Could blockchain fix security flaws in the cloud?

The cloud still doesn’t live up to all its promises, but maybe blockchain can help

This is a contributed piece from Ian Smith, Founder and CEO of Gospel Technology 


“The new data culture” heralded by the introduction of cloud technologies hasn’t quite taken off to the level promised to the enterprise market. Over the last decade, the cloud model has grown from basic hosting all the way up to full services and cloud architectural models have evolved from hosted hardware through to sophisticated virtual, multi-tenant services.

These models were initially met with scepticism within enterprises, and ‘the great leap’ forward that was predicted in the take up of these services across the globe hasn’t really happened. Whether that’s down to cultural reasons or price, there’s one main issue that always comes up – data security.

Private, purpose built IT security systems have always been developed by enterprises - these are secured by isolation of both physical and virtual perimeters. Through this came the belief that trust could be obtained within these highly controlled environments. This traditional datacentre model would include scale-up, proprietary hardware orientated architecture where business services were limited to a physical unit. ‘Locking the cabinet’ provided comfort against external threats. However, this model has quickly moved from being an asset to a liability.


Whilst it provides a degree of security, modern companies no longer operate in siloed isolation. Other business partners, clients and systems are highly distributed, and the idea of centralising is against the modern trajectory of business. We are even beginning to see a new breed of ‘cloud native’ services which have been built and designed for exactly this type of hosted, distributed architecture. These agile and fast moving new entrants are global from the beginning and are focused on consumer grade engagement. The ease of use is core to their success.

This modern collaborative mentality means that traditional enterprise has seen a rise of ‘shadow IT workarounds’ across its data borders, and in many cases lost control of vital data assets. Countless examples abound of intercompany and extra-company data sharing that punch holes straight through the “secure” perimeters and make a mockery of the once hallowed silo walls: CSV files extracted and sent across insecure email channels, or downloaded onto a CD and sent by physical courier to a trusted partner. These are not unusual activities to find somewhere within an enterprise, either with or without official permission from IT owners, and they certainly go against standard company and regulatory protocols.

This activity isn't usually malicious, of course. It's simply a necessary way to break the chains on the valuable enterprise data contained within each isolated silo, and to allow efficient and profitable use of that data to maintain a competitive edge over the more agile rivals, or to reduce the pressure on the bottom line. More and more managers are demanding access and availability to data right across their networks, whether that be system data or personal records, to allow them the insight and knowledge to compete.

And that of course is a major driver of enterprises who are taking up the challenge and moving toward digital transformation. It is no longer a question of if, it is a question of when.

But are the traditional data managers right to be cynical? The perceived loss of “control” once the data effectively leaves the confines of your protected environment can be alarming, and has certainly come at a cost for some high profile companies. Practically every week we hear of yet another data breach happening across the ultra-connected digital world that was meant to come with a high level of data resilience. In March this year alone, 74 million pieces of individual data were leaked globally. In May of next year we have the General Data Protection Regulation (GDPR), which will see a company that doesn’t report a data breach within 72 hours be subject to a fine of up to 4% of its previous year’s global turnover or €20M, whichever is the larger. No wonder so many IT overseers are quaking in their boots about “releasing” their data to the cloud.

And this is just from external threats. How can you control and monitor what’s happening to the data within your decentralised infrastructure?



However, a new technology has emerged that could be the answer. Blockchains, or more specifically distributed ledger technologies, are not really a new innovation, but they have previously been used for the sole purpose of acting as the underwriting ledger to cryptocurrencies like bitcoin. It’s only recently that they have been applied to other areas.

As an append-only database technology, every new block of information is encrypted with a part of the previous one, making the historical record of data unchangeable. This builds up into a chain, where if it were even possible to remove a link, this would be identified immediately.
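The chaining described above can be seen in a small added example, which is not code from the article or from any vendor's platform. It assumes the link is a SHA-256 hash of the previous block (a hash link, not encryption), and the function names and the sample access events are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder meaning "no previous block"


def block_hash(index, prev_hash, payload):
    """SHA-256 over a canonical JSON encoding of the block's contents."""
    body = json.dumps({"index": index, "prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(chain, payload):
    """Append a record whose hash covers the previous block's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev": prev, "payload": payload,
                  "hash": block_hash(index, prev, payload)})
    return chain[-1]["hash"]


def verify(chain, pinned_head=None):
    """Return (ok, reason). pinned_head is a head hash kept outside the ledger."""
    prev = GENESIS
    for pos, blk in enumerate(chain):
        # A removed or reordered block breaks the index/prev linkage.
        if blk["index"] != pos or blk["prev"] != prev:
            return False, f"broken link at position {pos}"
        # An edited payload no longer matches its stored hash.
        if blk["hash"] != block_hash(blk["index"], blk["prev"], blk["payload"]):
            return False, f"content altered at position {pos}"
        prev = blk["hash"]
    if pinned_head is not None and prev != pinned_head:
        return False, "head does not match pinned value (truncated or replaced)"
    return True, "ok"


def build_sample():
    """Constructed sample: three data-access events for one record."""
    chain = []
    for event in ({"actor": "partner-a", "action": "grant", "record": "pii-001"},
                  {"actor": "partner-a", "action": "read", "record": "pii-001"},
                  {"actor": "owner", "action": "revoke", "record": "pii-001"}):
        head = append(chain, event)
    return chain, head
```

Edits and removed links are caught by the chain itself, but dropping the newest blocks is only caught when the head hash is checked against a copy held elsewhere, which is the role that replication among ledger participants plays.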

What if that same immutability could be applied across the enterprise, to both its corporate system data and the personally identifiable information (PII) that it holds and wishes to share, but within a private, permissioned blockchain?

Underlying principles are perfect for just such a set-up, and a small number of firms are developing these enterprise blockchains: private, permission based ledgers that maintain the consensus architecture and high governance, whilst dropping the unnecessary and energy sapping public computing side.

What’s more, the data logic in the platforms being built upon these ledgers means that highly sophisticated and encrypted methods of authorisation and authentication can be built in, allowing not only consent based distribution of personal information (by the owner), but limited access rights to any such information by any particular sanctioned third party.

Not only would the ledger have a complete immutable record of what has happened to that data, but the software can also completely control who has access, when and what is shared.

It’s early days for such systems, but it certainly seems that distributed ledger technologies could hold the key for finally allowing the de-perimeterisation of data to safely follow the de-perimeterisation of infrastructure into the clouds.