Let’s face it, there’s been a lot of hype about blockchain over the past few years. Nowadays though, there are signs that we may be on the cusp of moving from the “blockchain will solve all your problems” segment of the hype cycle into the “blockchain may be useful for a few targeted applications” segment.
Yes, utility-based Darwinism is at work, where we’re starting to see the more bizarre and unlikely of proposed enterprise blockchain applications fall away, and only those places where it truly adds value continue to prosper. The shift will take time, of course, but ultimately blockchain use in the enterprise will continue to mature.
As a practical matter, though, there is a subset of security pros who have a very specific problem in the meantime: Namely, how do they validate the security model of an enterprise blockchain application for their environment? This can be quite a challenge.
After all, a detailed understanding of the mechanics of blockchain operation requires understanding concepts that practitioners may not be familiar with out of the gate, while an analysis of potential threats requires understanding new attacks and threats outside what practitioners normally encounter.
Likewise, the broader business impacts require an in-depth understanding of the business itself to see how blockchain will change operations.
No Validation Standard
To see what I mean, consider something like a 51 percent attack. For a blockchain application like a cryptocurrency, this refers to a situation in which adversaries are able to temporarily or permanently control a majority of the computing power, and therefore manipulate data stored on the blockchain as they see fit. (Holders of Ethereum Classic are right now becoming intimately familiar with this situation.)
Unless your organization’s security team has staff who are familiar with cryptocurrencies, through personal interest or because of off-hours speculation, this type of attack is probably unfamiliar to the security team. That said, depending on the specifics of usage, this very well can be something your implementation team needs to think about.
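To put a number on the majority-control risk described above, the following added example (not from the article) implements the attacker catch-up probability from the Bitcoin whitepaper: given the fraction of hash power an adversary controls and how many confirmations a transaction has, it returns the chance the adversary can still rewrite that history, and how many confirmations are needed to push that chance below a risk threshold. The fractions and thresholds are constructed inputs for illustration.

```python
"""Attacker catch-up probability for a proof-of-work chain (Nakamoto, 2008).

q is the attacker's share of total hash power, p = 1 - q the honest share,
z the number of confirmations (blocks) the honest chain is ahead.
"""
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-power share q eventually
    overtakes the honest chain from z blocks behind (Poisson race model)."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction in [0, 1]")
    p = 1.0 - q
    if q >= p:
        # A majority attacker (the "51 percent" case) always catches up.
        return 1.0
    if z <= 0:
        return 1.0
    lam = z * q / p          # expected attacker progress while honest mine z blocks
    catch_up_fail = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        catch_up_fail += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - catch_up_fail


def confirmations_for_risk(q: float, max_risk: float, z_limit: int = 1000):
    """Smallest confirmation count z with success probability below max_risk.
    Returns None when no z up to z_limit suffices (always the case for q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(1, z_limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    # Constructed scenarios: a 10 % attacker, a 30 % attacker and a majority attacker.
    for share in (0.10, 0.30, 0.51):
        needed = confirmations_for_risk(share, 0.001)
        print(f"attacker share {share:.2f}: "
              f"P(rewrite after 6 blocks) = {attacker_success_probability(share, 6):.6f}, "
              f"confirmations for <0.1% risk = {needed}")
```

Running the block shows why confirmation counts that feel safe against a small miner offer no protection once an adversary holds a majority: the probability stays at 1.0 regardless of depth.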
The answer for this, of course, is standardization. However, even though there’s no shortage of proprietary methodologies to help organizations gain assurance about blockchain deployments, enterprise use is still early enough that there’s no de facto assessment or validation standard.
In the meantime, therefore, it’s incumbent on practitioners to develop strategies for evaluating blockchain deployments — either to supplement the methods employed by specialists they might engage or to stand alone if they do not have sufficient resources to engage such specialists.
With those needs in mind, following are a few techniques that can be adapted to assessing and validating the security…