Thoughts on Blockchain’s Relationship to Data Security
After reading an article in the Wall Street Journal, “Blockchain Could Be the Security Answer. Maybe.” (May 30, 2018) I was concerned that information in the article could mislead readers regarding the place of blockchain in a cybersecurity discussion. Further, ruminations regarding blockchain’s ability to protect information spout from various media sources with insufficient detail regarding exactly how the information is protected.
This post isn’t meant to explain blockchain, there are many resources for that. Instead I focus on a few points made in the article specific to data security. In general, I find there is a lack of understanding about blockchain’s place in a data security context, the article simply highlights a few. I’ll frame my discussion using a common cybersecurity framework, the CIA triad.
When considering data security we often separate information protection into three categories: 1) Confidentiality – data should only be visible to those with a legitimate reason to access it; 2) Integrity – data should be accurate and no unauthorized changes should be made to it; and 3) Availability – the data should be accessible when it is needed. These three categories of protection, Confidentiality, Integrity, and Availability, form the CIA triad. To secure information, computers and programs must effectively provide all three.
Blockchain Protects Data Integrity
Blockchain was created to focus on the integrity of data. That is, the premise for blockchain is that a group wants to share information and assure that no one changes the data without consensus. The data is visible to anyone with access to the blockchain. Public and private keys in blockchain are only used to authenticate data changes – managing the integrity of the data.
A byproduct of a typical blockchain deployment is enhanced availability. If there are multiple organizations each with a complete copy of the blockchain, then the information is redundantly stored across multiple systems and accessible through multiple networks. Although not the focus of blockchain, and not a guaranteed security feature, especially if a single organization is using the technology privately, blockchain’s support for a distributed implementation can be used to enhance availability.
Confidentiality Is Another Issue
As relates to confidentiality, keeping private data private, the article implies that the keys used with blockchain encrypt the data, and hence aid in confidentiality. For instance, the article mentions, “With blockchain, the patient’s entire medical record is stored in a ledger and encrypted with the patient’s private key.” There are a three significant errors in this statement.
First, the use of public and private keys (known as asymmetric encryption) cannot be used to encrypt large amounts of data. This is a limitation of the way that such encryption works. Second, if data is encrypted with a private key it can be read (decrypted) by anyone with the corresponding public key, which as the name “public” implies, is expected to be anyone. Third, blockchain does not encrypt the block’s data with the keys, rather it uses the keys to create and verify block “signatures” (mathematical hashes) that are used to validate the individual changing the data has that right. Blockchain is not intended to provide data confidentiality and adding such capabilities would have to be done separately.
There are several other claims in the article regarding blockchain’s use in assuring that only authorized users see the information they should. Blockchain isn’t intended to address these types of concerns and any use of blockchain to these ends would involve some external system interacting with the blockchain data at which point the question should be, “do I really need a blockchain for this?”
Blockchain technology can provide a useful platform for sharing decentralized data that multiple, untrusting entities are permitted to read and update in an open verifiable manner. However, overstating blockchain’s utility and applying it to problems it doesn’t fit wastes resources and time, which based on ever escalating cyber-threats would best be avoided.
Tags: blockchain, data, data security, disk encryption