There is a stark contrast between what I call the “technical view” and the “business view” of emerging technologies like blockchain, AI, and quantum computing. However, focusing only on one or the other can present challenges that have long-term consequences for companies.
With many technologies there is a considerable level of interest across the technology and security communities regarding security weaknesses and methods of attack. This is the technical view. (We’ll get to the business view a bit later.)
Indeed, threat modeling is a key component of technology evaluation and an essential risk management activity. That goes whether an organization is developing or adopting new applications, systems, or platforms.
Good practice in managing technology risk involves preparing for different adversarial threat scenarios that are likely to arise and providing security leaders and business executives with assurance that the organization’s technology is resilient against malicious attack.
At the same time, placing too much emphasis on the threats posed by adopting new technologies can be at the cost of overlooking potentially greater threats to the organization. These include poor planning and integration, weak architecture, incompatibility, and unexpected obsolescence.
Blockchain is a case in point. This exciting technology continues to grab headlines and dominate discussions among technologists and security professionals. Although blockchain is more than a decade old, from listening to these discussions it might seem that it’s practically a newborn.
Many trends today illustrate the degree to which blockchain is being embraced:
- Start-ups are emerging to develop radical blockchain-based solutions for industries and sectors.
- Technology giants are building thousands-strong teams of blockchain developers.
- Major cloud providers are delivering blockchain-as-a-service (BaaS) platforms and distributed ledger networks.
- Global enterprises are using blockchain to convert their supply chains into value chains to track goods, certify authenticity, demonstrate quality, establish trust, and protect brand.
- Companies in banking, insurance, telecommunications, manufacturing, shipping, and retail, along with governments, are evaluating, piloting, and testing blockchain technology in a bid to deliver value for themselves and their customers.
In short, blockchain promises a great deal.
Nonetheless, is it a sure thing that this nascent technology will solve our security issues?
One might be forgiven for thinking so, based on media coverage and testimony from blockchain advocates over the last few years. But the hype surrounding the technology presents striking parallels to the emergence 20 years ago of public key infrastructure (PKI), which like blockchain was designed to protect confidential communications between parties.
Back then PKI received massive media and industry attention, as well as enormous investment, as it promised a solution to security ills. After about five years Microsoft packaged PKI within its Windows Server operating system, and today it remains a fundamental and widespread element of an organization’s technical and security infrastructure.
As a technology, PKI was and is sound. When built and used correctly, it can provide confidentiality, integrity, authentication, and non-repudiation, which are required for large-scale financial transaction systems.
However, in its early days the development of PKI was hardly smooth sailing. Many corporate implementations, from pilots to large-scale rollouts, didn’t meet its strict requirements for security design, development, and build-out.
PKIs delivered in this manner eventually hit integrity issues, where its infrastructure components and digital certificates couldn’t be trusted. PKIs intended to last decades had to be rebuilt or replaced, at significant cost.
Unfortunately, because of the hype, PKI had been deployed in all manner of systems and platforms with little thought to priorities, benefits evaluation, or stage rollouts. This happened even though it wasn’t required everywhere, particularly where bigger security problems needed fixing first.
Now, when it’s looking like blockchain might get applied to anything that moves, organizations are in danger of repeating the mistakes made with PKI.
Blockchain, working together with cryptography, algorithms, applications, infrastructure, connections, and people, can play a key role in providing distributed, peer-to-peer networks of ledgers.
In doing so it can help organizations manage identities, ownership, and transactions in order to provide integrity and establish trust within often-hostile infrastructure environments.
But it will deliver these benefits only if designed and built correctly.
The promise of integrity and trust is the “business view.” It allows business leaders to confidently expect benefits such as increased revenue, improved operational efficiencies, competitive advantage, and enhanced brand reputation.
To avoid a repeat of the troubles associated with PKI, here are five recommendations for delivering on both the business and technical promises of blockchain:
- Pay heed to the experience of PKI, particularly when planning to deploy high-cost, complex, and critical technologies intended to have long lifespans.
- Extend the technical view of blockchain to all of its components, including those that form the distributed ledgers, such as applications, communications, underlying cryptography, and security components.
- Incorporate blockchain into all aspects of security architecture — including updating patterns, standards, and solutions, in order to help manage scale, complexity, and interoperability.
- Apply an enterprise-wide business view when adopting blockchain in order to identify all areas of the organization that can benefit from improved identification, ownership, and transaction management. These might include IP protection, supply chain, production, service delivery, customer engagement, and asset management
- Review legacy infrastructure and forecast future infrastructure scenarios in order to help ensure backward compatibility and future-proof subsequent technology.
You can’t cut corners when building either a PKI or blockchain solution. A zero-tolerance approach is required.
Mark Chaplin is a principal of the Information Security Forum, a non-for-profit organization dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best-practice methodologies, processes, and solutions. The organization’s nearly 500 members worldwide are included in either the Fortune 500 or the Forbes 2000.