Now that the hype over Bitcoin has eased off, interest is growing in the Blockchain – the distributed ledger technology that powers both Bitcoin and other cryptocurrencies.
Broadly speaking the Blockchain works using timestamped blocks of transaction data, linked by hashing functions and verified through decentralised nodes which use a group consensus to confirm validity of the database. The benefits of using what is a kind of crowdsourced method of validation makes the system harder to hack and ensures no one location can be hacked.
Cryptocurrencies such as Bitcoin work on Public Blockchains; completely open Blockchains that anyone can interact with. There are also Consortium and Private Blockchains – varieties more likely to be offered as solutions by organizations. Private Blockchains contain nodes only from one organization, but could still be distributed over various locations, while Consortium Blockchains feature a pre-selected number of nodes – for example an association of financial companies – in a hybrid fashion. There are arguments that private Blockchains are just shared databases and not the real deal, thus lacking some of the benefits.
But how much potential does the technology have, and what can it be used for? While finance is by far the most common suggested use case – no doubt due to the Bitcoin connection – there are plenty of other potential applications.
Some suggest that it could be used to secure the notoriously insecure Internet of Things (and, by extension, Smart Cities). DARPA is looking at using a Blockchain-based messaging system for soldiers in warzones. MIT is working on a decentralised cloud platform based on the technology, called Enigma, as well as new digital certificates.
Both Microsoft and IBM now offer Blockchain as a Service (BaaS), with Big Blue’s Blockchain VP Jerry Cuomo saying that the technology “is becoming an essential tool… [that] has inherent qualities that provide trust and security”.
Founded in Estonia and now headquartered in Amsterdam, Guardtime provides its own version of a Blockchain to protect data integrity. The company’s CEO Mike Gault has previously claimed he wants to do for data what Qualcomm did for mobile, and was recently chosen to provide Blockchain-based security for major UK infrastructure locations.
We talk to Hema Krishnamurthy, VP of R&D, about the Blockchain and what it can bring to security.
Can you explain how your company works with the Blockchain?
Guardtime Keyless Signature Infrastructure (KSI) technology enables organisations to ensure the integrity of their networks, systems and operations by preventing loss of critical digital assets and verifying enterprise behaviours, even across service providers – without having to put their trust in cryptographic secrets, systems administrators or other centralized trust anchors.
Guardtime’s technology works by tagging and tracking everything that happens to data over time, and recording this information in the blockchain via hash-based signatures. In this case the blockchain is a record, not of financial transactions but of hash-based signatures. You can use these signatures to identify every time data has changed – whether intentionally, unintentionally or maliciously. This lets you ensure the integrity of data – that it hasn’t been altered or compromised.
By monitoring the signatures, you can ensure in near-real time that your system is in a clean state, identifying when key digital assets are altered in an unauthorised way.
Can you outline some potential uses for the Blockchain in security? Finance is common due to the Bitcoin association, but what other industries could benefit?
Blockchain’s security applications extend to every space that uses digital data. Imagine if regulatory bodies had the means to independently verify the activities of the organisations they are tasked to regulate. Or imagine if every modification, access and deletion of a healthcare record could be verified after the fact, without disclosing the records themselves. As the Internet of Things reaches 6.8 billion connected devices in 2020, we could verify the integrity of each device component, and how it collects and uses data. Use of blockchain in supply chain provenance (software or other) is a prime use case wherein introduction of malicious software or data can be detected without lengthy forensic investigations. Blockchain enabled eDiscovery provides a hassle free means to ensure integrity of data that is on legal hold.
Guardtime is currently focused on these industries: telecommunications, aerospace and defence, finance, insurance, eGovernment, eHealth, document storage systems, legal and digital advertising.
What does the Blockchain bring to cyber-security that other technologies don’t?
Security today is based on the premise of limiting access to data. There is currently no transparent and scalable way to verify that data is trustworthy – that it hasn’t been altered in an unauthorised way. Our society runs on data. For economies, governments, societies and relationships to work, they need to trust that data. We can’t say for certain what is happening inside networks, servers, files and devices without a solution that offers integrity for data at rest and data in transit.
Unlike traditional digital signature approaches that depend on asymmetric key cryptography – e.g., Public Key Infrastructure (PKI) – KSI uses only hash-function cryptography, allowing verification to rely only on the security of hash functions and the publicly available blockchain record.
Data no longer lives in networks with discrete, hardened perimeters. We not only need to secure data transmission, but also data storage. Second, complex key management is impossible to scale across millions of endpoints and devices. And finally, PKI relies heavily on trust anchors that can be easily exploited, such as certificates and human administrators.
Guardtime KSI technology offers a data-centric approach to deter, detect and disrupt malicious data manipulation by protecting both active and dormant data and data in transit using publicly available information.
What the biggest challenges in creating a security-based blockchain tool today? What are the current limitations with the technology?
The biggest challenge lies in shifting the paradigm of security to the importance of integrity. Along with limiting access to data, we must build solutions that are scalable and transparent to prove that data is trustworthy. We believe that integrity must be the basis for building reliable, resilient and secure systems. For the last 40 years, security has come to mean confidentiality and encryption. Integrity has largely been forgotten, primarily because there haven’t been the right tools to address it.
Do you think security professionals are excited by the prospect of bringing the Blockchain into their work?
We’ve seen a lot of excitement with customers in cloud, government, military and other applications.
How costly and mature is the technology at this point; is it enterprise only, or could SMBs deploy it if they wanted? Could it eventually trickle down into consumer products?
Guardtime’s KSI can theoretically scale to sign all data in the world and register it in the blockchain. We’re currently partnered with Ericsson, who is producing a next-generation cloud product that registers data signatures into KSI blockchain, and a number of other customers. Eventually we could be registering data from any service or device in the blockchain to ensure its authenticity and integrity.
Which do you think has more potential benefits and uses in cybersecurity – machine learning or the Blockchain? Could they be used in tandem?
This is difficult to compare, but they can absolutely be used in tandem. Blockchain technology provides a means to protect the integrity of assets in a transparent manner by providing near-real time detection on data changes. Machine learning in conjunction with blockchain-based platforms offer a means to perform data mining, pattern-based and other kinds of predictive analysis on events that are fed into a Security Operations Centre.
PREVIOUS ARTICLE«Suregifts: A start-up spreading its wings across Africa
Adrian Schofield sheds light on tech in South Africa
Mark Chillingworth on IT leadership