Security and Blockchain Deployments
What is the #1 concern of members joining a permissioned blockchain network? In the past six months, I have been actively engaged in supporting the on-boarding process of members onto our blockbuster permissioned blockchain network “Trust Your Supplier”. TYS in short is a joint venture with IBM and includes some of the biggest names in industry as members such as IBM, Vodafone, Nokia, Flex, GSK, AB InBev and Lenovo. Recently Chainyard and IBM launched “Rapid Supplier Connect” to address supply chain concerns associated with the COVID-19 crisis.
Once a permissioned blockchain solution is ready for deployment, the real fun begins. As with any solution, security takes center stage before any member transacts on the platform. A truly decentralized permissioned blockchain network consists of members who have common business interests, yet each member is wary of the other members when it comes to its own business. The network operator has to deal with and address each member’s particular needs and concerns.
Taking blockchains to production and on-boarding members can be a very involved process. The most important concerns for each member organization are security, compliance and data privacy, and without proper due diligence, things may not move forward quickly.
With every member coming aboard, there is a detailed process of going through a security assessment, drilling down to understand the details around responses, seeking evidence to support the various claims made and conducting scaled-down PoCs to assess any gaps that could impact the specific member. Most often, members engage their internal security, compliance, and legal teams during this process.
In the traditional world of enterprise applications, most organizations have an internal shared services team that defines the security standards for their internal applications and enforces them across all their IT portfolios. Barriers are created between internal and external users, and partner access is terminated at the DMZ. Security implementations were simpler, and partners had to comply with the organization’s internal standards. In a traditional world, applications were centralized within the enterprise or hosted on a cloud, and security was the responsibility of the application team.
Permissioned blockchain is a team sport. When every member wants to compare the security that has been engineered into the solution against their internal standards, things can get quite complicated. Members on the network are there to collaborate on a solution that addresses a common business need or problem, yet in the real world they are competitors trying to gain market share and increase revenues. They are very concerned about data ownership, access permissions, privacy and breach.
Isolating the competitive concerns, coming up with a common set of policies and guidelines, and engineering those into a solution that is acceptable to all members is key to the success of a blockchain network.
After having worked with several blockchain solutions, and subsequently taking our own solution to production, we understand the security items that need to be addressed. The following graphic tries to summarize those elements of security that are of concern to the members of the consortium. Obviously, not all elements are applicable to every solution.
Security compliance can be categorized into business, technical and operational aspects of the network. Security is the Network Operator’s responsibility, though the governance board consisting of various member representatives provides guidance and oversight.
Security audits cover both the Solution and the Company that has ownership or operates the solution.
From a business perspective, the major areas that the solution operator(s) have to address include employee on-boarding and off-boarding, physical security of the premises, security of devices such as laptops and mobile devices, processes for records management and managing relationships with third-party suppliers. Most threats are attributed to people who have been actively engaged with the building of the solution.
The technical aspects must address a wide set of concerns such as identity and access management, storage of keys and passwords, data security and privacy, infrastructure, platform and the solution. Data privacy laws vary by region and country, and being aware of the existing and emerging regulations such as GDPR, CPA, China and India privacy requirements is critical.
Finally, the DevOps aspects include processes that must be documented and tested. Key among them are security incident and breach management, business continuity, disaster recovery and risk management. Risk is a broad topic and generally includes business, technical, financial, economic and operational risks.
Usually third parties specializing in security assessments are engaged to review the architecture and conduct pen-testing. It is highly likely that most members will engage their internal security teams to go over the details. These exercises can get tricky since the solution owner has to address the concerns without giving away the IP or the internal design secrets.
Now one may assume that that is enough. But wait! Members may look for compliance and audit reports, especially SOC1, SOC2 and ISO 27001. In addition, members are interested in the results of “Pen Tests” and evidence of remediation of the findings.
Conclusion
Once a solution under development reaches a key milestone, planning ahead and engaging the right teams and 3rd party security firms early in the life-cycle is a good idea.
- Architect the solution with security as a key principle
- Understand the needs of your members early on. For example, a simple login scenario could come back to bite you later on. Some members prefer password-less logins, while others want OAuth2, MFA or SSO
- Engage a security architect as part of the team and bake security testing into the test plans
- Be open and honest about what is and what isn’t available. A security breach can be very expensive in both reputation and cost
- Security applies to members of the network as well and hence member agreements must be drafted to include security clauses
Chainyard is a boutique blockchain services and solutions company. More information can be found here. Also, review the production solution “Trust Your Supplier” which is one of the largest permissioned supply chain solutions based on Hyperledger Fabric. Chainyard helps companies in building enterprise blockchain solutions, consortium building and governance strategy consulting, and security and infrastructure engineering.
The contents of this article are the author’s opinions and experiences, and do not necessarily reflect those of Chainyard or its leadership.