
Posts Tagged ‘disk encryption’

Thoughts on Blockchain’s Relationship to Data Security

Wednesday, June 13th, 2018

After reading an article in the Wall Street Journal, “Blockchain Could Be the Security Answer. Maybe.” (May 30, 2018), I was concerned that information in the article could mislead readers regarding the place of blockchain in a cybersecurity discussion. Further, ruminations regarding blockchain’s ability to protect information spout from various media sources with insufficient detail regarding exactly how the information is protected.

This post isn’t meant to explain blockchain; there are many resources for that. Instead I focus on a few points made in the article specific to data security. In general, I find there is a lack of understanding about blockchain’s place in a data security context; the article simply highlights a few. I’ll frame my discussion using a common cybersecurity framework, the CIA triad.

When considering data security we often separate information protection into three categories: 1) Confidentiality – data should only be visible to those with a legitimate reason to access it; 2) Integrity – data should be accurate and no unauthorized changes should be made to it; and 3) Availability – the data should be accessible when it is needed. These three categories of protection, Confidentiality, Integrity, and Availability, form the CIA triad. To secure information, computers and programs must effectively provide all three.

Blockchain Protects Data Integrity

Blockchain was created to focus on the integrity of data. That is, the premise for blockchain is that a group wants to share information and assure that no one changes the data without consensus. The data is visible to anyone with access to the blockchain. Public and private keys in blockchain are only used to authenticate data changes – managing the integrity of the data.
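The integrity-without-confidentiality point can be seen in a simplified hash-linked ledger. This is an added example, not code from the original post or the article; it models only the hash linking (no consensus, no signatures), and the function names and the sample records are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder for the first block's predecessor


def block_hash(index, prev_hash, record):
    """Hash the block contents together with the previous block's hash."""
    body = json.dumps({"index": index, "prev": prev_hash, "record": record},
                      sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


def append(chain, record):
    """Append a record, linking it to the hash of the last block."""
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev": prev, "record": record,
                  "hash": block_hash(index, prev, record)})


def first_invalid(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev:
            return block["index"]
        if block["hash"] != block_hash(block["index"], block["prev"], block["record"]):
            return block["index"]
        prev = block["hash"]
    return None


def readable_records(chain):
    """What any holder of a copy can read: every record, no key required."""
    return [block["record"] for block in chain]


def demo():
    chain = []
    for rec in ("patient=A; allergy=penicillin",   # constructed sample records
                "patient=A; rx=amoxicillin",
                "patient=B; visit=2018-05-30"):
        append(chain, rec)
    intact = first_invalid(chain)                  # chain as written
    visible = readable_records(chain)              # stored in the clear
    chain[1]["record"] = "patient=A; rx=none"      # edit without re-linking
    tampered = first_invalid(chain)                # verification after the edit
    return intact, visible, tampered


if __name__ == "__main__":
    print(demo())
```

Recomputing the edited block's hash only moves the failure to the next block, and a fully recomputed copy no longer matches the copies held by the other participants; in neither case was any record hidden from a reader.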

A byproduct of a typical blockchain deployment is enhanced availability. If there are multiple organizations each with a complete copy of the blockchain, then the information is redundantly stored across multiple systems and accessible through multiple networks. Although not the focus of blockchain, and not a guaranteed security feature, especially if a single organization is using the technology privately, blockchain’s support for a distributed implementation can be used to enhance availability.

Confidentiality Is Another Issue

As relates to confidentiality, keeping private data private, the article implies that the keys used with blockchain encrypt the data, and hence aid in confidentiality. For instance, the article mentions, “With blockchain, the patient’s entire medical record is stored in a ledger and encrypted with the patient’s private key.” There are three significant errors in this statement.

(more…)

Full Disk Encryption – A (Close to Home) Case Study

Wednesday, April 28th, 2010

This is a follow-up to my previous entry regarding full disk encryption (see: http://monead.com/blog/?p=319).  In this entry I’ll look at Blue Slate’s experience with rolling out full disk encryption company-wide.

Blue Slate began experimenting with full disk encryption in 2008.  I was actually the first user at our company to have a completely encrypted disk.  My biggest surprise was the lack of noticeable impact on system performance.  My machine (Gateway M680) was running Windows XP and I had 2GB of RAM and a similarly-sized swap space.  Beyond a lot of programming work I do video and audio editing.  I did not notice significant impact on editing and rendering of such projects.

Later in 2008, we launched a proof of concept (POC) project involving team members from across the company (technical and non-technical users).  This test group utilized laptops with fully encrypted drives for several months.  We wanted to assure that we would not have problems with the various software packages that we use. During this time we went through XP service pack releases, major software version upgrades and even a switch of our antivirus solution.  We had no reports of encryption-related issues from any of the participants.

By 2009 we were focused on leveraging full disk encryption on every non-server computer in the company.  It took some time due to two constraints.

First, we needed to roll out a company-wide backup solution (as mentioned in my previous post on full disk encryption, recovery of files from a corrupted encrypted device is nearly impossible).  Second, we needed to work through a variety of scheduling conflicts (we needed physical access to each machine to set up the encryption product) across our decentralized workforce.

(more…)

Full Disk Encryption – Two Out of Three Aren’t Bad

Wednesday, April 14th, 2010

Security is a core interest of mine.  I have written and taught about security for many years, consistently keeping our team focused on secure solutions, and am in pursuit of earning the CISSP certification.  Some aspects of security are hard to make work effectively and other aspects are fairly simple, having more to do with common sense than technical expertise.

In this latter category I would put full disk encryption.  Clearly there are still many companies and individuals who have not embraced this technique.  The barrage of news articles describing lost and stolen computers containing sensitive information on unencrypted hard drives makes this point every day.

This leads me to the question of why people don’t use this technology.  Is it a lack of information, limitations in the available products or something else?  For my part I’ll focus this posting on providing information regarding full disk encryption, based on experience. A future post will describe Blue Slate’s deployment of full disk encryption.

Security focuses on three major concepts, Confidentiality, Integrity and Availability (CIA).  These terms apply across the spectrum of potential security-related issues.  Whether considering the physical environment, hardware, applications or data, there are techniques to protect the CIA within that domain.

(more…)