BLOCKCHAIN will increasingly find its way into the workflows of AISA members, says US technology educator, author and speaker Jonathan Reichental.
“This is an important time for cyber security professionals to be getting up-to-speed quickly on this technology.
“Not only will they observe it (blockchain) but they will touch it and it will touch their systems.
“Data will flow from traditional systems into blockchain, and from blockchain out into traditional systems, and between blockchain systems,” the LinkedIn Learning instructor and PhD in Information Systems told AISA from his base in the San Francisco Bay area.
“They need to understand that what they’re used to in the more traditional client-server architecture that we’ve all become comfortable with over the past 40 years or so, all bets are off on that,” Professor Reichental says.
Here’s a good definition from IBM: “Blockchain is a shared, immutable ledger that facilitates the process of recording transactions and tracking assets in a business network. An asset can be tangible (a house, car, cash, land) or intangible (intellectual property, patents, copyrights, branding). Virtually anything of value can be tracked and traded on a blockchain network.”
A blockchain can be public or private. Participation in a public network, such as the cryptocurrency Bitcoin, is open to all, whereas private blockchains can restrict participation, with one or more organisations controlling and maintaining the ledger.
A blockchain like Bitcoin is essentially a shared online ledger that is updated, validated and maintained by a hive of computers (miners) that must agree on the legitimacy of changes and ratify the updated ledger.
The updated and validated ledger lives on all the computers in the network. In that way it is dissimilar to, for example, Google Drive where just a single master version of a document might exist on a cloud server but it can be accessed and changed by anyone who has the required permissions from the Google account holder.
Further, some platforms - most notably Ethereum - allow “smart contracts” to be coded into the blockchain. IBM explains these smart contracts as sets of rules “stored on the blockchain and executed automatically”.
Both public and private approaches run as decentralised peer-to-peer networks. That’s why Professor Reichental says they have potential to disrupt to some degree the ubiquitous client-server model upon which much of current information security is based.
Areas where a business might deploy smart contracts include:
Supply chain and customer contracts
Accepting payments via cryptocurrencies, and
Facilitating cooperative cloud storage and supercomputing-as-a-service
Professor Reichental says the biggest initial uptake will be in financial institutions such as banks with the execution and management of mortgages, for example. “Anything that is a series of steps that can be triggered by some input is a candidate for a smart contract.”
Recently, high-profile cryptocurrencies built on blockchain have plummeted in value. Bitcoin, for example, has almost halved in price, which has fed criticisms that blockchain is a risky fad.
Professor Reichental says: “You might get the sense from the media because of the backlash a little bit on Bitcoin and Ethereum and even some of the skepticism around NFTs (non-fungible tokens) that this is waning.
“The reality is that, on the blockchain enterprise side, it’s rapidly growing and the projection over the next five years is that this moves from being an experimental technology into being a serious production technology.
“In fact, the number I read is that, of the many, many thousands of enterprise experiments in blockchain that are taking place now, by 2025 30 per cent will be converted to real production systems.
“That’s a sizable number of new systems that tech professionals will be required to understand and get deep into it.”
Contrary to perception, Professor Reichental says, blockchain does have security vulnerabilities.
“The coding flaws are really one of the major weaknesses right now.
“The takeaway for anybody who’s thinking about the blockchain space from a cyber security perspective is that it’s not this wonderfully highly secure magical technology that has solved all our security problems.
“It does a good job - a very good job in many ways - but there’s a few more years to go before we tighten it up and fill some of the holes.”
Accordingly, cybersecs will benefit from at least a foundational understanding of blockchain technology, the Professor says.
“You might have a job where you don’t necessarily have hands-on but you should understand it. You should understand the principles.”
Other vulnerabilities include denial-of-service attacks, and because blockchain employs asymmetric encryption, the secure storage of a participant’s private key is crucial, he says.
The performance of blockchain in delivering on the CIA triad of Confidentiality, Integrity and Availability of data should also attract the interest of cyber security professionals, Professor Reichental says.
“There’s good evidence CIA becomes a valuable proposition on the cyber security end of things and because of that your industry should be very motivated to know more about it.”
But that should not be the main reason for an organisation to pursue a blockchain solution, he says. “CIA wouldn’t be the reason a company would necessarily use blockchain. It would be a benefit but you pursue blockchain because it offers some materially new way of delivering a service or doing an operation with an organisation.
“So I would argue that - and this is a big debate in the IT community - if you can do the thing that you’re proposing of blockchain with traditional computing, use traditional computing because we have 40 years of experience.
“You’ve got to be able to say, we are going to incorporate blockchain in our business because, for example, it speeds up cross-border payments or we can prove that slaves weren’t used to mine this material from the ground in Africa. We’ve got to have actual material leaps forward in the thing we are proposing, otherwise people are going to argue it’s too complicated, too much investment, let’s just rely on our old technology.”
Blockchain might be a different way of storing and accessing information but the principles of data security remain, Professor Reichental says.
“It’s still important that the fundamentals are understood and the cyber security professional knows the state of the data at any point in time, who has access to it, where it is, and how you get access.”
Professor Jonathan Reichental delivering one of his LinkedIn Learning courses.