed its breach disclosure law in 2004, more than 9,000 publicly disclosed breaches exposing more than 11.5 billion records have proven the fallacy of depending on the firewall and network-based solutions as a panacea for internet threats. What organizations avoided was the necessary work of making applications resilient to attacks regardless of the firewall and network defenses in front of them.
As much as the firewall lulled IT organizations into ignoring vulnerabilities within their applications, blockchain has become the latest security salve.
Identity management problems? “Use blockchain.”
Securing healthcare data to share within and across the ecosystem? “Put it on blockchain.”
Invisible border control for nations? “Secure it with blockchain.”
Like firewalls, blockchain technology has a useful purpose. But it simply cannot substitute for fundamental security controls within applications. Organizations would do well to guard against repeating this mistake in the 21st century. Executives can ensure this by asking the following questions of managers and consultants recommending blockchain:
1. How are users authenticated to the applications using blockchain? Can a bad actor usurp the legitimate identity of a user to submit a fraudulent transaction?
2. How is sensitive data within blockchain transactions protected for confidentiality if the transaction is on the blockchain?
3. How are blockchain transactions verified for their provenance, and how are they protected for preserving their integrity before they get on the blockchain? Can a bad actor modify a legitimate transaction before it gets on the blockchain?
4. How can one ensure a blockchain quorum is not compromised by bad actors? How are cryptographic keys protected and managed within the blockchain application system?
For over two decades, advanced security practitioners have known that public-key cryptography is uniquely able to protect sensitive data in multiple ways: confidentiality through encryption, and integrity and authenticity (provenance) through digital signatures. Advanced security requirements within military, banking and telecommunications applications have relied on cryptography to protect sensitive data for decades.
Blockchain’s most useful features are in enabling transaction transparency and multiparty trust. Public-key cryptography delivered these benefits to organizations (in addition to the ones mentioned above) when implemented appropriately decades ago. However, given the complexity of working with cryptography — and under the misapprehension that network-based defenses were addressing data-protection problems — most organizations did not use this versatile technology to protect their applications and data.
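As an added illustration of question 3 and the paragraph above (example code, not part of the original article), this Go snippet signs a constructed, simplified transaction with Ed25519 before it is submitted: the hash chain absorbs a record altered in transit just as readily as the original, while the signature check at the ingest node rejects it. The record format, field names and the `Demo` function are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is a constructed, simplified ledger record, not any real chain's format.
type Transaction struct {
	From   string
	To     string
	Amount int
}

// canonical returns the exact bytes that are signed, verified and hashed.
func (t Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", t.From, t.To, t.Amount))
}

// Sign binds the transaction to the submitter's key: integrity plus provenance.
func Sign(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.canonical())
}

// Verify is the check an ingest node must run before appending a transaction.
func Verify(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.canonical(), sig)
}

// BlockHash links a record to the previous block. It protects history once the
// record is on the chain, but says nothing about who authored the record.
func BlockHash(prev [32]byte, t Transaction) [32]byte {
	return sha256.Sum256(append(prev[:], t.canonical()...))
}

// Demo returns (original verifies, tampered verifies, chain accepts tampered).
func Demo() (bool, bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader fails only if the OS entropy source does
	tx := Transaction{From: "alice", To: "bob", Amount: 100}
	sig := Sign(priv, tx)
	tampered := tx
	tampered.Amount = 100000 // altered in transit, before reaching the chain
	// The hash chain absorbs the altered record just as readily as the original.
	chainAccepts := BlockHash([32]byte{}, tampered) != [32]byte{}
	return Verify(pub, tx, sig), Verify(pub, tampered, sig), chainAccepts
}
```

The same canonical bytes must be used on both sides; any difference in field order or encoding between signer and verifier makes legitimate transactions fail verification.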
We now realize that the threat landscape has changed, and the regulatory framework is different from a quarter-century ago. Organizations are mandated to secure sensitive data as well as the privacy of individuals in many countries around the world. As useful as blockchain will be in some applications, it is critical that executives approving the use of blockchain technology recognize that it does not solve fundamental security problems. Rather, blockchain offers an additional security-like benefit outside of the core application that is using blockchain technology.
Basic security vulnerabilities within the application should be addressed regardless of whether blockchain is used, and doing so should be the highest priority of organizations. Without protecting data first within the application, blockchain is only another step towards an increasingly complex, breachable network.