This is part II of a series. Part I of this blog, “Blockchain Security Assurance,” can be found here.
Blockchain technology offers profound opportunities in a myriad of domains, across self-sovereign digital identities, financial services, enterprise asset protection, supply chain risk management, and healthcare IT transformation. Because blockchain also offers promising building blocks for cybersecurity solutions, we explore some applications that help re-imagine conventional approaches to managing cybersecurity challenges.
Imagine if you were able to – with a significant degree of confidence – provide service providers your identity enriched with physical, behavioral, or temporal attributes that you can control. IBM is integrating secure, self-sovereign, digital identities and profiles alongside behavioral attributes, providing proof in the form of verifiable claims for the delivery of digital services. The goal is to provide individuals in a permissioned blockchain ecosystem with a decentralized, secure, self-sovereign, trusted identity associated with industry-mandated assurance levels.
Following the recent spate of breaches at Equifax and other institutions historically designated as arbiters of citizen identities, a different approach, one that departs from centralized architectures, is urgently needed. Applying distributed ledger technologies to this domain is promising, with the potential to achieve non-repudiation of transactions with high degrees of confidence, earn digital reputation, increase security assurance levels, and meet requirements for regulatory compliance. In effect, adopting blockchains allows relevant parties to validate who is offering data, who certified its accuracy and authenticity, and who is receiving the data.
Financial services are arguably the blockchain use case that is farthest along, specifically around facilitating decentralized transactions across financial institutions and a decades-old, vast network of intermediaries. Digital currencies, specifically Bitcoin, which has by far the largest market capitalization of any cryptocurrency, are one application that runs on blockchain technology. The technology inherently offers cryptographic verification and validation of transactions across multiple parties. It disrupts, and in some cases eliminates, core legacy business processes implemented to support “know your customer”; anti-money laundering; regulatory audit and compliance functions; cross-border payments; clearing and settlement; trade finance; back-office operations; etc.
Blockchain technology offers new, innovative opportunities, spurs transformation, and yields cost savings in fraud detection and in establishing and managing human and machine identities, with the potential of offering financial products to 1.2 billion people otherwise disenfranchised from global commerce.
Cross-border infrastructures such as the SWIFT network are susceptible to attack, and, as recent vulnerability exposures have shown, the resulting systemic, economic, and national security risks could be catastrophic.
Enterprise Asset Protection – IoT Devices, Critical Infrastructure
With the proliferation of technology devices, from Internet of Things (IoT) to enterprise technology infrastructure, endpoints, and assets, the challenge of effectively managing these devices is significant. These devices extend the traditional IT boundary and attack surface with objects that carry different sets of risks, as well as complexities. To enable and improve situational awareness of IoT devices and critical infrastructure, adoption of innovative blockchain capabilities that augment traditional solutions is necessary. This approach augments traditional security monitoring and mitigation capabilities and provides distributed, continuous monitoring of IoT devices, endpoints, and assets enriched with immutable, tamperproof, and cryptographically signed transaction data.
IoT device sensors and critical infrastructure endpoints and assets feed blockchain capabilities, enabling devices to participate in secure monitoring of transactions. Devices will be able to communicate with enterprise-defined, blockchain-based ledgers that autonomously collect, manage, and analyze, through SmartContracts, the security hygiene of endpoints; i.e., device information, software versions, most recent vulnerability scan information, firmware versions, etc. This approach offers a counter-argument to traditional centralized security operations capabilities saddled with the task of detecting known and unknown advanced persistent threats; distributed denial of service; “man-in-the-middle”; and OWASP-category web application attacks originating from the dark web, while providing actionable security intelligence at scale across distributed peers.
Supply Chain Risk Management
In today’s increasingly globalized market, it can be incredibly difficult to prove the authenticity, chain of custody, and provenance of anything from microelectronics in semiconductors embedded in mission-critical military components, medical devices, and enterprise infrastructure (hardware, software, firmware) to IoT devices. Vulnerabilities and exposure to risks are prevalent across the supply chains of all domains. Confidentiality and availability of transactions aside, there are significant uncertainties around maintaining the integrity of data traversing supply chain lifecycles from procurement to delivery.
One principle that underpins blockchain technology is the ability to achieve consensus among different parties to validate the accuracy of updates to the ledger. Updates, or “transactions,” are confirmed using cryptographic protocols. Agreements between these nodes can be codified into SmartContracts that enforce business logic and can be used to eliminate data integrity issues often seen in supply chains.
Standards such as NIST SP 800-161 prescribe and define best practices for supply chain risk management. In addition to the security controls defined in NIST SP 800-53, the “provenance” control family was created to address the many challenges of establishing a secure supply chain from original manufacture of a component to customer acceptance. Deployed with trust frameworks and traditional risk management standards, augmented with protocols such as the InterPlanetary File System (IPFS), distributed ledger technology can address many of the concerns outlined in 800-161 for supply chain protection.
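The two ideas above, devices reporting their security hygiene to a ledger and a component’s chain of custody being recorded from manufacture to acceptance, both rest on the same mechanism: append-only, hash-chained entries that each party authenticates. The following is an added example, not code from the original post or from IBM; it uses HMAC tags with per-party shared keys as a stand-in for real signing keys, and all parties, components, and firmware values are constructed for the demo.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
def canonical(obj):
    # Deterministic serialization so every peer hashes identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class CustodyLedger:
    # Append-only, hash-chained ledger; HMAC keys stand in for party signing keys (demo assumption).
    def __init__(self, party_keys):
        self.keys, self.chain = party_keys, []
    def append(self, party, payload):
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        body = {"seq": len(self.chain), "party": party, "prev": prev, "payload": payload}
        body["tag"] = hmac.new(self.keys[party], canonical(body), hashlib.sha256).hexdigest()
        body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
        self.chain.append(body)
        return body
    def verify(self):
        # Returns (ok, index of first bad entry or chain length, reason).
        prev = GENESIS
        for i, entry in enumerate(self.chain):
            e = dict(entry); h = e.pop("hash")
            if hashlib.sha256(canonical(e)).hexdigest() != h:
                return False, i, "hash mismatch"   # payload edited in place
            tag = e.pop("tag")
            key = self.keys.get(e["party"], b"")
            if not hmac.compare_digest(hmac.new(key, canonical(e), hashlib.sha256).hexdigest(), tag):
                return False, i, "bad tag"         # rewritten without the party's key
            if e["seq"] != i or e["prev"] != prev:
                return False, i, "broken link"     # entry removed or reordered
            prev = h
        return True, len(self.chain), "ok"
    def provenance(self, component):
        # Chain of custody for one component, in ledger order.
        return [(e["party"], e["payload"]["event"]) for e in self.chain
                if e["payload"].get("component") == component]

def demo():
    # Constructed sample: supplier ships a board, integrator accepts it, device reports hygiene.
    keys = {"supplier": b"k-supplier", "integrator": b"k-integrator", "sensor-42": b"k-device"}
    ledger, fw = CustodyLedger(keys), hashlib.sha256(b"firmware-image-1.2.0").hexdigest()
    ledger.append("supplier", {"component": "ctrl-board-7", "event": "manufactured", "firmware_sha256": fw})
    ledger.append("integrator", {"component": "ctrl-board-7", "event": "accepted", "firmware_sha256": fw})
    ledger.append("sensor-42", {"component": "ctrl-board-7", "event": "hygiene", "firmware": "1.2.0"})
    before = ledger.verify()
    ledger.chain[1]["payload"]["firmware_sha256"] = "0000"   # tamper with the accepted record
    return before, ledger.verify(), ledger.provenance("ctrl-board-7")
```

A real deployment would replace the HMAC keys with per-party asymmetric signatures and have every peer run `verify` on the replicated chain, which is where the consensus described in the previous section comes in.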
Healthcare IT Transformation
Healthcare is another domain poised for transformation with blockchain technology. Innovative institutions in the healthcare industry are actively building disruptive blockchain-based applications with a range of objectives: realizing significant cost savings, rolling out modern solutions that curb fraud, waste, and abuse, and putting patients at the center of their medical data to achieve patient-centered healthcare outcomes. Standardization of the data security and privacy processes that protect sensitive medical records, and ultimately the privacy of patients and citizens, is a critical design consideration for the long-term viability and mainstream adoption of these healthcare-based blockchain applications.
Constructs of pseudonymity (decoupling data from individual identity) and data minimization techniques (such as zero knowledge proofs, which offer mechanisms to protect patient privacy and identities while giving patients control of their medical data) are therefore vital. Design considerations around preservation of personal health information and personally identifiable information, consistent with HHS-HITECH regulations and guidelines, are critical to successful implementation for this use case.
Blockchain’s trust models, security, and efficiency present a unique opportunity to transform traditional business models. As with many other innovative technologies, blockchain adoption faces challenges around its nascency, the intricacies of the technology, regulatory standards, privacy, and the implications of SmartContracts for business processes. Implementation of blockchain applications requires comprehensive, enterprise- and risk-based approaches that capitalize on cybersecurity risk frameworks, best practices, and cybersecurity assurance services to mitigate risks. In addition, cyber intelligence capabilities, such as cognitive security, threat modeling, and artificial intelligence, can help proactively predict cyber threats and create countermeasures.
Blockchain application development lifecycles should, on principle, incorporate rigorous security operations, cyber hygiene, and cybersecurity assurance.
About the author
Adewale Omoniyi is a senior managing consultant, biometrics and cybersecurity, IBM Global Business Services (GBS). He leads IBM U.S. Federal’s healthcare cybersecurity initiatives and GBS’s public service blockchain initiatives. Adewale earned his M.B.A. in strategy and global business at New York University and his undergraduate degree in management and information systems from Temple University. His cybersecurity certifications include CISSP, CISM, and CRISC.