CyberSecurity meets blockchain: A risk management-based approach to blockchain application development
Let’s face it: Blockchain technology has to contend with many technological, governance, and regulatory challenges to satisfy initiatives in the public and private sector. For all its ability to transform business transactions with its immutable, distributed ledger, there are many issues that need to be resolved before blockchain can gain mainstream adoption. One of those issues is securing blockchain applications.
In this post, we show how to provide blockchain security assurance by aligning cybersecurity principles and enterprise risk management with blockchain application development on a permissioned network. And we show how to use the IBM Blockchain Platform for building innovative cybersecurity solutions and services across multiple disciplines.
Governance and smart contract management
In an age of first-mover advantage, institutions in all industries cannot afford to ignore game-changing technologies. Blockchain’s distributed ledgers are a prime example of such a disruptive technology. They enable a single version of truth to be shared across complex, disparate ecosystems and processes. The result is shared business value, reduced cost, less risk, and the emergence of entirely new business models.
As blockchain technology dramatically expands access for new entrants into the global marketplace, securing transactions is critical to adoption. Traditional approaches to managing risk and maintaining security have not proven adequate in solving the security problem. While there have been several exploits of blockchain applications to date, they did not target the blockchain technology itself, but rather the smart contracts (business logic defined in code, intended to facilitate, verify, or enforce contract negotiation) and the applications at the edges of blockchain networks.
Blockchain cybersecurity assurance
As blockchain applications, interfaces, and smart contract complexity increase, so does the risk to blockchain applications. Therefore, there’s a need for comprehensive risk management and cybersecurity assurance programs enacted by cybersecurity professionals skilled in strategy, governance, regulations, and compliance processes.
Blockchain application developers, together with development operations (DevOps) teams, must consider whether they have the right tools for security and privacy compliance. The industry, as a whole, must examine the security landscape to identify security risks, develop threat modeling tools, establish roadmaps to harden the security posture, and deploy technologies to mitigate risks.
Let’s take a look at a blockchain cybersecurity assurance model that addresses blockchain risks based on a domain-specific, risk-based defense methodology and cybersecurity implementation best practices:
Key elements in the model:
Smart contract governance and risk assessment:
Define and align the security program to blockchain application and ecosystem DevOps according to cybersecurity methodologies and NIST (National Institute of Standards and Technology) risk management frameworks.
Data security and privacy assessment:
Analyze blockchain application data sets, thus informing legal, policy, and regulatory issues, on- and off-chain design considerations, liability, and enforceability issues.
Implement public key infrastructure and associated key lifecycle management services, including certificate revocation, generation, and destruction.
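The key lifecycle step above, as an added example that is not part of the original post or of the IBM Blockchain Platform: a Go program that uses only the standard library's crypto/x509 to issue a network CA, enrol two participant identities, revoke one through a CA-signed CRL, validate both the way a peer should before trusting them, and scrub the revoked private key. It assumes the permissioned network identifies members with X.509 certificates (as Hyperledger Fabric-based networks do); the `Identity` type, the participant names and the serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a participant's X.509 certificate with its private key (illustrative type, not a platform API).
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// makeIdentity generates a fresh P-256 key and its certificate: a self-signed root when ca is nil, else CA-signed.
func makeIdentity(ca *Identity, cn string, serial int64) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	parent, signer := tmpl, key // self-signed unless a CA is supplied
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // CRLSign is needed to issue revocations
	} else {
		parent, signer = ca.Cert, ca.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // re-parse so SubjectKeyId and friends are populated
	return &Identity{Cert: cert, Key: key}, err
}

// revoke signs a CRL listing one serial; peers must refresh it and fail closed once NextUpdate passes.
func revoke(ca *Identity, serial *big.Int) ([]byte, error) {
	now := time.Now()
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}}}
	return x509.CreateRevocationList(rand.Reader, crl, ca.Cert, ca.Key)
}

// validate applies the checks a peer should make before trusting a presented identity:
// it chains to the network CA, the CRL is genuine and fresh, and the serial is not listed.
func validate(ca *Identity, cert *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("chain check failed: %w", err)
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("malformed CRL: %w", err)
	}
	if err := rl.CheckSignatureFrom(ca.Cert); err != nil {
		return fmt.Errorf("CRL not signed by the network CA: %w", err)
	}
	if time.Now().After(rl.NextUpdate) {
		return fmt.Errorf("CRL expired at %s; fail closed until a fresh one is fetched", rl.NextUpdate)
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("%s (serial %s) is revoked", cert.Subject.CommonName, cert.SerialNumber)
		}
	}
	return nil
}

// runLifecycle enrols a CA and two participants, revokes one, validates both against the CRL,
// destroys the revoked key, and returns the two validation results (nil means accepted).
func runLifecycle() (activeErr, revokedErr error) {
	ca, err := makeIdentity(nil, "example-network-ca", 1)
	if err != nil {
		return err, err
	}
	alice, errA := makeIdentity(ca, "org1-peer-alice", 1001)
	bob, errB := makeIdentity(ca, "org1-client-bob", 1002)
	if errA != nil || errB != nil {
		return errA, errB // enrolment itself failed; report whichever step broke
	}
	crl, err := revoke(ca, bob.Cert.SerialNumber)
	if err != nil {
		return err, err
	}
	activeErr, revokedErr = validate(ca, alice.Cert, crl), validate(ca, bob.Cert, crl)
	// Destruction: scrub the revoked private scalar in place before dropping the reference.
	for i, w := 0, bob.Key.D.Bits(); i < len(w); i++ {
		w[i] = 0
	}
	bob.Key = nil
	return activeErr, revokedErr
}

func main() { fmt.Println(runLifecycle()) }
```

Running it prints `<nil>` for the active participant and a revocation error for the revoked one. The stale-CRL branch in validate is the caveat that matters operationally: a peer that keeps trusting an expired revocation list silently re-admits every revoked identity, so the safe default is to refuse until a fresh list is fetched.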
Blockchain application threat modeling and secure coding assessments:
Analyze blockchain network participant ecosystem design, and secure micro-services. Assess service-to-service security, application programming interfaces, access controls, and business associate agreements.
Certification, accreditation, and authority to operate a blockchain business network:
Understand and apply risk-based procedures for evaluating, describing, documenting, testing, and authorizing blockchain applications and business networks.
Blockchain cybersecurity intelligence and operations:
Continuously monitor, detect, analyze, diagnose, and mitigate threats to gain insights into the blockchain threat exposure and prevent incidents.
Develop an incident response orchestration plan to effectively activate people, processes, and technologies to respond to and recover from security breaches impacting the confidentiality, integrity, or availability of enterprise blockchain applications.
About the authors
Adewale Omoniyi is a Senior Managing Consultant in the Cybersecurity and Biometrics (C&B) Service Line for IBM Global Business Services, Public Service, as well as a Cybersecurity and Blockchain Technologies Solution Architect. He currently serves as the IBM GBS Federal Healthcare Cybersecurity Lead and GBS Cybersecurity Public Services Blockchain Leader. He earned his executive Master of Business Administration (MBA) in Strategy and Global Business at New York University. He holds a Bachelor of Business Administration (BBA) in Management and Information Systems from Temple University. He has also earned the CISSP, CISM, and CRISC cybersecurity certifications.
Dr. Shue-Jane Thompson is Vice President & Partner in the Cybersecurity and Biometrics (C&B) Service Line for IBM Global Business Services, Public Service. She oversees C&B-related technology innovation, solution engineering, and service delivery for US DoD, Intel, Federal, State, and Local clients, leading hundreds of highly qualified security professionals and providing advanced cyber capabilities as mission enablement for the nation’s top agencies. She has 30+ years of commercial, government, and international technology and business management experience.