Source: Mark Chaplin, Principal, ISF
24 Jun 2019

The discussion at this month’s Infosecurity Europe panel on quantum computing, artificial intelligence and blockchain highlighted how there is often a stark contrast between the technical view and business view of these and other emerging technologies.

Proponents of technology (old and new) can often focus on different perspectives, such as purpose and functionality, threats and vulnerabilities or security considerations. However, focusing on only a technical or business view can present challenges that have long-term effects for an organisation.

As with many technologies, there is often a considerable level of interest across the technology and security community regarding the security weaknesses and methods of attack. Threat modelling and evaluation of technology is an essential risk management activity, whether an organisation is developing or adopting new applications, systems or platforms.

Good practice in managing technology risk involves preparing for different adversarial threat scenarios that are likely to arise and providing security leaders and business executives with assurance that the organisation’s technology is resilient against malicious attack.

However, too much emphasis on examining adversarial threats to new technology can be at the cost of overlooking potentially greater threats to the organisation, such as poor planning and integration, weak architecture and incompatibility, and unexpected obsolescence.

The promise

Blockchain is a case in point. This exciting technology continues to grab the headlines and dominate discussions among technologists and security professionals. Although more than a decade old, you would think blockchain had been discovered in the last 12 months. Many technologists are embracing blockchain, with:

  • start-ups emerging up to develop radical solutions for all industry sectors
  • technology giants building teams of blockchain developers in the thousands
  • major cloud providers delivering Blockchain-as-a-Service (BaaS) platforms and distributed ledger networks
  • global enterprises converting their supply chains into value chains to track goods, certify authenticity, demonstrate quality, establish trust and protect brand
  • organisations in banking, insurance, telecommunications, manufacturing, shipping, retail and governments evaluating, piloting and testing blockchain technology in an effort to deliver value to the organisation and customers.

Blockchain promises a great deal.

Deja vu

But, will this nascent technology solve our security issues? You would be forgiven for thinking so, if you read much of the media coverage and listened to blockchain advocates over the last few years.

The build-up and hype surrounding blockchain presents striking parallels with the emergence of public key infrastructure (PKI) 20 years ago. Back then PKI received unprecedented levels of media and industry attention as well as huge investment. In hindsight, it was a good solution looking for problem in an effort to solve our security ills. After five years, Microsoft packaged PKI within its Windows Server operating system, and today PKI remains a fundamental and widespread part of an organisation’s technical and security infrastructure.

Despite the promise of PKI, it wasn’t plain sailing. Many corporate implementations, from pilots to large scale rollouts, did not meet the strict requirements for security design, development and build. PKIs delivered in this manner eventually hit integrity issues, where the Root Certification Authority (a core component of a PKI), other infrastructure components and digital certificates couldn’t be trusted. PKIs built to last decades and deliver various identity services were deemed to be untrustworthy and had to be rebuilt or replaced at significant cost to the organisation.

Can we learn any lessons from the past? Can blockchain be seen for what it is – an enabler of different technologies and deliver on the promise of bigger, better and faster solutions?

The reality

Blockchain, together with cryptography, algorithms, applications, infrastructure, connections and people, will play a key role in providing distributed (peer-to-peer) networks of ledgers. In doing so it will help organisations manage identities, ownership and transactions to provide integrity and establish trust within an often-hostile infrastructure environment. But only if designed and built correctly.

The promise of integrity and trust is the business view and where business leaders expect to see benefits such as increased revenue, improved operational efficiencies, greater competitive advantage, enhanced brand and reputation. Like the PKI of the past, it is the underlying distributed ledger infrastructure and related technology that will help deliver business benefits. As a result, it is the whole system, and not just blockchain, that will provide value but also introduce risk to the organisation.

To avoid repeating the errors of the past and embrace blockchain for the future, here are five recommendations for delivering on a business and technical promise.

  1. Learn from past lessons, particularly where high-cost, complex and critical technologies have been deployed with long lifespans – PKI is a good candidate
  2. Extend the technical view of blockchain to all the components – including those that form the distributed ledgers, such as applications, communications, underlying cryptography and security components
  3. Incorporate blockchain into all aspects of security architecture, including updating patterns, standards and solutions – to help manage scale, complexity and interoperability
  4. Apply an enterprise-wide business view when adopting blockchain, to identify all areas of the organisation that can benefit from improved identification, ownership and transaction management, such as IP protection, supply chain, production, service delivery, customer engagement and asset management
  5. Review legacy infrastructure and forecast future infrastructure scenarios – to help ensure backwards compatibility and futureproof subsequent technology.

 

The Information Security Forum performs extensive research covering information risk and cyber security, which is complemented with a comprehensive suite of risk management tools and publications.

Organisations can manage the business risks associated with blockchain and other emerging technologies, by using many of the ISF’s tools, publications and services, including the: