Like many emerging technologies enjoying a sudden increase in popularity, there are many myths and inflated expectations surrounding blockchain — all due to an incomplete understanding of the capabilities and vulnerabilities of these technologies.
Blockchain technology certainly has a lot of promise. It has the potential to shape and disrupt many industries from banking to government, and overall digital business. But with that promise comes risk. “Security and risk management (SRM) leaders must take a critical look not only at the possible benefits of blockchain, but also the threats,” says Mark Horvath, research director at Gartner. “Consider using a multilayered model of blockchain security, so risks are clear at the business, technical and cryptographic levels.”
Public or private blockchain?
As many organizations look to capitalize on the benefits of blockchain, SRM leaders must ensure that they involve themselves in the planning process. Their core responsibility will be to define, frame, recommend and implement security best practices to mitigate organizational risk. But with blockchain technology being relatively new in the enterprise, SRM leaders will need to extract these best practices from a variety of sources.
“Blockchain can be viewed as a protocol — and as such, must support an existing or needed business process in the same way that the HTTP protocol supports e-commerce,” explains Horvath. “Ensuring blockchain makes sense for the business is the key priority. Enterprises should ensure the implementation of blockchain technology enhances or creates a new digital business initiative that otherwise could not be recognized.”
Once you decide that blockchain can help solve your business problem, you need to decide whether you need a public blockchain, where anyone can join; a private one, in which only select members can participate; or a hybrid model that combines features of both. Additionally, many blockchains operate within a business context that includes several other groups or organizations, which form a consortium as the governance model.
Plan how to recover if things go wrong
Blockchain depends on networks, yours and others — and on client software. Both have long histories of compromises, security events and human error, so it makes sense to look at these layers and plan how to recover when things go wrong. A public blockchain may be more exposed, but similar problems can also turn up in a privately managed blockchain.
Private keys can be managed both in software and on smartcards, but both require a degree of maintenance and protection to keep the keys safe. This is in addition to the aforementioned network management issues. If a blockchain project involves physical goods, for example, money or freight, understanding how to translate blockchain or smart contract events into physical processes will be fundamental to your success.
What’s secure today may not be tomorrow
Plan for critical security events and evaluate your preparedness and incident response plans. One of the strengths of blockchain is that it uses established technologies to build common cryptographic properties like identity and integrity into a dynamically changing document.
It is well known that hashing algorithms considered safe today may be deemed unsafe in a few years. SHA-1 is a good example of a widely used hashing algorithm that was weakened over time and replaced.
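The two points above (integrity built into a changing document by hashing, and hash algorithms that age out) can be shown together in a small hash-chained log. This is an added illustration, not code from the article or from any blockchain platform; the deprecated-algorithm list, the entry layout and the "re-anchor" step are assumptions made for the example.

```python
import hashlib
import json

# Constructed example: a minimal hash-chained document log that records which
# hash algorithm produced each link, so that links made with a deprecated
# algorithm (here SHA-1) can be found and the chain re-anchored under SHA-256
# without rewriting history.

DEPRECATED = {"md5", "sha1"}  # assumption: an organisation's own policy list
GENESIS = "0" * 64


def digest(algo, *parts):
    """Hash the concatenation of string parts with the named algorithm."""
    h = hashlib.new(algo)
    for part in parts:
        h.update(part.encode())
    return h.hexdigest()


def add_entry(chain, payload, algo="sha256"):
    """Append a payload, linking it to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"algo": algo, "prev": prev, "payload": payload}
    entry["hash"] = digest(algo, prev, payload)
    chain.append(entry)
    return entry


def verify(chain):
    """Return (intact, weak_indexes): whether every link recomputes and
    chains correctly, plus the indexes hashed with a deprecated algorithm."""
    weak = []
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or digest(e["algo"], e["prev"], e["payload"]) != e["hash"]:
            return False, weak
        if e["algo"] in DEPRECATED:
            weak.append(i)
        prev = e["hash"]
    return True, weak


def reanchor(chain, algo="sha256"):
    """Append a checkpoint that commits to every earlier entry under `algo`,
    so later verification can rely on the stronger hash for the old history."""
    commitment = digest(algo, json.dumps(chain, sort_keys=True))
    return add_entry(chain, "checkpoint:" + commitment, algo)
```

Legacy entries stay flagged by `verify` after re-anchoring; the checkpoint is what lets a verifier trust the older history without trusting SHA-1 alone.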
Gartner expects a period of heavy consolidation of blockchain technologies and platforms. “Prepare for turnovers in the technology and be ready for critical security events,” says Horvath. “This will enable you as SRM leaders to design resiliency at the heart of your security and risk approaches.”