7 Ways Blockchain is Being Used for Security
Blockchain is being used as a security tool. If you haven't thought about adopting it, you might want to reconsider your take.
September 5, 2018
The distributed ledger of blockchain has found application in many fields, from cryptocurrency to supply chain. Much of the excitement about blockchain is due to its reputation as an inherently secure technology. But can that inherent security be applied to the field of security itself?
In a growing number of cases, the answer is "yes." Security professionals are finding that the qualities blockchain brings to a solution are effective in securing data, networks, identities, critical infrastructure, and more. As with other emerging technologies, the biggest question is not seen as whether blockchain can be used in security, but in which applications it is best used today.
Blockchain is being used in a number of security applications, ranging from record-keeping to acting as part of the active data infrastructure, and more options likely are on the horizon.
But while excitement over blockchain's potential grows, it's important to keep that potential in perspective.
One of the claims frequently made about blockchain is that it is an "un-hackable" technology. While no intrusive hacks have been demonstrated yet, it's wrong to say that blockchain can't be hacked. In early 2018, a "51% attack", in which a threat actor managed to gain control over more than half of a blockchain's compute power and corrupt the integrity of the ledger, showed that novel techniques can be effective. While this particular attack is expensive and difficult, the fact that it was effective means that security professionals should treat blockchain as a useful technology - not a magical answer to all problems.
Here are some ways blockchain is being used or considered as a security tool.
(Image: NicoElNino)
Identity on the network comes in two flavors: One is the identity of the user; the other, the identity of the device. In the case of the IoT, where there often is no user in the traditional sense, authenticating the identity of the device itself is critical, and a blockchain has been introduced to establish and maintain those device identities.
IOTA is a "permissionless blockchain" that seeks to do a number of things around the IoT, including establishing the identity of devices. It does this in the context of providing a micro-payment infrastructure to allow consumers and organizations to pay for IoT services on a per-use basis, but the payments aren't required for the identities to be authenticated.
The basis of the IOTA model is the "tangle," which is a combination of Full Nodes (defined as a full peer-to-peer member of the network) and Light Nodes (which must connect to Full Nodes in order to complete transactions). It is a variation on the traditional flat blockchain, but it does allow less powerful IoT devices to be part of the verified chain and remain fully identified and trusted.
Everyone gives lip service to security's requirements, but investors and regulators want more than lip service. They want verifiable evidence that the right steps have been taken. And blockchain can be a valuable tool for providing that evidence.
Xage is one company providing blockchain-based accountability and verified compliance for organizations. Duncan Greatwood, CEO of Xage, describes one of the key benefits blockchain brings to accountability: Because of blockchain's nature of recording and verifying every change that occurs, "the blockchain gives you the opportunity to audit or do forensics if something goes wrong."
Blockchain's ledger architecture makes it a natural fit for those looking to have audit support for security and infrastructure management. While it's not impossible to spoof blockchain verification, the effort required makes it more affordable, in most cases, to simply do the work required to be in regulatory compliance.
The same qualities that make blockchain valuable for regulatory compliance and accountability make it a worthwhile tool in protecting data integrity. "Blockchain is a decentralized, tamper-proof mechanism. It holds all the information the systems need to operate, from passwords to policies," says Greatwood. "No one node has all the information required to make any change."
Other vendors use blockchain qualities like the linked timestamping that is a critical part of Bitcoin to verify the integrity of data within the blockchain. Guardtime, which had the initial business responsibility for creating a formally verifiable security system for the Estonian government, has expanded its offerings to include integrity verification for both commercial and government customers.
Because a blockchain will record and verify any change to the data, it is an inherently suitable tool for protecting (and verifying) the integrity of a data set.
Critical infrastructure, whether that of the network or of the energy delivery system, comes with its security challenges.
"Discovery that Russian attackers left a RAT [remote access trojan] in the electrical grid was an eye-opener," says Greatwood. "This is a new problem that industrial operators are wrestling with."
As with many of the other aspects of security, blockchain's advantages in critical infrastructure protection come from the dual qualities of change verification and transaction transparency. It becomes far more difficult to hide any sort of malware on a system when there is a record of every change, and more difficult to make illicit changes when the authority to make a change must be verified by a distributed system.
The most vulnerable part of an encryption system lies in the storage of its encryption keys. If an attacker is able to gain access to key storage, then they have access to all encrypted messages within the system. And the access will extend to the credentials users employ to be authenticated into the system at various privilege levels.
CertCoin is an academic example of the technology that could de-centralize a public key infrastructure (PKI) used for authentication and encryption. According to the authors, "The core idea of Certcoin is maintaining a public ledger of domains and their associated public keys."
In many ways, the idea of a a blockchain PKI is the opposite of the usual "security through obscurity" model. Rather than keeping key stores carefully bottled up in secret locations, the infrastructure depends on the distributed nature of the blockchain and the complexity of the hash algorithm to secure the information. In doing so, the blockchain takes many of the attacker's tools out of play and, at least in theory, makes the entire process far more secure.
Healthcare records are among the most sensitive stores of personal information because of both the nature and quantity of data stored within them. For this reason, security professionals are looking at blockchain technology as a way of securing these highly sensitive electronic medical records (EMR) and electronic health records (EHR).
At least one company, MedicalChain, has already begun pilot programs to use blockchain as a technology for storing EHR. In the MedicalChain model, a blockchain would server as the architecture for a health information exchange, in which the patient records could be stored once and accessed by all of their medical practitioners. Adding a practice would be also simple as adding a node to the chain, with all accesses recorded and verified as with any other node.
Earlier this year, MedicalChain announced that the Mayo Clinic had begun exploring distributed ledger options with the company. As major players such as the Mayo Clinic move forward with trials, history indicates that other organizations will begin their own trials into the expanded use of blockchain technologies to secure electronic records.
Healthcare records are among the most sensitive stores of personal information because of both the nature and quantity of data stored within them. For this reason, security professionals are looking at blockchain technology as a way of securing these highly sensitive electronic medical records (EMR) and electronic health records (EHR).
At least one company, MedicalChain, has already begun pilot programs to use blockchain as a technology for storing EHR. In the MedicalChain model, a blockchain would server as the architecture for a health information exchange, in which the patient records could be stored once and accessed by all of their medical practitioners. Adding a practice would be also simple as adding a node to the chain, with all accesses recorded and verified as with any other node.
Earlier this year, MedicalChain announced that the Mayo Clinic had begun exploring distributed ledger options with the company. As major players such as the Mayo Clinic move forward with trials, history indicates that other organizations will begin their own trials into the expanded use of blockchain technologies to secure electronic records.
The distributed ledger of blockchain has found application in many fields, from cryptocurrency to supply chain. Much of the excitement about blockchain is due to its reputation as an inherently secure technology. But can that inherent security be applied to the field of security itself?
In a growing number of cases, the answer is "yes." Security professionals are finding that the qualities blockchain brings to a solution are effective in securing data, networks, identities, critical infrastructure, and more. As with other emerging technologies, the biggest question is not seen as whether blockchain can be used in security, but in which applications it is best used today.
Blockchain is being used in a number of security applications, ranging from record-keeping to acting as part of the active data infrastructure, and more options likely are on the horizon.
But while excitement over blockchain's potential grows, it's important to keep that potential in perspective.
One of the claims frequently made about blockchain is that it is an "un-hackable" technology. While no intrusive hacks have been demonstrated yet, it's wrong to say that blockchain can't be hacked. In early 2018, a "51% attack", in which a threat actor managed to gain control over more than half of a blockchain's compute power and corrupt the integrity of the ledger, showed that novel techniques can be effective. While this particular attack is expensive and difficult, the fact that it was effective means that security professionals should treat blockchain as a useful technology - not a magical answer to all problems.
Here are some ways blockchain is being used or considered as a security tool.
(Image: NicoElNino)
About the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024