The Security Implications of Blockchain

Arnav Pagidyala
5 min read · May 1, 2022

What you need to know to take your business Web3.

Image Credit: NicoElNino/Stock

The blockchain market has taken off these past few years with no signs of slowing down. The space is set to grow at a CAGR of 85.9% until 2030, with roughly 86% of senior executives being certain that blockchain will become a staple, mainstream-adopted technology. While the world has been fixated on various cryptocurrencies and the speculation of their prices — most notably Bitcoin, Ethereum and the overall NFT market — organizations have been adopting blockchain technology behind the scenes. Integrating blockchain tech to optimize a business is no small task. It demands the right education, implementation strategies and precise all-around execution. The barrier to entry is high because, without implementation strategies that factor in the architectural nuances, companies open their business up to major security risks.

There are three types of blockchain deployment models: private, permissioned and public. While they all maintain some similarities, each comes with its own nuances regarding its accessibility and associated security risks.

Private Deployment

On a private network, blockchains are generally isolated and intended to solve internal operational efficiency problems. They offer a separate data plane compared to traditional database architectures, with smart contracts acting as stored procedures.

Private networks are much quicker than other deployment models, primarily because all of the infrastructure lies within the four walls of the organization. In addition, the consensus mechanism doesn’t require trustless verification, unlike public chains. When deployed in house, processes become more efficient, and the security measures protecting business assets are more tightly controlled. We can see this specifically within a company’s supply chain — the blockchain enables faster and more cost-efficient delivery of services.

The entity that controls the blockchain can enable permission requirements and implement its own security protocols. By controlling which individuals can view, add or edit data within the blockchain, private information is protected from any third parties.

On the flip side, private blockchains are generally more vulnerable to fraud, so organizations have to thoroughly understand the inner workings of the network in order to patch a vulnerability effectively. Should a malicious insider or cyberattack present itself, the steps to mitigate are essentially the same as with any other cyberthreat: perform risk assessments, conduct penetration testing to identify gaps in security, and build a threat detection and response plan. Organizations that neglect to address blockchain acumen gaps in their IT and cyber resources may find their response playbooks inadequate.

Permissioned Deployment

Permissioned blockchains — or consortium blockchains — are controlled by multiple entities, which comes with its own set of pros and cons from a security standpoint. Similar to private chains, permissioned networks operate at a much higher velocity through the selection of a consensus model that is optimal for trusted relationships.

Permissioned blockchains are fairly secure, given their limited exposure to external users or entities. As a result, organizations will be held accountable for data changes within the network and their implications on internal operations. They must also pay close attention to the consensus algorithm in order to ensure privacy safeguards are in place at the beginning of the adoption cycle. Individuals are given access only after permission has been explicitly granted. When transaction privacy is necessary, an organization must guarantee that the selected technology supports that requirement. These precautions are imperative where there are individual privacy implications — such as when providers use blockchain technology to freely share and store personally identifiable information. Privacy data teams should be engaged to understand and address the implications of permanent data retention and global privacy legislation.

Understanding how data can be modified in a harmful way is important in every blockchain — especially in a consortium network where there are multiple points of access. Threat modeling is a tried-and-true method security leaders can use to evaluate security concerns within blockchain deployments: it identifies potential architectural and implementation weaknesses and defines which actions mitigate the risks in the system. Proactive security testing is just as important as traditional infrastructure and application testing. It is an absolute necessity for organizations to identify, assess and mitigate vulnerabilities in the solutions they deploy.
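To make the permissioning and tamper-detection points of the private and permissioned sections concrete, here is an added illustration (not code from the article or any real blockchain platform): a minimal hash-chained, append-only ledger in which the controlling entity grants roles, every write is attributed to a permitted author, permission grants are themselves recorded on the ledger, and a verification pass reports the first record whose hash or back-link no longer matches. The role names and permission sets are assumptions chosen for the example.

```python
import hashlib
import json

# Roles the controlling entity can grant (assumed names, not from the article).
ROLE_PERMS = {"auditor": {"view"}, "clerk": {"view", "append"},
              "admin": {"view", "append", "grant"}}

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class PermissionedLedger:
    """Hash-chained, append-only log where every write is tied to a permitted author."""
    def __init__(self, operator: str):
        self.roles = {operator: "admin"}          # the entity that controls the chain
        self.chain = []
        self._append_raw({"genesis": True}, operator)

    def _check(self, who: str, perm: str) -> None:
        if perm not in ROLE_PERMS.get(self.roles.get(who, ""), set()):
            raise PermissionError(f"{who} lacks '{perm}' permission")

    def _append_raw(self, payload: dict, author: str) -> str:
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        body = {"index": len(self.chain), "prev": prev, "payload": payload, "author": author}
        body["hash"] = _digest(body)
        self.chain.append(body)
        return body["hash"]

    def grant(self, admin: str, who: str, role: str) -> str:
        self._check(admin, "grant")
        self.roles[who] = role
        # Record the grant on-chain so the permission change itself is auditable.
        return self._append_raw({"grant": who, "role": role}, admin)

    def append(self, who: str, payload: dict) -> str:
        self._check(who, "append")
        return self._append_raw(payload, who)

    def view(self, who: str) -> list:
        self._check(who, "view")
        return [b["payload"] for b in self.chain]

    def verify(self) -> int:
        """Index of the first block whose hash or back-link is broken, or -1 if intact."""
        for i, b in enumerate(self.chain):
            body = {k: v for k, v in b.items() if k != "hash"}
            prev_ok = b["prev"] == (self.chain[i - 1]["hash"] if i else "0" * 64)
            if b["hash"] != _digest(body) or not prev_ok:
                return i
        return -1
```

Note that the hash chain only exposes edits made without recomputing the chain; an insider who can rewrite every later hash on the single copy defeats it, which is why a private or consortium deployment still needs independently held replicas and a consensus rule, as the article stresses.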

Public Deployment

Public blockchains are exactly what they sound like — public. Anyone running the network’s protocol (kind of like holding a key) can access and add to the blockchain’s data. They are typically decentralized and more transparent. Public blockchains such as Bitcoin and Ethereum have created vibrant ecosystems that are increasingly garnering attention as the use cases rapidly become more advanced. Their independence from any nation-state or corporation creates a mechanism for economic and social innovation that is ultimately controlled by their users. These public distributed ledgers allow individuals to engage in a global ecosystem in a trusted way, leveraging technology that is inherently trustless.

However, public blockchains do come with significant security risks that businesses must look out for. We’ve already seen these risks play out recently with the Sky Mavis breach, where bad actors stole 173,600 in Ethereum and $25.5 million from Ronin Network’s Axie Infinity game. These exploits will continue to happen in different forms, such as 51% attacks, vulnerable smart contracts, network congestion and insider attacks.

In addition to the traditional infrastructure and application risks, there are many other threats that organizations must consider when interacting with public blockchains and checking for breaches in security.

As with other deployment models, management needs to ensure their teams have adequate education and intuition in blockchain technology to assess their risk through familiar tactics such as threat modeling and security testing.

Blockchain technology will inevitably become a fundamental part of our internet. It’s one of the biggest, if not the biggest, technological advancements of our time, with even the White House exploring its benefits at a national level. There are also talks of the central bank potentially releasing its own digital currency. Overall, the risks associated with implementing blockchains vary based on the use case and associated deployment model, but the benefits of blockchain far outweigh its security risks when maintained correctly.

While many aspects of creating on top of this new technology mirror traditional software development, the nuances of using a trustless and distributed ecosystem require thoughtful consideration. Technology, development and cybersecurity teams need to understand these architectural nuances as they look to support, optimize and defend them. Once organizations and their respective teams gain a thorough understanding of the threats they need to solve, they’ll be empowered to refine their strategies within the ecosystem and leverage the full potential of blockchains to enhance their technology.
