If you think about banking security, what comes to mind is often a giant vault encased in a blanket of concrete. The huge steel door is a monolithic machine adorned by giant spinning wheels, knobs and dials, biometric readers, lasers and Tom Cruise dangling somewhere. Perhaps you are also picturing the hacker types, hunching over in the back of a cube van effortlessly transferring a staggeringly large sum of money overseas.
However, by the end of 2017, the banking landscape has been vastly reimagined through the introduction of a revolutionary technology. Whilst digital banking is certainly nothing new, the apparatus of cleaning and storing assets have changed. The cryptographic key to your blockchain address will not be stored in a giant vault. No amount of weaponry or physical force can seize your digital gold. The new money is distributed globally in multisig wallets, beyond the borders of nations. This fundamentally changes the nature of financial security, such that cyber security has moved front and center into the domain of asset securitization. The physical security of wealth has been replaced by the security of software and fading are the days of impregnable iron boxes and fancy underground vaults.
Unlike hacking into a centralized bank’s computer system and changing the values of a relational database cluster, a blockchain is a public and immutable ledger that is highly resistant to legacy attack vectors. Physical and environmental security do not have the same prominence as databases both on site, or in cloud.
Conventional Security Concerns
Security concerns for a typical, financial database typically range from:
- Access control – who or what can view resources
- Auditing – ensuring correct database access permissions
- Authentication – database user access permissions and privileges
- Encryption – protecting stored data with encryption
- Integrity controls – accuracy and integrity of data
- Backups – storing and backing up data
- Application security – removing security vulnerabilities from applications
While blockchain technology removes auditing, authentication, integrity controls and backups from our list of database security concerns, it raises concerns for Access Control, Encryption, and Application Security. Although the narrowing of concerns shows some sense of added security, let us take a closer look at these new concerns.
A blockchain takes care of auditing. The immutable ledger provides a permanent record of all balances and transactions. This is not to say that a financial company should put less effort into auditing, hardly that. With regards to data integrity, audits are a thing of the past. Regulators, administrators and compliance teams have greatly simplified their job of examining or investigating financial records.
Since authentication and access control to the database have been radically changed by using private/public key encryption, what approximates zero-knowledge user identity makes the data store safer. Data is publicly visible, yet immutable, therefore encryption takes on a different dimension. Hashing blocks in the chain, along with asymmetric public key encryption replaces hashing sensitive values
Backups are no longer required. Blockchain data is a pinnacle innovation such that the datastore becomes a permanent, immutable record. Nodes on the blockchain network maintain a distributed, single source of truth that makes backing up redundant.
Although blockchain nodes do require your typical username and password to access coinba se accounts, authentication has moved into the domain of Access Control. Requests made to the system are not authenticated with root level accounts. Rather, writing data is handled by consensus on a network of geolocated participants and risk is distributed across an array of nodes. This innovation ultimately removes the vulnerability of users and access privileges.
The need to store and manage your database becomes a matter of choice. The blockchain, or public ledger, does not require in-house management. A network of nodes run and store data regardless of whether a system is running locally. Data integrity on blockchain technology has proven to be immutable by Bitcoin’s near decade in operation.
When considering cyber security in the context of blockchain, application security takes centre stage. Traditional OWASP security concerns replace sensitive data issues. User identity is not required to access and write data. User identification is moved instead to participants in the financial system and to the individual. Cyber security, as it applies to securing web applications, replaces the need for complicated, physical and environmental security arrangements.
A whole new interconnected world
In many ways, the radically open nature of blockchain technology may seem unintuitive from the perspective of traditional security disciplines. The complexity of attacking distributed data is immense, and this ultimately brings the individual solely into focus as the primary target of financial hacking. Cyber intrusion into personal devices, social engineering, and a person’s physical security will come to replace traditional security practices. The vulnerability of the individual will intensify as blockchain technologies continue to gain popularity.
Additionally, public ledgers move security from protecting physical assets and opaque data stores within banks, to communities of software developers and cyber security partners. Securely implementing services built on distributed blockchain databases become a primary concern. This serves to free financial institutions from the internal security requirement of having to audit siloed data across departments and companies.
By changing the landscape of financial clearing and asset transactions, the blockchain opens the door to innovation in how financial institutions serve their clients. Backend operations are simplified when auditing and compliance becomes transparent on the ledger. As banks move to compete for the individual with better services and offerings, web application cyber security replaces many, if not most of the physical and environmental security concerns associated with traditional banking.
Source: Chad Lynch, Head of Crypto Security, Horangi Cyber Security